Exfiltrate RDS Snapshot by Sharing
Tags: slow, idempotent
Platform: AWS
MITRE ATT&CK Tactics
- Exfiltration
Description
Shares an RDS snapshot with an external AWS account to simulate an attacker exfiltrating a database.
Warm-up:
- Create an RDS instance (slow, around 10 minutes)
- Create an RDS snapshot
Detonation:
- Call rds:ModifyDBSnapshotAttribute to share the snapshot with an external AWS account
Instructions
Detection
Through CloudTrail's ModifyDBSnapshotAttribute event, when both:
- requestParameters.attributeName is restore
- and requestParameters.launchPermission shows that the RDS snapshot was shared with a new or unknown AWS account, such as:
"requestParameters": {
    "dBSnapshotIdentifier": "my-db-snapshot",
    "attributeName": "restore",
    "valuesToAdd": ["193672423079"]
}
An attacker can also make an RDS snapshot completely public. In this case, the value of valuesToAdd is ["all"].
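As an added example (not part of the original page or of the Stratus Red Team project), the detection logic above expressed as a small Python scanner over CloudTrail records. It keys on requestParameters.valuesToAdd, which is the field the sample event shows carrying the shared-to account IDs, and treats "all" as the public-sharing case. It goes slightly beyond the page by also matching ModifyDBClusterSnapshotAttribute, the equivalent API for Aurora cluster snapshots. The event records and account IDs are constructed for the example; KNOWN_ACCOUNTS is an assumed allowlist you would replace with the accounts your organization legitimately shares with.

```python
import json

# Event names that change snapshot sharing. ModifyDBClusterSnapshotAttribute
# (Aurora) is an addition beyond the page, which only names the instance variant.
SHARE_EVENTS = {"ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute"}

# Assumed allowlist: your own account plus accounts you intentionally share with.
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}

# Constructed CloudTrail-style records (one JSON object per line), not real events.
SAMPLE_CLOUDTRAIL_JSONL = "\n".join([
    # 1. Shared with an account outside the allowlist -> finding
    json.dumps({"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBSnapshotAttribute",
                "recipientAccountId": "111111111111",
                "requestParameters": {"dBSnapshotIdentifier": "my-db-snapshot",
                                      "attributeName": "restore",
                                      "valuesToAdd": ["193672423079"]}}),
    # 2. Made public -> critical finding
    json.dumps({"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBSnapshotAttribute",
                "recipientAccountId": "111111111111",
                "requestParameters": {"dBSnapshotIdentifier": "my-db-snapshot",
                                      "attributeName": "restore",
                                      "valuesToAdd": ["all"]}}),
    # 3. Shared with a known partner account -> no finding
    json.dumps({"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBSnapshotAttribute",
                "recipientAccountId": "111111111111",
                "requestParameters": {"dBSnapshotIdentifier": "my-db-snapshot",
                                      "attributeName": "restore",
                                      "valuesToAdd": ["222222222222"]}}),
    # 4. Un-sharing (valuesToRemove only) -> no finding
    json.dumps({"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBSnapshotAttribute",
                "recipientAccountId": "111111111111",
                "requestParameters": {"dBSnapshotIdentifier": "my-db-snapshot",
                                      "attributeName": "restore",
                                      "valuesToRemove": ["193672423079"]}}),
    # 5. Unrelated RDS call -> no finding
    json.dumps({"eventSource": "rds.amazonaws.com", "eventName": "DescribeDBSnapshots",
                "recipientAccountId": "111111111111", "requestParameters": {}}),
])


def evaluate_event(event, known_accounts):
    """Return a finding dict for a snapshot-sharing event that exposes the snapshot
    to an unknown account or to the public, or None if the event is benign."""
    if event.get("eventSource") != "rds.amazonaws.com":
        return None
    if event.get("eventName") not in SHARE_EVENTS:
        return None
    params = event.get("requestParameters") or {}
    # Only the "restore" attribute controls who may restore (i.e. read) the snapshot.
    if params.get("attributeName") != "restore":
        return None
    added = params.get("valuesToAdd") or []
    snapshot = params.get("dBSnapshotIdentifier") or params.get("dBClusterSnapshotIdentifier")
    if "all" in added:
        return {"severity": "critical", "reason": "snapshot made public",
                "snapshot": snapshot, "accounts": ["all"]}
    unknown = sorted(acct for acct in added if acct not in known_accounts)
    if unknown:
        return {"severity": "high", "reason": "snapshot shared with unknown account",
                "snapshot": snapshot, "accounts": unknown}
    return None


def scan_jsonl(text, known_accounts=KNOWN_ACCOUNTS):
    """Parse newline-delimited CloudTrail records and return all findings in order."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        finding = evaluate_event(json.loads(line), known_accounts)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_jsonl(SAMPLE_CLOUDTRAIL_JSONL):
        print(f"[{f['severity']}] {f['reason']}: {f['snapshot']} -> {f['accounts']}")
```

Running it against the constructed records reports two findings: the share to 193672423079 (not in the allowlist) and the public share. Sharing with the known partner account, removing a share, and the unrelated Describe call produce nothing, which is the behaviour you want from a rule that keys on "new or unknown" accounts rather than on every ModifyDBSnapshotAttribute call.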