Techniques
Sample rules
AWS AMI Attribute Modification for Exfiltration
- source: splunk
- technicques:
- T1537
Description
The following analytic detects suspicious modifications to AWS AMI attributes, such as sharing an AMI with another AWS account or making it publicly accessible. It leverages AWS CloudTrail logs to identify these changes by monitoring specific API calls. This activity is significant because adversaries can exploit these modifications to exfiltrate sensitive data stored in AWS resources. If confirmed malicious, this could lead to unauthorized access and potential data breaches, compromising the confidentiality and integrity of organizational information.
Detection logic
`cloudtrail` eventName=ModifyImageAttribute (requestParameters.launchPermission.add.items{}.userId = * OR requestParameters.launchPermission.add.items{}.group = all)
| rename requestParameters.launchPermission.add.items{}.group as group_added
| rename requestParameters.launchPermission.add.items{}.userId as accounts_added
| eval ami_status=if(match(group_added,"all") ,"Public AMI", "Not Public")
| rename user_name as user
| stats count min(_time) as firstTime max(_time) as lastTime values(group_added) as group_added values(accounts_added) as accounts_added values(ami_status) as ami_status by signature dest user user_agent src vendor_account vendor_region vendor_product
| `security_content_ctime(firstTime)`
|`security_content_ctime(lastTime)`
| `aws_ami_attribute_modification_for_exfiltration_filter`
ASL AWS EC2 Snapshot Shared Externally
- source: splunk
- technicques:
- T1537
Description
The following analytic detects when an EC2 snapshot is shared publicly by analyzing AWS CloudTrail events. This detection method leverages CloudTrail logs to identify modifications in snapshot permissions, specifically when the snapshot is shared outside the originating AWS account. This activity is significant as it may indicate an attempt to exfiltrate sensitive data stored in the snapshot. If confirmed malicious, an attacker could gain unauthorized access to the snapshot’s data, potentially leading to data breaches or further exploitation of the compromised information.
Detection logic
`amazon_security_lake` api.operation=ModifySnapshotAttribute
| spath input=api.request.data path=createVolumePermission.add.items{}.group output=group
| search group=all
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data
| rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_ec2_snapshot_shared_externally_filter`
AWS EC2 Snapshot Shared Externally
- source: splunk
- technicques:
- T1537
Description
The following analytic detects when an EC2 snapshot is shared with an external AWS account by analyzing AWS CloudTrail events. This detection method leverages CloudTrail logs to identify modifications in snapshot permissions, specifically when the snapshot is shared outside the originating AWS account. This activity is significant as it may indicate an attempt to exfiltrate sensitive data stored in the snapshot. If confirmed malicious, an attacker could gain unauthorized access to the snapshot’s data, potentially leading to data breaches or further exploitation of the compromised information.
Detection logic
`cloudtrail` eventName=ModifySnapshotAttribute
| rename requestParameters.createVolumePermission.add.items{}.userId as requested_account_id
| search requested_account_id != NULL
| eval match=if(requested_account_id==aws_account_id,"Match","No Match")
| where match = "No Match"
| rename user_name as user
| stats count min(_time) as firstTime max(_time) as lastTime by signature dest user user_agent src vendor_account vendor_region vendor_product requested_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_ec2_snapshot_shared_externally_filter`