A cloud snooping attack refers to unauthorized monitoring, access, or manipulation of cloud resources to exfiltrate data or compromise services. Attackers often exploit vulnerabilities, misconfiguration, or weak access controls to infiltrate cloud environments. These attacks can involve techniques like DNS tunneling, API misuse, or leveraging legitimate communication protocols (e.g., HTTP/HTTPS) to evade detection.
Cloud snooping targets sensitive assets, such as logs, databases, or storage buckets, often using Command and Control (C2) communication channels to maintain persistence. Attackers may manipulate firewall rules, create backdoor, or use scheduled tasks for continuous access. The attack blends with normal cloud activity, making detection challenging.
Such attacks can result in data breaches, financial loss, or disrupted services. Effective defense requires cloud monitoring, log analysis (e.g., AWS CloudTrail, Azure Activity Logs, Google Cloud Audit Logs), and enforcing security best practices, including strong access controls and anomaly detection.
Cloud Snooping Attack Hunting
| TTP | Description | Cloud Log Sources Required | MITRE ATT&CK Mapping | What to Check in Logs |
| C2 Communication via Legitimate Protocols | Uses legitimate protocols (e.g., HTTP/HTTPS, DNS) for Command and Control (C2) communication, blending with normal traffic. | – AWS VPC Flow Logs | – T1071.001: Application Layer Protocol (HTTP/HTTPS) | – Repeated outbound traffic to suspicious IPs/domains |
| – Azure NSG Flow Logs | – T1071.004: DNS Communication | – High DNS query volumes to uncommon or long domain names. | ||
| – Google Cloud VPC Logs | ||||
| – DNS Logs | ||||
| Beaconing Traffic | Periodic or irregular small data packets sent to C2 servers to maintain communication. | – AWS VPC Flow Logs | – T1105: Ingress Tool Transfer | – Outbound connections at regular intervals |
| – Azure Traffic Analytics | – T1071.001: Application Layer Protocol | – Low data transfer volumes to the same destination over time. | ||
| – Google Cloud VPC Logs | ||||
| Firewall Rule Manipulation | Modifies firewall rules to allow unauthorized access or bypass restrictions. | – AWS Security Group Logs | – T1562.004: Impair Defenses: Disable or Modify System Firewall | – New rules allowing traffic from 0.0.0.0/0 or unusual IP ranges |
| – Azure NSG Logs | – Sudden changes to inbound/outbound traffic rules. | |||
| – Google Cloud Firewall Logs | ||||
| Unauthorized API Calls | Abuses cloud APIs to modify configurations or access resources. | – AWS CloudTrail Logs | – T1569.002: System Services: API Calls | – API calls from unfamiliar IPs or service accounts |
| – Azure Activity Logs | – T1098: Account Manipulation | – Modifications to permissions, IAM roles, or policies. | ||
| – Google Cloud Audit Logs | ||||
| DNS Tunneling | Encodes data in DNS queries to exfiltrate information or send commands to C2. | – AWS Route 53 Logs | – T1071.004: DNS Communication | – DNS queries with long, encoded domain names |
| – Azure DNS Logs | – T1568.002: DNS Tunneling | – High frequency of DNS requests to uncommon domains. | ||
| – Google Cloud DNS Logs | ||||
| Persistence via Scheduled Tasks | Maintains access by creating scheduled tasks or cron jobs. | – AWS CloudTrail Logs | – T1053.003: Scheduled Task/Job – Cron | – Creation of new tasks with unexpected execution scripts |
| – Azure Activity Logs | – Modifications to existing schedules or automation. | |||
| – Google Cloud Audit Logs | ||||
| Data Exfiltration via Cloud Storage | Transfers sensitive data from storage buckets to external locations. | – AWS S3 Access Logs | – T1048: Exfiltration Over Alternative Protocol | – Large or unusual file transfers from storage |
| – Azure Blob Storage Logs | – T1020: Automated Exfiltration | – Access by unknown users or service accounts. | ||
| – Google Cloud Storage Logs | ||||
| Anomalous Traffic Patterns | Exhibits traffic spikes, sudden large data transfers, or irregular access patterns. | – AWS VPC Flow Logs | – T1071.001: Application Layer Protocol | – Large outbound data volumes |
| – Azure Traffic Analytics | – T1571: Non-Standard Port | – Unusual ports or protocols used for traffic. | ||
| – Google Cloud VPC Logs |
Descriptions of Cloud Snooping TTPs
- C2 Communication via Legitimate Protocols: Attackers use common protocols like HTTP/HTTPS and DNS to establish Command and Control (C2) communication, blending into normal traffic.
- Beaconing Traffic: Periodic or jittered small data packets are sent to C2 servers to maintain communication or receive instructions.
- Bacon Pattern:- 📍Pattern :- 3 (3 S3) — 2(2 S2) — 4(4 S4)
📍 3 sets (3 event per second) — 2 sets (2 event per second) — 4 sets (4 event per second)
📍S3 / S2 / S4 it is sleep period of 3 / 2 / 4 seconds ( Sleep Time :- It is a gap in seconds between each set that are generating pattern of events) - Firewall Rule Manipulation: Firewall rules are modified to enable traffic from unauthorized sources, allowing attackers to bypass security controls.
- Unauthorized API Calls: Attackers misuse cloud APIs to modify configurations, escalate privileges, or maintain control over cloud resources.
- DNS Tunneling: DNS queries are used to encode and transmit data or commands, evading traditional traffic monitoring.
- Persistence via Scheduled Tasks: Tasks or cron jobs are created to automate malicious activities or maintain access after initial compromise.
- Data Exfiltration via Cloud Storage: Sensitive data is extracted from cloud storage to external locations, often leveraging legitimate storage APIs.
- Anomalous Traffic Patterns: Traffic spikes or irregularities indicate potential exfiltration, reconnaissance, or lateral movement within the cloud environment.
Attributes and Indicators by Cloud Provider
1. AWS (Amazon Web Services)
- CloudTrail Logs:
- Look for unusual API calls like
StartInstances,PutBucketPolicy, orInvokeFunction. - Check for access to sensitive resources from unexpected IPs or regions.
- Look for unusual API calls like
- VPC Flow Logs:
- Identify outbound traffic to suspicious IPs/domains.
- Monitor for consistent traffic patterns indicative of beaconing.
- Route 53 Logs:
- Track DNS queries with long subdomain names or high query volumes.
- S3 Access Logs:
- Monitor large uploads or downloads (
PutObject,GetObject) to/from unfamiliar buckets.
- Monitor large uploads or downloads (
2. Azure
- Activity Logs:
- Detect resource modification events like
UpdateSecurityRuleorSet-AzFirewallPolicy. - Look for unusual REST API calls from unknown service principals.
- Detect resource modification events like
- NSG Logs:
- Identify new rules allowing wide IP ranges or critical ports. 2020, 6060, 7070, 8080, 9999, 2080/TCP, 2053/TCP and 10443/TCP
- DNS Logs:
- Monitor high-frequency DNS queries or encoded subdomains.
- Blob Storage Logs:
- Track
PutBlobandGetBlobevents for bulk data transfers.
- Track
3. Google Cloud
- Audit Logs:
- Check for unauthorized changes to IAM roles or policies.
- Monitor excessive
storage.objects.getorcompute.instances.startAPI calls.
- VPC Flow Logs:
- Analyze traffic spikes or connections to non-standard ports. 2020, 6060, 7070, 8080, 9999, 2080/TCP, 2053/TCP and 10443/TCP
- Cloud DNS Logs:
- Identify DNS queries with encoded data or suspicious domain patterns.
- Cloud Storage Logs:
- Review
storage.objects.copyorstorage.objects.insertfor large file movements.
- Review
