
Exfiltrate RDS Snapshot by Sharing

Tags: slow, idempotent

Platform: AWS

MITRE ATT&CK Tactics

  • Exfiltration

Description

Shares an RDS snapshot with an external AWS account to simulate an attacker exfiltrating a database. Anyone with access to the recipient account can then restore the snapshot into a new instance and read the data.

Warm-up:

  • Create an RDS instance (slow, around 10 minutes)
  • Create an RDS snapshot of that instance

Detonation:

  • Call rds:ModifyDBSnapshotAttribute to share the snapshot with an external AWS account

Instructions

Detonate with Stratus Red Team
stratus detonate aws.exfiltration.rds-share-snapshot

Detection

Through CloudTrail's ModifyDBSnapshotAttribute event (eventSource rds.amazonaws.com), when both:

  • requestParameters.attributeName is restore
  • and requestParameters.valuesToAdd contains a new or unknown AWS account ID, such as:
"requestParameters": {
  "dBSnapshotIdentifier": "my-db-snapshot",
  "attributeName": "restore",
  "valuesToAdd": ["193672423079"]
}

Note that CloudTrail lower-cases the first letter of the identifier field (dBSnapshotIdentifier, not DBSnapshotIdentifier), and that a call that only uses valuesToRemove (un-sharing) is benign. The Aurora equivalent, ModifyDBClusterSnapshotAttribute, takes the same attributeName and valuesToAdd parameters and should be covered by the same rule.

An attacker can also make an RDS snapshot completely public. In this case, the value of valuesToAdd is ["all"]. One caveat: AWS does not allow encrypted snapshots to be made public, and a snapshot encrypted with the account's default aws/rds KMS key cannot be shared at all, so this technique works most directly against unencrypted snapshots or snapshots encrypted with a customer managed key the attacker can also grant the recipient access to.
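The detection rule above, as an added example that is not part of the original page or of Stratus Red Team itself. It runs the two conditions over constructed CloudTrail records, treats ["all"] as a public share, skips failed (errorCode) calls and un-share calls, and also covers the Aurora variant ModifyDBClusterSnapshotAttribute, which goes beyond what the page lists. The KNOWN_ACCOUNTS allowlist and the sample records are assumptions made for the example.

```python
"""Added example: flag RDS snapshot sharing in CloudTrail records.

The records below are constructed for this example; they use the CloudTrail
field names of rds:ModifyDBSnapshotAttribute (note the camelCase
dBSnapshotIdentifier) but are not real log data.
"""
import json

# Assumption (example only): account IDs with which sharing is approved.
KNOWN_ACCOUNTS = {"111111111111"}

# The Aurora equivalent takes the same attributeName / valuesToAdd parameters,
# so both event names are checked with the same rule.
SHARE_EVENTS = {"ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute"}


def evaluate(record):
    """Return a finding dict for a suspicious share, or None if benign."""
    if record.get("eventSource") != "rds.amazonaws.com":
        return None
    if record.get("eventName") not in SHARE_EVENTS:
        return None
    # A denied or failed call shared nothing; alert on attempts separately if wanted.
    if record.get("errorCode"):
        return None
    params = record.get("requestParameters") or {}
    if params.get("attributeName") != "restore":
        return None
    added = params.get("valuesToAdd") or []  # absent when only valuesToRemove is used
    snapshot = (params.get("dBSnapshotIdentifier")
                or params.get("dBClusterSnapshotIdentifier"))
    actor = (record.get("userIdentity") or {}).get("arn")
    if "all" in added:
        return {"severity": "critical", "reason": "snapshot made public",
                "snapshot": snapshot, "shared_with": ["all"], "actor": actor}
    unknown = sorted(a for a in added if a not in KNOWN_ACCOUNTS)
    if not unknown:
        return None
    return {"severity": "high", "reason": "snapshot shared with unknown account",
            "snapshot": snapshot, "shared_with": unknown, "actor": actor}


def scan(records):
    """Apply evaluate() to each record and return the list of findings."""
    return [f for f in map(evaluate, records) if f is not None]


def _event(name, params, error=None):
    """Build a minimal constructed CloudTrail record for the samples below."""
    rec = {"eventSource": "rds.amazonaws.com", "eventName": name,
           "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example"},
           "requestParameters": params}
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample records (not real CloudTrail data).
SAMPLE_RECORDS = [
    # 1. shared with an unknown external account (the page's own example)
    _event("ModifyDBSnapshotAttribute",
           {"dBSnapshotIdentifier": "my-db-snapshot", "attributeName": "restore",
            "valuesToAdd": ["193672423079"]}),
    # 2. made public
    _event("ModifyDBSnapshotAttribute",
           {"dBSnapshotIdentifier": "my-db-snapshot", "attributeName": "restore",
            "valuesToAdd": ["all"]}),
    # 3. shared with an approved account: benign
    _event("ModifyDBSnapshotAttribute",
           {"dBSnapshotIdentifier": "my-db-snapshot", "attributeName": "restore",
            "valuesToAdd": ["111111111111"]}),
    # 4. un-sharing: benign
    _event("ModifyDBSnapshotAttribute",
           {"dBSnapshotIdentifier": "my-db-snapshot", "attributeName": "restore",
            "valuesToRemove": ["193672423079"]}),
    # 5. attempt denied by IAM: nothing was shared
    _event("ModifyDBSnapshotAttribute",
           {"dBSnapshotIdentifier": "my-db-snapshot", "attributeName": "restore",
            "valuesToAdd": ["193672423079"]}, error="AccessDenied"),
    # 6. Aurora cluster snapshot shared with an unknown account
    _event("ModifyDBClusterSnapshotAttribute",
           {"dBClusterSnapshotIdentifier": "my-cluster-snapshot",
            "attributeName": "restore", "valuesToAdd": ["193672423079"]}),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

Against the six sample records the scan yields three findings: records 1 and 6 (unknown account) and record 2 (public); the approved-account share, the un-share and the denied attempt produce nothing. In production the allowlist would come from your organisation's account inventory rather than a constant.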