Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-CloudControlPlane-CrossAccountExfil.
Upgrade to ProTransfer Data to Cloud Account — Cloud-Native Data Exfiltration via Cross-Account Resource Sharing
Adversaries with cloud administrative access can exfiltrate data without ever touching an endpoint agent or crossing a monitored network egress point, by using the cloud provider's own control plane to grant an attacker-controlled account read access to victim data. Common patterns include modifying an S3 bucket policy or ACL to grant access to an external AWS account (or to 'AllUsers'), sharing an EBS or RDS snapshot with an external account ID via ModifySnapshotAttribute/ModifyDBSnapshotAttribute, and granting AMI launch permissions to an external account via ModifyImageAttribute. Because the resulting data transfer happens entirely within the cloud provider's backbone between the victim account and the attacker's own account, it never appears in DeviceNetworkEvents, proxy logs, or DLP tooling — the only telemetry is the management-plane API call itself, recorded in AWS CloudTrail (or the equivalent Azure Activity Log / GCP Admin Activity log). Scattered Spider has been observed enumerating and exporting cloud snapshots and VM images during intrusions to stage data outside victim-controlled infrastructure; LAPSUS$ operators have similarly abused overly permissive cloud IAM access to copy source repositories and storage buckets to attacker-owned tenants. Detection must live in cloud audit-log telemetry rather than host or network telemetry, and hinges on distinguishing grants to known organizational account IDs (legitimate cross-account architectures, DR replication) from grants to unrecognized account IDs or public principals.
What is THREAT-CloudControlPlane-CrossAccountExfil Cloud-Native Data Exfiltration via Cross-Account Resource Sharing?
Cloud-Native Data Exfiltration via Cross-Account Resource Sharing (THREAT-CloudControlPlane-CrossAccountExfil) is a sub-technique of Transfer Data to Cloud Account (T1537) in the MITRE ATT&CK framework. It maps to the Exfiltration tactic — the adversary is trying to steal data.
This page provides production-ready detection logic for Cloud-Native Data Exfiltration via Cross-Account Resource Sharing, covering the data sources and telemetry it touches: AWS CloudTrail (management events, ingested via Microsoft Sentinel AWS S3 connector), AWSCloudTrail table. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic
- Exfiltration
// THREAT: Cloud-native cross-account data exfiltration (T1537)
// Requires AWS CloudTrail ingested into the AWSCloudTrail table (AWS S3 connector)
let LookbackWindow = 24h;
let KnownOrgAccountIds = dynamic(["<YOUR_AWS_ACCOUNT_IDS>"]); // populate with every legitimate AWS account ID in your organization
// Alert 1: S3 bucket policy/ACL modified to grant public or external-account access
let S3PolicyExposure = AWSCloudTrail
| where TimeGenerated > ago(LookbackWindow)
| where EventSource == "s3.amazonaws.com"
| where EventName in ("PutBucketPolicy", "PutBucketAcl")
| where ErrorCode == "" or isempty(ErrorCode)
| extend PolicyText = tostring(RequestParameters)
| extend GrantsPublic = PolicyText has_any ("\"Principal\":\"*\"", "AllUsers", "\"AWS\":\"*\"")
| extend HasExternalAccountArn = PolicyText matches regex @"arn:aws:iam::\d{12}:"
| extend IsKnownOrgAccount = PolicyText has_any (KnownOrgAccountIds)
| where GrantsPublic or (HasExternalAccountArn and not(IsKnownOrgAccount))
| project TimeGenerated, EventName, UserIdentityArn, SourceIpAddress, AWSRegion, RecipientAccountId, GrantsPublic, PolicyText
| extend ThreatType = "S3_CrossAccount_PolicyExposure"
| extend RiskScore = iff(GrantsPublic, 95, 85);
// Alert 2: EBS/RDS snapshot or AMI shared with an external account
let SnapshotSharing = AWSCloudTrail
| where TimeGenerated > ago(LookbackWindow)
| where EventSource in ("ec2.amazonaws.com", "rds.amazonaws.com")
| where EventName in ("ModifySnapshotAttribute", "ModifyDBSnapshotAttribute", "ModifyImageAttribute")
| where ErrorCode == "" or isempty(ErrorCode)
| extend ParamsText = tostring(RequestParameters)
| extend GrantsPublic = ParamsText has_any ("\"group\":\"all\"", "all-groups", "AllUsers")
| extend HasExternalAccountId = ParamsText matches regex @"\d{12}"
| extend IsKnownOrgAccount = ParamsText has_any (KnownOrgAccountIds)
| where GrantsPublic or (HasExternalAccountId and not(IsKnownOrgAccount))
| project TimeGenerated, EventName, UserIdentityArn, SourceIpAddress, AWSRegion, RecipientAccountId, GrantsPublic, ParamsText
| extend ThreatType = case(
EventName == "ModifyImageAttribute", "AMI_CrossAccount_Share",
EventName == "ModifyDBSnapshotAttribute", "RDSSnapshot_CrossAccount_Share",
"EBSSnapshot_CrossAccount_Share")
| extend RiskScore = iff(GrantsPublic, 95, 80);
union S3PolicyExposure, SnapshotSharing
| sort by RiskScore desc, TimeGenerated desc Two-vector detection over AWS CloudTrail management events: (1) S3 bucket policy or ACL changes that grant public access or reference an AWS account ID outside the organization's known account allowlist; (2) EBS snapshot, RDS snapshot, or AMI permission modifications that add a public grant or an external account ID as a permitted restorer/launcher. Both vectors are classic cloud-to-cloud exfiltration primitives that leave no network or endpoint telemetry, only a control-plane audit record.
Data Sources
Required Tables
False Positives
- Legitimate disaster-recovery or multi-account architectures that replicate S3 buckets or share AMIs/snapshots to sibling accounts within the same organization but outside the configured KnownOrgAccountIds allowlist — keep the allowlist current via AWS Organizations account inventory
- Marketplace AMI publishing workflows that intentionally call ModifyImageAttribute with public launch permissions
- Public static-website S3 buckets that legitimately carry a public-read bucket policy (should be tagged and excluded by bucket name)
- Managed service providers sharing snapshots with a customer's separate but authorized AWS account for migration or backup purposes
Sigma rule & cross-platform mapping
The detection logic for Cloud-Native Data Exfiltration via Cross-Account Resource Sharing (THREAT-CloudControlPlane-CrossAccountExfil) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
product: windows Browse the community-maintained Sigma rules for this technique:
Platform-specific guides for THREAT-CloudControlPlane-CrossAccountExfil
Testing Methodology
Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate S3 Bucket Policy Exposure to External Account
Expected signal: AWS CloudTrail management event: eventName=PutBucketPolicy, eventSource=s3.amazonaws.com, requestParameters containing the external account ARN 999999999999 and Principal grant.
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-CloudControlPlane-CrossAccountExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month