Techniques
Sample rules
AWS EC2 EBS Snapshot Shared with Another Account
- source: elastic
- technicques:
- T1537
Description
Identifies AWS EC2 EBS snaphots being shared with another AWS account. EBS virtual disks can be copied into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this in order to copy the snapshot into an environment they control, to access the data.
Detection logic
from logs-aws.cloudtrail-*
| where event.provider == "ec2.amazonaws.com" and event.action == "ModifySnapshotAttribute" and event.outcome == "success"
| dissect aws.cloudtrail.request_parameters "{%{?snapshotId}=%{snapshotId},%{?attributeType}=%{attributeType},%{?createVolumePermission}={%{operationType}={%{?items}=[{%{?userId}=%{userId}}]}}}"
| where operationType == "add" and cloud.account.id != userId
| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, snapshotId, attributeType, operationType, userId
EC2 AMI Shared with Another Account
- source: elastic
- technicques:
- T1537
Description
Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made publicly available accidentally as well.
Detection logic
event.dataset: "aws.cloudtrail" and event.provider: "ec2.amazonaws.com"
and event.action: ModifyImageAttribute and event.outcome: success
and aws.cloudtrail.request_parameters: (*imageId* and *add* and *userId*)