AWS EC2 Export Task

  1[metadata]
  2creation_date = "2025/10/23"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2025/10/23"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies successful export tasks of EC2 instances via the APIs CreateInstanceExportTask, ExportImage, or
 11CreateStoreImageTask. These exports can be used by administrators for legitimate VM migration or backup workflows
 12however, an attacker with access to an EC2 instance or AWS credentials can export a VM or its image and then transfer it
 13off-account for exfiltration of data.
 14"""
 15false_positives = [
 16    """
 17    VM export and EC2 image creation may be done by system administrators, DevOps or migration teams as part of planned
 18    maintenance, disaster-recovery or known backup methods. Verify whether the user identity, user agent, and/or
 19    hostname should be making changes in your environment. Exports from unfamiliar users or hosts should be
 20    investigated. If known behavior is causing false positives, it can be exempted from the rule.
 21    """,
 22]
 23from = "now-6m"
 24index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 25language = "kuery"
 26license = "Elastic License v2"
 27name = "AWS EC2 Export Task"
 28note = """## Triage and analysis
 29
 30> **Disclaimer**:
 31> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 32
 33### Investigating AWS EC2 Export Task
 34
 35The APIs `CreateInstanceExportTask`, `ExportImage`, and `CreateStoreImageTask` allow the export of a running or stopped EC2 instance (or its AMI/image) to external storage (e.g., S3) or image formats. While often used for migration, cloning or backup, adversaries can leverage these actions to copy full VM state or images out of the environment for exfiltration.
 36
 37#### Possible investigation steps
 38
 39**Identify the actor and context**  
 40   - Check `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, `aws.cloudtrail.user_identity.access_key_id` to identify who made the call.  
 41   - Verify `user_agent.original`, `source.ip` and `@timestamp` to determine whether the action is by known automation, trusted operator, or an unexpected identity or location.  
 42   - Confirm `cloud.account.id` and `cloud.region` match the expected account/region for export tasks.
 43
 44**Examine the specific export/image task details**  
 45   - Review `aws.cloudtrail.request_parameters` for details such as the `InstanceId`, `TargetEnvironment`, `S3Bucket`, `S3Key`, `DiskImageFormat`, `ContainerFormat`. 
 46   - Check `aws.cloudtrail.response_elements` for the resulting export task ID and status.  
 47   - Determine whether the exported instance or image contained sensitive workloads (e.g., production databases, critical systems) via instance tags or asset inventory.
 48
 49**Pivot to related API calls/events**  
 50   - Look for follow-on tasks such as:  
 51     - S3 bucket writes or cross-account bucket ACL changes (`PutBucketAcl`/`PutBucketPolicy`) referencing the export S3 bucket or key.  
 52     - `CopyImage`, `ModifyImageAttribute`, or `ShareImage` events if the exported image is copied or shared.  
 53     - Network or usage anomalies in the region or from the S3 bucket (large downloads from the exported object).  
 54   - Check for preceding suspicious actions that could indicate compromise: `AssumeRole`, `CreateAccessKey`, `AttachUserPolicy`, or unusual `Describe*` operations.
 55
 56**Assess legitimacy and risk**  
 57   - Confirm whether this export was authorized (via change ticket or migration workflow) and whether the principal has a documented justification for VM export.  
 58   - If unauthorized, assess what was exported, where it is stored, how it may be transferred or used externally, and the data risk exposure.
 59
 60### False positive analysis
 61
 62- Legitimate migration or backup workflows may trigger these export/image APIs.  
 63- Development/test environments may export VM images or instances for sandbox cloning.  
 64- Known automation tools may create exports at scheduled times.  
 65
 66### Response and remediation
 67
 68- Immediately identify and disable or isolate any object/resource created by the export (e.g., the S3 bucket/object, image ID) that is suspected of unauthorized use.  
 69- Revoke the access credentials (`aws.cloudtrail.user_identity.access_key_id`) used if they show unusual activity.  
 70- Rotate keys, enforce MFA, and review IAM permissions for the principal.  
 71- Audit the exported VM/image: review its contents if possible, check whether it has been moved off-account.  
 72- Strengthen monitoring: set alerts for subsequent large data transfers from the S3 export location, cross-account sharing of exported images, or anomalous AMI imports.  
 73- Update policy: restrict who can perform exports, monitor export actions via AWS Config or CloudTrail, tag and track export tasks and their destinations.
 74"""
 75references = [
 76    "https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html",
 77    "https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport_image.html",
 78    "https://cloud.hacktricks.wiki/en/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ami-store-s3-exfiltration.html,",
 79]
 80risk_score = 47
 81rule_id = "deee5856-25ba-438d-ae53-09d66f41b127"
 82severity = "medium"
 83tags = [
 84    "Domain: Cloud",
 85    "Data Source: AWS",
 86    "Data Source: Amazon Web Services",
 87    "Data Source: AWS EC2",
 88    "Use Case: Asset Visibility",
 89    "Tactic: Exfiltration",
 90    "Tactic: Collection",
 91    "Resources: Investigation Guide",
 92]
 93timestamp_override = "event.ingested"
 94type = "query"
 95
 96query = '''
 97event.dataset: "aws.cloudtrail" and 
 98    event.provider: "ec2.amazonaws.com" and 
 99    event.action: ("CreateInstanceExportTask" or "ExportImage" or "CreateStoreImageTask") and 
100    event.outcome: "success"
101'''
102
103
104[[rule.threat]]
105framework = "MITRE ATT&CK"
106[[rule.threat.technique]]
107id = "T1537"
108name = "Transfer Data to Cloud Account"
109reference = "https://attack.mitre.org/techniques/T1537/"
110
111
112[rule.threat.tactic]
113id = "TA0010"
114name = "Exfiltration"
115reference = "https://attack.mitre.org/tactics/TA0010/"
116[[rule.threat]]
117framework = "MITRE ATT&CK"
118[[rule.threat.technique]]
119id = "T1005"
120name = "Data from Local System"
121reference = "https://attack.mitre.org/techniques/T1005/"
122
123[[rule.threat.technique]]
124id = "T1119"
125name = "Automated Collection"
126reference = "https://attack.mitre.org/techniques/T1119/"
127
128[[rule.threat.technique]]
129id = "T1530"
130name = "Data from Cloud Storage"
131reference = "https://attack.mitre.org/techniques/T1530/"
132
133
134[rule.threat.tactic]
135id = "TA0009"
136name = "Collection"
137reference = "https://attack.mitre.org/tactics/TA0009/"
138
139[rule.investigation_fields]
140field_names = [
141    "@timestamp",
142    "user.name",
143    "user_agent.original",
144    "source.ip",
145    "aws.cloudtrail.user_identity.arn",
146    "aws.cloudtrail.user_identity.type",
147    "aws.cloudtrail.user_identity.access_key_id",
148    "event.action",
149    "event.outcome",
150    "cloud.account.id",
151    "cloud.region",
152    "aws.cloudtrail.request_parameters",
153    "aws.cloudtrail.response_elements"
154]