Detect shared ec2 snapshot
Description
The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot permissions are modified to be shared with a different AWS account. This method is used by adversaries to exfiltrate the EC2 snapshot.
- Type: TTP
- Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2021-07-20
- Author: Bhavin Patel, Splunk
- ID: 2a9b80d3-6340-4345-b5ad-290bf3d222c4
ATT&CK
| ID | Technique | Tactic |
|---|---|---|
| T1537 | Transfer Data to Cloud Account | Exfiltration |
Search
`cloudtrail` eventName=ModifySnapshotAttribute
| rename requestParameters.createVolumePermission.add.items{}.userId as requested_account_id
| search requested_account_id != NULL
| eval match=if(requested_account_id==aws_account_id,"Match","No Match")
| table _time user_arn src_ip requestParameters.attributeType requested_account_id aws_account_id match vendor_region user_agent
| where match = "No Match"
| `detect_shared_ec2_snapshot_filter`
Associated Analytic Story
How To Implement
You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
Required field
- _time
- eventName
- user_arn
- src_ip
- requestParameters.attributeType
- aws_account_id
- vendor_region
- user_agent
Kill Chain Phase
- Actions on Objectives
Known False Positives
It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose.
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 48.0 | 60 | 80 | AWS EC2 snapshot from account $aws_account_id$ is shared with $requested_account_id$ by user $user_arn$ from $src_ip$ |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 2