Snowflake Data Exfiltration

Severity: critical
Time window: 36h
Match by: p_alert_context.stage
Tags: Snowflake, Data Exfiltration, Database, Cloud Security
Reference: https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion/
Source: github.com/panther-labs/panther-analysis

Detects multi-step Snowflake data exfiltration by identifying temporary stage creation, table data copied to stage, and file downloads. This technique was used in the April 2024 Snowflake breach (UNC5537) targeting accounts without MFA. The correlation of all three steps provides high-confidence evidence of active data theft beyond legitimate ETL operations.

MITRE ATT&CK coverage

Tactic	Techniques
Collection	`T1213` Data from Information Repositories, `T1530` Data from Cloud Storage
Exfiltration	`T1041` Exfiltration Over C2 Channel

Rule body yaml

AnalysisType: correlation_rule
RuleID: "Snowflake.Stream.DataExfiltration"
DisplayName: "Snowflake Data Exfiltration"
Enabled: true
Tags:
  - Snowflake
  - Data Exfiltration
  - Database
  - Cloud Security
Severity: Critical
Description: >
  Detects multi-step Snowflake data exfiltration by identifying temporary stage creation, table data copied to stage, and file downloads. This technique was used in the April 2024 Snowflake breach (UNC5537) targeting accounts without MFA. The correlation of all three steps provides high-confidence evidence of active data theft beyond legitimate ETL operations.
Runbook: |
  1. Query Snowflake's QUERY_HISTORY and ACCESS_HISTORY views for the stage name in p_alert_context.stage to identify the user account, session ID, source IP addresses, client application, and all tables that were copied into the stage
  2. Review the specific tables copied into the stage to determine data sensitivity (PII, financial records, intellectual property) and estimate the volume of data exfiltrated, then check Snowflake's LOGIN_HISTORY to verify if the user account had MFA enabled
  3. Analyze the source IP addresses used during the exfiltration sequence against threat intelligence feeds to determine if they are corporate IPs, suspicious cloud providers, or known malicious infrastructure, and check for impossible travel patterns
Reference: https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion/
Reports:
  MITRE ATT&CK:
    - TA0010:T1041 # Exfiltration: Exfiltration Over C2 Channel
    - TA0010:T1530 # Exfiltration: Data from Cloud Storage
    - TA0009:T1213 # Collection: Data from Information Repositories
Detection:
  - Sequence:
      - ID: SnowflakeTempStageCreated
        RuleID: Snowflake.Stream.TempStageCreated
      - ID: SnowflakeCopyIntoStage
        RuleID: Snowflake.Stream.TableCopiedIntoStage
      - ID: SnowflakeFileDownloaded
        RuleID: Snowflake.Stream.FileDownloaded
    Transitions:
      - ID: Match SnowflakeTempStageCreated and SnowflakeCopyIntoStage on stage
        From: SnowflakeTempStageCreated
        To: SnowflakeCopyIntoStage
        Match:
          - On: p_alert_context.stage
      - ID: Match SnowflakeCopyIntoStage and SnowflakeFileDownloaded on path
        From: SnowflakeCopyIntoStage
        To: SnowflakeFileDownloaded
        Match:
          - On: p_alert_context.stage
    Schedule:
      RateMinutes: 1440
      TimeoutMinutes: 15
    LookbackWindowMinutes: 2160
Tests:
    - Name: Data Exfiltration
      ExpectedResult: true
      RuleOutputs:
        - ID: SnowflakeTempStageCreated
          Matches:
            p_alert_context.stage:
                LOGS.PUBLIC.data_exfil:
                    - "2006-01-02T15:04:05Z"
                    - "2006-01-02T15:04:06Z"
        - ID: SnowflakeCopyIntoStage
          Matches:
            p_alert_context.stage:
                LOGS.PUBLIC.data_exfil:
                    - "2006-01-02T15:04:05Z"
                    - "2006-01-02T15:04:06Z"
        - ID: SnowflakeFileDownloaded
          Matches:
            p_alert_context.stage:
                LOGS.PUBLIC.data_exfil:
                    - "2006-01-02T15:04:05Z"
                    - "2006-01-02T15:04:06Z"
    - Name: Data Staged but not Downloaded
      ExpectedResult: false
      RuleOutputs:
        - ID: SnowflakeTempStageCreated
          Matches:
            p_alert_context.stage:
                LOGS.PUBLIC.data_exfil:
                    - "2006-01-02T15:04:05Z"
                    - "2006-01-02T15:04:06Z"
        - ID: SnowflakeCopyIntoStage
          Matches:
            p_alert_context.stage:
                LOGS.PUBLIC.data_exfil:
                    - "2006-01-02T15:04:05Z"
                    - "2006-01-02T15:04:06Z"

Detection logic

Stage 1: `step SnowflakeTempStageCreated` ordered before `$SnowflakeCopyIntoStage`

References detection Snowflake.Stream.TempStageCreated.

Stage 2: `step SnowflakeCopyIntoStage` ordered before `$SnowflakeFileDownloaded` ordered after `$SnowflakeTempStageCreated`

References detection Snowflake.Stream.TableCopiedIntoStage.

Stage 3: `step SnowflakeFileDownloaded` ordered after `$SnowflakeCopyIntoStage`

References detection Snowflake.Stream.FileDownloaded.

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Snowflake Data Exfiltration

MITRE ATT&CK coverage

Rule body yaml

Detection logic

Stage 1: `step SnowflakeTempStageCreated` ordered before `$SnowflakeCopyIntoStage`

Stage 2: `step SnowflakeCopyIntoStage` ordered before `$SnowflakeFileDownloaded` ordered after `$SnowflakeTempStageCreated`

Stage 3: `step SnowflakeFileDownloaded` ordered after `$SnowflakeCopyIntoStage`

Keyboard shortcuts

Search operators

Snowflake Data Exfiltration

MITRE ATT&CK coverage

Rule body yaml

Detection logic

Stage 1: step SnowflakeTempStageCreated ordered before $SnowflakeCopyIntoStage

Stage 2: step SnowflakeCopyIntoStage ordered before $SnowflakeFileDownloaded ordered after $SnowflakeTempStageCreated

Stage 3: step SnowflakeFileDownloaded ordered after $SnowflakeCopyIntoStage

Stage 1: `step SnowflakeTempStageCreated` ordered before `$SnowflakeCopyIntoStage`

Stage 2: `step SnowflakeCopyIntoStage` ordered before `$SnowflakeFileDownloaded` ordered after `$SnowflakeTempStageCreated`

Stage 3: `step SnowflakeFileDownloaded` ordered after `$SnowflakeCopyIntoStage`