diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml b/rules/integrations/aws/defense_evasion_rds_instance_restored.toml similarity index 51% rename from rules/integrations/aws/exfiltration_rds_snapshot_restored.toml rename to rules/integrations/aws/defense_evasion_rds_instance_restored.toml index fb21fe2f6..4a584d3a3 100644 --- a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml +++ b/rules/integrations/aws/defense_evasion_rds_instance_restored.toml @@ -2,32 +2,29 @@ creation_date = "2021/06/29" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/20" [rule] -author = ["Austin Songer"] +author = ["Austin Songer", "Elastic"] description = """ -Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order -to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, -verify if the snapshot was shared with an unauthorized or unexpected AWS account. +An adversary with a set of compromised credentials may attempt to make copies of running or deleted RDS databases in order to evade defense mechanisms or access data. This rule identifies successful attempts to restore a DB instance using the RDS `RestoreDBInstanceFromDBSnapshot` or `RestoreDBInstanceFromS3` API operations. """ false_positives = [ """ - Restoring snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, - and/or hostname should be making changes in your environment. Snapshot restoration by unfamiliar users or hosts + Restoring DB instances may be done by a system or network administrator. Verify whether the user identity, user agent, + and/or hostname should be making changes in your environment. Instance restoration by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] index = ["filebeat-*", "logs-aws.cloudtrail-*"] -language = "kuery" +language = "eql" license = "Elastic License v2" -name = "AWS RDS Snapshot Restored" -note = """## Setup - -The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +name = "AWS RDS DB Instance Restored" references = [ "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromS3.html", "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py", + "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation#rds-createdbsnapshot-rds-restoredbinstancefromdbsnapshot-rds-modifydbinstance", ] risk_score = 47 rule_id = "bf1073bf-ce26-4607-b405-ba1ed8e9e204" @@ -36,18 +33,20 @@ tags = [ "Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", + "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Defense Evasion", ] timestamp_override = "event.ingested" -type = "query" +type = "eql" query = ''' -event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and -event.outcome:success +any where event.dataset == "aws.cloudtrail" + and event.provider == "rds.amazonaws.com" + and event.action in ("RestoreDBInstanceFromDBSnapshot", "RestoreDBInstanceFromS3") + and event.outcome == "success" ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -55,12 +54,15 @@ id = "T1578" name = "Modify Cloud Compute Infrastructure" reference = "https://attack.mitre.org/techniques/T1578/" [[rule.threat.technique.subtechnique]] +id = "T1578.002" +name = "Create Cloud Instance" +reference = "https://attack.mitre.org/techniques/T1578/002/" +[[rule.threat.technique.subtechnique]] id = "T1578.004" name = "Revert Cloud Instance" reference = "https://attack.mitre.org/techniques/T1578/004/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion"