AWS Bedrock Claude High Risk Filesystem and Exec Tool Invocation
Detection identifies anomalous or high-risk usage of filesystem and execution tools (such as bash, curl, edit, write, webfetch, grep, read, read_file) invoked by an identity through AWS Bedrock Claude, flagging suspicious activity that could indicate attempts to escalate privileges, exfiltrate data, execute unauthorized commands, or establish persistence.
This threat brief details the detection of high-risk filesystem and execution tool invocations by identities interacting with AWS Bedrock Claude, a generative AI service. The activity involves the use of potentially dangerous commands such as bash, curl, edit, write, webfetch, grep, read, and read_file within the AI model's operational context. These actions, especially when combined (e.g., bash with curl, or bash with write), signal potential malicious intent, including privilege escalation, data exfiltration, unauthorized command execution, or persistence establishment. The detection aims to identify anomalous behaviors that deviate from historical baselines, highlighting a critical risk given the access and capabilities an AI model might have within an AWS environment. Such activities could severely compromise data integrity and confidentiality if exploited.
Attack Chain
This detection describes observed high-risk behaviors that an attacker could leverage within an AWS Bedrock Claude environment, rather than a specific, fully documented attack campaign. These behaviors represent critical stages an attacker might follow:
- Initial Compromise/Access: An attacker obtains unauthorized access to an AWS identity (IAM user, assumed role, or automated process) that possesses permissions to interact with AWS Bedrock Claude.
- Tool Invocation for Discovery: The compromised identity causes Bedrock Claude to invoke filesystem tools such as
grep,read, orread_fileto perform reconnaissance and discover sensitive data or system configurations within the AI model's accessible environment. - Content Retrieval: The identity leverages Bedrock Claude to invoke network tools like
curlorwebfetchto retrieve external content, which could include malicious scripts, additional tools, or specific files from external sources. - Command Execution: The identity uses Bedrock Claude to invoke an execution tool like
bash, enabling the execution of arbitrary commands, potentially those downloaded in the previous step, to gain further control or establish a shell. - Persistence or Data Modification: The identity causes Claude to invoke file modification tools such as
editorwriteto alter system configurations, establish persistence mechanisms, or modify sensitive data. - Data Exfiltration / Impact: Through various combinations of these tools (e.g.,
readandcurlfor data exfiltration over network, orbashfor unauthorized system control), the attacker achieves their final objective, such as data theft, unauthorized system control, or further lateral movement within the AWS environment.
Impact
Successful exploitation of this vector can lead to severe consequences for an organization. Attackers could escalate privileges within the AWS environment, gaining unauthorized access to sensitive data and subsequently exfiltrating it to external destinations. The ability to execute arbitrary commands or modify files through an AI model offers a novel and potentially stealthy attack path, bypassing traditional security controls. While specific victim counts are not available, any organization utilizing AWS Bedrock Claude is a potential target, and a successful compromise could result in significant data breaches, service disruption, and severe reputational damage.
Recommendation
- Enable AWS Bedrock model invocation logging as described in the
how_to_implementsection of the source content, ensuring Claude request/response payloads are delivered to your SIEM. - Ingest the Amazon Bedrock invocation logs into your Splunk environment (or equivalent SIEM) following the guidance in the Splunk Add-on for AWS (https://splunkbase.splunk.com/app/1876).
- Deploy the provided Sigma rule "Detect AWS Bedrock Claude High-Risk Tool Invocation" to your SIEM solution and configure it for your environment.
- Review and tune the detection with your legitimate developer activity, as noted in the
falsepositivessection, to minimize alerts from authorized users invoking shell execution, file write, or network tools through Claude as part of normal operations.
Detection coverage 1
Detect AWS Bedrock Claude High-Risk Tool Invocation
highDetects identities causing AWS Bedrock Claude to invoke high-risk filesystem or execution tools such as bash, curl, edit, write, webfetch, grep, read, or read_file. This indicates anomalous behavior that could lead to privilege escalation, data exfiltration, or unauthorized command execution.
Detection queries are available on the platform. Get full rules →