AMI sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action. AWS Marketplace subscriptions automatically result in assets.marketplace.amazonaws.com invoking ModifyImageAttribute to share the AMI with your account; this rule excludes Marketplace-invoked sharing by design. Other AWS services like workspaces.amazonaws.com and backup.amazonaws.com may invoke this action when users configure sharing through WorkSpaces or Backup plans. Review such service-invoked events to confirm they match legitimate and intended sharing configurations.

Sample rules

AWS EC2 AMI Shared with Another Account

Description

Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made publicly available accidentally as well.

Detection logic

data_stream.dataset: "aws.cloudtrail" and event.provider: "ec2.amazonaws.com"
    and event.action: ModifyImageAttribute and event.outcome: success
    and aws.cloudtrail.request_parameters: *add=*
    and not aws.cloudtrail.user_identity.invoked_by: "assets.marketplace.amazonaws.com"

AWS EC2 EBS Snapshot Shared or Made Public

Description

Detects when an Amazon Elastic Block Store (EBS) snapshot is shared with another AWS account or made public. EBS snapshots contain copies of data volumes that may include sensitive or regulated information. Adversaries may exploit ModifySnapshotAttribute to share snapshots with external accounts or the public, allowing them to copy and access data in an environment they control. This activity often precedes data exfiltration or persistence operations, where the attacker transfers stolen data out of the victim account or prepares a staging area for further exploitation.

Detection logic

info where data_stream.dataset == "aws.cloudtrail"
  and event.action == "ModifySnapshotAttribute"
  and event.outcome == "success"
  and stringContains (aws.cloudtrail.request_parameters, "attributeType=CREATE_VOLUME_PERMISSION")
  and stringContains (aws.cloudtrail.request_parameters, "add=")
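As an added example (not part of either rule or of the original page), the following Python re-implements both rules' field checks over constructed ECS-style CloudTrail documents and applies the LoFP guidance above: Marketplace-invoked AMI shares are excluded, WorkSpaces- and Backup-invoked shares are routed for review, and the remaining matches alert. The flattened request_parameters strings and the group=all marker for a public grant are assumptions, not taken from the page.

```python
MARKETPLACE = "assets.marketplace.amazonaws.com"
SERVICE_INVOKERS_TO_REVIEW = {"workspaces.amazonaws.com", "backup.amazonaws.com"}

def _ev(action, params, invoked_by=None):
    # Constructed ECS-style CloudTrail document carrying only the fields the rules query.
    ev = {"data_stream.dataset": "aws.cloudtrail", "event.provider": "ec2.amazonaws.com",
          "event.action": action, "event.outcome": "success",
          "aws.cloudtrail.request_parameters": params}
    if invoked_by:
        ev["aws.cloudtrail.user_identity.invoked_by"] = invoked_by
    return ev

SAMPLE_EVENTS = [  # constructed, not real CloudTrail records
    _ev("ModifyImageAttribute", "{launchPermission={add=[{userId=111111111111}]}}", MARKETPLACE),
    _ev("ModifyImageAttribute", "{launchPermission={add=[{userId=222222222222}]}}", "backup.amazonaws.com"),
    _ev("ModifyImageAttribute", "{launchPermission={add=[{userId=333333333333}]}}"),
    _ev("ModifySnapshotAttribute", "{attributeType=CREATE_VOLUME_PERMISSION, createVolumePermission={add=[{group=all}]}}"),
    _ev("ModifySnapshotAttribute", "{attributeType=CREATE_VOLUME_PERMISSION, createVolumePermission={remove=[{userId=333333333333}]}}"),
]

def matches_ami_shared(ev):
    # Mirror of the KQL rule: a successful EC2 ModifyImageAttribute that adds a permission, unless marketplace-invoked.
    return (ev.get("data_stream.dataset") == "aws.cloudtrail"
            and ev.get("event.provider") == "ec2.amazonaws.com"
            and ev.get("event.action") == "ModifyImageAttribute"
            and ev.get("event.outcome") == "success"
            and "add=" in ev.get("aws.cloudtrail.request_parameters", "")
            and ev.get("aws.cloudtrail.user_identity.invoked_by") != MARKETPLACE)

def matches_snapshot_shared(ev):
    # Mirror of the EQL rule: a successful ModifySnapshotAttribute adding a CREATE_VOLUME_PERMISSION.
    params = ev.get("aws.cloudtrail.request_parameters", "")
    return (ev.get("data_stream.dataset") == "aws.cloudtrail"
            and ev.get("event.action") == "ModifySnapshotAttribute"
            and ev.get("event.outcome") == "success"
            and "attributeType=CREATE_VOLUME_PERMISSION" in params and "add=" in params)

def triage(ev):
    # Apply the LoFP guidance to an event that fired either rule; None when neither fires.
    rule = ("AMI shared" if matches_ami_shared(ev)
            else "EBS snapshot shared" if matches_snapshot_shared(ev) else None)
    if rule is None:
        return None
    if ev.get("aws.cloudtrail.user_identity.invoked_by") in SERVICE_INVOKERS_TO_REVIEW:
        return rule, "review: service-invoked, confirm it matches the intended sharing configuration"
    if "group=all" in ev["aws.cloudtrail.request_parameters"]:  # assumption: a public grant flattens to group=all
        return rule, "alert: made public"
    return rule, "alert: shared with another account, confirm the sharing is authorized"

def run(events=SAMPLE_EVENTS):
    return [(i, *r) for i, ev in enumerate(events) if (r := triage(ev)) is not None]
```

Running `run()` over the constructed events drops the Marketplace share and the `remove=` snapshot change, routes the Backup-invoked share to review, and alerts on the direct account share and the public snapshot.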