AWS Snapshot Backup Exfiltration
Detects the modification of an EC2 snapshot's permissions to enable access from another account
Sigma rule
title: AWS Snapshot Backup Exfiltration
id: abae8fec-57bd-4f87-aff6-6e3db989843d
status: test
description: Detects the modification of an EC2 snapshot's permissions to enable access from another account
references:
    - https://www.justice.gov/file/1080281/download
author: Darin Smith
date: 2021-05-17
modified: 2021-08-19
tags:
    - attack.exfiltration
    - attack.t1537
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_source:
        eventSource: ec2.amazonaws.com
        eventName: ModifySnapshotAttribute
    condition: selection_source
falsepositives:
    - Valid change to a snapshot's permissions
level: medium
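The rule matches every ModifySnapshotAttribute event, which is why valid permission changes appear under false positives. The following added example (not part of the Sigma rule or its project) triages matched CloudTrail records down to those that add a create-volume permission for an account outside an allow-list or for the public group; the `requestParameters` layout, the account IDs, the snapshot ID and the `TRUSTED_ACCOUNTS` allow-list are assumptions constructed for illustration.

```python
# Hypothetical allow-list: account IDs the organisation owns (constructed values).
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}

def _event(name, perm):
    """Build a constructed CloudTrail record; the field layout is an assumption."""
    return {
        "eventSource": "ec2.amazonaws.com",
        "eventName": name,
        "recipientAccountId": "111111111111",
        "requestParameters": {
            "snapshotId": "snap-0example",
            "attributeType": "CREATE_VOLUME_PERMISSION",
            "createVolumePermission": perm,
        },
    }

# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    _event("ModifySnapshotAttribute", {"add": {"items": [{"userId": "999999999999"}]}}),
    _event("ModifySnapshotAttribute", {"add": {"items": [{"group": "all"}]}}),
    _event("ModifySnapshotAttribute", {"add": {"items": [{"userId": "222222222222"}]}}),
    _event("ModifySnapshotAttribute", {"remove": {"items": [{"userId": "999999999999"}]}}),
    _event("DescribeSnapshots", {}),
]

def snapshot_share_findings(event, trusted=TRUSTED_ACCOUNTS):
    """Return (snapshot_id, grantee) pairs for grants made outside the allow-list."""
    # Same selection as the Sigma rule: eventSource plus eventName.
    if event.get("eventSource") != "ec2.amazonaws.com":
        return []
    if event.get("eventName") != "ModifySnapshotAttribute":
        return []
    params = event.get("requestParameters") or {}
    perm = params.get("createVolumePermission") or {}
    added = (perm.get("add") or {}).get("items") or []
    findings = []
    for item in added:
        if item.get("group") == "all":  # snapshot shared with every AWS account
            findings.append((params.get("snapshotId"), "public"))
        elif item.get("userId") and item["userId"] not in trusted:
            findings.append((params.get("snapshotId"), item["userId"]))
    return findings

def triage(events):
    """Flatten the findings for a batch of records."""
    return [f for e in events for f in snapshot_share_findings(e)]
```

Permission removals and grants to allow-listed accounts still match the Sigma rule but produce no finding here, so the rule's alert can stay broad while the triage step ranks the results.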
References
Related rules
- AWS EC2 VM Export Failure
- AWS S3 Data Management Tampering
- Data Exfiltration to Unsanctioned Apps
- Suspicious BlackCat-Related Exfiltration Command
- APT40 Dropbox Tool User Agent