AWS EC2 VM Export Failure

Oct 17, 2023 · attack.collection attack.t1005 attack.exfiltration attack.t1537 ·

An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.

Sigma rule (View on GitHub)

 1title: AWS EC2 VM Export Failure
 2id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b
 3status: test
 4description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
 5references:
 6    - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
 7author: Diogo Braz
 8date: 2020/04/16
 9modified: 2022/10/05
10tags:
11    - attack.collection
12    - attack.t1005
13    - attack.exfiltration
14    - attack.t1537
15logsource:
16    product: aws
17    service: cloudtrail
18detection:
19    selection:
20        eventName: 'CreateInstanceExportTask'
21        eventSource: 'ec2.amazonaws.com'
22    filter1:
23        errorMessage|contains: '*'
24    filter2:
25        errorCode|contains: '*'
26    filter3:
27        responseElements|contains: 'Failure'
28    condition: selection and not 1 of filter*
29level: low

References

Exporting an instance as a VM using VM Import/Export - VM Import/Export

Export a copy of an EC2 instance to your on-premises virtualization environment.

Read More

AWS EC2 VM Export Failure

Sigma rule (View on GitHub)

References

Exporting an instance as a VM using VM Import/Export - VM Import/Export

Related rules