Exfiltrate EBS Snapshot by Sharing It
idempotent
Platform: AWS
MITRE ATT&CK Tactics
- Exfiltration
Description
Exfiltrates an EBS snapshot by sharing it with an external AWS account.
Warm-up:
- Create an EBS volume and a snapshot.
Detonation:
- Call ec2:ModifySnapshotAttribute to share the snapshot with an external, fictitious AWS account.
Instructions
Detection
Through CloudTrail's ModifySnapshotAttribute event, when requestParameters.createVolumePermission shows that the EBS snapshot was shared with a new or unknown AWS account, such as:

```json
"requestParameters": {
  "snapshotId": "snap-01b3f7d87a02559a1",
  "attributeType": "CREATE_VOLUME_PERMISSION",
  "createVolumePermission": {
    "add": {
      "items": [{ "userId": "111111111111" }]
    }
  }
}
```

An attacker can also make an EBS snapshot completely public. In this case, the item entry will look like {"groups":"all"}.
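The following is an added detection example written for this page; it is not part of the original page and not Stratus Red Team's own code. It scans constructed CloudTrail records for ModifySnapshotAttribute events and raises a finding when a snapshot is shared with an account outside an allow-list (a placeholder set, KNOWN_ACCOUNTS, that an operator would replace with their own account IDs) or made public via the "all" group. The sample records and account IDs are constructed for the example.

```python
"""Flag EBS snapshot sharing in CloudTrail ModifySnapshotAttribute events.

Added example, not from the original page. All records and IDs below are
constructed; KNOWN_ACCOUNTS is a placeholder for the operator's own allow-list.
"""
import json

# Placeholder allow-list: AWS account IDs permitted to receive snapshots.
KNOWN_ACCOUNTS = {"222222222222"}

# Constructed CloudTrail records (only the fields the detection needs).
SHARE_WITH_UNKNOWN_ACCOUNT = json.dumps({
    "eventSource": "ec2.amazonaws.com",
    "eventName": "ModifySnapshotAttribute",
    "requestParameters": {
        "snapshotId": "snap-01b3f7d87a02559a1",
        "attributeType": "CREATE_VOLUME_PERMISSION",
        "createVolumePermission": {"add": {"items": [{"userId": "111111111111"}]}},
    },
})
SHARE_WITH_KNOWN_ACCOUNT = json.dumps({
    "eventName": "ModifySnapshotAttribute",
    "requestParameters": {
        "snapshotId": "snap-0aaaaaaaaaaaaaaaa",
        "attributeType": "CREATE_VOLUME_PERMISSION",
        "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}},
    },
})
MAKE_PUBLIC = json.dumps({
    "eventName": "ModifySnapshotAttribute",
    "requestParameters": {
        "snapshotId": "snap-0bbbbbbbbbbbbbbbb",
        "attributeType": "CREATE_VOLUME_PERMISSION",
        "createVolumePermission": {"add": {"items": [{"groups": "all"}]}},
    },
})
REVOKE_SHARE = json.dumps({  # "remove" entries reduce exposure; not a finding
    "eventName": "ModifySnapshotAttribute",
    "requestParameters": {
        "snapshotId": "snap-01b3f7d87a02559a1",
        "attributeType": "CREATE_VOLUME_PERMISSION",
        "createVolumePermission": {"remove": {"items": [{"userId": "111111111111"}]}},
    },
})
UNRELATED = json.dumps({"eventName": "DescribeSnapshots", "requestParameters": {}})


def snapshot_share_findings(event: dict, known_accounts=KNOWN_ACCOUNTS) -> list:
    """Return findings for one parsed CloudTrail event (empty list if benign)."""
    if event.get("eventName") != "ModifySnapshotAttribute":
        return []
    params = event.get("requestParameters") or {}
    if params.get("attributeType") != "CREATE_VOLUME_PERMISSION":
        return []
    perm = params.get("createVolumePermission") or {}
    # Only newly granted permissions matter; "remove" entries are ignored.
    added = (perm.get("add") or {}).get("items") or []
    snapshot_id = params.get("snapshotId")
    findings = []
    for item in added:
        # CloudTrail records a public share as {"groups": "all"} (the API
        # request field is "group"); accept both spellings to be safe.
        if item.get("groups") == "all" or item.get("group") == "all":
            findings.append({"snapshotId": snapshot_id, "severity": "critical",
                             "reason": "snapshot made public"})
        elif "userId" in item and item["userId"] not in known_accounts:
            findings.append({"snapshotId": snapshot_id, "severity": "high",
                             "reason": "shared with unknown account " + item["userId"]})
    return findings


def scan_records(raw_records, known_accounts=KNOWN_ACCOUNTS) -> list:
    """Parse a sequence of JSON CloudTrail records and collect all findings."""
    findings = []
    for raw in raw_records:
        findings.extend(snapshot_share_findings(json.loads(raw), known_accounts))
    return findings


if __name__ == "__main__":
    sample = [SHARE_WITH_UNKNOWN_ACCOUNT, SHARE_WITH_KNOWN_ACCOUNT,
              MAKE_PUBLIC, REVOKE_SHARE, UNRELATED]
    for f in scan_records(sample):
        print(f["severity"].upper(), f["snapshotId"], f["reason"])
```

In a real deployment the records would come from a CloudTrail Lake query, an S3 trail, or EventBridge rather than inline strings, and the allow-list would be derived from the organization's account inventory; the matching logic stays the same.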