Exfiltrate EBS Snapshot by Sharing It

idempotent

Platform: AWS

MITRE ATT&CK Tactics

  • Exfiltration

Description

Exfiltrates an EBS snapshot by sharing it with an external AWS account.

Warm-up:

  • Create an EBS volume and a snapshot.

Detonation:

  • Call ec2:ModifySnapshotAttribute to share the snapshot with an external, fictitious AWS account.

Instructions

Detonate with Stratus Red Team
stratus detonate aws.exfiltration.ec2-share-ebs-snapshot

Detection

Through CloudTrail's ModifySnapshotAttribute event, when requestParameters.createVolumePermission shows that the EBS snapshot was shared with a new or unknown AWS account, such as:

"requestParameters": {
  "snapshotId": "snap-01b3f7d87a02559a1",
  "attributeType": "CREATE_VOLUME_PERMISSION",
  "createVolumePermission": {
    "add": {
      "items": [{ "userId": "111111111111" }]
    }
  }
}

An attacker can also make an EBS snapshot completely public. In this case, the item entry will look like {"groups":"all"}.
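The detection logic described above (both the unknown-account case and the public `all` group case), written out as a small Python scanner over CloudTrail events. This is an added example, not code from the Stratus Red Team project: the allow-list of account IDs, the actor ARNs and all snapshot IDs except the one quoted above are constructed placeholders, and the input is assumed to be one JSON event per line. The EC2 API spells the public-sharing field `Group` (logged as `group`), while the page shows `groups`; the scanner accepts either key so the assumption does not matter.

```python
import json

# Constructed allow-list of AWS account IDs the organisation owns (placeholder IDs).
KNOWN_ACCOUNTS = {"123456789012", "210987654321"}


def snapshot_sharing_findings(event, known_accounts=KNOWN_ACCOUNTS):
    """Return a list of findings for a single CloudTrail event (a dict).

    Flags ec2:ModifySnapshotAttribute calls that add CREATE_VOLUME_PERMISSION
    for an AWS account outside the allow-list, or for the "all" group (public).
    """
    if event.get("eventSource") != "ec2.amazonaws.com":
        return []
    if event.get("eventName") != "ModifySnapshotAttribute":
        return []
    params = event.get("requestParameters") or {}
    if params.get("attributeType") != "CREATE_VOLUME_PERMISSION":
        return []

    # Only additions grant access; "remove" entries revoke it and are not flagged.
    permission = params.get("createVolumePermission") or {}
    added = (permission.get("add") or {}).get("items") or []

    # The account that owns the snapshot (the event's recipient) is never external.
    trusted = set(known_accounts) | {event.get("recipientAccountId")}
    trusted.discard(None)

    actor = (event.get("userIdentity") or {}).get("arn", "unknown")
    snapshot_id = params.get("snapshotId", "unknown")

    findings = []
    for item in added:
        # Accept both the EC2 API spelling ("group") and the page's ("groups").
        group = item.get("group") or item.get("groups")
        if group == "all":
            findings.append({
                "snapshotId": snapshot_id,
                "actor": actor,
                "target": "all",
                "severity": "high",
                "reason": "snapshot made public",
            })
            continue
        user_id = item.get("userId")
        if user_id and user_id not in trusted:
            findings.append({
                "snapshotId": snapshot_id,
                "actor": actor,
                "target": user_id,
                "severity": "high",
                "reason": "snapshot shared with unknown AWS account",
            })
    return findings


def scan(log_lines, known_accounts=KNOWN_ACCOUNTS):
    """Run snapshot_sharing_findings over newline-delimited JSON events."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        findings.extend(snapshot_sharing_findings(json.loads(line), known_accounts))
    return findings


# Constructed sample events: an external share, a share with an allow-listed
# account, a public share, and an unrelated API call for noise.
SAMPLE_LOG = """
{"eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute", "recipientAccountId": "123456789012", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {"snapshotId": "snap-01b3f7d87a02559a1", "attributeType": "CREATE_VOLUME_PERMISSION", "createVolumePermission": {"add": {"items": [{"userId": "111111111111"}]}}}}
{"eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute", "recipientAccountId": "123456789012", "userIdentity": {"arn": "arn:aws:iam::123456789012:role/backup"}, "requestParameters": {"snapshotId": "snap-0aaaaaaaaaaaaaaa1", "attributeType": "CREATE_VOLUME_PERMISSION", "createVolumePermission": {"add": {"items": [{"userId": "210987654321"}]}}}}
{"eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute", "recipientAccountId": "123456789012", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {"snapshotId": "snap-0bbbbbbbbbbbbbbb2", "attributeType": "CREATE_VOLUME_PERMISSION", "createVolumePermission": {"add": {"items": [{"group": "all"}]}}}}
{"eventSource": "ec2.amazonaws.com", "eventName": "DescribeSnapshots", "recipientAccountId": "123456789012", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {}}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(json.dumps(finding))
```

Run against the constructed sample, the scanner emits two findings: the share with `111111111111` and the public share, while the share with an allow-listed account and the `DescribeSnapshots` call are ignored. In production the allow-list would come from the organisation's account inventory, and entries under `remove` could be logged separately as a low-severity audit trail.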