It is possible that an AWS admin has legitimately shared a snapshot with another account for a specific purpose. Please check any recent change requests filed in your organization.

Techniques

Sample rules

AWS Exfiltration via EC2 Snapshot

Description

This search detects a series of AWS API calls related to EC2 snapshots, made in a short time window, that may indicate exfiltration via EC2 snapshot modifications. In this attack, the attacker typically lists and creates EC2 snapshots of the available EC2 instances, then modifies the snapshot attributes so that the snapshot can be shared externally. Once this is done, the attacker can load that EC2 snapshot and access all the sensitive information it contains.

Detection logic

`cloudtrail` eventName IN ("CreateSnapshot", "DescribeSnapshotAttribute", "ModifySnapshotAttribute", "DeleteSnapshot") src_ip!="guardduty.amazonaws.com"
| bin _time span=5m
| stats count dc(eventName) as distinct_api_calls values(eventName) values(requestParameters.attributeType) as attributeType values(requestParameters.createVolumePermission.add.items{}.userId) as aws_account_id_added values(userAgent) as userAgent by _time userName src_ip aws_account_id
| where distinct_api_calls >= 2
| `aws_exfiltration_via_ec2_snapshot_filter`
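As an added example (not part of the LoFP page or the Splunk rule), the detection logic above re-implemented in Python over raw CloudTrail JSON records, so it can be run offline against an exported trail. The mapping of CloudTrail fields to the CIM names `src_ip`, `userName` and `aws_account_id` is an assumption, and every sample record is constructed.

```python
from collections import defaultdict
from datetime import datetime

SNAPSHOT_EVENTS = {"CreateSnapshot", "DescribeSnapshotAttribute", "ModifySnapshotAttribute", "DeleteSnapshot"}
WINDOW = 300  # seconds; mirrors the SPL's "bin _time span=5m"

def bucket(event_time: str) -> int:
    """Floor an ISO-8601 CloudTrail eventTime (e.g. 2024-05-01T12:01:10Z) to its 5-minute bin start."""
    ts = int(datetime.fromisoformat(event_time.replace("Z", "+00:00")).timestamp())
    return ts - ts % WINDOW

def detect_snapshot_exfil(records):
    """Group snapshot API calls per (5m bin, userName, src_ip, account) and flag >= 2 distinct calls."""
    groups = defaultdict(lambda: {"count": 0, "eventName": set(), "attributeType": set(),
                                  "aws_account_id_added": set(), "userAgent": set()})
    for rec in records:
        # Assumed CIM mapping: src_ip=sourceIPAddress, userName=userIdentity.userName, aws_account_id=recipientAccountId
        src_ip = rec.get("sourceIPAddress", "")
        if rec.get("eventName") not in SNAPSHOT_EVENTS or src_ip == "guardduty.amazonaws.com":
            continue
        key = (bucket(rec["eventTime"]), rec.get("userIdentity", {}).get("userName", ""),
               src_ip, rec.get("recipientAccountId", ""))
        g, params = groups[key], rec.get("requestParameters") or {}
        g["count"] += 1
        g["eventName"].add(rec["eventName"])
        if "attributeType" in params:
            g["attributeType"].add(params["attributeType"])
        # createVolumePermission.add.items{}.userId lists the accounts the snapshot is being shared with
        for item in params.get("createVolumePermission", {}).get("add", {}).get("items", []):
            g["aws_account_id_added"].add(item["userId"])
        g["userAgent"].add(rec.get("userAgent", ""))
    return [{"window_start": k[0], "userName": k[1], "src_ip": k[2], "aws_account_id": k[3],
             "count": g["count"], "distinct_api_calls": len(g["eventName"]),
             **{f: sorted(v) for f, v in g.items() if f != "count"}}
            for k, g in groups.items() if len(g["eventName"]) >= 2]  # the SPL's "where distinct_api_calls >= 2"

def make_record(name, when, user, ip, params=None, acct="111111111111", ua="aws-cli/2.15.0"):
    return {"eventName": name, "eventTime": when, "sourceIPAddress": ip, "recipientAccountId": acct,
            "userIdentity": {"userName": user}, "requestParameters": params or {}, "userAgent": ua}

# Constructed sample trail (not real data): a three-call share sequence, a lone scheduled backup, a GuardDuty call.
SAMPLE_RECORDS = [
    make_record("CreateSnapshot", "2024-05-01T12:01:10Z", "jdoe", "198.51.100.7", {"volumeId": "vol-0123456789abcdef0"}),
    make_record("DescribeSnapshotAttribute", "2024-05-01T12:02:45Z", "jdoe", "198.51.100.7", {"snapshotId": "snap-0123456789abcdef0"}),
    make_record("ModifySnapshotAttribute", "2024-05-01T12:03:30Z", "jdoe", "198.51.100.7",
                {"snapshotId": "snap-0123456789abcdef0", "attributeType": "CREATE_VOLUME_PERMISSION",
                 "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}),
    make_record("CreateSnapshot", "2024-05-01T03:00:02Z", "backup-svc", "10.0.4.21", {"volumeId": "vol-0fedcba9876543210"}),
    make_record("DescribeSnapshotAttribute", "2024-05-01T12:02:50Z", "guardduty", "guardduty.amazonaws.com"),
]
```

The `aws_account_id_added` field of each alert is what an analyst compares against approved change requests when triaging the false positive described at the top of the page; the lone backup call and the GuardDuty-sourced call produce no alert.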