VM export and EC2 image creation may be done by system administrators, DevOps or migration teams as part of planned maintenance, disaster recovery or known backup methods. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

AWS EC2 Export Task

Description

Identifies successful export tasks of EC2 instances via the CreateInstanceExportTask, ExportImage, or CreateStoreImageTask APIs. Administrators use these exports for legitimate VM migration or backup workflows; however, an attacker with access to an EC2 instance or to AWS credentials can export a VM or its image and then transfer it off-account to exfiltrate data.

Detection logic

event.dataset: "aws.cloudtrail" and
    event.provider: "ec2.amazonaws.com" and
    event.action: ("CreateInstanceExportTask" or "ExportImage" or "CreateStoreImageTask") and
    event.outcome: "success"
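The following Python is an added example (not part of this LoFP entry or of the rule's own code) that applies the detection logic above to a handful of constructed CloudTrail events in ECS field layout, then applies the exemption step from the false-positive note: an event is exempted only when both the known identity and the user agent it is expected to use match, so the same service account seen from an unexpected client still alerts. The user names, user-agent strings and the KNOWN_EXPORTERS table are assumptions for illustration; the KQL exemption clause it prints is one way to encode the same exemptions in the rule, not text taken from the rule.

```python
from typing import Any

# Actions the rule treats as an EC2 export (from the detection logic above).
EXPORT_ACTIONS = {"CreateInstanceExportTask", "ExportImage", "CreateStoreImageTask"}

# Hypothetical exemption table: known exporting identity -> user-agent prefixes
# it is expected to use. Both the identity and the agent must match to exempt.
KNOWN_EXPORTERS = {
    "migration-svc": ("aws-cli/",),
}

# Constructed CloudTrail events in ECS field layout (sample data, not real logs).
SAMPLE_EVENTS = [
    {"event": {"dataset": "aws.cloudtrail", "provider": "ec2.amazonaws.com",
               "action": "CreateInstanceExportTask", "outcome": "success"},
     "user": {"name": "migration-svc"},
     "user_agent": {"original": "aws-cli/2.15.30 Python/3.11"}},
    {"event": {"dataset": "aws.cloudtrail", "provider": "ec2.amazonaws.com",
               "action": "ExportImage", "outcome": "success"},
     "user": {"name": "contractor-tmp"},
     "user_agent": {"original": "console.ec2.amazonaws.com"}},
    {"event": {"dataset": "aws.cloudtrail", "provider": "ec2.amazonaws.com",
               "action": "CreateStoreImageTask", "outcome": "success"},
     "user": {"name": "migration-svc"},
     "user_agent": {"original": "Boto3/1.34.0"}},
    {"event": {"dataset": "aws.cloudtrail", "provider": "ec2.amazonaws.com",
               "action": "ExportImage", "outcome": "failure"},
     "user": {"name": "contractor-tmp"},
     "user_agent": {"original": "aws-cli/2.15.30"}},
    {"event": {"dataset": "aws.cloudtrail", "provider": "ec2.amazonaws.com",
               "action": "DescribeInstances", "outcome": "success"},
     "user": {"name": "contractor-tmp"},
     "user_agent": {"original": "aws-cli/2.15.30"}},
]


def field(evt: dict, path: str) -> Any:
    """Resolve a dotted ECS field name such as 'event.action' against a nested dict."""
    cur: Any = evt
    for part in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def matches_rule(evt: dict) -> bool:
    """Same predicate as the rule's KQL: CloudTrail, EC2 provider, export action, success."""
    return (
        field(evt, "event.dataset") == "aws.cloudtrail"
        and field(evt, "event.provider") == "ec2.amazonaws.com"
        and field(evt, "event.action") in EXPORT_ACTIONS
        and field(evt, "event.outcome") == "success"
    )


def is_exempt(evt: dict, known: dict = KNOWN_EXPORTERS) -> bool:
    """Exempt only when the identity AND one of its expected user-agent prefixes match."""
    agent = field(evt, "user_agent.original") or ""
    prefixes = known.get(field(evt, "user.name"), ())
    return any(agent.startswith(p) for p in prefixes)


def triage(events: list, known: dict = KNOWN_EXPORTERS) -> list:
    """Return one verdict per matching event; events the rule does not match are dropped."""
    out = []
    for evt in events:
        if not matches_rule(evt):
            continue
        out.append({
            "user": field(evt, "user.name"),
            "action": field(evt, "event.action"),
            "user_agent": field(evt, "user_agent.original"),
            "verdict": "exempt" if is_exempt(evt, known) else "alert",
        })
    return out


def kql_exemption(known: dict = KNOWN_EXPORTERS) -> str:
    """Build an 'and not (...)' clause expressing the same exemptions in KQL (assumed shape)."""
    clauses = []
    for user, prefixes in sorted(known.items()):
        agents = " or ".join(f"{p}*" for p in prefixes)
        clauses.append(f'(user.name: "{user}" and user_agent.original: ({agents}))')
    return "and not (" + " or ".join(clauses) + ")"


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
    print(kql_exemption())
```

Running it yields three matching events: the CLI export by migration-svc is exempted, the console export by contractor-tmp alerts, and the CreateStoreImageTask by migration-svc through an unexpected SDK also alerts, which is the point of keying the exemption on identity and user agent together rather than on the user name alone. The failed ExportImage and the DescribeInstances call never match the rule.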