LoFP: it is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose.

Techniques

Sample rules

AWS EC2 Snapshot Shared Externally

Description

The following analytic uses AWS CloudTrail events to identify when an EC2 snapshot's permissions are modified so that it is shared with a different AWS account. Adversaries use this method to exfiltrate the EC2 snapshot.

Detection logic

`cloudtrail` eventName=ModifySnapshotAttribute 
| rename requestParameters.createVolumePermission.add.items{}.userId as requested_account_id 
| search requested_account_id != NULL 
| eval match=if(requested_account_id==aws_account_id,"Match","No Match") 
| table _time user_arn src_ip requestParameters.attributeType requested_account_id aws_account_id match vendor_region user_agent userIdentity.principalId 
| where match = "No Match" 
| `aws_ec2_snapshot_shared_externally_filter` 

AWS AMI Attribute Modification for Exfiltration

Description

This search looks for suspicious AWS AMI attribute modifications, such as sharing the AMI with another AWS account or making the full AMI image public. Adversaries are known to abuse these APIs to exfiltrate sensitive organizational information stored in AWS resources, so it is important to monitor this seemingly benign API activity in CloudTrail logs.

Detection logic

`cloudtrail` eventName=ModifyImageAttribute (requestParameters.launchPermission.add.items{}.userId = * OR requestParameters.launchPermission.add.items{}.group = all)
| rename requestParameters.launchPermission.add.items{}.group as group_added
| rename requestParameters.launchPermission.add.items{}.userId as accounts_added
| eval ami_status=if(match(group_added,"all"), "Public AMI", "Not Public")
| stats count min(_time) as firstTime max(_time) as lastTime values(group_added) values(accounts_added) as accounts_added values(ami_status) by src_ip region eventName userAgent user_arn aws_account_id userIdentity.principalId
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_ami_attribute_modification_for_exfiltration_filter`
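The two detections above, re-implemented in Python over raw CloudTrail records so the matching logic can be checked outside Splunk; this is an added example, not code from the LoFP page or from the rule authors. It assumes events are plain CloudTrail record dicts whose owning account is `recipientAccountId` (the SPL's `aws_account_id`), and it goes one step beyond the snapshot rule by also flagging `createVolumePermission` with `group=all`, which makes a snapshot public.

```python
# Assumed input shape: CloudTrail record dicts; owning account taken from recipientAccountId.
def _added_items(event, perm_key):
    """add.items under requestParameters.<perm_key>, or [] if absent."""
    params = event.get("requestParameters") or {}
    return ((params.get(perm_key) or {}).get("add") or {}).get("items") or []
def snapshot_shared_externally(event):
    """Rule 1: createVolumePermission granted to a non-owner account ("No Match" in the
    SPL). Also flags group 'all' (public snapshot), which the SPL above does not check."""
    if event.get("eventName") != "ModifySnapshotAttribute":
        return []
    own, hits = event.get("recipientAccountId"), []
    for item in _added_items(event, "createVolumePermission"):
        if item.get("group") == "all":
            hits.append("all")
        elif "userId" in item and item["userId"] != own:
            hits.append(item["userId"])
    return hits  # empty list means benign (shared only with the owning account)
def ami_attribute_modified(event):
    """Rule 2: launchPermission added for another account or group 'all'.
    Returns (ami_status, accounts_added) like the SPL's eval/stats, or None."""
    if event.get("eventName") != "ModifyImageAttribute":
        return None
    items = _added_items(event, "launchPermission")
    accounts = [i["userId"] for i in items if "userId" in i]
    public = any(i.get("group") == "all" for i in items)
    if not accounts and not public:
        return None
    return ("Public AMI" if public else "Not Public", accounts)
def run(events):
    """Apply both rules to a batch of records; returns (rule_name, detail) alerts."""
    alerts = []
    for e in events:
        if ext := snapshot_shared_externally(e):
            alerts.append(("AWS EC2 Snapshot Shared Externally", ext))
        if ami := ami_attribute_modified(e):
            alerts.append(("AWS AMI Attribute Modification for Exfiltration", ami))
    return alerts

# Constructed sample records (not real logs), trimmed to the fields the rules use.
OWN = "111111111111"
def _ev(name, perm_key, action, items):
    return {"eventName": name, "recipientAccountId": OWN,
            "requestParameters": {perm_key: {action: {"items": items}}}}
SAMPLE_EVENTS = [
    _ev("ModifySnapshotAttribute", "createVolumePermission", "add", [{"userId": "222222222222"}]),  # external
    _ev("ModifySnapshotAttribute", "createVolumePermission", "add", [{"userId": OWN}]),  # benign
    _ev("ModifyImageAttribute", "launchPermission", "add", [{"group": "all"}]),  # AMI made public
    _ev("ModifyImageAttribute", "launchPermission", "remove", [{"userId": "333333333333"}]),  # ignored
]
```

Running `run(SAMPLE_EVENTS)` yields exactly two alerts: the externally shared snapshot and the public AMI; the share with the owning account and the permission removal are filtered out, mirroring the `match = "No Match"` and `add.items{}` conditions in the SPL.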