LoFP

Restoring DB instances may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Instance restoration by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

AWS RDS DB Instance Restored

Description

An adversary with a set of compromised credentials may attempt to make copies of running or deleted RDS databases in order to evade defense mechanisms or access data. This rule identifies successful attempts to restore a DB instance using the RDS RestoreDBInstanceFromDBSnapshot or RestoreDBInstanceFromS3 API operations.

Detection logic

any where event.dataset == "aws.cloudtrail"
    and event.provider == "rds.amazonaws.com"
    and event.action in ("RestoreDBInstanceFromDBSnapshot", "RestoreDBInstanceFromS3")
    and event.outcome == "success"
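The detection logic above, evaluated over constructed CloudTrail-derived events together with the exemption for known administrators that the false-positive note describes. This is added example code, not part of the rule or the original page; the `user.name` and `source.address` fields, the sample events and the allowlist are assumptions made for the illustration.

```python
# Added example: apply the rule's conditions to ECS-style events and then
# the LoFP exemption for identities/hosts known to restore instances.

RESTORE_ACTIONS = {"RestoreDBInstanceFromDBSnapshot", "RestoreDBInstanceFromS3"}


def cloudtrail_event(action, outcome, user, src_ip, provider="rds.amazonaws.com"):
    """Build a flattened, ECS-style CloudTrail event (field names as in the query)."""
    return {"event.dataset": "aws.cloudtrail", "event.provider": provider,
            "event.action": action, "event.outcome": outcome,
            "user.name": user, "source.address": src_ip}


# Constructed sample events, not real CloudTrail data.
SAMPLE_EVENTS = [
    cloudtrail_event("RestoreDBInstanceFromDBSnapshot", "success", "dba-automation", "10.0.5.12"),
    cloudtrail_event("RestoreDBInstanceFromS3", "success", "contractor-temp", "203.0.113.45"),
    cloudtrail_event("RestoreDBInstanceFromDBSnapshot", "failure", "contractor-temp", "203.0.113.45"),
    cloudtrail_event("DescribeDBInstances", "success", "contractor-temp", "203.0.113.45"),
    cloudtrail_event("RestoreDBInstanceFromDBSnapshot", "success", "dba-automation", "203.0.113.45"),
]

# Hypothetical allowlist mirroring the LoFP guidance: (identity, host) pairs
# expected to restore instances in this made-up environment.
KNOWN_RESTORERS = {("dba-automation", "10.0.5.12")}


def matches_rule(ev):
    """True when an event satisfies every condition of the detection logic."""
    return (ev.get("event.dataset") == "aws.cloudtrail"
            and ev.get("event.provider") == "rds.amazonaws.com"
            and ev.get("event.action") in RESTORE_ACTIONS
            and ev.get("event.outcome") == "success")


def is_exempt(ev, allowlist=KNOWN_RESTORERS):
    """Exempt exact (identity, host) pairs only: a known user acting from an
    unfamiliar host still alerts, as the false-positive note advises."""
    return (ev.get("user.name"), ev.get("source.address")) in allowlist


def evaluate(events, allowlist=KNOWN_RESTORERS):
    """Return (alerts, exempted): matching events split by the allowlist."""
    alerts, exempted = [], []
    for ev in events:
        if matches_rule(ev):
            (exempted if is_exempt(ev, allowlist) else alerts).append(ev)
    return alerts, exempted
```

With the sample data, `evaluate(SAMPLE_EVENTS)` yields two alerts (the contractor's S3 restore and the known identity restoring from an unfamiliar host) and one exempted event; the failed restore and the describe call never match the rule.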