Detect Create Snapshot in Microsoft Sentinel
Adversaries may create a snapshot or data backup within a cloud account to evade defenses and gain access to restricted compute infrastructure. A snapshot is a point-in-time copy of a cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. After creating a snapshot, an adversary can create a new cloud instance, mount the snapshot to it, and apply permissive policies (such as firewall rules allowing SSH/RDP) that bypass restrictions enforced on the original resource. This allows access to data and configurations on the original volume without triggering alerts tied to direct access of the live instance. The Pacu AWS exploitation framework includes modules to enumerate and create EBS snapshots and RDS snapshots. Snapshot creation may also precede cross-account sharing, where the adversary modifies snapshot attributes to share it with an attacker-controlled AWS account for offline analysis.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Sub-technique
- T1578.001 Create Snapshot
- Canonical reference
- https://attack.mitre.org/techniques/T1578/001/
KQL Detection Query
// Detect suspicious cloud snapshot creation and sharing across Azure (AzureActivity) and AWS (AWSCloudTrail)
let LookbackWindow = 24h;
let BulkThreshold = 5;
// --- Azure: Snapshot creation via Resource Manager ---
let AzureSnapshots = AzureActivity
| where TimeGenerated > ago(LookbackWindow)
| where OperationNameValue =~ "MICROSOFT.COMPUTE/SNAPSHOTS/WRITE"
| where ActivityStatusValue =~ "Succeeded"
| extend SnapshotName = tostring(split(ResourceId, "/")[-1])
| extend SubscriptionId = tostring(split(ResourceId, "/")[2])
| extend ResourceGroupName = tostring(split(ResourceId, "/")[4])
| project TimeGenerated, CloudProvider="Azure",
Caller, CallerIpAddress,
ResourceId, SnapshotName, ResourceGroupName, SubscriptionId,
OperationName=OperationNameValue,
IsExternalShare=false;
// --- AWS: Snapshot creation and sharing via CloudTrail ---
let AWSSnapshots = AWSCloudTrail
| where TimeGenerated > ago(LookbackWindow)
| where EventName in ("CreateSnapshot", "CopySnapshot", "CreateDBSnapshot",
"CreateDBClusterSnapshot", "ModifySnapshotAttribute",
"ModifyDBSnapshotAttribute")
| extend SourceVolumeId = tostring(parse_json(RequestParameters).volumeId)
| extend SnapshotId = tostring(parse_json(ResponseElements).snapshotId)
| extend IsExternalShare = (EventName == "ModifySnapshotAttribute" and
tostring(parse_json(RequestParameters).attributeType) == "createVolumePermission")
| project TimeGenerated, CloudProvider="AWS",
Caller=UserIdentityArn, CallerIpAddress=SourceIpAddress,
ResourceId=coalesce(SnapshotId, SourceVolumeId),
SnapshotName=coalesce(SnapshotId, EventName),
ResourceGroupName="", SubscriptionId=RecipientAccountId,
OperationName=EventName, IsExternalShare;
// --- Combine and enrich ---
union AzureSnapshots, AWSSnapshots
| extend HourOfDay = hourofday(TimeGenerated)
| extend IsOffHours = (HourOfDay < 7 or HourOfDay > 19)
| extend IsWeekend = (dayofweek(TimeGenerated) == 0d or dayofweek(TimeGenerated) == 6d)
| summarize SnapshotCount=count(),
FirstEvent=min(TimeGenerated),
LastEvent=max(TimeGenerated),
Operations=make_set(OperationName),
SnapshotNames=make_set(SnapshotName, 10),
SourceIPs=make_set(CallerIpAddress),
ExternalShareCount=countif(IsExternalShare == true),
OffHoursCount=countif(IsOffHours == true)
by Caller, CloudProvider, SubscriptionId
| extend SuspicionScore = case(
ExternalShareCount > 0, 3,
SnapshotCount > BulkThreshold and OffHoursCount > 0, 3,
SnapshotCount > BulkThreshold, 2,
OffHoursCount > 0, 1,
1)
| where SnapshotCount > 1 or ExternalShareCount > 0
| project FirstEvent, LastEvent, CloudProvider, Caller, SourceIPs,
SnapshotCount, ExternalShareCount, OffHoursCount,
Operations, SnapshotNames, SubscriptionId, SuspicionScore
| sort by SuspicionScore desc, SnapshotCount descDetects suspicious cloud snapshot creation and cross-account sharing across Azure (via AzureActivity) and AWS (via AWSCloudTrail). Identifies bulk snapshot creation, off-hours activity, and the high-confidence signal of ModifySnapshotAttribute events that share snapshots with external AWS accounts — a key indicator of the attacker-controlled account exfiltration pattern. Assigns a suspicion score to prioritize analyst review. Requires AWS CloudTrail connector and Azure Activity Logs connector in Microsoft Sentinel.
Data Sources
Required Tables
False Positives & Tuning
- Automated backup solutions (AWS Backup, Azure Backup, third-party tools like Veeam) running scheduled snapshot jobs — these will appear as bulk creation from service principals or IAM roles
- Disaster recovery and business continuity operations where admins create snapshots before major maintenance windows, often outside business hours
- DevOps pipelines using Infrastructure-as-Code (Terraform, CloudFormation, Pulumi) that create and destroy snapshots as part of environment provisioning
- Cloud-native services such as AWS Data Lifecycle Manager or Azure Disk Snapshot policies that automate snapshot rotation at scale
- Cross-account sharing for legitimate DR scenarios where snapshots are replicated to a dedicated recovery AWS account
Other platforms for T1578.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS EBS Snapshot Creation via CLI
Expected signal: AWS CloudTrail: EventName=CreateSnapshot, EventSource=ec2.amazonaws.com, RequestParameters.volumeId=vol-0123456789abcdef0, ResponseElements.snapshotId=snap-<generated>. UserIdentityArn will reflect the IAM principal used. SourceIPAddress will show the originating IP of the CLI call. RecipientAccountId will show the AWS account number.
- Test 2AWS Snapshot Cross-Account Share (External Exfiltration Simulation)
Expected signal: AWS CloudTrail: EventName=ModifySnapshotAttribute, EventSource=ec2.amazonaws.com, RequestParameters.attributeType=createVolumePermission, RequestParameters.operationType=add, RequestParameters.createVolumePermission.add.items[0].userId=123456789012. The event is logged even if the call returns an error response.
- Test 3Azure Disk Snapshot Creation via CLI
Expected signal: Azure Activity Log: OperationNameValue=MICROSOFT.COMPUTE/SNAPSHOTS/WRITE, ActivityStatusValue=Succeeded, ResourceId contains /snapshots/df00tech-atomictest-T1578001. Caller will reflect the authenticated Azure principal (user UPN or service principal object ID). CallerIpAddress will show the source IP of the az CLI call.
- Test 4Pacu AWS Exploitation Framework Snapshot Enumeration and Creation
Expected signal: AWS CloudTrail: Multiple DescribeSnapshots API calls from the Pacu session, EventSource=ec2.amazonaws.com. UserAgent field will contain 'python-requests' or 'Boto3' and may contain 'Pacu'. If the session escalates to creation, CreateSnapshot events will appear. Source IP will match the host running Pacu.
References (12)
- https://attack.mitre.org/techniques/T1578/001/
- https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
- https://github.com/RhinoSecurityLabs/pacu
- https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSnapshot.html
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html
- https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
- https://cloud.google.com/compute/docs/instances/create-start-instance
- https://cloud.google.com/logging/docs/audit#admin-activity
- https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
Unlock Pro Content
Get the full detection package for T1578.001 including response playbook, investigation guide, and atomic red team tests.