Exfiltrate EBS Snapshot by Sharing It
idempotent
Platform: AWS
MITRE ATT&CK Tactics
- Exfiltration
Description
Exfiltrates an EBS snapshot by sharing it with an external AWS account.
Warm-up:
- Create an EBS volume and a snapshot.
Detonation:
- Call ec2:ModifySnapshotAttribute to share the snapshot with an external, fictitious AWS account.
Instructions
Detection
Through CloudTrail's ModifySnapshotAttribute event, when requestParameters.createVolumePermission shows
that the EBS snapshot was shared with a new or unknown AWS account, such as:
"requestParameters": {
"snapshotId": "snap-01b3f7d87a02559a1",
"attributeType": "CREATE_VOLUME_PERMISSION",
"createVolumePermission": {
"add": {
"items": [{ "userId": "111111111111" }]
}
}
}An attacker can also make an EBS snapshot completely public. In this case, the item entry
will look like {"groups":"all"}.
When an attacker copies the snapshot to their own AWS account or creates an EBS volume for it, the SharedSnapshotCopyInitiated (respectively SharedSnapshotVolumeCreated) event is logged (see AWS docs).
In that case, userIdentity.accountId contains the attacker's account ID and recipientAccountId contains the victim's account ID where the snapshot was originally created.
{
"userIdentity": {
"invokedBy": "ec2.amazonaws.com",
"type": "AWSAccount",
"accountId": "999999999999"
},
"eventSource": "ec2.amazonaws.com",
"eventVersion": "1.08",
"eventTime": "2022-09-27T07:58:49Z",
"service": "cloudtrail",
"eventName": "SharedSnapshotCopyInitiated",
"eventType": "AwsServiceEvent",
"eventCategory": "Management",
"awsRegion": "us-east-1",
"serviceEventDetails": {
"snapshotId": "snap-12345"
},
"readOnly": false,
"managementEvent": true,
"recipientAccountId": "111111111111"
}
Note that detonating this attack technique with Stratus Red Team does not simulate an attacker accessing the snapshot from their account (only sharing it publicly from your account).