Detection | medium | test

AWS Snapshot Backup Exfiltration

Detects the modification of an EC2 snapshot's permissions to enable access from another account

Darin Smith | Created Mon May 17 | Updated Thu Aug 19 | abae8fec-57bd-4f87-aff6-6e3db989843d | cloud
Log Source
AWS cloudtrail
Product: AWS (raw: aws)
Service: cloudtrail (raw: cloudtrail)
Detection Logic (1 selector)
detection:
    selection_source:
        eventSource: ec2.amazonaws.com
        eventName: ModifySnapshotAttribute
    condition: selection_source
False Positives

Valid change to a snapshot's permissions
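
The selection matches every ModifySnapshotAttribute call, so valid permission changes hit it too. The following added example (not part of the Sigma rule or its repository) applies the selection to constructed CloudTrail records and marks the hits that grant access outside a trusted-account list. The requestParameters layout, the trusted list, the account IDs and all helper names are assumptions.

```python
# Added example. Sigma compares string values case-insensitively by default.
SELECTION = {"eventSource": "ec2.amazonaws.com",
             "eventName": "ModifySnapshotAttribute"}

def matches_rule(event):
    """Evaluate `condition: selection_source` against one CloudTrail record."""
    return all(str(event.get(k, "")).lower() == v.lower()
               for k, v in SELECTION.items())

def added_principals(event):
    """Accounts or groups granted createVolumePermission (assumed field layout)."""
    perm = (event.get("requestParameters") or {}).get("createVolumePermission") or {}
    items = (perm.get("add") or {}).get("items") or []
    return [i.get("userId") or "group:" + i.get("group", "?") for i in items]

def triage(events, trusted_accounts):
    """One finding per rule hit; `review` is set when a grantee is not trusted."""
    findings = []
    for ev in events:
        if not matches_rule(ev):
            continue
        external = [g for g in added_principals(ev) if g not in trusted_accounts]
        findings.append({
            "snapshotId": (ev.get("requestParameters") or {}).get("snapshotId"),
            "actor": (ev.get("userIdentity") or {}).get("arn"),
            "external_grantees": external,
            "review": bool(external),
        })
    return findings

def make_event(name, params, source="ec2.amazonaws.com"):
    """Build a constructed CloudTrail record (placeholder account IDs and ARNs)."""
    return {"eventSource": source, "eventName": name, "requestParameters": params,
            "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example"}}

def share(snapshot_id, op, item):
    """Constructed requestParameters for a snapshot permission change."""
    return {"snapshotId": snapshot_id, "createVolumePermission": {op: {"items": [item]}}}

SAMPLE_EVENTS = [  # constructed sample data
    make_event("ModifySnapshotAttribute", share("snap-0001", "add", {"userId": "999999999999"})),
    make_event("ModifySnapshotAttribute", share("snap-0002", "add", {"userId": "222222222222"})),
    make_event("ModifySnapshotAttribute", share("snap-0003", "remove", {"userId": "999999999999"})),
    make_event("ModifySnapshotAttribute", share("snap-0004", "add", {"group": "all"})),
    make_event("DescribeSnapshots", {"snapshotId": "snap-0001"}),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, {"111111111111", "222222222222"}):
        print(finding)
```

The rule itself alerts on the first four records. The trusted-account comparison is a triage step layered on top of it, not something the rule expresses.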

Rule Metadata
Rule ID
abae8fec-57bd-4f87-aff6-6e3db989843d
Status
test
Level
medium
Type
Detection
Created
Mon May 17
Modified
Thu Aug 19
Path
rules/cloud/aws/cloudtrail/aws_snapshot_backup_exfiltration.yml
Raw Tags
attack.exfiltration
attack.t1537