AWS EBS Snapshot possible exfiltration


Goal

Detect the possible exfiltration of an EBS snapshot.

Strategy

This rule monitors CloudTrail and detects the following sequence of API calls within a 15 minute time window:

An attacker can create an EBS snapshot of an EBS volume (the CreateSnapshot call) and then modify the snapshot's permissions (the ModifySnapshotAttribute call, acting on the createVolumePermission attribute) so that the snapshot is shared publicly or with another AWS account. From an attacker-controlled account, a new EBS volume can then be created from the snapshot and attached to an EC2 instance, giving the attacker offline access to everything stored on the original volume. Encryption limits what can be shared: unencrypted snapshots can be made public, snapshots encrypted with a customer managed KMS key can only be shared with specific accounts that are also granted access to that key, and snapshots encrypted with the default AWS managed key cannot be shared at all.

Triage and response

  1. Determine if {{@userIdentity.arn}} should have made the API calls.
  2. If the API calls were not made by the user:
  • Rotate the user's credentials.
  • Determine what other API calls were made by the user.
  • Check the snapshot's current sharing status with the aws-cli command describe-snapshot-attribute, then remove any createVolumePermission grants the user added with modify-snapshot-attribute (--operation-type remove), or revert the attribute to private with reset-snapshot-attribute.
  • Begin your organization's incident response process and investigate.
  3. If the API calls were made by the user:
  • Determine if the user should be performing these API calls.
  • If not, see if other API calls were made by the user and determine if they warrant further investigation.
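The correlation described under Strategy, together with the revert step from the triage list, as an added example written for this page; it is not Datadog's rule query or any AWS tooling. It assumes the rule keys on the same userIdentity.arn making both calls, and it uses constructed CloudTrail-shaped records (snapshot, volume and account identifiers are placeholders) rather than real log lines.

```python
"""Correlate CreateSnapshot and ModifySnapshotAttribute CloudTrail events by principal
within a 15 minute window, and emit the AWS CLI commands that undo the sharing grant."""
import json
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=15)  # the time window stated on the page


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sharing_targets(event):
    """Who a ModifySnapshotAttribute call grants createVolumePermission to:
    'all' for a public snapshot, otherwise 12-digit account IDs. Empty when the
    call only removes grants or touches a different attribute."""
    perm = (event.get("requestParameters") or {}).get("createVolumePermission") or {}
    targets = []
    for item in (perm.get("add") or {}).get("items", []):
        if item.get("group") == "all":
            targets.append("all")
        elif "userId" in item:
            targets.append(item["userId"])
    return targets


def revert_commands(region, snapshot_id, targets):
    """AWS CLI commands for the triage step that removes the grants the user added."""
    base = (f"aws ec2 modify-snapshot-attribute --region {region} --snapshot-id {snapshot_id}"
            " --attribute createVolumePermission --operation-type remove")
    cmds = []
    if "all" in targets:
        cmds.append(base + " --group-names all")
    account_ids = [t for t in targets if t != "all"]
    if account_ids:
        cmds.append(base + " --user-ids " + " ".join(account_ids))
    # Alternative that drops every grant at once and makes the snapshot private again.
    cmds.append(f"aws ec2 reset-snapshot-attribute --region {region} --snapshot-id {snapshot_id}"
                " --attribute createVolumePermission")
    return cmds


def detect(events, window=WINDOW):
    """Return a finding for each principal that shares a snapshot within `window`
    after creating one. Events may arrive out of order, so they are sorted first."""
    creates = {}  # arn -> [(time, snapshotId created)]
    findings = []
    for e in sorted(events, key=lambda x: parse_time(x["eventTime"])):
        if e.get("eventSource") != "ec2.amazonaws.com":
            continue
        arn, t = e["userIdentity"].get("arn"), parse_time(e["eventTime"])
        if e["eventName"] == "CreateSnapshot":
            creates.setdefault(arn, []).append(((t), (e.get("responseElements") or {}).get("snapshotId")))
        elif e["eventName"] == "ModifySnapshotAttribute":
            targets = sharing_targets(e)
            recent = [(ct, cs) for ct, cs in creates.get(arn, []) if t - window <= ct <= t]
            if not targets or not recent:
                continue
            snap = (e.get("requestParameters") or {}).get("snapshotId")
            findings.append({
                "arn": arn, "account": e["userIdentity"].get("accountId"), "region": e["awsRegion"],
                "snapshot_id": snap, "shared_with": targets, "public": "all" in targets,
                # The rule pairs the two calls; the shared snapshot need not be the new one.
                "snapshot_created_in_window": any(cs == snap for _, cs in recent),
                "revert_commands": revert_commands(e["awsRegion"], snap, targets),
            })
    return findings


def make_event(name, arn, time, request=None, response=None, region="us-east-1"):
    """Minimal CloudTrail-shaped record (constructed sample, not a real log entry)."""
    return {"eventVersion": "1.08", "eventTime": time, "eventSource": "ec2.amazonaws.com",
            "eventName": name, "awsRegion": region,
            "userIdentity": {"type": "IAMUser", "arn": arn, "accountId": arn.split(":")[4]},
            "requestParameters": request or {}, "responseElements": response or {}}


ALICE, BOB, DAVE = (f"arn:aws:iam::123456789012:user/{u}" for u in ("alice", "bob", "dave"))
SHARE_PUBLIC = {"createVolumePermission": {"add": {"items": [{"group": "all"}]}}}
SHARE_ACCT = {"createVolumePermission": {"add": {"items": [{"userId": "999988887777"}]}}}
UNSHARE = {"createVolumePermission": {"remove": {"items": [{"group": "all"}]}}}
SAMPLE_EVENTS = [  # constructed; placeholder IDs throughout
    # alice: share arrives in the feed before the create, 4.5 minutes apart -> finding (public)
    make_event("ModifySnapshotAttribute", ALICE, "2022-10-10T12:04:30Z", {"snapshotId": "snap-0aaa", **SHARE_PUBLIC}),
    make_event("CreateSnapshot", ALICE, "2022-10-10T12:00:00Z", {"volumeId": "vol-0aaa"}, {"snapshotId": "snap-0aaa"}),
    # bob: 30 minutes between the calls -> outside the window, no finding
    make_event("CreateSnapshot", BOB, "2022-10-10T13:00:00Z", {"volumeId": "vol-0bbb"}, {"snapshotId": "snap-0bbb"}),
    make_event("ModifySnapshotAttribute", BOB, "2022-10-10T13:30:00Z", {"snapshotId": "snap-0bbb", **SHARE_ACCT}),
    # dave: creates one snapshot, then shares an older one cross-account 10 minutes later -> finding
    make_event("CreateSnapshot", DAVE, "2022-10-10T15:00:00Z", {"volumeId": "vol-0ccc"}, {"snapshotId": "snap-0ccc"}),
    make_event("ModifySnapshotAttribute", DAVE, "2022-10-10T15:10:00Z", {"snapshotId": "snap-0ddd", **SHARE_ACCT}),
    # dave revokes a grant: removals are not exfiltration and are ignored
    make_event("ModifySnapshotAttribute", DAVE, "2022-10-10T15:11:00Z", {"snapshotId": "snap-0ddd", **UNSHARE}),
]

if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
```

Running the block prints two findings (alice's public share and dave's cross-account share); bob's share falls outside the window. The snapshot_created_in_window field is false for dave, which is worth surfacing during triage: the page's rule pairs the two calls by principal and timing, so the snapshot that was shared is not necessarily the one that was just created.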

Changelog

10 October 2022 - Updated query and severity.