AWS EC2 export task was initiated in an anomalous way

ID: aws_ec2_export_task_anomaly
Data type: AWS CloudTrail
Severity: Low - Medium
MITRE ATT&CK: TA0010:T1567.002

Description

AlphaSOC detected the initiation of an AWS EC2 export task. This operation exports Amazon EC2 instance data to an S3 bucket as a virtual machine image file, and threat actors can abuse it to exfiltrate sensitive data or entire virtual machine images from the AWS environment. Actions initiated by AWS services, as well as export task initiation attempts, are exempt from the detection to avoid false positives.

Impact

An unauthorized EC2 export task can result in significant data exposure, allowing threat actors to exfiltrate entire virtual machine images, including sensitive data, configurations, and credentials. This could lead to theft of intellectual property, exposure of customer data, or provide attackers with detailed infrastructure information for further attacks.

Severity

Severity   Condition
Low        Anomalous EC2 export task initiation
Medium     EC2 export task initiated to an unknown S3 bucket
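As an added illustration of the exemptions in the Description and the severity conditions above (example code, not AlphaSOC's own detection), the toy detector below classifies constructed CloudTrail records. It assumes the export is the CreateInstanceExportTask EC2 API call and that each record carries userIdentity.type, errorCode and requestParameters.exportToS3.s3Bucket; the "anomalous" condition is reduced to a baseline of actors and buckets seen in earlier exports.

```python
def classify(event, known_actors, known_buckets):
    """Severity for one CloudTrail record: 'low', 'medium' or None (no alert)."""
    if event.get("eventName") != "CreateInstanceExportTask":
        return None
    ident = event.get("userIdentity", {})
    # Exempt: actions an AWS service performs on the account's behalf.
    if ident.get("type") == "AWSService":
        return None
    # Exempt: initiation attempts that failed (CloudTrail sets errorCode).
    if event.get("errorCode"):
        return None
    actor = ident.get("arn", "")
    bucket = event.get("requestParameters", {}).get("exportToS3", {}).get("s3Bucket")
    if bucket and bucket not in known_buckets:
        return "medium"          # export aimed at a bucket never seen before
    if actor not in known_actors:
        return "low"             # known bucket, but an actor who never exported
    return None                  # matches the baseline: routine activity

def scan(records, known_actors, known_buckets):
    """Run classify() over a batch; returns [(eventID, severity, bucket)]."""
    hits = []
    for ev in records:
        sev = classify(ev, known_actors, known_buckets)
        if sev:
            bucket = ev["requestParameters"]["exportToS3"]["s3Bucket"]
            hits.append((ev["eventID"], sev, bucket))
    return hits

def _ev(eid, arn, bucket, itype="IAMUser", error=None):
    """Build a constructed, minimal CloudTrail record (assumed layout, not a capture)."""
    rec = {"eventID": eid, "eventName": "CreateInstanceExportTask",
           "userIdentity": {"type": itype, "arn": arn},
           "requestParameters": {"instanceId": "i-0123456789abcdef0",
                                 "exportToS3": {"s3Bucket": bucket}}}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed baseline and sample batch: account id, users and buckets are made up.
BASELINE_ACTORS = {"arn:aws:iam::111122223333:user/backup-ops"}
BASELINE_BUCKETS = {"vm-exports-prod"}
SAMPLE = [
    _ev("e1", "arn:aws:iam::111122223333:user/backup-ops", "vm-exports-prod"),
    _ev("e2", "arn:aws:iam::111122223333:user/dev-temp", "vm-exports-prod"),
    _ev("e3", "arn:aws:iam::111122223333:user/dev-temp", "drop-zone-9f2"),
    _ev("e4", "arn:aws:iam::111122223333:user/dev-temp", "drop-zone-9f2", error="Client.UnauthorizedOperation"),
    _ev("e5", "config.amazonaws.com", "vm-exports-prod", itype="AWSService"),
]
```

Running `scan(SAMPLE, BASELINE_ACTORS, BASELINE_BUCKETS)` flags e2 as Low (routine bucket, first-time actor) and e3 as Medium (unknown bucket), while the baseline match, the failed attempt and the AWS-service action produce no alert.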

Investigation and Remediation

Investigate the legitimacy of the EC2 export task by verifying with the system administrators if this was a planned activity. If unauthorized, immediately cancel the export task and revoke the permissions of the compromised account. Analyze the targeted EC2 instance for signs of compromise and review the contents of the associated S3 bucket.

Known False Positives

  • Legitimate export to a new S3 bucket