Tag
AWS RDS DB Snapshot Shared with Another Account
2 rules 1 TTPAn AWS RDS DB snapshot is shared with another AWS account or made public, potentially enabling unauthorized access, offline analysis, or data exfiltration by allowing adversaries to restore the snapshot in their controlled infrastructure.
AWS RDS Snapshot Deletion Detected
3 rules 2 TTPsThe deletion of AWS RDS DB snapshots or disabling backups via configuration changes can inhibit recovery, destroy forensic evidence, and prepare for destructive actions by adversaries.
AWS EC2 EBS Snapshot Access Permissions Removed
2 rules 4 TTPsDetection of AWS EC2 EBS snapshot access permissions removal can indicate malicious attempts to disrupt data recovery, evade detection, or maintain exclusive backup access, leading to increased attack impact and incident response complexity.
Mass Azure Compute Snapshot Deletion
2 rules 2 TTPsThe rule detects mass deletion of Azure disk snapshots, which could indicate an adversary attempting to inhibit system recovery capabilities, destroy backup evidence, or prepare for a ransomware attack.
AWS EC2 Snapshot Shared Externally
2 rules 1 TTPDetection of AWS EC2 snapshot shared publicly, indicating potential data exfiltration, by analyzing AWS CloudTrail events.
AWS EC2 Snapshot Exfiltration Attempt
2 rules 1 TTPThis analytic detects potential exfiltration of data from AWS EC2 instances through the suspicious creation, modification, and deletion of EC2 snapshots within a short timeframe, potentially leading to unauthorized data access.