AWS Suspect Public EBS Change

Detection overview

Triggers

  • A credential was observed performing a set of AWS control plane API actions related to the exfiltration of EC2 snapshots.

Possible Root Causes

  • An attacker may be actively looking for privilege escalation opportunities.
  • A security or IT service may intentionally be enumerating these APIs for monitoring reasons.

Business Impact

  • Exfiltration by an attacker of EC2 snapshots may expose details that support further attack progression, or lead to data loss.

Steps to Verify

  1. Investigate the account context that performed this action for other signs of malicious activity.
  2. Investigate for data loss.
  3. If review indicates possible malicious actions or a high-risk configuration, revert the applicable configurations and disable the credentials associated with this alert, then perform a comprehensive investigation.
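An added example, not part of this detection page, of what the trigger above looks like in CloudTrail and how an analyst might scan a batch of records for it. It assumes the suspect API is ec2:ModifySnapshotAttribute (a public share sets createVolumePermission to the group "all"; a cross-account share names a userId), and the sample records, account IDs and trusted-account list are constructed for the example.

```python
import json

# Constructed sample CloudTrail records (not from the page). Field layout follows the
# CloudTrail record format and the ec2:ModifySnapshotAttribute request shape.
SAMPLE_EVENTS = [
    json.dumps({"eventName": "ModifySnapshotAttribute", "recipientAccountId": "111111111111",
                "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
                "requestParameters": {"snapshotId": "snap-0aaa", "attributeType": "CREATE_VOLUME_PERMISSION",
                                      "createVolumePermission": {"add": {"items": [{"group": "all"}]}}}}),
    json.dumps({"eventName": "ModifySnapshotAttribute", "recipientAccountId": "111111111111",
                "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
                "requestParameters": {"snapshotId": "snap-0bbb", "attributeType": "CREATE_VOLUME_PERMISSION",
                                      "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}}),
    json.dumps({"eventName": "ModifySnapshotAttribute", "recipientAccountId": "111111111111",
                "userIdentity": {"arn": "arn:aws:iam::111111111111:role/backup-svc"},
                "requestParameters": {"snapshotId": "snap-0ccc", "attributeType": "CREATE_VOLUME_PERMISSION",
                                      "createVolumePermission": {"remove": {"items": [{"group": "all"}]}}}}),
    json.dumps({"eventName": "DescribeSnapshots", "recipientAccountId": "111111111111",
                "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
                "requestParameters": {"ownerSet": {"items": [{"owner": "self"}]}}}),
]

# Accounts the organization trusts to receive snapshots (assumed); anything else is an external share.
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}


def classify_share(params):
    """Return 'public', 'external', or None for one ModifySnapshotAttribute request."""
    perm = params.get("createVolumePermission", {})
    for item in perm.get("add", {}).get("items", []):  # only grants matter; removals are clean-up
        if item.get("group") == "all":
            return "public"
        if item.get("userId") and item["userId"] not in TRUSTED_ACCOUNTS:
            return "external"
    return None


def find_suspect_ebs_changes(raw_events):
    """Scan CloudTrail records and return (actor ARN, snapshotId, verdict) for every suspect share."""
    findings = []
    for raw in raw_events:
        ev = json.loads(raw)
        if ev.get("eventName") != "ModifySnapshotAttribute":
            continue
        verdict = classify_share(ev.get("requestParameters", {}))
        if verdict:
            findings.append((ev["userIdentity"]["arn"], ev["requestParameters"]["snapshotId"], verdict))
    return findings


if __name__ == "__main__":
    for actor, snap, verdict in find_suspect_ebs_changes(SAMPLE_EVENTS):
        print(f"{verdict:8} {snap} by {actor}")  # actor ARN is the pivot for step 1 above
```

The revocation record and the DescribeSnapshots enumeration are not reported, which keeps routine backup tooling (the benign cause listed above) out of the findings unless it actually grants access.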