[Rule Tuning] AWS RDS Snapshot Restored (#3809)
* [Tuning] AWS RDS Instance Restored
-name and description change to better describe behavior
- rule file name changed to match tactic
- query change to add coverage for restore from S3
- rule type changed to eql
- subtechnique added for creaing instance
- tag added for RDS datasource
- Investigation Guide added
* Update defense_evasion_rds_instance_restored.toml
* Update defense_evasion_rds_instance_restored.toml
* removed investigation guide place holder
* deprecated old rule because of name change
* change rule_id
* Revert "change rule_id"
This reverts commit 0764c932f412439319e2d15a6bd80c360cf3fdc2.
* Revert "deprecated old rule because of name change"
This reverts commit fd62673380b40ba9ee432a271da3a8c5374e7129.
(cherry picked from commit f62644887e)
This commit is contained in:
Isai
committed by
github-actions[bot]
github-actions[bot]
parent
28f67e3ace
commit
d47d87386c
+19
-17
@@ -2,32 +2,29 @@
|
||||
creation_date = "2021/06/29"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/20"
|
||||
|
||||
[rule]
|
||||
author = ["Austin Songer"]
|
||||
author = ["Austin Songer", "Elastic"]
|
||||
description = """
|
||||
Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order
|
||||
to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified,
|
||||
verify if the snapshot was shared with an unauthorized or unexpected AWS account.
|
||||
An adversary with a set of compromised credentials may attempt to make copies of running or deleted RDS databases in order to evade defense mechanisms or access data. This rule identifies successful attempts to restore a DB instance using the RDS `RestoreDBInstanceFromDBSnapshot` or `RestoreDBInstanceFromS3` API operations.
|
||||
"""
|
||||
false_positives = [
|
||||
"""
|
||||
Restoring snapshots may be done by a system or network administrator. Verify whether the user identity, user agent,
|
||||
and/or hostname should be making changes in your environment. Snapshot restoration by unfamiliar users or hosts
|
||||
Restoring DB instances may be done by a system or network administrator. Verify whether the user identity, user agent,
|
||||
and/or hostname should be making changes in your environment. Instance restoration by unfamiliar users or hosts
|
||||
should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
|
||||
""",
|
||||
]
|
||||
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
|
||||
language = "kuery"
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "AWS RDS Snapshot Restored"
|
||||
note = """## Setup
|
||||
|
||||
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
|
||||
name = "AWS RDS DB Instance Restored"
|
||||
references = [
|
||||
"https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html",
|
||||
"https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromS3.html",
|
||||
"https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py",
|
||||
"https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation#rds-createdbsnapshot-rds-restoredbinstancefromdbsnapshot-rds-modifydbinstance",
|
||||
]
|
||||
risk_score = 47
|
||||
rule_id = "bf1073bf-ce26-4607-b405-ba1ed8e9e204"
|
||||
@@ -36,18 +33,20 @@ tags = [
|
||||
"Domain: Cloud",
|
||||
"Data Source: AWS",
|
||||
"Data Source: Amazon Web Services",
|
||||
"Data Source: AWS RDS",
|
||||
"Use Case: Asset Visibility",
|
||||
"Tactic: Defense Evasion",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and
|
||||
event.outcome:success
|
||||
any where event.dataset == "aws.cloudtrail"
|
||||
and event.provider == "rds.amazonaws.com"
|
||||
and event.action in ("RestoreDBInstanceFromDBSnapshot", "RestoreDBInstanceFromS3")
|
||||
and event.outcome == "success"
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
@@ -55,12 +54,15 @@ id = "T1578"
|
||||
name = "Modify Cloud Compute Infrastructure"
|
||||
reference = "https://attack.mitre.org/techniques/T1578/"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1578.002"
|
||||
name = "Create Cloud Instance"
|
||||
reference = "https://attack.mitre.org/techniques/T1578/002/"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1578.004"
|
||||
name = "Revert Cloud Instance"
|
||||
reference = "https://attack.mitre.org/techniques/T1578/004/"
|
||||
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
name = "Defense Evasion"
|
||||
Reference in New Issue
Block a user