Initial construction of a new snapshot (ex: AWS create-snapshot)
Initial construction of a new snapshot (ex: AWS create-snapshot)
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1578 | Modify Cloud Compute Infrastructure |
Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the creation of multiple snapshots within a short period of time. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. |
|
| .001 | Create Snapshot |
The creation of a snapshot is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities such as the creation of one or more snapshots and the restoration of these snapshots by a new user account.In AWS, CloudTrail logs capture the creation of snapshots and all API calls for AWS Backup as events. Using the information collected by CloudTrail, you can determine the request that was made, the IP address from which the request was made, which user made the request, when it was made, and additional details.[3]In Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.[4]Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the gcloud compute instances create command to create a new VM disk from a snapshot.[5] It is also possible to detect the usage of the GCP API with the |
||
| Enterprise | T1537 | Transfer Data to Cloud Account |
Monitor account activity for attempts to create and share data, such as snapshots or backups, with untrusted or unusual accounts. |
|
Removal of a snapshot (ex: AWS delete-snapshot)
Removal of a snapshot (ex: AWS delete-snapshot)
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1485 | Data Destruction |
Monitor for unexpected deletion of a snapshot (ex: AWS |
|
| Enterprise | T1490 | Inhibit System Recovery |
Monitor for unexpected deletion of snapshots (ex: AWS |
|
| Enterprise | T1578 | Modify Cloud Compute Infrastructure |
Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the deletion of multiple snapshots within a short period of time. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. |
|
An extracted list of snapshops within a cloud environment (ex: AWS describe-snapshots)
An extracted list of snapshops within a cloud environment (ex: AWS describe-snapshots)
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1580 | Cloud Infrastructure Discovery |
Monitor cloud logs for API calls and other potentially unusual activity related to snapshot enumeration. Discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. |
|
Contextual data about a snapshot, which may include information such as ID, type, and status
Contextual data about a snapshot, which may include information such as ID, type, and status
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1578 | Modify Cloud Compute Infrastructure |
Periodically baseline snapshots to identify malicious modifications or additions. |
|
| .001 | Create Snapshot |
Periodically baseline snapshots to identify malicious modifications or additions. |
||
| Enterprise | T1537 | Transfer Data to Cloud Account |
Periodically baseline snapshots to identify malicious modifications or additions. |
|
Changes made to a snapshop, such as metadata and control data (ex: AWS modify-snapshot-attribute)
Changes made to a snapshop, such as metadata and control data (ex: AWS modify-snapshot-attribute)
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1578 | Modify Cloud Compute Infrastructure |
Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the mounting of a snapshot to a new instance by a new or unexpected user. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. |
|
| Enterprise | T1537 | Transfer Data to Cloud Account |
Monitor account activity for attempts to share data, snapshots, or backups with untrusted or unusual accounts on the same cloud service provider. Monitor for anomalous file transfer activity between accounts and to untrusted VPCs. |
|