
Exfiltrate RDS Snapshot by Sharing

Tags: slow, idempotent

Platform: AWS

MITRE ATT&CK Tactics

  • Exfiltration

Description

Shares an RDS snapshot with an external AWS account to simulate an attacker exfiltrating a database.

Warm-up:

  • Create an RDS instance (slow, around 10 minutes)
  • Create an RDS snapshot

Detonation:

  • Call rds:ModifyDBSnapshotAttribute to share the snapshot with an external AWS account

Instructions

Detonate with Stratus Red Team
stratus detonate aws.exfiltration.rds-share-snapshot

Detection

Through CloudTrail's ModifyDBSnapshotAttribute event, when both:

  • requestParameters.attributeName is restore
  • and requestParameters.valuesToAdd (the account list attached to the restore attribute) shows that the RDS snapshot was shared with a new or unknown AWS account, such as:

"requestParameters": {
  "dBSnapshotIdentifier": "my-db-snapshot",
  "attributeName": "restore",
  "valuesToAdd": ["193672423079"]
}

An attacker can also make an RDS snapshot completely public. In this case, the value of valuesToAdd is ["all"].
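The detection rule above, written out as an added Python example (not code from the Stratus Red Team project): it walks a list of CloudTrail records, keeps only RDS snapshot-attribute changes on the restore attribute, and raises a finding for every account ID in valuesToAdd that is neither the account itself nor on an allowlist, with a public share ("all") rated higher. The first sample record reuses the anonymized event from this page's detonation logs; the other records, the TRUSTED_ACCOUNTS allowlist, and the inclusion of the Aurora cluster-snapshot API ModifyDBClusterSnapshotAttribute (assumed to carry the same attributeName/valuesToAdd parameters) are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set

# Snapshot-sharing API calls to inspect. ModifyDBSnapshotAttribute is the call
# this page describes; ModifyDBClusterSnapshotAttribute is assumed here to be the
# Aurora cluster-snapshot equivalent with the same parameter layout.
SHARE_EVENTS = {"ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute"}

# Constructed allowlist (assumption): accounts snapshots may legitimately be shared with.
TRUSTED_ACCOUNTS: Set[str] = {"111111111111"}


@dataclass(frozen=True)
class Finding:
    severity: str      # "critical" for a public share, "high" for an unknown account
    snapshot: str
    actor: str
    shared_with: str
    event_id: str


def analyze_event(event: dict, trusted: Set[str]) -> List[Finding]:
    """Return the findings for one CloudTrail record (empty when benign)."""
    if event.get("eventSource") != "rds.amazonaws.com":
        return []
    if event.get("eventName") not in SHARE_EVENTS:
        return []
    params = event.get("requestParameters") or {}
    if params.get("attributeName") != "restore":
        return []
    # valuesToAdd is absent when the call only removes accounts (valuesToRemove).
    values = params.get("valuesToAdd") or []
    snapshot = params.get("dBSnapshotIdentifier") or "<unknown snapshot>"
    actor = (event.get("userIdentity") or {}).get("arn", "<unknown principal>")
    own_account = event.get("recipientAccountId")
    findings: List[Finding] = []
    for value in values:
        if value == "all":
            findings.append(Finding("critical", snapshot, actor, "all (public)", event["eventID"]))
        elif value != own_account and value not in trusted:
            findings.append(Finding("high", snapshot, actor, value, event["eventID"]))
    return findings


def analyze_records(records: Iterable[dict], trusted: Set[str] = TRUSTED_ACCOUNTS) -> List[Finding]:
    out: List[Finding] = []
    for record in records:
        out.extend(analyze_event(record, trusted))
    return out


def _rds_event(event_id: str, name: str, params: dict) -> dict:
    """Build a minimal CloudTrail record; only the fields the rule reads are present."""
    return {
        "eventID": event_id,
        "eventName": name,
        "eventSource": "rds.amazonaws.com",
        "recipientAccountId": "171471557522",
        "requestParameters": params,
        "userIdentity": {"arn": "arn:aws:iam::171471557522:user/christophe"},
    }


# Sample input: the first record mirrors this page's anonymized detonation log,
# the rest are constructed to exercise the benign and public-share paths.
SAMPLE_RECORDS = [
    _rds_event("fef2bf02-bbea-4d0f-a91c-e6ccfe3fba46", "ModifyDBSnapshotAttribute",
               {"attributeName": "restore", "dBSnapshotIdentifier": "exfiltration",
                "valuesToAdd": ["503161813013"]}),
    _rds_event("constructed-1", "ModifyDBSnapshotAttribute",
               {"attributeName": "restore", "dBSnapshotIdentifier": "prod-nightly",
                "valuesToAdd": ["all"]}),
    _rds_event("constructed-2", "ModifyDBSnapshotAttribute",
               {"attributeName": "restore", "dBSnapshotIdentifier": "prod-nightly",
                "valuesToAdd": ["111111111111"]}),          # allowlisted partner account
    _rds_event("constructed-3", "ModifyDBSnapshotAttribute",
               {"attributeName": "restore", "dBSnapshotIdentifier": "prod-nightly",
                "valuesToRemove": ["503161813013"]}),       # un-sharing, nothing added
    _rds_event("constructed-4", "DescribeDBSnapshots", {}),  # unrelated read-only call
]


def run_sample() -> List[Finding]:
    return analyze_records(SAMPLE_RECORDS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity}] {f.actor} shared snapshot {f.snapshot} with {f.shared_with} (event {f.event_id})")
```

Only two of the five sample records produce findings: the page's share to an unknown account and the constructed public share. Removing an account, sharing with an allowlisted account, or calling an unrelated RDS API stays silent, which is the behaviour you want before wiring the rule into a SIEM.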

Detonation logs

The following CloudTrail events are generated when this technique is detonated[1]:

  • rds:ModifyDBSnapshotAttribute
[
   {
      "awsRegion": "meiso-eastwest-2r",
      "eventCategory": "Management",
      "eventID": "fef2bf02-bbea-4d0f-a91c-e6ccfe3fba46",
      "eventName": "ModifyDBSnapshotAttribute",
      "eventSource": "rds.amazonaws.com",
      "eventTime": "2024-08-01T12:38:06Z",
      "eventType": "AwsApiCall",
      "eventVersion": "1.08",
      "managementEvent": true,
      "readOnly": false,
      "recipientAccountId": "171471557522",
      "requestID": "3fd13676-52a0-4680-8491-71a8e28ea7f5",
      "requestParameters": {
         "attributeName": "restore",
         "dBSnapshotIdentifier": "exfiltration",
         "valuesToAdd": [
            "503161813013"
         ]
      },
      "responseElements": {
         "dBSnapshotAttributes": [
            {
               "attributeName": "restore",
               "attributeValues": [
                  "503161813013"
               ]
            }
         ],
         "dBSnapshotIdentifier": "exfiltration"
      },
      "sourceIPAddress": "204.10.215.184",
      "tlsDetails": {
         "cipherSuite": "TLS_AES_128_GCM_SHA256",
         "clientProvidedHostHeader": "rds.meiso-eastwest-2r.amazonaws.com",
         "tlsVersion": "TLSv1.3"
      },
      "userAgent": "stratus-red-team_5ca5319a-2127-4f13-a878-495bc59244b3",
      "userIdentity": {
         "accessKeyId": "AKIAIYTVC64GTXUFCS2X",
         "accountId": "171471557522",
         "arn": "arn:aws:iam::171471557522:user/christophe",
         "principalId": "AIDA3MGXB5NR71XRJU40",
         "type": "IAMUser",
         "userName": "christophe"
      }
   }
]

[1] These logs have been gathered from a real detonation of this technique in a test environment using Grimoire, and anonymized using LogLicker.