[New Rule] AWS RDS Snapshot Shared with Another Account (#3831)
* [New Rule] AWS RDS DB Snapshot Shared with Another Account ... * Update exfiltration_rds_snapshot_shared_with_another_account.toml * edit threat matrix format * Apply suggestions from code review * Update rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
This commit is contained in:
Isai
@@ -0,0 +1,100 @@
|
||||
[metadata]
|
||||
creation_date = "2024/06/25"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/06/25"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies an AWS RDS DB snapshot being shared with another AWS account. DB snapshots contain a full backup of an entire DB instance including sensitive data that can be abused if shared with unauthorized accounts or made public. Adversaries may use snapshots to restore a DB Instance in an environment they control as a means of data exfiltration.
|
||||
"""
|
||||
false_positives = [
|
||||
"""
|
||||
DB snapshot sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action.
|
||||
""",
|
||||
]
|
||||
from = "now-10m"
|
||||
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "AWS RDS DB Snapshot Shared with Another Account"
|
||||
note = """
|
||||
## Triage and Analysis
|
||||
|
||||
### Investigating AWS RDS DB Snapshot Shared with Another Account
|
||||
|
||||
This rule identifies when an RDS DB snapshot is shared with another AWS account. While sharing DB snapshots is a common practice, adversaries may exploit this feature to exfiltrate data by sharing snapshots with external accounts under their control.
|
||||
|
||||
#### Possible Investigation Steps
|
||||
|
||||
- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.
|
||||
- **Review the Sharing Event**: Identify the DB snapshot involved and review the event details. Look for `ModifyDBSnapshotAttribute` or `ModifyDBClusterSnapshotAttribute` actions where the snapshot attributes were changed to include additional user accounts.
|
||||
- **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` fields in the CloudTrail event to identify the DB Snapshot Identifier and account ID with which the snapshot was shared.
|
||||
- **Verify the Shared Snapshot**: Check the DB snapshot that was shared and its contents to determine the sensitivity of the data stored within it.
|
||||
- **Validate External Account**: Examine the AWS account to which the snapshot was shared. Determine whether this account is known and previously authorized to access such resources.
|
||||
- **Contextualize with Recent Changes**: Compare this sharing event against recent changes in RDS DB or Cluster configurations and deployments. Look for any other recent permissions changes or unusual administrative actions.
|
||||
- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.
|
||||
- **Interview Relevant Personnel**: If the share was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB backups and snapshots.
|
||||
|
||||
### False Positive Analysis
|
||||
|
||||
- **Legitimate Backup Actions**: Confirm if the Db snapshot sharing aligns with scheduled backups or legitimate automation tasks.
|
||||
- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.
|
||||
|
||||
### Response and Remediation
|
||||
|
||||
- **Immediate Review and Reversal**: If the change was unauthorized, update the snapshot permissions to remove any unauthorized accounts and restore it to its previous state.
|
||||
- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.
|
||||
- **Audit Snapshots and Policies**: Conduct a comprehensive audit of all snapshots and associated policies to ensure they adhere to the principle of least privilege.
|
||||
- **Policy Update**: Review and possibly update your organization’s policies on DB snapshot sharing to tighten control and prevent unauthorized access.
|
||||
- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery.
|
||||
|
||||
### Additional Information:
|
||||
|
||||
For further guidance on managing DB backups and securing AWS environments, refer to the [AWS RDS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_CommonTasks.BackupRestore.html) and AWS best practices for security. Additionally, consult the following resources for specific details on DB snapshot security:
|
||||
- [AWS RDS DB Snapshot Sharing](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html)
|
||||
- [AWS RDS ModifyDBSnapshotAttribute](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBSnapshotAttribute.html)
|
||||
- [AWS RDS Snapshot Dump](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation#rds-modifydbsnapshotattribute-rds-createdbsnapshot)
|
||||
"""
|
||||
references = [
|
||||
"https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBSnapshotAttribute.html",
|
||||
"https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html",
|
||||
"https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation#rds-modifydbsnapshotattribute-rds-createdbsnapshot",
|
||||
]
|
||||
risk_score = 47
|
||||
rule_id = "4577ef08-61d1-4458-909f-25a4b10c87fe"
|
||||
severity = "medium"
|
||||
tags = [
|
||||
"Domain: Cloud",
|
||||
"Data Source: AWS",
|
||||
"Data Source: Amazon Web Services",
|
||||
"Data Source: AWS RDS",
|
||||
"Resources: Investigation Guide",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Exfiltration",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
any where event.dataset == "aws.cloudtrail"
|
||||
and event.provider == "rds.amazonaws.com"
|
||||
and event.outcome == "success"
|
||||
and event.action in ("ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute")
|
||||
and stringContains(aws.cloudtrail.request_parameters, "attributeName=restore")
|
||||
and stringContains(aws.cloudtrail.request_parameters, "valuesToAdd=[*]")
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1537"
|
||||
name = "Transfer Data to Cloud Account"
|
||||
reference = "https://attack.mitre.org/techniques/T1537/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0010"
|
||||
name = "Exfiltration"
|
||||
reference = "https://attack.mitre.org/tactics/TA0010/"
|
||||
|
||||
Reference in New Issue
Block a user