
Restore Public AWS RDS Instance

Detects the restoration of a new, publicly accessible RDS database instance from a snapshot. This can be a step in data exfiltration: a principal who can restore a snapshot into an instance with PubliclyAccessible set to true can then read the data from outside the VPC, without touching the original production instance.

Author: faloker
Created: Wed Feb 12
Updated: Sun Oct 09
Rule ID: c3f265c7-ff03-4056-8ab2-d486227b4599
Category: cloud
Log Source
Product: aws
Service: cloudtrail
Detection Logic
detection:
    selection_source:
        eventSource: rds.amazonaws.com
        responseElements.publiclyAccessible: 'true'
        eventName: RestoreDBInstanceFromDBSnapshot
    condition: selection_source
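To make the selection concrete, here is an added Python example (not part of the Sigma rule or the SigmaHQ project) that evaluates the three field conditions over a handful of constructed CloudTrail records. It shows the restore that fires, a private restore that does not, a failed call (CloudTrail records no responseElements on an error, so the rule cannot match it), and two events the rule does not cover: an existing instance flipped public with ModifyDBInstance, and an Aurora cluster restore (RestoreDBClusterFromSnapshot), which is a different eventName. The records and eventID values are constructed for illustration, not real log data.

```python
# Added example: evaluate the Sigma selection above over sample CloudTrail records.

# The Sigma selection, expressed as field path -> expected value.
SELECTION = {
    "eventSource": "rds.amazonaws.com",
    "eventName": "RestoreDBInstanceFromDBSnapshot",
    "responseElements.publiclyAccessible": "true",
}


def get_path(record, dotted):
    """Resolve a Sigma dotted field name against a nested CloudTrail record."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def sigma_equal(actual, expected):
    """Sigma string comparison: case-insensitive, and JSON booleans are
    compared by their string form, so 'true' in the rule matches JSON true."""
    if actual is None:
        return False
    if isinstance(actual, bool):
        actual = "true" if actual else "false"
    return str(actual).lower() == expected.lower()


def matches(record):
    """True when every field in the selection matches (Sigma AND semantics)."""
    return all(sigma_equal(get_path(record, f), v) for f, v in SELECTION.items())


# Constructed sample records; only the fields the rule needs plus an eventID.
SAMPLE_EVENTS = [
    {   # Fires: restore from snapshot into a public instance.
        "eventID": "evt-1", "eventSource": "rds.amazonaws.com",
        "eventName": "RestoreDBInstanceFromDBSnapshot",
        "requestParameters": {"dBSnapshotIdentifier": "customers-2024", "publiclyAccessible": True},
        "responseElements": {"dBInstanceIdentifier": "tmp-copy", "publiclyAccessible": True},
    },
    {   # Does not fire: same API call, but the new instance is private.
        "eventID": "evt-2", "eventSource": "rds.amazonaws.com",
        "eventName": "RestoreDBInstanceFromDBSnapshot",
        "responseElements": {"dBInstanceIdentifier": "staging-copy", "publiclyAccessible": False},
    },
    {   # Does not fire: the call was denied, so there are no responseElements.
        "eventID": "evt-3", "eventSource": "rds.amazonaws.com",
        "eventName": "RestoreDBInstanceFromDBSnapshot",
        "errorCode": "AccessDenied",
    },
    {   # Not covered: an existing instance made public afterwards.
        "eventID": "evt-4", "eventSource": "rds.amazonaws.com",
        "eventName": "ModifyDBInstance",
        "responseElements": {"dBInstanceIdentifier": "tmp-copy", "publiclyAccessible": True},
    },
    {   # Not covered: Aurora cluster restore uses a different eventName.
        "eventID": "evt-5", "eventSource": "rds.amazonaws.com",
        "eventName": "RestoreDBClusterFromSnapshot",
        "responseElements": {"dBClusterIdentifier": "tmp-cluster"},
    },
]


def run_rule(events=SAMPLE_EVENTS):
    """Return the eventIDs of records that satisfy the selection."""
    return [e["eventID"] for e in events if matches(e)]


if __name__ == "__main__":
    print(run_rule())  # ['evt-1']
```

The two uncovered cases are worth pairing with separate rules in practice: ModifyDBInstance with PubliclyAccessible set to true catches an instance exposed after a private restore, and the cluster-level restore calls need their own eventName values.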
False Positives
Unknown

False positive likelihood has not been assessed. Legitimate restores into publicly accessible development or test instances will also match, so triage should check the calling principal, its source IP, and whether a public restore of that particular snapshot is expected.

Rule Metadata
Rule ID
c3f265c7-ff03-4056-8ab2-d486227b4599
Status
test
Level
high
Type
Detection
Created
Wed Feb 12
Modified
Sun Oct 09
Author
faloker
Path
rules/cloud/aws/cloudtrail/aws_rds_public_db_restore.yml
Raw Tags
attack.exfiltration, attack.t1020