The process of taking a point-in-time copy of a cloud storage volume (files, settings, configurations, etc.), virtual machine (VM), or database that can be created and deployed in cloud environments.
Data Collection Measures:
CreateSnapshot).Microsoft.Compute/snapshots/write).compute.disks.createSnapshot.The process of taking a point-in-time copy of a cloud storage volume (files, settings, configurations, etc.), virtual machine (VM), or database that can be created and deployed in cloud environments.
Data Collection Measures:
CreateSnapshot).Microsoft.Compute/snapshots/write).compute.disks.createSnapshot.| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1578 | Modify Cloud Compute Infrastructure |
Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the creation of multiple snapshots within a short period of time. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. |
|
| .001 | Create Snapshot |
The creation of a snapshot is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities such as the creation of one or more snapshots and the restoration of these snapshots by a new user account.In AWS, CloudTrail logs capture the creation of snapshots and all API calls for AWS Backup as events. Using the information collected by CloudTrail, you can determine the request that was made, the IP address from which the request was made, which user made the request, when it was made, and additional details.[3]In Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.[4]Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the gcloud compute instances create command to create a new VM disk from a snapshot.[5] It is also possible to detect the usage of the GCP API with the |
||
| Enterprise | T1537 | Transfer Data to Cloud Account |
Monitor account activity for attempts to create and share data, such as snapshots or backups, with untrusted or unusual accounts. Analytic 1 - Detecting Suspicious Snapshot Exfiltration
|
|
The removal of a point-in-time backup of a cloud storage volume, virtual machine (VM), or database.
Data Collection Measures:
DeleteSnapshot API calls in EC2, RDS, and EBS services.Microsoft.Compute/snapshots/delete API calls.compute.disks.deleteSnapshot events.The removal of a point-in-time backup of a cloud storage volume, virtual machine (VM), or database.
Data Collection Measures:
DeleteSnapshot API calls in EC2, RDS, and EBS services.Microsoft.Compute/snapshots/delete API calls.compute.disks.deleteSnapshot events.| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1485 | Data Destruction |
Monitor for unexpected deletion of a snapshot (ex: AWS |
|
| Enterprise | T1490 | Inhibit System Recovery |
Monitor for unexpected deletion of snapshots (ex: AWS |
|
| Enterprise | T1578 | Modify Cloud Compute Infrastructure |
Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the deletion of multiple snapshots within a short period of time. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. |
|
The process of listing or retrieving metadata about existing snapshots in a cloud environment.
Data Collection Measures:
DescribeSnapshots, ListSnapshots, and GetSnapshotAttributes.Microsoft.Compute/snapshots/read.compute.disks.listSnapshots.The process of listing or retrieving metadata about existing snapshots in a cloud environment.
Data Collection Measures:
DescribeSnapshots, ListSnapshots, and GetSnapshotAttributes.Microsoft.Compute/snapshots/read.compute.disks.listSnapshots.| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1580 | Cloud Infrastructure Discovery |
Monitor cloud logs for API calls and other potentially unusual activity related to snapshot enumeration. Discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. |
|
Contextual data about a snapshot, which may include information such as ID, type, and status
Contextual data about a snapshot, which may include information such as ID, type, and status
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1578 | Modify Cloud Compute Infrastructure |
Periodically baseline snapshots to identify malicious modifications or additions. |
|
| .001 | Create Snapshot |
Periodically baseline snapshots to identify malicious modifications or additions. |
||
| Enterprise | T1537 | Transfer Data to Cloud Account |
Periodically baseline snapshots to identify malicious modifications or additions. |
|
Changes made to a cloud snapshot's metadata, attributes, or control settings. These modifications may involve adjusting access permissions, changing retention policies, or altering encryption settings.
Data Collection Measures:
ModifySnapshotAttribute, ResetSnapshotAttribute, and ModifySnapshotTier.Microsoft.Compute/snapshots/write.compute.snapshots.setIamPolicy and compute.snapshots.patch.Changes made to a cloud snapshot's metadata, attributes, or control settings. These modifications may involve adjusting access permissions, changing retention policies, or altering encryption settings.
Data Collection Measures:
ModifySnapshotAttribute, ResetSnapshotAttribute, and ModifySnapshotTier.Microsoft.Compute/snapshots/write.compute.snapshots.setIamPolicy and compute.snapshots.patch.| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1578 | Modify Cloud Compute Infrastructure |
Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the mounting of a snapshot to a new instance by a new or unexpected user. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. |
|
| Enterprise | T1537 | Transfer Data to Cloud Account |
Monitor account activity for attempts to share data, snapshots, or backups with untrusted or unusual accounts on the same cloud service provider. Monitor for anomalous file transfer activity between accounts and to untrusted VPCs. |
|