<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Snapshot - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/snapshot/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 15 Nov 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/snapshot/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS RDS DB Snapshot Shared with Another Account</title><link>https://feed.craftedsignal.io/briefs/2024-11-aws-rds-snapshot-shared/</link><pubDate>Fri, 15 Nov 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-11-aws-rds-snapshot-shared/</guid><description>An AWS RDS DB snapshot is shared with another AWS account or made public, potentially enabling unauthorized access, offline analysis, or data exfiltration by allowing adversaries to restore the snapshot in their controlled infrastructure.</description><content:encoded><![CDATA[<p>This threat focuses on the exfiltration of data from AWS RDS DB snapshots. Adversaries with valid credentials or through misconfigurations may modify snapshot attributes to grant access to accounts they control, bypassing existing security measures. This allows the attacker to restore the snapshot in an environment they control, enabling unauthorized access, offline analysis, or data exfiltration. The attack starts when modifications are made to snapshot attributes adding one or more additional AWS accounts to the snapshot's restore permissions. The rule &quot;AWS RDS DB Snapshot Shared with Another Account&quot; from Elastic detects these successful modifications. This is a critical issue, as DB snapshots contain complete backups of database instances, including schemas, table data, and sensitive application content.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains access to an AWS account through compromised credentials or exploiting a misconfiguration.</li>
<li><strong>Discovery:</strong> The attacker uses reconnaissance actions such as <code>DescribeDBSnapshots</code> or <code>DescribeDBInstances</code> to identify valuable RDS DB snapshots.</li>
<li><strong>Privilege Escalation (Optional):</strong> The attacker may attempt to escalate privileges using techniques like <code>AttachRolePolicy</code>, <code>PutUserPolicy</code>, or <code>AssumeRole</code> to gain the necessary permissions to modify snapshot attributes.</li>
<li><strong>Modify DBSnapshotAttribute:</strong> The attacker modifies the snapshot's attributes using the <code>ModifyDBSnapshotAttribute</code> or <code>ModifyDBClusterSnapshotAttribute</code> API calls, adding the attacker's AWS account to the restore permissions.</li>
<li><strong>Snapshot Copying (Optional):</strong> The attacker may copy the snapshot using the <code>CopyDBSnapshot</code> event to another region or account under their control.</li>
<li><strong>Snapshot Restoration:</strong> The attacker restores the snapshot in their AWS environment. This creates a new DB instance or cluster with the data from the snapshot.</li>
<li><strong>Data Exfiltration:</strong> The attacker accesses the restored database instance and extracts the sensitive data.</li>
<li><strong>Cleanup (Optional):</strong> The attacker may attempt to cover their tracks by deleting CloudTrail logs or modifying other security configurations.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows the attacker to exfiltrate sensitive data contained within the RDS DB snapshot. The number of potential victims is dependent on how widely these snapshots are shared and on the value of the data contained within. Sectors that rely heavily on cloud databases are at increased risk. Consequences of successful attacks include data breaches, financial loss, reputational damage, and legal liabilities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Elastic EQL rule &quot;AWS RDS DB Snapshot Shared with Another Account&quot; to your SIEM to detect unauthorized snapshot modifications, tuning it for your environment.</li>
<li>Restrict snapshot sharing using IAM condition keys (<code>kms:ViaService</code>, <code>rds:dbSnapshotArn</code>, <code>aws:PrincipalArn</code>) as noted in the overview, and remediate existing cross-account access.</li>
<li>Enable AWS Config rules and Security Hub controls for public or cross-account snapshot access, based on the recommendation in the overview section.</li>
<li>Monitor AWS CloudTrail logs for <code>ModifyDBSnapshotAttribute</code> and <code>ModifyDBClusterSnapshotAttribute</code> events (as seen in the Attack Chain) to identify suspicious activity.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>rds</category><category>snapshot</category><category>exfiltration</category></item><item><title>AWS RDS Snapshot Deletion Detected</title><link>https://feed.craftedsignal.io/briefs/2024-07-aws-rds-snapshot-deletion/</link><pubDate>Wed, 03 Jul 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-07-aws-rds-snapshot-deletion/</guid><description>The deletion of AWS RDS DB snapshots or disabling backups via configuration changes can inhibit recovery, destroy forensic evidence, and prepare for destructive actions by adversaries.</description><content:encoded><![CDATA[<p>This rule detects the deletion of AWS RDS DB snapshots or configuration changes that effectively remove backup coverage for a DB instance. RDS snapshots contain full backups of database instances, and disabling automated backups by setting &quot;backupRetentionPeriod=0&quot; has a similar impact by preventing future restore points. A threat actor with sufficient AWS permissions may delete snapshots or disable backups to inhibit recovery, destroy forensic evidence, or prepare for follow-on destructive actions such as instance or cluster deletion. The rule focuses on successful snapshot deletions and backup disabling events within AWS RDS. The scope includes any AWS environment utilizing RDS for database services.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains access to an AWS account with sufficient permissions to manage RDS instances and snapshots, possibly through compromised credentials or an IAM role with excessive privileges.</li>
<li>The attacker enumerates available RDS DB instances and snapshots within the target AWS account using AWS CLI or API calls (e.g., <code>DescribeDBSnapshots</code>, <code>DescribeDBInstances</code>).</li>
<li>The attacker identifies target DB instances and their associated snapshots that are critical for recovery or contain valuable forensic data.</li>
<li>The attacker deletes RDS DB snapshots using the <code>DeleteDBSnapshot</code> API call, effectively removing restore points.</li>
<li>Alternatively, the attacker modifies the DB instance configuration using the <code>ModifyDBInstance</code> API call, setting <code>backupRetentionPeriod</code> to 0 to disable automated backups and prevent future restore points.</li>
<li>The attacker may then delete the RDS instance itself using DeleteDBInstance.</li>
<li>The attacker attempts to cover their tracks by deleting relevant CloudTrail logs or disabling CloudTrail logging.</li>
<li>The attacker's objective is to prevent restoration to a known-good state and destroy forensic evidence of attacker actions, potentially as part of a ransomware attack or data exfiltration attempt.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful deletion of RDS snapshots or disabling of backups can lead to significant data loss and prolonged downtime, making recovery from security incidents or operational failures difficult or impossible. This can impact business continuity, data integrity, and regulatory compliance. The precise impact depends on the criticality of the affected databases and the availability of alternative backup mechanisms. If successful, this can result in total data loss for the organization.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect suspicious <code>DeleteDBSnapshot</code>, <code>DeleteDBClusterSnapshot</code>, or <code>ModifyDBInstance</code> events setting <code>backupRetentionPeriod=0</code> in AWS CloudTrail logs.</li>
<li>Restrict IAM permissions for <code>rds:DeleteDBSnapshot</code>, <code>rds:DeleteDBClusterSnapshot</code>, and <code>rds:ModifyDBInstance</code> (especially backup and deletion-related parameters) to a small set of privileged roles, as described in the remediation steps.</li>
<li>Use AWS Config rules and/or Security Hub controls to detect instances with <code>backupRetentionPeriod=0</code>, as recommended in the hardening and preventive controls section.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>rds</category><category>snapshot</category><category>backup</category><category>datadestruction</category></item><item><title>AWS EC2 EBS Snapshot Access Permissions Removed</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-ebs-snapshot-access-removed/</link><pubDate>Tue, 09 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-ebs-snapshot-access-removed/</guid><description>Detection of AWS EC2 EBS snapshot access permissions removal can indicate malicious attempts to disrupt data recovery, evade detection, or maintain exclusive backup access, leading to increased attack impact and incident response complexity.</description><content:encoded><![CDATA[<p>This detection identifies the removal of access permissions from shared AWS EC2 EBS snapshots using AWS CloudTrail logs. EBS snapshots are critical for data retention and disaster recovery. Threat actors may attempt to revoke or modify snapshot permissions to prevent legitimate users or processes from accessing backups, which hinders recovery efforts following data loss or destructive actions. This tactic can also be employed to evade detection or maintain exclusive access to sensitive backups, amplifying the impact of attacks and complicating incident response. This behavior matters because successful removal of access can significantly delay or prevent data recovery, leading to prolonged downtime and potential data loss. The rule focuses on identifying <code>ModifySnapshotAttribute</code> events where access is being removed, specifically looking for changes to <code>CREATE_VOLUME_PERMISSION</code> via <code>remove=</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains unauthorized access to an AWS account, possibly through compromised credentials or exploiting IAM misconfigurations.</li>
<li>The attacker enumerates available EC2 EBS snapshots within the targeted AWS environment to identify potential targets for disruption.</li>
<li>The attacker uses the <code>ModifySnapshotAttribute</code> API call to remove access permissions from the identified EBS snapshots, specifically targeting the <code>CREATE_VOLUME_PERMISSION</code> attribute.</li>
<li>The request parameters in the CloudTrail logs indicate the removal of access, observed through the presence of <code>&quot;attributeType=CREATE_VOLUME_PERMISSION&quot;</code> and <code>&quot;remove=&quot;</code>.</li>
<li>Legitimate users or automated processes attempting to restore data from the affected snapshots will fail, hindering recovery efforts.</li>
<li>The attacker may repeat the process across multiple snapshots to maximize the impact and disrupt the entire recovery strategy.</li>
<li>The attacker may also delete snapshots entirely using <code>DeleteSnapshot</code> to ensure complete data loss.</li>
<li>The attacker achieves their objective of disrupting business operations, holding data for ransom, or covering tracks by preventing forensic analysis and recovery.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful removal of EBS snapshot access can have significant consequences. Organizations may face extended downtime, data loss, and reputational damage. Depending on the criticality of the affected systems, financial losses and regulatory penalties may also occur. The number of victims and sectors targeted can vary, but any organization relying on AWS for data storage and backup is potentially at risk. If the attack succeeds, the organization's ability to recover from data loss events like ransomware or accidental deletion is severely compromised, potentially leading to irreversible data loss.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS EBS Snapshot Access Removal</code> to detect unauthorized modification of snapshot access permissions in your AWS environment. Enable AWS CloudTrail logging and ensure logs are ingested to your SIEM (Security Information and Event Management) to enable the rule.</li>
<li>Review IAM policies and restrict <code>ec2:ModifySnapshotAttribute</code> permissions to only trusted administrative roles as mentioned in the rule's investigation steps.</li>
<li>Enable AWS Config rules and Security Hub controls such as <code>ebs-snapshot-public-restorable-check</code> to provide continuous monitoring and compliance checks, as recommended in the rule's response section.</li>
<li>Implement backup immutability using AWS Backup Vault Lock or S3 Object Lock to protect against unauthorized modifications, as mentioned in the response section.</li>
<li>Investigate any alerts generated by the Sigma rule, examining <code>aws.cloudtrail.user_identity.arn</code> and <code>source.ip</code> to identify the actor and source of the access removal, as indicated in the rule's triage section.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>ebs</category><category>snapshot</category><category>impact</category></item><item><title>Mass Azure Compute Snapshot Deletion</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-snapshot-deletion/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-snapshot-deletion/</guid><description>The rule detects mass deletion of Azure disk snapshots, which could indicate an adversary attempting to inhibit system recovery capabilities, destroy backup evidence, or prepare for a ransomware attack.</description><content:encoded><![CDATA[<p>This brief focuses on the detection of mass Azure compute snapshot deletions, a tactic used by threat actors to impede system recovery and potentially pave the way for ransomware attacks. The behavior is identified through Azure Activity Logs when a single user or service principal deletes multiple Azure disk snapshots within a short timeframe. The source research indicates that adversaries target snapshots to prevent victims from recovering data without paying ransom or to eliminate forensic evidence of their activities. Mass deletion of snapshots eliminates restore points, significantly impacting disaster recovery capabilities, and is a critical indicator of potentially malicious activity. The activity is detectable via Azure Activity Logs. This activity has been associated with groups like Storm-0501.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains unauthorized access to an Azure account or compromises a user account with sufficient privileges.</li>
<li>The attacker enumerates available Azure compute snapshots within the subscription.</li>
<li>The attacker initiates a mass deletion of Azure disk snapshots using the compromised account, often targeting critical system backups.</li>
<li>Azure Activity Logs record the snapshot deletion events, capturing details like the user, timestamp, and resource names.</li>
<li>The attacker may attempt to disable or modify other backup mechanisms to further hinder recovery efforts.</li>
<li>With snapshots deleted, the attacker proceeds with data encryption for ransomware attacks or other malicious activities.</li>
<li>The victim is left without readily available restore points, increasing the likelihood of paying a ransom or experiencing significant data loss.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful mass deletion of Azure compute snapshots can have severe consequences. Organizations may lose critical restore points, making data recovery difficult or impossible without paying a ransom. This can lead to significant downtime, financial losses, and reputational damage. Affected sectors include any organization relying on Azure for compute and storage services. The number of victims depends on the scope of the attack, but even a single successful incident can have a major impact.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Azure Compute Snapshot Deletions by User</code> to your SIEM to detect suspicious snapshot deletion activity (rule).</li>
<li>Investigate any alerts generated by the rule, focusing on the user or service principal involved and the number of snapshots deleted (rule).</li>
<li>Implement Azure Resource Locks on critical snapshots to prevent accidental or malicious deletion (reference).</li>
<li>Configure Azure Policy to restrict snapshot deletion permissions to only authorized backup administrators (reference).</li>
<li>Enable Azure Activity Log alerts and configure notifications to security teams immediately when snapshots are deleted (reference).</li>
<li>Review and enhance backup strategies to ensure redundant backup mechanisms exist beyond Azure snapshots, including geo-redundant backups and offline copies (reference).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>snapshot</category><category>data-destruction</category><category>impact</category></item><item><title>AWS EC2 Snapshot Shared Externally</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-ec2-snapshot-shared-externally/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-ec2-snapshot-shared-externally/</guid><description>Detection of AWS EC2 snapshot shared publicly, indicating potential data exfiltration, by analyzing AWS CloudTrail events.</description><content:encoded><![CDATA[<p>This analytic detects when an EC2 snapshot is shared publicly by analyzing AWS CloudTrail events. The detection method leverages CloudTrail logs ingested into Amazon Security Lake to identify modifications in snapshot permissions, specifically when the snapshot is shared outside the originating AWS account. This activity is significant as it may indicate an attempt to exfiltrate sensitive data stored in the snapshot. A threat actor could gain unauthorized access to the snapshot's data, potentially leading to data breaches or further exploitation of the compromised information. The rule focuses on <code>ModifySnapshotAttribute</code> events where the <code>createVolumePermission.add.items{}.group</code> is set to <code>all</code>, indicating public sharing.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS account, potentially through compromised credentials or other means.</li>
<li>The attacker enumerates existing EC2 snapshots within the AWS environment to identify potentially valuable data.</li>
<li>The attacker modifies the snapshot's attributes using the <code>ModifySnapshotAttribute</code> API call.</li>
<li>Within the API request, the attacker sets the <code>createVolumePermission.add.items{}.group</code> parameter to <code>all</code>, making the snapshot publicly accessible.</li>
<li>The CloudTrail logs record this <code>ModifySnapshotAttribute</code> event, capturing the details of the permission change.</li>
<li>The attacker, or any external party, can now create a volume from the publicly shared snapshot in their own AWS account.</li>
<li>The attacker mounts the volume to an EC2 instance and accesses the data stored within the snapshot.</li>
<li>The attacker exfiltrates sensitive data from the mounted volume, completing the objective of data theft.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack could lead to the exfiltration of sensitive data stored within the EC2 snapshot. The shared snapshot could be accessed by unauthorized individuals, leading to a data breach. This could result in financial losses, reputational damage, and legal liabilities. Depending on the data contained within the snapshot, the impact could range from exposure of proprietary business information to personally identifiable information (PII).</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect publicly shared EC2 snapshots based on <code>ModifySnapshotAttribute</code> events in Amazon Security Lake CloudTrail logs.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the user (<code>actor.user.uid</code>) and source IP address (<code>src_endpoint.ip</code>) associated with the event.</li>
<li>Review AWS IAM policies to ensure least privilege and restrict the ability to modify snapshot attributes.</li>
<li>Implement multi-factor authentication (MFA) for all AWS accounts to reduce the risk of compromised credentials.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>ec2</category><category>snapshot</category><category>data exfiltration</category><category>cloudtrail</category></item><item><title>AWS EC2 Snapshot Exfiltration Attempt</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-aws-ec2-snapshot-exfiltration/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-aws-ec2-snapshot-exfiltration/</guid><description>This analytic detects potential exfiltration of data from AWS EC2 instances through the suspicious creation, modification, and deletion of EC2 snapshots within a short timeframe, potentially leading to unauthorized data access.</description><content:encoded><![CDATA[<p>This threat brief focuses on the detection of potential data exfiltration from AWS EC2 instances using EC2 snapshots. Attackers might attempt to exfiltrate sensitive data by creating snapshots of EC2 volumes, modifying snapshot attributes to share them externally, and then deleting the snapshot to cover their tracks. This activity can occur rapidly, within a 5-minute timeframe. This technique allows unauthorized individuals to gain access to the data stored in the EC2 volumes, leading to potential data breaches and compliance violations. The detection strategy leverages AWS CloudTrail logs, focusing on API calls related to snapshot manipulation. The exfiltration technique is further detailed in reports from Nettitude, bleemb.medium.com, and Stratus Red Team.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to an AWS account, potentially through compromised credentials or a misconfigured IAM role.</li>
<li>The attacker uses the <code>CreateSnapshot</code> API call to create a snapshot of a target EC2 volume containing sensitive data.</li>
<li>The attacker uses <code>DescribeSnapshotAttribute</code> to check the existing attributes and permissions of the created snapshot.</li>
<li>The attacker uses <code>ModifySnapshotAttribute</code> to modify the snapshot's attributes, specifically granting access to an external AWS account controlled by the attacker. This is done by adding the attacker's AWS account ID to the <code>createVolumePermission.add.items{}.userId</code> parameter.</li>
<li>The attacker may repeatedly use <code>DescribeSnapshotAttribute</code> and <code>ModifySnapshotAttribute</code> to refine access permissions or attempt to bypass security controls.</li>
<li>The attacker in the external AWS account creates a volume from the shared snapshot, gaining access to the data contained within.</li>
<li>The attacker exfiltrates the data from the newly created volume to a location outside the victim's AWS environment.</li>
<li>The attacker may use the <code>DeleteSnapshot</code> API call to delete the snapshot in the original AWS account, attempting to remove evidence of the exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation leads to the exfiltration of sensitive data stored within EC2 volumes. The number of victims and sectors targeted can vary. The exfiltration may include customer data, financial records, or intellectual property, leading to significant financial losses, reputational damage, and legal liabilities. Data breaches resulting from this technique can also trigger compliance violations and regulatory scrutiny.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule (<code>AWS EC2 Snapshot Exfiltration</code>) to your SIEM and tune the threshold (distinct API calls &gt;= 2) based on your environment's baseline activity.</li>
<li>Enable and monitor AWS CloudTrail logs to capture API calls related to EC2 snapshots, ensuring comprehensive logging of <code>CreateSnapshot</code>, <code>DescribeSnapshotAttribute</code>, <code>ModifySnapshotAttribute</code>, and <code>DeleteSnapshot</code> events.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the user (<code>user</code>), source IP (<code>src_ip</code>), and affected AWS account (<code>vendor_account</code>) to determine if the activity is legitimate or malicious.</li>
<li>Review and enforce strict IAM policies to limit the ability of users and roles to create, modify, or share EC2 snapshots, reducing the attack surface.</li>
<li>Implement monitoring and alerting for unusual or unauthorized access to EC2 snapshots from external AWS accounts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>ec2</category><category>snapshot</category><category>data_exfiltration</category><category>cloudtrail</category></item></channel></rss>