Restore Public AWS RDS Instance

Detects the restoration of a database instance from a snapshot with public accessibility enabled. It may be part of data exfiltration.

Sigma rule

```yaml
title: Restore Public AWS RDS Instance
id: c3f265c7-ff03-4056-8ab2-d486227b4599
status: test
description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py
author: faloker
date: 2020/02/12
modified: 2022/10/09
tags:
    - attack.exfiltration
    - attack.t1020
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_source:
        eventSource: rds.amazonaws.com
        responseElements.publiclyAccessible: 'true'
        eventName: RestoreDBInstanceFromDBSnapshot
    condition: selection_source
falsepositives:
    - Unknown
level: high
```
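The rule's selection applied to CloudTrail records in Python, as an added example that is not code from the Sigma project or from this page. The records are constructed; field names follow CloudTrail's RDS events, and the matcher accepts `publiclyAccessible` both as the JSON boolean CloudTrail emits and as the string `'true'` the rule is written with.

```python
"""Added example: evaluate the 'Restore Public AWS RDS Instance' selection
over CloudTrail records. Not part of the Sigma rule or its references."""
import json

# Constructed CloudTrail-style records (NDJSON), trimmed to the fields the rule
# reads. Only the first record satisfies all three selection terms: the second
# restore is private, the third is a different eventName (out of this rule's
# scope), and the fourth failed, so it carries no responseElements at all.
SAMPLE_LOG = """
{"eventTime":"2024-01-01T10:00:00Z","eventSource":"rds.amazonaws.com","eventName":"RestoreDBInstanceFromDBSnapshot","userIdentity":{"userName":"dev-user"},"requestParameters":{"dBSnapshotIdentifier":"prod-db-snap","publiclyAccessible":true},"responseElements":{"dBInstanceIdentifier":"restored-copy","publiclyAccessible":true}}
{"eventTime":"2024-01-01T10:05:00Z","eventSource":"rds.amazonaws.com","eventName":"RestoreDBInstanceFromDBSnapshot","userIdentity":{"userName":"dba"},"responseElements":{"dBInstanceIdentifier":"private-restore","publiclyAccessible":false}}
{"eventTime":"2024-01-01T10:06:00Z","eventSource":"rds.amazonaws.com","eventName":"ModifyDBInstance","userIdentity":{"userName":"dba"},"responseElements":{"dBInstanceIdentifier":"prod-db","publiclyAccessible":true}}
{"eventTime":"2024-01-01T10:07:00Z","eventSource":"rds.amazonaws.com","eventName":"RestoreDBInstanceFromDBSnapshot","userIdentity":{"userName":"dev-user"},"errorCode":"AccessDenied","errorMessage":"not authorized"}
"""


def load_records(ndjson_text):
    """Parse one CloudTrail record per non-empty line."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


def _publicly_accessible(record):
    """CloudTrail writes publiclyAccessible as a JSON boolean; the Sigma rule
    spells it 'true'. Accept either so the check matches what a backend that
    stringifies values and one that keeps booleans would both produce."""
    value = (record.get("responseElements") or {}).get("publiclyAccessible")
    if isinstance(value, bool):
        return value
    return str(value).lower() == "true"


def matches_rule(record):
    """The rule's selection_source: all three terms must hold (AND)."""
    return (
        record.get("eventSource") == "rds.amazonaws.com"
        and record.get("eventName") == "RestoreDBInstanceFromDBSnapshot"
        and _publicly_accessible(record)
    )


def find_public_restores(records):
    """Return (eventTime, dBInstanceIdentifier, userName) for each match,
    the triage fields an analyst would want on the alert."""
    hits = []
    for rec in records:
        if matches_rule(rec):
            resp = rec.get("responseElements") or {}
            user = (rec.get("userIdentity") or {}).get("userName", "unknown")
            hits.append((rec.get("eventTime"), resp.get("dBInstanceIdentifier"), user))
    return hits


if __name__ == "__main__":
    for hit in find_public_restores(load_records(SAMPLE_LOG)):
        print("public RDS restore:", hit)
```

Because the rule keys on `responseElements`, only successful API calls match; a denied restore attempt (the fourth record) is visible in CloudTrail via `errorCode` but is not in this rule's scope.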
