Techniques
Sample rules
AWS EC2 Snapshot Shared Externally
- source: splunk
- techniques:
- T1537
Description
The following analytic uses AWS CloudTrail events to identify when an EC2 snapshot's permissions are modified to share it with a different AWS account. Adversaries use this to exfiltrate the snapshot's data: once a foreign account is granted permission to create volumes from the snapshot, the contents can be copied out of the victim account without touching the victim's own data paths.
Detection logic
`cloudtrail` eventName=ModifySnapshotAttribute
| rename requestParameters.createVolumePermission.add.items{}.userId as requested_account_id
| search requested_account_id != NULL
| eval match=if(requested_account_id==aws_account_id,"Match","No Match")
| table _time user_arn src_ip requestParameters.attributeType requested_account_id aws_account_id match vendor_region user_agent userIdentity.principalId
| where match = "No Match"
| `aws_ec2_snapshot_shared_externally_filter`
AWS AMI Attribute Modification for Exfiltration
- source: splunk
- techniques:
- T1537
Description
This search looks for suspicious AWS AMI attribute modifications, such as sharing an AMI with another AWS account or making it public. Adversaries are known to abuse these APIs to exfiltrate sensitive organizational data stored in AWS resources, so it is important to monitor this seemingly benign API activity in CloudTrail logs.
Detection logic
`cloudtrail` eventName=ModifyImageAttribute (requestParameters.launchPermission.add.items{}.userId = * OR requestParameters.launchPermission.add.items{}.group = all)
| rename requestParameters.launchPermission.add.items{}.group as group_added
| rename requestParameters.launchPermission.add.items{}.userId as accounts_added
| eval ami_status=if(match(group_added,"all") ,"Public AMI", "Not Public")
| stats count min(_time) as firstTime max(_time) as lastTime values(group_added) values(accounts_added) as accounts_added values(ami_status) by src_ip region eventName userAgent user_arn aws_account_id userIdentity.principalId
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_ami_attribute_modification_for_exfiltration_filter`
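The two SPL searches above only run inside Splunk, so the following is an added example (not Splunk's code, and not part of the original page) that re-implements both detections in Python over constructed CloudTrail records, so the logic can be exercised offline. It assumes raw CloudTrail JSON field names (recipientAccountId stands in for the Splunk aws_account_id field, sourceIPAddress for src_ip, and so on); all account IDs, ARNs, IPs and resource IDs are placeholders. It goes one step beyond the first rule: a snapshot can also be made public with group=all, which the userId-only rename in the SPL would not catch, so that case is flagged too.

```python
"""Re-implementation of the 'EC2 Snapshot Shared Externally' and 'AMI Attribute
Modification for Exfiltration' detections over constructed CloudTrail records."""
import json

OWN = "111111111111"      # placeholder: the monitored account
FOREIGN = "999999999999"  # placeholder: an account outside the organization


def _record(event_name, when, request_parameters, account=OWN):
    """Build a minimal constructed CloudTrail record with only the fields the detections use."""
    return {
        "eventTime": when, "eventName": event_name, "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15",
        "userIdentity": {"principalId": "AIDAEXAMPLE1", "arn": f"arn:aws:iam::{account}:user/alice"},
        "recipientAccountId": account,
        "requestParameters": request_parameters,
    }


# Constructed sample events (not real logs).
SAMPLE_CLOUDTRAIL_RECORDS = [
    # benign: snapshot shared with the account that already owns it
    _record("ModifySnapshotAttribute", "2024-05-01T10:00:00Z",
            {"snapshotId": "snap-0a1", "attributeType": "CREATE_VOLUME_PERMISSION",
             "createVolumePermission": {"add": {"items": [{"userId": OWN}]}}}),
    # snapshot shared with a foreign account: should alert
    _record("ModifySnapshotAttribute", "2024-05-01T10:05:00Z",
            {"snapshotId": "snap-0a2", "attributeType": "CREATE_VOLUME_PERMISSION",
             "createVolumePermission": {"add": {"items": [{"userId": FOREIGN}]}}}),
    # snapshot made public via group=all: the SPL keys on userId only; flagged here as an extension
    _record("ModifySnapshotAttribute", "2024-05-01T10:06:00Z",
            {"snapshotId": "snap-0a3", "attributeType": "CREATE_VOLUME_PERMISSION",
             "createVolumePermission": {"add": {"items": [{"group": "all"}]}}}),
    # AMI shared with a foreign account: "Not Public" but still an alert
    _record("ModifyImageAttribute", "2024-05-01T10:10:00Z",
            {"imageId": "ami-0b1", "attributeType": "launchPermission",
             "launchPermission": {"add": {"items": [{"userId": FOREIGN}]}}}),
    # AMI made public: "Public AMI"
    _record("ModifyImageAttribute", "2024-05-01T10:12:00Z",
            {"imageId": "ami-0b2", "attributeType": "launchPermission",
             "launchPermission": {"add": {"items": [{"group": "all"}]}}}),
    # AMI attribute change that adds no launch permission: excluded by the base search
    _record("ModifyImageAttribute", "2024-05-01T10:13:00Z",
            {"imageId": "ami-0b2", "attributeType": "description", "description": {"value": "x"}}),
    # unrelated read-only call: ignored by both detections
    _record("DescribeSnapshots", "2024-05-01T10:14:00Z", {}),
]


def _added_items(record, permission_key):
    """requestParameters.<permission_key>.add.items, or [] when the call adds no permission."""
    perm = record.get("requestParameters", {}).get(permission_key) or {}
    return (perm.get("add") or {}).get("items") or []


def detect_snapshot_shared_externally(records):
    """One finding per principal granted createVolumePermission that is not the owning account."""
    findings = []
    for r in records:
        if r.get("eventName") != "ModifySnapshotAttribute":
            continue
        own_account = r.get("recipientAccountId")
        for item in _added_items(r, "createVolumePermission"):
            requested = item.get("userId")
            if requested is None and item.get("group") == "all":
                requested = "all"  # public share rather than a specific account
            if requested is None or requested == own_account:
                continue           # the SPL's final `where match = "No Match"` drops these
            findings.append({
                "_time": r["eventTime"], "user_arn": r["userIdentity"]["arn"],
                "src_ip": r["sourceIPAddress"], "snapshot_id": r["requestParameters"].get("snapshotId"),
                "requested_account_id": requested, "aws_account_id": own_account, "match": "No Match",
            })
    return findings


def detect_ami_attribute_modification(records):
    """ModifyImageAttribute calls that add a launch permission, aggregated per actor/source
    the way the SPL's stats clause does (count, first/last time, accounts added, AMI status)."""
    rows = {}
    for r in records:
        if r.get("eventName") != "ModifyImageAttribute":
            continue
        items = _added_items(r, "launchPermission")
        accounts_added = {i["userId"] for i in items if "userId" in i}
        groups_added = {i["group"] for i in items if "group" in i}
        if not accounts_added and "all" not in groups_added:
            continue  # matches the SPL base search: userId=* OR group=all
        key = (r["sourceIPAddress"], r["awsRegion"], r["eventName"], r["userAgent"],
               r["userIdentity"]["arn"], r["recipientAccountId"], r["userIdentity"]["principalId"])
        row = rows.setdefault(key, {"src_ip": key[0], "user_arn": key[4], "count": 0,
                                    "firstTime": r["eventTime"], "lastTime": r["eventTime"],
                                    "accounts_added": set(), "ami_status": set()})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], r["eventTime"])  # ISO-8601 strings sort correctly
        row["lastTime"] = max(row["lastTime"], r["eventTime"])
        row["accounts_added"] |= accounts_added
        row["ami_status"].add("Public AMI" if "all" in groups_added else "Not Public")
    return list(rows.values())


if __name__ == "__main__":
    print(json.dumps(detect_snapshot_shared_externally(SAMPLE_CLOUDTRAIL_RECORDS), indent=2))
    print(json.dumps(detect_ami_attribute_modification(SAMPLE_CLOUDTRAIL_RECORDS), indent=2, default=sorted))
```

Run against the constructed records, the first detection yields two findings (the foreign-account share and the public share) and ignores the self-share; the second collapses the two AMI changes from the same actor into one row with count 2 and both "Public AMI" and "Not Public" statuses, while the description-only change and the DescribeSnapshots call produce nothing. When porting findings back to Splunk, remember that the comparison in the first rule is only as good as the aws_account_id field: if that field is missing or normalized differently from requestParameters.createVolumePermission.add.items{}.userId, every event shows as "No Match".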