detection.wiki

Detection rules › Panther

AWS Public RDS Restore

Severity
high
Log types
AWS.CloudTrail
Reference
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_RestoreFromSnapshot.html
Source
github.com/panther-labs/panther-analysis

Detects the recovery of a new public database instance from a snapshot. It may be part of data exfiltration.

MITRE ATT&CK coverage

TacticTechniques
ExfiltrationT1020 Automated Exfiltration

Rules detecting the same action

Other rules on this platform that filter on the same API call or operation.

Rule body yaml

AnalysisType: rule
Description: Detects the recovery of a new public database instance from a snapshot. It may be part of data exfiltration.
DisplayName: "AWS Public RDS Restore"
Enabled: true
Filename: aws_rds_publicrestore.py
Reports:
  MITRE ATT&CK:
    - TA0010:T1020
Reference: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_RestoreFromSnapshot.html
Severity: High
Tests:
  - ExpectedResult: false
    Log:
      awsRegion: us-east-1
      eventID: 797163d3-5726-441d-80a7-6eeb7464acd4
      eventName: CreateDBInstance
      eventSource: rds.amazonaws.com
      eventTime: "2018-07-30T22:14:06Z"
      eventType: AwsApiCall
      eventVersion: "1.04"
      recipientAccountId: "123456789012"
      requestID: daf2e3f5-96a3-4df7-a026-863f96db793e
      requestParameters:
        allocatedStorage: 20
        dBInstanceClass: db.m1.small
        dBInstanceIdentifier: test-instance
        enableCloudwatchLogsExports:
          - audit
          - error
          - general
          - slowquery
        engine: mysql
        masterUserPassword: "****"
        masterUsername: myawsuser
      responseElements:
        allocatedStorage: 20
        autoMinorVersionUpgrade: true
        backupRetentionPeriod: 1
        cACertificateIdentifier: rds-ca-2015
        copyTagsToSnapshot: false
        dBInstanceArn: arn:aws:rds:us-east-1:123456789012:db:test-instance
        dBInstanceClass: db.m1.small
        dBInstanceIdentifier: test-instance
        dBInstanceStatus: creating
        dBParameterGroups:
          - dBParameterGroupName: default.mysql8.0
            parameterApplyStatus: in-sync
        dBSecurityGroups: []
        dBSubnetGroup:
          dBSubnetGroupDescription: default
          dBSubnetGroupName: default
          subnetGroupStatus: Complete
          subnets:
            - subnetAvailabilityZone:
                name: us-east-1b
              subnetIdentifier: subnet-cbfff283
              subnetStatus: Active
            - subnetAvailabilityZone:
                name: us-east-1e
              subnetIdentifier: subnet-d7c825e8
              subnetStatus: Active
            - subnetAvailabilityZone:
                name: us-east-1f
              subnetIdentifier: subnet-6746046b
              subnetStatus: Active
            - subnetAvailabilityZone:
                name: us-east-1c
              subnetIdentifier: subnet-bac383e0
              subnetStatus: Active
            - subnetAvailabilityZone:
                name: us-east-1d
              subnetIdentifier: subnet-42599426
              subnetStatus: Active
            - subnetAvailabilityZone:
                name: us-east-1a
              subnetIdentifier: subnet-da327bf6
              subnetStatus: Active
          vpcId: vpc-136a4c6a
        dbInstancePort: 0
        dbiResourceId: db-ETDZIIXHEWY5N7GXVC4SH7H5IA
        domainMemberships: []
        engine: mysql
        engineVersion: 8.0.28
        iAMDatabaseAuthenticationEnabled: false
        licenseModel: general-public-license
        masterUsername: myawsuser
        monitoringInterval: 0
        multiAZ: false
        optionGroupMemberships:
          - optionGroupName: default:mysql-8-0
            status: in-sync
        pendingModifiedValues:
          masterUserPassword: "****"
          pendingCloudwatchLogsExports:
            logTypesToEnable:
              - audit
              - error
              - general
              - slowquery
        performanceInsightsEnabled: false
        preferredBackupWindow: 10:27-10:57
        preferredMaintenanceWindow: sat:05:47-sat:06:17
        publiclyAccessible: true
        readReplicaDBInstanceIdentifiers: []
        storageEncrypted: false
        storageType: standard
        vpcSecurityGroups:
          - status: active
            vpcSecurityGroupId: sg-f839b688
      sourceIPAddress: 192.0.2.0
      userAgent: aws-cli/1.15.42 Python/3.6.1 Darwin/17.7.0 botocore/1.10.42
      userIdentity:
        accessKeyId: AKIAI44QH8DHBEXAMPLE
        accountId: "123456789012"
        arn: arn:aws:iam::123456789012:user/johndoe
        principalId: AKIAIOSFODNN7EXAMPLE
        type: IAMUser
        userName: johndoe
    Name: Not-Restore-RDS-Request
  - ExpectedResult: false
    Log:
      awsRegion: us-east-1
      eventID: 797163d3-5726-441d-80a7-6eeb7464acd4
      eventName: RestoreDBInstanceFromDBSnapshot
      eventSource: rds.amazonaws.com
      eventTime: "2018-07-30T22:14:06Z"
      eventType: AwsApiCall
      eventVersion: "1.04"
      recipientAccountId: "123456789012"
      requestID: daf2e3f5-96a3-4df7-a026-863f96db793e
      requestParameters:
        allocatedStorage: 20
        dBInstanceClass: db.m1.small
        dBInstanceIdentifier: test-instance
        enableCloudwatchLogsExports:
          - audit
          - error
          - general
          - slowquery
        engine: mysql
        masterUserPassword: "****"
        masterUsername: myawsuser
      responseElements:
        allocatedStorage: 20
        autoMinorVersionUpgrade: true
        backupRetentionPeriod: 1
        cACertificateIdentifier: rds-ca-2015
        copyTagsToSnapshot: false
        dBInstanceArn: arn:aws:rds:us-east-1:123456789012:db:test-instance
        dBInstanceClass: db.m1.small
        dBInstanceIdentifier: test-instance
        dBInstanceStatus: creating
        dBParameterGroups:
          - dBParameterGroupName: default.mysql8.0
            parameterApplyStatus: in-sync
        dBSecurityGroups: []
        dBSubnetGroup:
          dBSubnetGroupDescription: default
          dBSubnetGroupName: default
          subnetGroupStatus: Complete
          subnets:
            - subnetAvailabilityZone:
                name: us-east-1b
              subnetIdentifier: subnet-cbfff283
              subnetStatus: Active
            - subnetAvailabilityZone:
                name: us-east-1e
              subnetIdentifier: subnet-d7c825e8
              subnetStatus: Active
            - subnetAvailabilityZone:
                name: us-east-1f
              subnetIdentifier: subnet-6746046b
              subnetStatus: Active
            - subnetAvailabilityZone:
                name: us-east-1c
              subnetIdentifier: subnet-bac383e0
              subnetStatus: Active
            - subnetAvailabilityZone:
                name: us-east-1d
              subnetIdentifier: subnet-42599426
              subnetStatus: Active
            - subnetAvailabilityZone:
                name: us-east-1a
              subnetIdentifier: subnet-da327bf6
              subnetStatus: Active
          vpcId: vpc-136a4c6a
        dbInstancePort: 0
        dbiResourceId: db-ETDZIIXHEWY5N7GXVC4SH7H5IA
        domainMemberships: []
        engine: mysql
        engineVersion: 8.0.28
        iAMDatabaseAuthenticationEnabled: false
        licenseModel: general-public-license
        masterUsername: myawsuser
        monitoringInterval: 0
        multiAZ: false
        optionGroupMemberships:
          - optionGroupName: default:mysql-8-0
            status: in-sync
        pendingModifiedValues:
          masterUserPassword: "****"
          pendingCloudwatchLogsExports:
            logTypesToEnable:
              - audit
              - error
              - general
              - slowquery
        performanceInsightsEnabled: false
        preferredBackupWindow: 10:27-10:57
        preferredMaintenanceWindow: sat:05:47-sat:06:17
        publiclyAccessible: false
        readReplicaDBInstanceIdentifiers: []
        storageEncrypted: false
        storageType: standard
        vpcSecurityGroups:
          - status: active
            vpcSecurityGroupId: sg-f839b688
      sourceIPAddress: 192.0.2.0
      userAgent: aws-cli/1.15.42 Python/3.6.1 Darwin/17.7.0 botocore/1.10.42
      userIdentity:
        accessKeyId: AKIAI44QH8DHBEXAMPLE
        accountId: "123456789012"
        arn: arn:aws:iam::123456789012:user/johndoe
        principalId: AKIAIOSFODNN7EXAMPLE
        type: IAMUser
        userName: johndoe
    Name: RDS-Restore-Not-Public
  - ExpectedResult: true
    Log:
      awsRegion: us-east-1
      eventID: 797163d3-5726-441d-80a7-6eeb7464acd4
      eventName: RestoreDBInstanceFromDBSnapshot
      eventSource: rds.amazonaws.com
      eventTime: "2018-07-30T22:14:06Z"
      eventType: AwsApiCall
      eventVersion: "1.04"
      recipientAccountId: "123456789012"
      requestID: daf2e3f5-96a3-4df7-a026-863f96db793e
      requestParameters:
        allocatedStorage: 20
        dBInstanceClass: db.m1.small
        dBInstanceIdentifier: test-instance
        enableCloudwatchLogsExports:
          - audit
          - error
          - general
          - slowquery
        engine: mysql
        masterUserPassword: "****"
        masterUsername: myawsuser
      responseElements:
        allocatedStorage: 20
        autoMinorVersionUpgrade: true
        backupRetentionPeriod: 1
        cACertificateIdentifier: rds-ca-2015
        copyTagsToSnapshot: false
        dBInstanceArn: arn:aws:rds:us-east-1:123456789012:db:test-instance
        dBInstanceClass: db.m1.small
        dBInstanceIdentifier: test-instance
        dBInstanceStatus: creating
        dBParameterGroups:
          - dBParameterGroupName: default.mysql8.0
            parameterApplyStatus: in-sync
        dBSecurityGroups: []
        dBSubnetGroup:
          dBSubnetGroupDescription: default
          dBSubnetGroupName: default
          subnetGroupStatus: Complete
          subnets:
            - subnetAvailabilityZone:
                name: us-east-1b
              subnetIdentifier: subnet-cbfff283
              subnetStatus: Active
            - subnetAvailabilityZone:
                name: us-east-1e
              subnetIdentifier: subnet-d7c825e8
              subnetStatus: Active
            - subnetAvailabilityZone:
                name: us-east-1f
              subnetIdentifier: subnet-6746046b
              subnetStatus: Active
            - subnetAvailabilityZone:
                name: us-east-1c
              subnetIdentifier: subnet-bac383e0
              subnetStatus: Active
            - subnetAvailabilityZone:
                name: us-east-1d
              subnetIdentifier: subnet-42599426
              subnetStatus: Active
            - subnetAvailabilityZone:
                name: us-east-1a
              subnetIdentifier: subnet-da327bf6
              subnetStatus: Active
          vpcId: vpc-136a4c6a
        dbInstancePort: 0
        dbiResourceId: db-ETDZIIXHEWY5N7GXVC4SH7H5IA
        domainMemberships: []
        engine: mysql
        engineVersion: 8.0.28
        iAMDatabaseAuthenticationEnabled: false
        licenseModel: general-public-license
        masterUsername: myawsuser
        monitoringInterval: 0
        multiAZ: false
        optionGroupMemberships:
          - optionGroupName: default:mysql-8-0
            status: in-sync
        pendingModifiedValues:
          masterUserPassword: "****"
          pendingCloudwatchLogsExports:
            logTypesToEnable:
              - audit
              - error
              - general
              - slowquery
        performanceInsightsEnabled: false
        preferredBackupWindow: 10:27-10:57
        preferredMaintenanceWindow: sat:05:47-sat:06:17
        publiclyAccessible: true
        readReplicaDBInstanceIdentifiers: []
        storageEncrypted: false
        storageType: standard
        vpcSecurityGroups:
          - status: active
            vpcSecurityGroupId: sg-f839b688
      sourceIPAddress: 192.0.2.0
      userAgent: aws-cli/1.15.42 Python/3.6.1 Darwin/17.7.0 botocore/1.10.42
      userIdentity:
        accessKeyId: AKIAI44QH8DHBEXAMPLE
        accountId: "123456789012"
        arn: arn:aws:iam::123456789012:user/johndoe
        principalId: AKIAIOSFODNN7EXAMPLE
        type: IAMUser
        userName: johndoe
    Name: RDS-Restore-Public
DedupPeriodMinutes: 60
LogTypes:
  - AWS.CloudTrail
RuleID: "AWS.RDS.PublicRestore"
Threshold: 1

Detection logic

Condition

eventSource eq "rds.amazonaws.com"
eventName eq "RestoreDBInstanceFromDBSnapshot"
responseElements.publiclyAccessible is_not_null

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
eventNameeq
  • RestoreDBInstanceFromDBSnapshot
eventSourceeq
  • rds.amazonaws.com
responseElements.publiclyAccessibleis_not_null
  • (no value, null check)

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field
eventName
eventSource
awsRegion
recipientAccountId
sourceIPAddress
userAgent
userIdentity