AWS AuthorizeSecurityGroupEgress
Adds outbound rules to a VPC security group, permitting traffic from instances to specified destination IP ranges or security groups.
Exfiltration
Exfiltration
Section titled “Exfiltration”The adversary is trying to steal data.
Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.
In cloud environments, adversaries exfiltrate data by sharing snapshots or AMIs with external accounts, copying data to attacker-controlled storage buckets, or transferring resources across regions. They may also abuse cloud-native data transfer services or modify bucket policies to allow public access.
View Exfiltration on MITRE ATT&CK →Events Related to Exfiltration
Section titled “Events Related to Exfiltration”GCP bigquery.jobs.insert
Creates and submits a BigQuery job (query, load, export, or copy) that accesses or transforms data in BigQuery datasets.
GCP cloudsql.instances.export
Exports data from a Cloud SQL instance to a Cloud Storage bucket.
Azure CopyBlob
Copies a blob within or between Azure Storage accounts or containers.
AWS CopyObject
Copies an object from one S3 location to another, within or across buckets, optionally modifying metadata or encryption.
AWS CreateDBSnapshot
Creates a manual point-in-time snapshot of an RDS database instance for backup or recovery purposes.
AWS CreateImage
Creates an Amazon Machine Image (AMI) from a running or stopped EC2 instance, capturing its disk state for reuse.
AWS CreateInstanceExportTask
Exports an EC2 instance as a virtual machine image to an S3 bucket in a format such as OVF or VMDK.
AWS CreateSnapshot
Creates a point-in-time snapshot of an EBS volume, stored durably for backup or volume duplication.
AWS GetObject
Retrieves (downloads) an object from an S3 bucket; logged in CloudTrail only when S3 data events are enabled.
Azure Microsoft.Compute/disks/beginGetAccess/action
Generates a time-limited SAS URL to access or download the data of an Azure managed disk.
Azure Microsoft.Compute/snapshots/beginGetAccess/action
Generates a time-limited SAS URL to access or download the data from an Azure VM disk snapshot.
Azure Microsoft.Sql/servers/databases/export/action
Exports an Azure SQL Database to a BACPAC file stored in Azure Blob Storage.
AWS ModifyDBInstance
Modifies settings on an RDS database instance, such as instance class, storage, networking, and access configuration.
AWS ModifyDBSnapshotAttribute
Modifies the attributes of an RDS DB snapshot, such as sharing it with other AWS accounts.
AWS ModifyImageAttribute
Modifies attributes of an AMI, such as making it public or sharing it with specific AWS accounts.
AWS ModifySnapshotAttribute
Modifies the permissions of an EBS snapshot, such as making it public or sharing it with specific AWS accounts.
AWS PutBucketAcl
Sets the Access Control List (ACL) for an S3 bucket, controlling access for specific AWS accounts or predefined groups.
AWS PutBucketPolicy
Applies or replaces the resource-based policy on an S3 bucket, defining who can access it and how.
AWS PutBucketReplication
Enables replication for an S3 bucket, automatically copying objects to a destination bucket in the same or another region.
AWS RestoreDBInstanceFromDBSnapshot
Restores an RDS instance from a snapshot, enabling an attacker to access database contents by spinning up a copy.
AWS SharedSnapshotCopyInitiated
Records the start of a copy operation for an EBS snapshot shared from another AWS account.
AWS SharedSnapshotVolumeCreated
Records the creation of an EBS volume from a snapshot shared by another AWS account.
AWS StartExportTask
Starts an export of an RDS snapshot to Amazon S3 in Apache Parquet format for use in analytics.