Classification:

attack

Tactic:

TA0010-exfiltration

Technique:

T1537-transfer-data-to-cloud-account

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detect the possible exfiltration of an EBS snapshot.

Strategy

This rule allows you to monitor CloudTrail and detect the following API calls within a 15 minute time window:

• CreateSnapshot
• ModifySnapshotAttribute

An attacker can create a EBS snapshot from the EBS volume and modify the permissions of the snapshot to allow it to be shared publicly or with another AWS account. Using an attacker-controlled account, a new EBS volume can be created from the snapshot and attached to an EC2 instance for analysis.

Triage and response

1. Determine if {{@userIdentity.arn}} should have made the API calls.
2. If the API call was not made by the user:

• Rotate user credentials.
• Determine what other API calls were made by the user.
• Remove any snapshot attributes generated by the user with the aws-cli command modify-snapshot-attribute.
• Begin your organization’s incident response process and investigate.

3. If the API calls were made by the user:

• Determine if the user should be performing these API calls.
• If No, see if other API calls were made by the user and determine if they warrant further investigation.

Changelog

10 October 2022 - Updated query and severity.