Unexpected GCP API calls indicating Compute Engine snapshot creation
Description
AlphaSOC detected creation of a GCP Compute Engine disk snapshot via
compute.snapshots.insert. While snapshots are often created for legitimate
purposes, adversaries may also use them to exfiltrate data from disk volumes.
Snapshots can be shared with external projects or exported, allowing attackers
to access disk contents outside the victim's environment.
Impact
Unauthorized snapshot creation can facilitate data exfiltration by capturing entire disk contents including databases, application data, and credentials stored on disk. Snapshots shared with external projects enable attackers to access sensitive data from their own infrastructure.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review GCP audit logs for the compute.snapshots.insert action. Identify which
disk was snapshotted and the principal responsible, and verify that this aligns with
authorized backup procedures.
If unauthorized, delete the snapshot immediately to prevent data access. Review snapshot sharing settings to ensure it was not shared externally. Investigate the compromised identity and rotate its credentials.
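The triage above can be scripted against the audit log entry itself. The following is an added example, not AlphaSOC's code: it pulls the disk, principal, snapshot name, user agent and region out of a constructed Admin Activity log line for compute.snapshots.insert and applies the severity table (count of unexpected properties among action, ASN, user agent and region). The baseline sets and the IP-to-ASN map are assumptions standing in for per-environment history and a real enrichment source.

```python
import json

# Constructed audit-log entry (Cloud Audit Log field layout; all values made up).
SAMPLE_ENTRY = json.dumps({
    "protoPayload": {
        "methodName": "v1.compute.snapshots.insert",
        "authenticationInfo": {"principalEmail": "svc-backup@example-project.iam.gserviceaccount.com"},
        "requestMetadata": {
            "callerIp": "203.0.113.7",
            "callerSuppliedUserAgent": "google-api-python-client/2.0 (gzip)",
        },
        "resourceName": "projects/example-project/global/snapshots/snap-01",
        "request": {"sourceDisk": "projects/example-project/zones/us-central1-a/disks/db-data"},
    }
})

# Assumed baseline of expected values, normally learned from history.
# The snapshot action is deliberately absent so it counts as unexpected.
BASELINE = {
    "action": {"v1.compute.instances.insert", "v1.compute.disks.insert"},
    "asn": {"AS15169"},
    "user_agent": {"google-cloud-sdk", "gcloud"},
    "region": {"us-central1"},
}
IP_TO_ASN = {"203.0.113.7": "AS64496"}  # assumed enrichment lookup
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}


def extract_snapshot_event(raw):
    """Pull the fields an analyst needs from one audit-log line."""
    p = json.loads(raw)["protoPayload"]
    disk = p["request"]["sourceDisk"]
    zone = disk.split("/zones/")[1].split("/")[0]
    return {
        "action": p["methodName"],
        "principal": p["authenticationInfo"]["principalEmail"],
        "disk": disk.rsplit("/", 1)[1],
        "snapshot": p["resourceName"].rsplit("/", 1)[1],
        "asn": IP_TO_ASN.get(p["requestMetadata"]["callerIp"], "unknown"),
        # Keep the client family only; drop version and platform details.
        "user_agent": p["requestMetadata"]["callerSuppliedUserAgent"].split("/")[0],
        "region": zone.rsplit("-", 1)[0],  # us-central1-a -> us-central1
    }


def score(event, baseline=BASELINE):
    """Count unexpected properties and map the count to the alert severity."""
    unexpected = [k for k in ("action", "asn", "user_agent", "region") if event[k] not in baseline[k]]
    # More than three unexpected properties is beyond the table; treated as Medium (assumption).
    return unexpected, SEVERITY.get(min(len(unexpected), 3))
```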