Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-CloudControlPlane-CrossAccountExfil.

Upgrade to Pro
THREAT-CloudControlPlane-CrossAccountExfil Google Chronicle · YARA-L

Detect Cloud-Native Data Exfiltration via Cross-Account Resource Sharing in Google Chronicle

Adversaries with cloud administrative access can exfiltrate data without ever touching an endpoint agent or crossing a monitored network egress point, by using the cloud provider's own control plane to grant an attacker-controlled account read access to victim data. Common patterns include modifying an S3 bucket policy or ACL to grant access to an external AWS account (or to 'AllUsers'), sharing an EBS or RDS snapshot with an external account ID via ModifySnapshotAttribute/ModifyDBSnapshotAttribute, and granting AMI launch permissions to an external account via ModifyImageAttribute. Because the resulting data transfer happens entirely within the cloud provider's backbone between the victim account and the attacker's own account, it never appears in DeviceNetworkEvents, proxy logs, or DLP tooling — the only telemetry is the management-plane API call itself, recorded in AWS CloudTrail (or the equivalent Azure Activity Log / GCP Admin Activity log). Scattered Spider has been observed enumerating and exporting cloud snapshots and VM images during intrusions to stage data outside victim-controlled infrastructure; LAPSUS$ operators have similarly abused overly permissive cloud IAM access to copy source repositories and storage buckets to attacker-owned tenants. Detection must live in cloud audit-log telemetry rather than host or network telemetry, and hinges on distinguishing grants to known organizational account IDs (legitimate cross-account architectures, DR replication) from grants to unrecognized account IDs or public principals.

MITRE ATT&CK

Tactic
Exfiltration

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral
rule cloud_cross_account_resource_sharing {
  meta:
    author = "df00tech"
    description = "Detects AWS cross-account resource permission grants (S3 bucket policy/ACL, EBS/RDS snapshot sharing, AMI launch permissions) consistent with T1537 Transfer Data to Cloud Account"
    severity = "HIGH"
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1537"
    threat_actors = "Scattered Spider, LAPSUS$"
    reference = "https://attack.mitre.org/techniques/T1537/"

  events:
    $e.metadata.event_type = "USER_RESOURCE_UPDATE_PERMISSIONS"
    $e.metadata.vendor_name = "Amazon"
    re.regex($e.metadata.product_event_type, `(?i)(PutBucketPolicy|PutBucketAcl|ModifySnapshotAttribute|ModifyDBSnapshotAttribute|ModifyImageAttribute)`)
    (
      re.regex($e.metadata.description, `(?i)(AllUsers|"Principal":"\*"|"group":"all")`)
      or re.regex($e.metadata.description, `arn:aws:iam::\d{12}:`)
    )
    $principal = $e.principal.user.userid

  match:
    $principal over 15m

  condition:
    $e
}
high severity medium confidence

Chronicle YARA-L 2.0 rule matching USER_RESOURCE_UPDATE_PERMISSIONS UDM events sourced from AWS CloudTrail. Fires when an S3 bucket policy/ACL change or an EBS/RDS snapshot/AMI permission change grants public access or references an external AWS account ARN, grouped by the calling principal over a 15-minute window to surface scripted, multi-resource sharing campaigns.

Data Sources

Google Chronicle SIEMChronicle UDM (Unified Data Model)AWS CloudTrail (via Chronicle AWS feed)

Required Tables

UDM Events (USER_RESOURCE_UPDATE_PERMISSIONS)

False Positives & Tuning

  • Approved cross-account DR/replication automation targeting a sibling account not yet added to the organization allowlist — maintain a Chronicle reference list of authorized destination account IDs and exclude matching grants
  • AMI Marketplace publishing service accounts that intentionally set public launch permissions — exclude by principal.user.userid matching the known publishing automation identity

Other platforms for THREAT-CloudControlPlane-CrossAccountExfil


Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate S3 Bucket Policy Exposure to External Account

    Expected signal: AWS CloudTrail management event: eventName=PutBucketPolicy, eventSource=s3.amazonaws.com, requestParameters containing the external account ARN 999999999999 and Principal grant.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-CloudControlPlane-CrossAccountExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections