AWS Snapshot Backup Exfiltration

Detects the modification of an EC2 snapshot's permissions to enable access from another account

Sigma rule

title: AWS Snapshot Backup Exfiltration
id: abae8fec-57bd-4f87-aff6-6e3db989843d
status: test
description: Detects the modification of an EC2 snapshot's permissions to enable access from another account
references:
    - https://www.justice.gov/file/1080281/download
author: Darin Smith
date: 2021/05/17
modified: 2021/08/19
tags:
    - attack.exfiltration
    - attack.t1537
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_source:
        eventSource: ec2.amazonaws.com
        eventName: ModifySnapshotAttribute
    condition: selection_source
falsepositives:
    - Valid change to a snapshot's permissions
level: medium
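
The rule matches every ModifySnapshotAttribute call, so the listed false positive (a valid permission change) has to be separated out during triage. The following is an added example, not part of the rule or the Sigma project: it applies the same selection to CloudTrail records in Python and then checks which accounts were granted access. The requestParameters layout, the TRUSTED_ACCOUNTS allowlist, and all sample events are assumptions constructed for illustration.

```python
# Added example: the Sigma selection plus a triage step, over constructed records.
TRUSTED_ACCOUNTS = {"111122223333"}  # hypothetical allowlist of the org's own accounts

def matches_rule(event):
    """Same selection as the Sigma rule: eventSource AND eventName."""
    return (event.get("eventSource") == "ec2.amazonaws.com"
            and event.get("eventName") == "ModifySnapshotAttribute")

def added_grantees(event):
    """Accounts or groups newly granted createVolumePermission (assumed layout)."""
    params = event.get("requestParameters") or {}
    perm = params.get("createVolumePermission") or {}
    items = (perm.get("add") or {}).get("items") or []
    return [i["userId"] if "userId" in i else "group:" + i.get("group", "?")
            for i in items]

def triage(event):
    """None when the rule does not match, otherwise a verdict for the analyst."""
    if not matches_rule(event):
        return None
    external = [g for g in added_grantees(event) if g not in TRUSTED_ACCOUNTS]
    if "group:all" in external:
        verdict = "public-share"
    elif external:
        verdict = "external-share"
    else:
        verdict = "likely-benign"  # only trusted accounts added, or a removal
    params = event.get("requestParameters") or {}
    return {"snapshot": params.get("snapshotId"), "external": external,
            "verdict": verdict}

def _event(name, snapshot, permission):
    return {"eventSource": "ec2.amazonaws.com", "eventName": name,
            "requestParameters": {"snapshotId": snapshot,
                                  "createVolumePermission": permission}}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    _event("ModifySnapshotAttribute", "snap-0aaa", {"add": {"items": [{"userId": "444455556666"}]}}),
    _event("ModifySnapshotAttribute", "snap-0bbb", {"add": {"items": [{"userId": "111122223333"}]}}),
    _event("ModifySnapshotAttribute", "snap-0ccc", {"add": {"items": [{"group": "all"}]}}),
    _event("ModifySnapshotAttribute", "snap-0ddd", {"remove": {"items": [{"userId": "444455556666"}]}}),
    _event("CreateSnapshot", "snap-0eee", {}),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev))
```
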
