Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-CloudControlPlane-CrossAccountExfil.
Upgrade to ProDetect Cloud-Native Data Exfiltration via Cross-Account Resource Sharing in IBM QRadar
Adversaries with cloud administrative access can exfiltrate data without ever touching an endpoint agent or crossing a monitored network egress point, by using the cloud provider's own control plane to grant an attacker-controlled account read access to victim data. Common patterns include modifying an S3 bucket policy or ACL to grant access to an external AWS account (or to 'AllUsers'), sharing an EBS or RDS snapshot with an external account ID via ModifySnapshotAttribute/ModifyDBSnapshotAttribute, and granting AMI launch permissions to an external account via ModifyImageAttribute. Because the resulting data transfer happens entirely within the cloud provider's backbone between the victim account and the attacker's own account, it never appears in DeviceNetworkEvents, proxy logs, or DLP tooling — the only telemetry is the management-plane API call itself, recorded in AWS CloudTrail (or the equivalent Azure Activity Log / GCP Admin Activity log). Scattered Spider has been observed enumerating and exporting cloud snapshots and VM images during intrusions to stage data outside victim-controlled infrastructure; LAPSUS$ operators have similarly abused overly permissive cloud IAM access to copy source repositories and storage buckets to attacker-owned tenants. Detection must live in cloud audit-log telemetry rather than host or network telemetry, and hinges on distinguishing grants to known organizational account IDs (legitimate cross-account architectures, DR replication) from grants to unrecognized account IDs or public principals.
MITRE ATT&CK
- Tactic
- Exfiltration
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
"Event Name" AS EventName,
"Event Source" AS EventSource,
"User Identity ARN" AS CallerArn,
"Source IP Address" AS SourceIP,
"AWS Region" AS Region,
"Recipient Account Id" AS RecipientAccountId,
CASE
WHEN LOWER("Request Parameters") LIKE '%"principal":"*"%' OR LOWER("Request Parameters") LIKE '%allusers%' THEN 95
ELSE 80
END AS RiskScore,
CASE
WHEN "Event Name" IN ('PutBucketPolicy','PutBucketAcl') THEN 'S3_CrossAccount_PolicyExposure'
WHEN "Event Name" = 'ModifyImageAttribute' THEN 'AMI_CrossAccount_Share'
WHEN "Event Name" = 'ModifyDBSnapshotAttribute' THEN 'RDSSnapshot_CrossAccount_Share'
WHEN "Event Name" = 'ModifySnapshotAttribute' THEN 'EBSSnapshot_CrossAccount_Share'
ELSE 'Unknown'
END AS ThreatType
FROM events
WHERE LOGSOURCETYPENAME(logsourceid) = 'Amazon AWS CloudTrail'
AND (
("Event Source" = 's3.amazonaws.com' AND "Event Name" IN ('PutBucketPolicy','PutBucketAcl'))
OR
("Event Source" IN ('ec2.amazonaws.com','rds.amazonaws.com') AND "Event Name" IN ('ModifySnapshotAttribute','ModifyDBSnapshotAttribute','ModifyImageAttribute'))
)
AND (
LOWER("Request Parameters") LIKE '%"principal":"*"%'
OR LOWER("Request Parameters") LIKE '%allusers%'
OR LOWER("Request Parameters") LIKE '%"group":"all"%'
OR (LOWER("Request Parameters") LIKE '%arn:aws:iam::%' AND LOWER("Request Parameters") NOT LIKE '%<YOUR_ORG_ACCOUNT_ID>%')
)
AND starttime > NOW() - 86400000
ORDER BY RiskScore DESC, starttime DESC
LIMIT 500 QRadar AQL query detecting cross-account cloud resource exposure from an AWS CloudTrail log source. Flags S3 bucket policy/ACL changes and EBS/RDS snapshot or AMI permission changes that grant public access or reference an external AWS account ARN not present in the organization's known account ID. Requires a CloudTrail DSM or Universal DSM extracting 'Event Name', 'Event Source', 'User Identity ARN', and 'Request Parameters' as custom event properties.
Data Sources
Required Tables
False Positives & Tuning
- Approved multi-account replication or DR configurations targeting a sibling AWS account not yet added to the QRadar reference set of known organization account IDs
- AMI Marketplace publishing pipelines that intentionally set public launch permissions — suppress via a QRadar reference set of approved publishing service account usernames
Other platforms for THREAT-CloudControlPlane-CrossAccountExfil
Testing Methodology
Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate S3 Bucket Policy Exposure to External Account
Expected signal: AWS CloudTrail management event: eventName=PutBucketPolicy, eventSource=s3.amazonaws.com, requestParameters containing the external account ARN 999999999999 and Principal grant.
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-CloudControlPlane-CrossAccountExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month