IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
AWS RDS DB Instance Restored
editAWS RDS DB Instance Restored
editAn adversary with a set of compromised credentials may attempt to make copies of running or deleted RDS databases in order to evade defense mechanisms or access data. This rule identifies successful attempts to restore a DB instance using the RDS RestoreDBInstanceFromDBSnapshot
or RestoreDBInstanceFromS3
API operations.
Rule type: eql
Rule indices:
- filebeat-*
- logs-aws.cloudtrail-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: None (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html
- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromS3.html
- https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py
- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation#rds-createdbsnapshot-rds-restoredbinstancefromdbsnapshot-rds-modifydbinstance
Tags:
- Domain: Cloud
- Data Source: AWS
- Data Source: Amazon Web Services
- Data Source: AWS RDS
- Use Case: Asset Visibility
- Tactic: Defense Evasion
Version: 207
Rule authors:
- Austin Songer
- Elastic
Rule license: Elastic License v2
Rule query
editany where event.dataset == "aws.cloudtrail" and event.provider == "rds.amazonaws.com" and event.action in ("RestoreDBInstanceFromDBSnapshot", "RestoreDBInstanceFromS3") and event.outcome == "success"
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: Modify Cloud Compute Infrastructure
- ID: T1578
- Reference URL: https://attack.mitre.org/techniques/T1578/
-
Sub-technique:
- Name: Create Cloud Instance
- ID: T1578.002
- Reference URL: https://attack.mitre.org/techniques/T1578/002/
-
Sub-technique:
- Name: Revert Cloud Instance
- ID: T1578.004
- Reference URL: https://attack.mitre.org/techniques/T1578/004/