Skip to content
Threat Feed
high advisory

AWS EC2 Snapshot Exfiltration Attempt

This analytic detects potential exfiltration of data from AWS EC2 instances through the suspicious creation, modification, and deletion of EC2 snapshots within a short timeframe, potentially leading to unauthorized data access.

This threat brief focuses on the detection of potential data exfiltration from AWS EC2 instances using EC2 snapshots. Attackers might attempt to exfiltrate sensitive data by creating snapshots of EC2 volumes, modifying snapshot attributes to share them externally, and then deleting the snapshot to cover their tracks. This activity can occur rapidly, within a 5-minute timeframe. This technique allows unauthorized individuals to gain access to the data stored in the EC2 volumes, leading to potential data breaches and compliance violations. The detection strategy leverages AWS CloudTrail logs, focusing on API calls related to snapshot manipulation. The exfiltration technique is further detailed in reports from Nettitude, bleemb.medium.com, and Stratus Red Team.

Attack Chain

  1. Attacker gains initial access to an AWS account, potentially through compromised credentials or a misconfigured IAM role.
  2. The attacker uses the CreateSnapshot API call to create a snapshot of a target EC2 volume containing sensitive data.
  3. The attacker uses DescribeSnapshotAttribute to check the existing attributes and permissions of the created snapshot.
  4. The attacker uses ModifySnapshotAttribute to modify the snapshot's attributes, specifically granting access to an external AWS account controlled by the attacker. This is done by adding the attacker's AWS account ID to the createVolumePermission.add.items{}.userId parameter.
  5. The attacker may repeatedly use DescribeSnapshotAttribute and ModifySnapshotAttribute to refine access permissions or attempt to bypass security controls.
  6. The attacker in the external AWS account creates a volume from the shared snapshot, gaining access to the data contained within.
  7. The attacker exfiltrates the data from the newly created volume to a location outside the victim's AWS environment.
  8. The attacker may use the DeleteSnapshot API call to delete the snapshot in the original AWS account, attempting to remove evidence of the exfiltration.

Impact

Successful exploitation leads to the exfiltration of sensitive data stored within EC2 volumes. The number of victims and sectors targeted can vary. The exfiltration may include customer data, financial records, or intellectual property, leading to significant financial losses, reputational damage, and legal liabilities. Data breaches resulting from this technique can also trigger compliance violations and regulatory scrutiny.

Recommendation

  • Deploy the provided Sigma rule (AWS EC2 Snapshot Exfiltration) to your SIEM and tune the threshold (distinct API calls >= 2) based on your environment's baseline activity.
  • Enable and monitor AWS CloudTrail logs to capture API calls related to EC2 snapshots, ensuring comprehensive logging of CreateSnapshot, DescribeSnapshotAttribute, ModifySnapshotAttribute, and DeleteSnapshot events.
  • Investigate any alerts generated by the Sigma rule, focusing on the user (user), source IP (src_ip), and affected AWS account (vendor_account) to determine if the activity is legitimate or malicious.
  • Review and enforce strict IAM policies to limit the ability of users and roles to create, modify, or share EC2 snapshots, reducing the attack surface.
  • Implement monitoring and alerting for unusual or unauthorized access to EC2 snapshots from external AWS accounts.

Detection coverage 2

AWS EC2 Snapshot Exfiltration

high

Detects a series of AWS API calls related to EC2 snapshots within a short time window, indicating potential exfiltration via EC2 Snapshot modifications.

sigma tactics: exfiltration techniques: T1537 sources: cloudtrail, aws

AWS EC2 Snapshot Shared to External Account

medium

Detects EC2 snapshot modification to grant access to an external AWS account, potentially indicating data exfiltration.

sigma tactics: exfiltration techniques: T1537 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →