AWS RDS DB Instance or Cluster Password Modified

  1[metadata]
  2creation_date = "2024/06/27"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2024/07/06"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies the modification of the master password for an AWS RDS DB instance or cluster. DB instances may contain sensitive data that can be abused if accessed by unauthorized actors. Amazon RDS API operations never return the password, so this operation provides a means to regain access if the password is lost. Adversaries with the proper permissions can take advantage of this to evade defenses and gain unauthorized access to a DB instance or cluster to support persistence mechanisms or privilege escalation. 
 11"""
 12false_positives = [
 13    """
 14    Master password change is a legitimate means to regain access to a DB instance in the case of a lost password. Ensure that the instance should not be modified in this way before taking action.
 15    """,
 16]
 17from = "now-6m"
 18index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 19language = "eql"
 20license = "Elastic License v2"
 21name = "AWS RDS DB Instance or Cluster Password Modified"
 22note = """
 23## Triage and Analysis
 24
 25### Investigating AWS RDS DB Instance or Cluster Password Modified
 26
 27This rule identifies when an RDS DB instance or cluster password is modified. While changing the master password is a legitimate means to regain access in the case of a lost password, adversaries may exploit this feature to maintain persistence or evade defenses in a compromised environment.
 28
 29#### Possible Investigation Steps
 30
 31- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.
 32- **Review the Modification Event**: Identify the DB instance involved and review the event details. Look for `ModifyDBInstance` actions where the masterUserPassword parameter was changed.
 33    - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` field in the CloudTrail event to identify the DB Instance Identifier and any other modifications made to the instance.
 34- **Verify the Modified Instance**: Check the DB instance that was modified and its contents to determine the sensitivity of the data stored within it.
 35- **Contextualize with Recent Changes**: Compare this modification event against recent changes in RDS DB or Cluster configurations and deployments. Look for any other recent permissions changes or unusual administrative actions.
 36- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.
 37- **Interview Relevant Personnel**: If the modification was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB instances.
 38### False Positive Analysis
 39
 40- **Legitimate Instance Modification**: Confirm if the DB instance modification aligns with legitimate tasks.
 41- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.
 42
 43### Response and Remediation
 44
 45- **Immediate Review and Reversal**: If the change was unauthorized, update the instance password. If the master user password was managed with AWS Secrets Manager, determine whether the `manageMasterUserPassword` attribute was changed to false and revert if necessary.
 46- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.
 47- **Audit Instances and Policies**: Conduct a comprehensive audit of all instances and associated policies to ensure they adhere to the principle of least privilege.
 48- **Policy Update**: Review and possibly update your organization’s policies on DB instance access to tighten control and prevent unauthorized access.
 49- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery.
 50
 51### Additional Information:
 52
 53For further guidance on managing DB instances and securing AWS environments, refer to the [AWS RDS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Managing.html) and AWS best practices for security. Additionally, consult the following resources for specific details on DB instance security:
 54- [AWS RDS ModifyDBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html)
 55- [Amazon RDS and Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html)
 56"""
 57references = [
 58    "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html",
 59    "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html",
 60    "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance",
 61]
 62risk_score = 47
 63rule_id = "f2015527-7c46-4bb9-80db-051657ddfb69"
 64severity = "medium"
 65tags = [
 66    "Domain: Cloud",
 67    "Data Source: AWS",
 68    "Data Source: Amazon Web Services",
 69    "Data Source: AWS RDS",
 70    "Resources: Investigation Guide",
 71    "Use Case: Threat Detection",
 72    "Tactic: Persistence",
 73    "Tactic: Privilege Escalation",
 74    "Tactic: Defense Evasion",
 75]
 76timestamp_override = "event.ingested"
 77type = "eql"
 78
 79query = '''
 80any where event.dataset == "aws.cloudtrail"
 81    and event.provider == "rds.amazonaws.com"
 82    and event.action in ("ModifyDBInstance", "ModifyDBCluster")
 83    and event.outcome == "success"
 84    and stringContains(aws.cloudtrail.request_parameters, "masterUserPassword=*")
 85'''
 86
 87
 88[[rule.threat]]
 89framework = "MITRE ATT&CK"
 90[[rule.threat.technique]]
 91id = "T1098"
 92name = "Account Manipulation"
 93reference = "https://attack.mitre.org/techniques/T1098/"
 94[[rule.threat.technique.subtechnique]]
 95id = "T1098.001"
 96name = "Additional Cloud Credentials"
 97reference = "https://attack.mitre.org/techniques/T1098/001/"
 98
 99[rule.threat.tactic]
100id = "TA0003"
101name = "Persistence"
102reference = "https://attack.mitre.org/tactics/TA0003/"
103[[rule.threat]]
104framework = "MITRE ATT&CK"
105
106[rule.threat.tactic]
107id = "TA0004"
108name = "Privilege Escalation"
109reference = "https://attack.mitre.org/tactics/TA0004/"
110[[rule.threat]]
111framework = "MITRE ATT&CK"
112
113[rule.threat.tactic]
114id = "TA0005"
115name = "Defense Evasion"
116reference = "https://attack.mitre.org/tactics/TA0005/"