Snapshot Exfiltration Detector
The Snapshot Exfiltration Detector alerts when AWS EC2 snapshots are maliciously exported or when permissions are granted to an unknown account in preparation for copying a snapshot. The detector looks for a sequence of events where a user is granted permissions to an EC2 instance snapshot and then the snapshot is copied to another account within a specified timeframe.
This detector scores process events for a set timeframe using predetermined rules and then uses these scores to identify potential Snapshot Exfiltration activity, published as alerts to the Secureworks® Taegis™ XDR Dashboard.
Snapshot Exfiltration Alert
Requirements ⫘
This detector requires the following data sources, integrations, or schemas:
- CloudAudit
Inputs ⫘
Detections are from the following normalized sources:
- AWS CloudTrail Logs
Outputs ⫘
Alerts from this detector are pushed to the XDR Alert Database and Alert Triage Dashboard.
Configuration Options ⫘
This detector is enabled by default when the required data sources or integrations are available in the tenant.
MITRE ATT&CK Category ⫘
- MITRE Enterprise ATT&CK - Exfiltration - Transfer Data to Cloud Account. For more information, see MITRE Technique T1537.
Detector Testing ⫘
This detector does not have a supported testing method, though an Advanced Search will verify if alerts originated with this detector.
Note
If no supported testing method is available, an Advanced Search will show you if any alerts came from this detector if a qualifying event was observed. A search with no results does not indicate the detector is not working. A lack of search results for the detector may only indicate that the specific attack has not been observed in the tenant. However, it could indicate the underlying data is not available. Ensure the required schemas are provided in Data Sources along with the supported device type(s) for that schema.
FROM alert WHERE metadata.creator.detector.detector_id='app:detect:snapshot-exfiltration'
References ⫘
- Schemas