AWS RDS DB Instance Restored

An adversary with a set of compromised credentials may attempt to make copies of running or deleted RDS databases in order to evade defense mechanisms or access data. This rule identifies successful attempts to restore a DB instance using the RDS RestoreDBInstanceFromDBSnapshot or RestoreDBInstanceFromS3 API operations.


# Elastic prebuilt detection rule: AWS RDS DB Instance Restored.
# Fires on a CloudTrail record for a successful RDS restore-from-snapshot or
# restore-from-S3 call. The referenced Pacu module and hacktricks write-up
# describe the chain this is meant to surface: CreateDBSnapshot ->
# RestoreDBInstanceFromDBSnapshot -> ModifyDBInstance (typically to reset the
# master password and/or make the copy publicly reachable), so that the data
# is read from a fresh instance that carries none of the original's network,
# auth or monitoring controls.
[metadata]
creation_date = "2021/06/29"
integration = ["aws"]
maturity = "production"
updated_date = "2024/06/20"

[rule]
author = ["Austin Songer", "Elastic"]
description = """
An adversary with a set of compromised credentials may attempt to make copies of running or deleted RDS databases in order to evade defense mechanisms or access data. This rule identifies successful attempts to restore a DB instance using the RDS `RestoreDBInstanceFromDBSnapshot` or `RestoreDBInstanceFromS3` API operations. 
"""
# Triage guidance surfaced to analysts. Beyond identity / user agent / host, a
# practitioner will also want to look at the restore's request parameters
# (target VPC and subnet group, security groups, PubliclyAccessible) and at
# whether a ModifyDBInstance on the new instance follows — see references.
false_positives = [
    """
    Restoring DB instances may be done by a system or network administrator. Verify whether the user identity, user agent,
    and/or hostname should be making changes in your environment. Instance restoration by unfamiliar users or hosts
    should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
# CloudTrail as shipped by the Elastic Agent AWS integration or Filebeat.
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "eql"
license = "Elastic License v2"
name = "AWS RDS DB Instance Restored"
# API docs for the two matched actions, plus the offensive tooling and
# post-exploitation write-up that motivate the detection.
references = [
    "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html",
    "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromS3.html",
    "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py",
    "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation#rds-createdbsnapshot-rds-restoredbinstancefromdbsnapshot-rds-modifydbinstance",
]
# risk_score 47 sits at the top of Elastic's "medium" band (22-47); keep the
# two fields in step if either is changed.
risk_score = 47
rule_id = "bf1073bf-ce26-4607-b405-ba1ed8e9e204"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS RDS",
    "Use Case: Asset Visibility",
    "Tactic: Defense Evasion",
]
# Evaluate on ingest time rather than event time: CloudTrail delivery lags the
# API call, and scheduling on @timestamp would let late-arriving records fall
# outside the rule's look-back window.
timestamp_override = "event.ingested"
type = "eql"

# Match CloudTrail events emitted by RDS for the two restore operations that
# completed successfully. Failed / AccessDenied restore attempts are
# deliberately excluded by the event.outcome clause; a denied restore by an
# unexpected principal is still a useful (lower-severity) signal and belongs in
# a separate rule rather than being folded in here.
# NOTE(review): RestoreDBInstanceToPointInTime (restore from automated backups)
# and the Aurora cluster equivalents (RestoreDBCluster*) also produce a copy of
# a database and are not matched by this action list — confirm whether a
# sibling rule covers them before treating this rule as complete coverage.
query = '''
any where event.dataset == "aws.cloudtrail" 
    and event.provider == "rds.amazonaws.com" 
    and event.action in ("RestoreDBInstanceFromDBSnapshot", "RestoreDBInstanceFromS3") 
    and event.outcome == "success"
'''

# ATT&CK mapping: a restore creates a new instance (T1578.002) from a prior
# state of the data (T1578.004). It is filed under Defense Evasion because, per
# the description above, the copy sits outside the controls attached to the
# original instance rather than because the restore itself is destructive.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1578"
name = "Modify Cloud Compute Infrastructure"
reference = "https://attack.mitre.org/techniques/T1578/"
[[rule.threat.technique.subtechnique]]
id = "T1578.002"
name = "Create Cloud Instance"
reference = "https://attack.mitre.org/techniques/T1578/002/"
[[rule.threat.technique.subtechnique]]
id = "T1578.004"
name = "Revert Cloud Instance"
reference = "https://attack.mitre.org/techniques/T1578/004/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
