Restore Public AWS RDS Instance

 1title: Restore Public AWS RDS Instance
 2id: c3f265c7-ff03-4056-8ab2-d486227b4599
 3status: test
 4description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
 5references:
 6    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py
 7author: faloker
 8date: 2020-02-12
 9modified: 2022-10-09
10tags:
11    - attack.exfiltration
12    - attack.t1020
13logsource:
14    product: aws
15    service: cloudtrail
16detection:
17    selection_source:
18        eventSource: rds.amazonaws.com
19        responseElements.publiclyAccessible: 'true'
20        eventName: RestoreDBInstanceFromDBSnapshot
21    condition: selection_source
22falsepositives:
23    - Unknown
24level: high

References

• pacu/pacu/modules/rds__explore_snapshots/main.py at 866376cd711666c775bbfcde0524c817f2c5b181 · RhinoSecurityLabs/pacu

  

  The AWS exploitation framework, designed for testing the security of Amazon Web Services environments. - RhinoSecurityLabs/pacu

  
  Read More

Related rules

• AWS RDS Master Password Change
• PowerShell Script With File Hostname Resolving Capabilities
• PowerShell Script With File Upload Capabilities
• Suspicious Inbox Forwarding
• Suspicious BlackCat-Related Exfiltration Command