Query Details
// https://github.com/FalconForceTeam/FalconFriday/blob/master/Collection/0xFF-0236-Resource_Shared_with_Unknown_External_Account-AWS.md
AWSCloudTrail
| where EventName == "ModifySnapshotAttribute"
| mv-expand Item = todynamic(RequestParameters)["createVolumePermission"]["add"]["items"]
| where Item["userId"] contains "*" or Item["group"] has "all"
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId
This query selects ModifySnapshotAttribute events from the AWSCloudTrail table. RequestParameters is stored as a string, so it is parsed with todynamic() and the createVolumePermission.add.items array is expanded with mv-expand, giving one row per principal the EBS snapshot is being shared with. Rows are kept where the item's userId contains "*" or its group is "all"; granting createVolumePermission to the "all" group makes the snapshot public, so any AWS account can copy it or create volumes from it, which is why such a change warrants review. The query then invokes the AWSIdentityRole function to resolve the calling identity and its role, and projects the identity, session, source IP, event, error and request fields in the project clause, so an analyst can see who shared which snapshot, from where, whether the session was MFA-authenticated, and, because ErrorCode and ErrorMessage are retained and no filter on ErrorCode is applied, whether the call succeeded or was denied; failed attempts therefore also appear in the results.
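The same detection logic, as an added example in Python rather than KQL, run over a few constructed CloudTrail records (this is not code from the FalconFriday repository or from the page). It mirrors the query's filter on EventName, the todynamic() parse of the RequestParameters string, the mv-expand over createVolumePermission.add.items and the two conditions (userId contains "*", group has "all"). As an extension beyond the page, it also flags a share with any specific account that is not in an assumed allowlist (KNOWN_ACCOUNT_IDS, a constructed value), which is the "unknown external account" the rule's title refers to. All account IDs, ARNs, snapshot IDs and IP addresses are constructed sample data.

```python
import json

# Assumed allowlist of account IDs that are expected to receive shared snapshots.
# Constructed for this example; the page's query carries no allowlist.
KNOWN_ACCOUNT_IDS = {"111111111111", "222222222222"}


def _request_parameters(event):
    """Return requestParameters as a dict.

    CloudTrail exports (and the Sentinel AWSCloudTrail table) carry it as a
    JSON string, which is why the KQL query wraps it in todynamic().
    """
    params = event.get("requestParameters")
    if isinstance(params, str):
        try:
            params = json.loads(params)
        except json.JSONDecodeError:
            return {}
    return params if isinstance(params, dict) else {}


def permission_items(event):
    """Mirror of the query's mv-expand: one entry per element of
    createVolumePermission.add.items for a ModifySnapshotAttribute event.
    Removals (createVolumePermission.remove) are deliberately ignored."""
    if event.get("eventName") != "ModifySnapshotAttribute":
        return []
    cvp = _request_parameters(event).get("createVolumePermission") or {}
    add = cvp.get("add") or {}
    items = add.get("items") or []
    return [i for i in items if isinstance(i, dict)] if isinstance(items, list) else []


def classify_item(item, known_accounts=KNOWN_ACCOUNT_IDS):
    """Return a reason string if the permission item is suspicious, else None."""
    user_id = str(item.get("userId", ""))
    group = str(item.get("group", ""))
    # The page's two conditions: userId contains "*" or group has "all"
    # (KQL `has` is a case-insensitive term match, approximated here).
    if "*" in user_id or group.lower() == "all":
        return "public_share"
    # Added extension: a specific account outside the assumed allowlist.
    if user_id and user_id not in known_accounts:
        return "unknown_external_account"
    return None


def detect(events, known_accounts=KNOWN_ACCOUNT_IDS):
    """Run the detection over a list of CloudTrail records and return findings."""
    findings = []
    for ev in events:
        for item in permission_items(ev):
            reason = classify_item(item, known_accounts)
            if reason is None:
                continue
            findings.append({
                "eventTime": ev.get("eventTime"),
                "actor": (ev.get("userIdentity") or {}).get("arn"),
                "sourceIp": ev.get("sourceIPAddress"),
                "snapshotId": _request_parameters(ev).get("snapshotId"),
                "sharedWith": item.get("group") or item.get("userId"),
                "reason": reason,
                # Kept, as the query keeps ErrorCode, so denied attempts can be
                # told apart from successful shares.
                "errorCode": ev.get("errorCode"),
            })
    return findings


def _record(event_name, params, error_code=None):
    """Build a constructed CloudTrail record with requestParameters as a JSON string."""
    return {
        "eventName": event_name,
        "eventSource": "ec2.amazonaws.com",
        "eventTime": "2024-02-12T10:00:00Z",
        "recipientAccountId": "111111111111",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
        "sourceIPAddress": "203.0.113.10",
        "errorCode": error_code,
        "requestParameters": json.dumps(params),
    }


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # 1. Snapshot made public via group=all -> finding
    _record("ModifySnapshotAttribute", {"snapshotId": "snap-0aaaaaaaaaaaaaaaa",
            "attributeType": "CREATE_VOLUME_PERMISSION",
            "createVolumePermission": {"add": {"items": [{"group": "all"}]}}}),
    # 2. Shared with an allowlisted account -> no finding
    _record("ModifySnapshotAttribute", {"snapshotId": "snap-0bbbbbbbbbbbbbbbb",
            "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}}),
    # 3. Shared with an account outside the allowlist, call denied -> finding (extension)
    _record("ModifySnapshotAttribute", {"snapshotId": "snap-0ccccccccccccccccc",
            "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}},
            error_code="Client.UnauthorizedOperation"),
    # 4. Permission removal, not an add -> no finding
    _record("ModifySnapshotAttribute", {"snapshotId": "snap-0ddddddddddddddddd",
            "createVolumePermission": {"remove": {"items": [{"group": "all"}]}}}),
    # 5. Unrelated event -> no finding
    _record("DescribeSnapshots", {"snapshotSet": {"items": []}}),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Because the allowlist check is an addition, a site that wants only the page's behaviour can pass an empty set of known accounts and ignore the "unknown_external_account" reason; the "public_share" findings are exactly the rows the KQL query returns.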

Jose Sebastián Canós
Released: February 12, 2024