Initial construction of a new snapshot (ex: AWS create-snapshot)

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1537 | Transfer Data to Cloud Account | Monitor account activity for attempts to create and share data, such as snapshots or backups, with untrusted or unusual accounts. |
| Enterprise | T1578 | Modify Cloud Compute Infrastructure | Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the creation of multiple snapshots within a short period of time. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. |
| | .001 | Create Snapshot | The creation of a snapshot is a common part of operations within many cloud environments. Events should therefore not be viewed in isolation, but as part of a chain of behavior that could lead to other activities such as the creation of one or more snapshots and the restoration of these snapshots by a new user account. In AWS, CloudTrail logs capture the creation of snapshots and all API calls for AWS Backup as events. Using the information collected by CloudTrail, you can determine the request that was made, the IP address from which the request was made, which user made the request, when it was made, and additional details.[3] In Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.[4] Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the gcloud compute instances create command to create a new VM disk from a snapshot.[5] It is also possible to detect the usage of the GCP API with the |
Removal of a snapshot (ex: AWS delete-snapshot)

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1578 | Modify Cloud Compute Infrastructure | Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the deletion of multiple snapshots within a short period of time. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. |
| Enterprise | T1485 | Data Destruction | Monitor for unexpected deletion of a snapshot (ex: AWS |
| Enterprise | T1490 | Inhibit System Recovery | Monitor for unexpected deletion of snapshots (ex: AWS |
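The "multiple snapshots within a short period of time" detection described for both snapshot creation and snapshot deletion, with the change-management identifier used to suppress approved work, as an added example that is not part of the ATT&CK page. The records are constructed in the shape of CloudTrail entries; the `ChangeTicket` tag layout (CloudTrail's `tagSpecificationSet` rendering), the `CHG-<n>` role session naming convention, the placeholder account 111122223333 and all ARNs are assumptions made for this example.

```python
"""Burst detection over CloudTrail-style snapshot events.

Added example; not MITRE ATT&CK content. The records below are constructed in the
shape of CloudTrail entries and carry only the fields the detector reads.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Placeholder identities (account 111122223333 is a documentation-style placeholder).
ALICE = "arn:aws:iam::111122223333:user/alice"
CAROL = "arn:aws:iam::111122223333:user/carol"
DAVE = "arn:aws:iam::111122223333:user/dave"
# Assumed convention: an approved change is run under a role session named after its ticket,
# because DeleteSnapshot cannot carry tags and the identifier must travel with the identity.
OPS_CHANGE = "arn:aws:sts::111122223333:assumed-role/OpsRole/CHG-2041"
# Assumed convention: CreateSnapshot calls made under a change carry a ChangeTicket tag,
# laid out the way CloudTrail renders EC2 tag specifications (assumed shape).
TICKET_TAG = {"items": [{"resourceType": "snapshot",
                         "tags": [{"key": "ChangeTicket", "value": "CHG-2040"}]}]}


def _ev(time, name, arn, **params):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": params}


SAMPLE_EVENTS = [
    # alice: four untagged CreateSnapshot calls in five minutes -> should alert
    _ev("2024-05-01T10:00:00Z", "CreateSnapshot", ALICE, volumeId="vol-0a1"),
    _ev("2024-05-01T10:01:30Z", "CreateSnapshot", ALICE, volumeId="vol-0a2"),
    _ev("2024-05-01T10:03:00Z", "CreateSnapshot", ALICE, volumeId="vol-0a3"),
    _ev("2024-05-01T10:04:10Z", "CreateSnapshot", ALICE, volumeId="vol-0a4"),
    # ops role: three DeleteSnapshot calls under ticket CHG-2041 -> suppressed
    _ev("2024-05-01T11:00:00Z", "DeleteSnapshot", OPS_CHANGE, snapshotId="snap-01"),
    _ev("2024-05-01T11:00:05Z", "DeleteSnapshot", OPS_CHANGE, snapshotId="snap-02"),
    _ev("2024-05-01T11:00:09Z", "DeleteSnapshot", OPS_CHANGE, snapshotId="snap-03"),
    # carol: three tagged CreateSnapshot calls -> suppressed by the tag
    _ev("2024-05-01T12:00:00Z", "CreateSnapshot", CAROL, volumeId="vol-0c1", tagSpecificationSet=TICKET_TAG),
    _ev("2024-05-01T12:00:20Z", "CreateSnapshot", CAROL, volumeId="vol-0c2", tagSpecificationSet=TICKET_TAG),
    _ev("2024-05-01T12:00:40Z", "CreateSnapshot", CAROL, volumeId="vol-0c3", tagSpecificationSet=TICKET_TAG),
    # dave: two untagged calls, below the default threshold of three
    _ev("2024-05-01T13:00:00Z", "CreateSnapshot", DAVE, volumeId="vol-0d1"),
    _ev("2024-05-01T13:05:00Z", "CreateSnapshot", DAVE, volumeId="vol-0d2"),
    # an unwatched call, ignored by the detector
    _ev("2024-05-01T13:06:00Z", "DescribeSnapshots", DAVE),
]


def parse_time(stamp):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def change_ticket(event):
    """Return the change identifier logged with the call, or None if there is none."""
    tag_set = event.get("requestParameters", {}).get("tagSpecificationSet", {})
    for item in tag_set.get("items", []):
        for tag in item.get("tags", []):
            if tag.get("key") == "ChangeTicket":
                return tag.get("value")
    session = event["userIdentity"]["arn"].rsplit("/", 1)[-1]
    if session.startswith("CHG-"):
        return session
    return None


def detect_bursts(events, watched=("CreateSnapshot", "DeleteSnapshot"),
                  threshold=3, window=timedelta(minutes=10)):
    """One alert per (actor, API call) whose unapproved calls reach `threshold` inside any `window`."""
    by_key = defaultdict(list)
    for event in events:
        if event["eventName"] not in watched or change_ticket(event):
            continue
        key = (event["userIdentity"]["arn"], event["eventName"])
        by_key[key].append(parse_time(event["eventTime"]))

    alerts = []
    for (actor, name), times in by_key.items():
        recent = deque()   # sliding window of timestamps no older than `window`
        peak = 0
        for stamp in sorted(times):
            recent.append(stamp)
            while stamp - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            alerts.append({"actor": actor, "eventName": name, "count": peak,
                           "window_minutes": window.total_seconds() / 60})
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print(alert)
```

Both suppression paths are deliberate: a tag works for calls that accept tags (creation), while deletion has to be tied to an identity the change process controls. Without such an identifier, the same burst from an automation role and from a compromised user look identical in CloudTrail.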
An extracted list of snapshots within a cloud environment (ex: AWS describe-snapshots)

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1580 | Cloud Infrastructure Discovery | Monitor cloud logs for API calls and other potentially unusual activity related to snapshot enumeration. Discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. |
Contextual data about a snapshot, which may include information such as ID, type, and status

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1537 | Transfer Data to Cloud Account | Periodically baseline snapshots to identify malicious modifications or additions. |
| Enterprise | T1578 | Modify Cloud Compute Infrastructure | Periodically baseline snapshots to identify malicious modifications or additions. |
| | .001 | Create Snapshot | Periodically baseline snapshots to identify malicious modifications or additions. |
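The "periodically baseline snapshots" guidance in the table above, implemented as an inventory diff, as an added example that is not part of the ATT&CK page. The records mimic the `Snapshots` entries returned by AWS describe-snapshots, but every ID, account number and value is constructed, and the set of fields treated as worth tracking is a choice made for this example.

```python
"""Baseline-and-diff of a snapshot inventory.

Added example; not MITRE ATT&CK content. Records mimic describe-snapshots output;
all ids, accounts and values are constructed.
"""
import json

# Fields whose change between two inventories is surfaced (chosen for this example).
TRACKED = ("OwnerId", "VolumeId", "Encrypted", "Description", "State")


def _snap(snapshot_id, **fields):
    """Constructed describe-snapshots-style record with overridable fields."""
    record = {"SnapshotId": snapshot_id, "OwnerId": "111122223333", "VolumeId": "vol-0aaa",
              "Encrypted": True, "State": "completed", "Description": "nightly",
              "Tags": [{"Key": "Owner", "Value": "platform"}]}
    record.update(fields)
    return record


# Baseline taken yesterday and the inventory pulled today (both constructed).
BASELINE = [
    _snap("snap-0001"),
    _snap("snap-0002", VolumeId="vol-0bbb"),
    _snap("snap-0003", Encrypted=False),
]
CURRENT = [
    _snap("snap-0001"),
    _snap("snap-0002", VolumeId="vol-0bbb", Description="copied for migration"),
    _snap("snap-0004", OwnerId="999999999999", Tags=[]),
]


def tag_map(snapshot):
    """Tags as a dict so ordering differences do not register as changes."""
    return {tag["Key"]: tag["Value"] for tag in snapshot.get("Tags", [])}


def diff_inventory(baseline, current):
    """Return added and removed snapshot ids plus per-field changes for ids present in both."""
    before = {s["SnapshotId"]: s for s in baseline}
    after = {s["SnapshotId"]: s for s in current}
    report = {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "changed": {},
    }
    for snapshot_id in before.keys() & after.keys():
        old, new = before[snapshot_id], after[snapshot_id]
        changes = {}
        for field in TRACKED:
            if old.get(field) != new.get(field):
                changes[field] = (old.get(field), new.get(field))
        if tag_map(old) != tag_map(new):
            changes["Tags"] = (tag_map(old), tag_map(new))
        if changes:
            report["changed"][snapshot_id] = changes
    return report


def to_json(snapshots):
    """Stable serialization for storing a baseline (sorted by id, deterministic keys)."""
    ordered = sorted(snapshots, key=lambda s: s["SnapshotId"])
    return json.dumps(ordered, sort_keys=True, indent=2)


def from_json(text):
    """Load a baseline written by to_json."""
    return json.loads(text)


if __name__ == "__main__":
    print(json.dumps(diff_inventory(from_json(to_json(BASELINE)), CURRENT), indent=2))
```

In practice the baseline is the stored output of the previous run and `CURRENT` is the fresh listing; an entry under `added` owned by an unfamiliar account, or a `removed` entry with no matching change ticket, is the signal the table rows above ask for.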
Changes made to a snapshot, such as metadata and control data (ex: AWS modify-snapshot-attribute)

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1537 | Transfer Data to Cloud Account | Monitor account activity for attempts to share data, snapshots, or backups with untrusted or unusual accounts on the same cloud service provider. Monitor for anomalous file transfer activity between accounts and to untrusted VPCs. |
| Enterprise | T1578 | Modify Cloud Compute Infrastructure | Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the mounting of a snapshot to a new instance by a new or unexpected user. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. |
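The T1537 row above asks for monitoring of snapshot sharing with untrusted accounts. The following is an added example, not part of the ATT&CK page, that checks CloudTrail `ModifySnapshotAttribute` records for `createVolumePermission` grants to accounts outside an allowlist or to the public `all` group. The nesting of `requestParameters` used here follows how CloudTrail renders this EC2 call but is treated as an assumption; the allowlist, account numbers and ARNs are constructed.

```python
"""Flag snapshot permission changes that share data outside the organisation.

Added example; not MITRE ATT&CK content. Records are constructed in the shape CloudTrail
uses for ModifySnapshotAttribute; the exact nesting is an assumption for this example.
"""

# Constructed allowlist: accounts that belong to the organisation.
TRUSTED_ACCOUNTS = {"111122223333", "444455556666"}

# Placeholder identities.
ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"


def _share_event(snapshot_id, actor, time, add=None, remove=None):
    """Constructed ModifySnapshotAttribute record changing createVolumePermission."""
    permission = {}
    if add:
        permission["add"] = {"items": add}
    if remove:
        permission["remove"] = {"items": remove}
    return {
        "eventName": "ModifySnapshotAttribute",
        "eventTime": time,
        "userIdentity": {"arn": actor},
        "requestParameters": {
            "snapshotId": snapshot_id,
            "attributeType": "CREATE_VOLUME_PERMISSION",
            "createVolumePermission": permission,
        },
    }


SAMPLE_EVENTS = [
    # shared with another account in the organisation: expected
    _share_event("snap-0a1", ALICE, "2024-05-01T09:00:00Z", add=[{"userId": "444455556666"}]),
    # shared with an account nobody recognises
    _share_event("snap-0a2", ALICE, "2024-05-01T09:05:00Z", add=[{"userId": "999999999999"}]),
    # made public
    _share_event("snap-0a3", BOB, "2024-05-01T09:10:00Z", add=[{"group": "all"}]),
    # a revocation: not a share, so not flagged
    _share_event("snap-0a4", BOB, "2024-05-01T09:15:00Z", remove=[{"userId": "999999999999"}]),
    # an unrelated call, ignored
    {"eventName": "CreateSnapshot", "eventTime": "2024-05-01T09:20:00Z",
     "userIdentity": {"arn": BOB}, "requestParameters": {"volumeId": "vol-0b1"}},
]


def share_targets(event):
    """Principals granted createVolumePermission by one event ('public' for the all group)."""
    if event.get("eventName") != "ModifySnapshotAttribute":
        return []
    permission = event.get("requestParameters", {}).get("createVolumePermission", {})
    targets = []
    for item in permission.get("add", {}).get("items", []):
        if item.get("group") == "all":
            targets.append("public")
        else:
            targets.append(item.get("userId", "unknown"))
    return targets


def find_untrusted_shares(events, trusted=TRUSTED_ACCOUNTS):
    """One finding per grant to a principal outside `trusted`; public grants rank highest."""
    findings = []
    for event in events:
        for target in share_targets(event):
            if target != "public" and target in trusted:
                continue
            findings.append({
                "snapshotId": event["requestParameters"]["snapshotId"],
                "actor": event["userIdentity"]["arn"],
                "eventTime": event["eventTime"],
                "sharedWith": target,
                "severity": "high" if target == "public" else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in find_untrusted_shares(SAMPLE_EVENTS):
        print(finding)
```

Grants are the only thing inspected; revocations and calls that touch other attributes produce no finding. A real deployment would also fold in the snapshot's encryption state and the sharing account's history, which the constructed records here do not carry.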