Exfiltrate EBS Snapshot by Sharing It
idempotent
Platform: AWS
MITRE ATT&CK Tactics
- Exfiltration
Description
Exfiltrates an EBS snapshot by sharing it with an external AWS account.
Warm-up:
- Create an EBS volume and a snapshot.
Detonation:
- Call ec2:ModifySnapshotAttribute to share the snapshot with an external, fictitious AWS account.
Instructions
Detection
Through CloudTrail's ModifySnapshotAttribute event, when requestParameters.createVolumePermission shows that the EBS snapshot was shared with a new or unknown AWS account, such as:
"requestParameters": {
    "snapshotId": "snap-01b3f7d87a02559a1",
    "attributeType": "CREATE_VOLUME_PERMISSION",
    "createVolumePermission": {
        "add": {
            "items": [{ "userId": "111111111111" }]
        }
    }
}
An attacker can also make an EBS snapshot completely public. In this case, the item entry will look like {"groups":"all"}.
When an attacker copies the snapshot to their own AWS account or creates an EBS volume from it, the SharedSnapshotCopyInitiated (respectively SharedSnapshotVolumeCreated) event is logged (see AWS docs). In that case, userIdentity.accountId contains the attacker's account ID and recipientAccountId contains the victim's account ID, where the snapshot was originally created.
{
    "userIdentity": {
        "invokedBy": "ec2.amazonaws.com",
        "type": "AWSAccount",
        "accountId": "999999999999"
    },
    "eventSource": "ec2.amazonaws.com",
    "eventVersion": "1.08",
    "eventTime": "2022-09-27T07:58:49Z",
    "service": "cloudtrail",
    "eventName": "SharedSnapshotCopyInitiated",
    "eventType": "AwsServiceEvent",
    "eventCategory": "Management",
    "awsRegion": "us-east-1",
    "serviceEventDetails": {
        "snapshotId": "snap-12345"
    },
    "readOnly": false,
    "managementEvent": true,
    "recipientAccountId": "111111111111"
}
Note that detonating this attack technique with Stratus Red Team does not simulate an attacker accessing the snapshot from their account (only sharing it publicly from your account).
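The detection logic above, as an added example (not Stratus Red Team code): it flags ModifySnapshotAttribute records that add a create-volume permission for a public group or for an account outside an assumed allow-list, and the recipient-side SharedSnapshotCopyInitiated / SharedSnapshotVolumeCreated events. The sample records, the TRUSTED_ACCOUNTS allow-list and the share_event helper are constructed for the example; the public-share check accepts both `group` and `groups` as the key name.

```python
# Assumed allow-list of accounts permitted to receive snapshots (constructed).
TRUSTED_ACCOUNTS = {"222222222222"}
# Logged in the victim account when the recipient copies or mounts the snapshot.
RECIPIENT_EVENTS = {"SharedSnapshotCopyInitiated", "SharedSnapshotVolumeCreated"}


def check_event(event: dict) -> list[str]:
    """Return findings for one CloudTrail record (empty list if benign)."""
    findings = []
    name = event.get("eventName")
    if name == "ModifySnapshotAttribute":
        params = event.get("requestParameters") or {}
        snap = params.get("snapshotId", "?")
        perm = params.get("createVolumePermission") or {}
        # Only added permissions matter; removals do not expose data.
        for item in (perm.get("add") or {}).get("items") or []:
            # Public sharing is a group entry with value "all" (either key spelling).
            if "all" in (item.get("group"), item.get("groups")):
                findings.append(f"{snap} made public")
            user = item.get("userId")
            if user and user not in TRUSTED_ACCOUNTS:
                findings.append(f"{snap} shared with unknown account {user}")
    elif name in RECIPIENT_EVENTS:
        # userIdentity.accountId is the recipient (attacker); recipientAccountId is the victim.
        snap = (event.get("serviceEventDetails") or {}).get("snapshotId", "?")
        actor = (event.get("userIdentity") or {}).get("accountId", "?")
        findings.append(f"{name}: {snap} used by account {actor}")
    return findings


def scan(records: list[dict]) -> list[str]:
    """Run check_event over every record and collect the findings."""
    return [f for r in records for f in check_event(r)]


def share_event(snap: str, item: dict) -> dict:
    """Build a constructed ModifySnapshotAttribute record for the samples."""
    return {"eventName": "ModifySnapshotAttribute", "requestParameters": {
        "snapshotId": snap, "attributeType": "CREATE_VOLUME_PERMISSION",
        "createVolumePermission": {"add": {"items": [item]}}}}


# Constructed sample: trusted share, unknown-account share, public share, recipient copy.
SAMPLE = [
    share_event("snap-0a", {"userId": "222222222222"}),
    share_event("snap-0b", {"userId": "111111111111"}),
    share_event("snap-0c", {"group": "all"}),
    {"eventName": "SharedSnapshotCopyInitiated",
     "userIdentity": {"type": "AWSAccount", "accountId": "999999999999"},
     "serviceEventDetails": {"snapshotId": "snap-0b"},
     "recipientAccountId": "111111111111"},
]
```

Running scan over a real CloudTrail export (one JSON record per element of the Records array) yields the same finding strings; tune TRUSTED_ACCOUNTS to the accounts in your organization.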