T1578.001 Splunk · SPL

Detect Create Snapshot in Splunk

Adversaries may create a snapshot or data backup within a cloud account to evade defenses and gain access to restricted compute infrastructure. A snapshot is a point-in-time copy of a cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. After creating a snapshot, an adversary can create a new cloud instance, mount the snapshot to it, and apply permissive policies (such as firewall rules allowing SSH/RDP) that bypass restrictions enforced on the original resource. This allows access to data and configurations on the original volume without triggering alerts tied to direct access of the live instance. The Pacu AWS exploitation framework includes modules to enumerate and create EBS snapshots and RDS snapshots. Snapshot creation may also precede cross-account sharing, where the adversary modifies snapshot attributes to share it with an attacker-controlled AWS account for offline analysis.

MITRE ATT&CK

  • Tactic: Defense Evasion
  • Technique: T1578 Modify Cloud Compute Infrastructure
  • Sub-technique: T1578.001 Create Snapshot
  • Canonical reference: https://attack.mitre.org/techniques/T1578/001/

SPL Detection Query

Splunk (SPL)

index=cloud (sourcetype="aws:cloudtrail" OR sourcetype="azure:monitor:activity")
(
  (sourcetype="aws:cloudtrail"
   (eventName="CreateSnapshot" OR eventName="CopySnapshot" OR eventName="CreateDBSnapshot"
    OR eventName="CreateDBClusterSnapshot" OR eventName="ModifySnapshotAttribute"
    OR eventName="ModifyDBSnapshotAttribute")
  )
  OR
  (sourcetype="azure:monitor:activity"
   operationName="MICROSOFT.COMPUTE/SNAPSHOTS/WRITE" status="Succeeded"
  )
)
| eval CloudProvider=if(sourcetype="aws:cloudtrail", "AWS", "Azure")
| eval Caller=coalesce('userIdentity.arn', caller)
| eval CallerIP=coalesce(sourceIPAddress, callerIpAddress)
| eval Operation=coalesce(eventName, operationName)
| eval ResourceRef=coalesce('requestParameters.volumeId', 'requestParameters.snapshotId', resourceId)
| eval IsExternalShare=if(
    Operation="ModifySnapshotAttribute" AND 'requestParameters.attributeType'="createVolumePermission",
    1, 0)
| eval HourOfDay=tonumber(strftime(_time, "%H"))
| eval IsOffHours=if(HourOfDay < 7 OR HourOfDay > 19, 1, 0)
| eval DayOfWeek=strftime(_time, "%w")
| eval IsWeekend=if(DayOfWeek="0" OR DayOfWeek="6", 1, 0)
| stats count as SnapshotCount,
        earliest(_time) as FirstEvent,
        latest(_time) as LastEvent,
        values(Operation) as Operations,
        values(ResourceRef) as Resources,
        dc(CallerIP) as UniqueSourceIPs,
        sum(IsExternalShare) as ExternalShareCount,
        sum(IsOffHours) as OffHoursCount,
        sum(IsWeekend) as WeekendCount
        by Caller, CloudProvider
| eval SuspicionScore=case(
    ExternalShareCount > 0, 3,
    SnapshotCount > 5 AND OffHoursCount > 0, 3,
    SnapshotCount > 5, 2,
    OffHoursCount > 0, 1,
    true(), 1)
| where SnapshotCount > 1 OR ExternalShareCount > 0
| eval FirstEvent=strftime(FirstEvent, "%Y-%m-%d %H:%M:%S")
| eval LastEvent=strftime(LastEvent, "%Y-%m-%d %H:%M:%S")
| table FirstEvent, LastEvent, CloudProvider, Caller, SnapshotCount,
        ExternalShareCount, OffHoursCount, WeekendCount, UniqueSourceIPs,
        Operations, Resources, SuspicionScore
| sort -SuspicionScore, -SnapshotCount

Severity: high · Confidence: medium

Detects suspicious cloud snapshot creation and external sharing across AWS CloudTrail and Azure Activity Logs. Aggregates snapshot operations by caller identity, flags off-hours activity, bulk creation, and high-severity ModifySnapshotAttribute cross-account sharing events. The suspicion score helps SOC analysts prioritize alerts. Requires cloud log ingestion into a unified index.
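To check the scoring logic offline before deploying the query, here is an added Python example (not part of the original page or its Splunk query) that applies the same field normalisation, per-caller aggregation and case() ladder to constructed CloudTrail and Azure Activity records; the event values, ARNs and IPs are made up for illustration.

```python
from datetime import datetime

# Constructed sample events (not real telemetry): one IAM user creates a snapshot and shares it
# at 02:15 UTC; a backup service principal performs a routine Azure snapshot write at 10:00 UTC.
SAMPLE_EVENTS = [
    {"sourcetype": "aws:cloudtrail", "eventTime": "2024-05-14T02:15:00Z", "eventName": "CreateSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"volumeId": "vol-0123456789abcdef0"}},
    {"sourcetype": "aws:cloudtrail", "eventTime": "2024-05-14T02:20:00Z", "eventName": "ModifySnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"snapshotId": "snap-0aaaaaaaaaaaaaaaa", "attributeType": "createVolumePermission"}},
    {"sourcetype": "azure:monitor:activity", "eventTime": "2024-05-14T10:00:00Z", "status": "Succeeded",
     "operationName": "MICROSOFT.COMPUTE/SNAPSHOTS/WRITE", "caller": "backup-sp@example.com",
     "callerIpAddress": "203.0.113.9", "resourceId": "/subscriptions/s/resourceGroups/rg/snapshots/daily"},
]

def normalize(ev):
    """Mirror the SPL eval block: map AWS and Azure records onto one schema."""
    aws = ev["sourcetype"] == "aws:cloudtrail"
    t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    op = ev.get("eventName") if aws else ev.get("operationName")
    params = ev.get("requestParameters", {})
    return {"provider": "AWS" if aws else "Azure",
            "caller": ev.get("userIdentity", {}).get("arn") if aws else ev.get("caller"),
            "ip": ev.get("sourceIPAddress") if aws else ev.get("callerIpAddress"),
            "operation": op,
            # createVolumePermission on ModifySnapshotAttribute = snapshot shared to another account
            "external_share": op == "ModifySnapshotAttribute" and params.get("attributeType") == "createVolumePermission",
            "off_hours": t.hour < 7 or t.hour > 19}  # same window as the SPL IsOffHours eval

def suspicion_score(snapshots, external_shares, off_hours):
    """Same case() ladder as the SPL query (3 = highest)."""
    if external_shares > 0 or (snapshots > 5 and off_hours > 0):
        return 3
    return 2 if snapshots > 5 else 1

def aggregate(events):
    """stats ... by Caller, CloudProvider, then the where-filter and the sort."""
    groups = {}
    for n in map(normalize, events):
        g = groups.setdefault((n["caller"], n["provider"]),
                              {"SnapshotCount": 0, "ExternalShareCount": 0, "OffHoursCount": 0})
        g["SnapshotCount"] += 1
        g["ExternalShareCount"] += int(n["external_share"])
        g["OffHoursCount"] += int(n["off_hours"])
    rows = [dict(Caller=c, CloudProvider=p, **g, SuspicionScore=suspicion_score(
                g["SnapshotCount"], g["ExternalShareCount"], g["OffHoursCount"]))
            for (c, p), g in groups.items() if g["SnapshotCount"] > 1 or g["ExternalShareCount"] > 0]
    return sorted(rows, key=lambda r: (-r["SuspicionScore"], -r["SnapshotCount"]))
```

Running `aggregate(SAMPLE_EVENTS)` returns only the AWS user (two events, one external share, score 3); the single routine Azure write falls below the `SnapshotCount > 1` threshold, as it would in the SPL.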

Data Sources

  • Cloud Service: Cloud Service Modification
  • AWS CloudTrail
  • Azure Monitor Activity Logs

Required Sourcetypes

  • aws:cloudtrail
  • azure:monitor:activity

False Positives & Tuning

  • Automated backup solutions running scheduled snapshot jobs from known service accounts or IAM roles
  • DevOps pipelines creating snapshots as part of environment provisioning or golden image workflows
  • Legitimate DR cross-account snapshot sharing to a designated recovery account
  • Cloud-native lifecycle management policies (AWS DLM, Azure snapshot policies) creating routine snapshots at scale
  • Migration projects where large numbers of snapshots are created during a data center exit or cloud adoption sprint

Testing Methodology

Validate this detection against the 4 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see in the logs.

  1. Test 1: AWS EBS Snapshot Creation via CLI

    Expected signal: AWS CloudTrail: EventName=CreateSnapshot, EventSource=ec2.amazonaws.com, RequestParameters.volumeId=vol-0123456789abcdef0, ResponseElements.snapshotId=snap-<generated>. UserIdentityArn will reflect the IAM principal used. SourceIPAddress will show the originating IP of the CLI call. RecipientAccountId will show the AWS account number.

  2. Test 2: AWS Snapshot Cross-Account Share (External Exfiltration Simulation)

    Expected signal: AWS CloudTrail: EventName=ModifySnapshotAttribute, EventSource=ec2.amazonaws.com, RequestParameters.attributeType=createVolumePermission, RequestParameters.operationType=add, RequestParameters.createVolumePermission.add.items[0].userId=123456789012. The event is logged even if the call returns an error response.

  3. Test 3: Azure Disk Snapshot Creation via CLI

    Expected signal: Azure Activity Log: OperationNameValue=MICROSOFT.COMPUTE/SNAPSHOTS/WRITE, ActivityStatusValue=Succeeded, ResourceId contains /snapshots/df00tech-atomictest-T1578001. Caller will reflect the authenticated Azure principal (user UPN or service principal object ID). CallerIpAddress will show the source IP of the az CLI call.

  4. Test 4: Pacu AWS Exploitation Framework Snapshot Enumeration and Creation

    Expected signal: AWS CloudTrail: Multiple DescribeSnapshots API calls from the Pacu session, EventSource=ec2.amazonaws.com. UserAgent field will contain 'python-requests' or 'Boto3' and may contain 'Pacu'. If the session escalates to creation, CreateSnapshot events will appear. Source IP will match the host running Pacu.
