/
aws_ec2_snapshot_shared_externally.yml
69 lines (69 loc) · 2.5 KB
/
aws_ec2_snapshot_shared_externally.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
name: AWS EC2 Snapshot Shared Externally
id: 2a9b80d3-6340-4345-b5ad-290bf3d222c4
version: 3
date: '2023-03-20'
author: Bhavin Patel, Splunk
status: production
type: TTP
description: The following analytic utilizes AWS CloudTrail events to identify when
an EC2 snapshot permissions are modified to be shared with a different AWS account.
This method is used by adversaries to exfiltrate the EC2 snapshot.
data_source:
- AWS CloudTrail ModifySnapshotAttribute
search: '`cloudtrail` eventName=ModifySnapshotAttribute | rename requestParameters.createVolumePermission.add.items{}.userId
as requested_account_id | search requested_account_id != NULL | eval match=if(requested_account_id==aws_account_id,"Match","No Match") | table _time user_arn src_ip requestParameters.attributeType requested_account_id aws_account_id match vendor_region user_agent userIdentity.principalId | where match = "No Match" | `aws_ec2_snapshot_shared_externally_filter` '
how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This
search works with AWS CloudTrail logs.
known_false_positives: It is possible that an AWS admin has legitimately shared a
snapshot with others for a specific purpose.
references:
- https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/
- https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/
- https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/
tags:
analytic_story:
- Suspicious Cloud Instance Activities
- Data Exfiltration
asset_type: EC2 Snapshot
confidence: 80
impact: 60
message: AWS EC2 snapshot from account $aws_account_id$ is shared with $requested_account_id$
by user $user_arn$ from $src_ip$
mitre_attack_id:
- T1537
observable:
- name: user_arn
type: User
role:
- Attacker
- name: src_ip
type: IP Address
role:
- Attacker
- name: aws_account_id
type: Other
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- eventName
- user_arn
- src_ip
- requestParameters.attributeType
- aws_account_id
- vendor_region
- user_agent
- userIdentity.principalId
risk_score: 48
security_domain: threat
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_cloudtrail_events.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
update_timestamp: true