AWS Route 53 Domain Transfer Lock Disabled

Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2021/05/10"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this
action unless intending to transfer the domain to a different registrar.
"""
false_positives = [
    """
    A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user
    agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should
    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS Route 53 Domain Transfer Lock Disabled"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS Route 53 Domain Transfer Lock Disabled

The Route 53 domain transfer lock places the registry status `clientTransferProhibited` on a domain, and the registry rejects any request to move a locked domain to another registrar. Removing the lock is a required step before a legitimate transfer, but it is also exactly what an attacker holding domain-management permissions must do before taking the domain out of your control. Completing a transfer additionally requires the domain's authorization (EPP) code, which the same permissions normally allow retrieving, so a lock removal followed by an authorization-code retrieval by the same principal is a strong signal. Whoever ends up holding the domain controls its name servers, and with them where its web traffic and mail are delivered. This rule alerts on every successful `DisableDomainTransferLock` call that CloudTrail records.

### Possible investigation steps

- Identify the calling principal from the CloudTrail record: `aws.cloudtrail.user_identity.arn` (or `user.name` for IAM users), `aws.cloudtrail.user_identity.type` (IAM user, assumed role, or root), `source.ip` and `user_agent.original`. Registrar operations performed by root or with a long-lived IAM user access key deserve a question on their own.
- Identify the affected domain from `aws.cloudtrail.request_parameters`, which carries the `domainName` argument. The Route 53 Domains API is served from `us-east-1`, so `cloud.region` is `us-east-1` for these events regardless of where your workloads run.
- The query already requires `event.outcome:success`, meaning CloudTrail recorded no `errorCode` and the lock is now off. Separately search for failed `DisableDomainTransferLock` attempts (for example `errorCode` `AccessDenied`) by the same principal; the rule does not alert on them, but they indicate probing of domain permissions.
- Pivot on the same principal and domain in the surrounding hours for other Route 53 Domains actions: `RetrieveDomainAuthCode` (needed to complete a registrar transfer), `TransferDomainToAnotherAwsAccount`, `UpdateDomainNameservers`, `UpdateDomainContact` and `DisableDomainAutoRenew`. Check whether an `EnableDomainTransferLock` followed: a prompt re-lock points to a planned change, while no re-lock means the domain is still transferable.
- Review the principal's wider activity around the event for signs of compromised credentials, such as console logins or API calls from new source addresses or user agents, IAM changes, or access-key creation.
- Confirm with the domain owner, or through change-management records, whether a transfer to another registrar or AWS account was planned.

### False positive analysis

- A planned transfer to another registrar or AWS account by authorized staff produces exactly this event. Route such transfers through change management so an alert can be matched to a ticket, a named principal and an expected time window.
- Automation that manages domain registrations (infrastructure-as-code or scripted transfers) fires the rule under its role. Once the role is confirmed to be scoped to the expected domains, exempt its ARN rather than the event type, so the same action from a human identity still alerts.
- Domain consolidation or ownership changes inside the organization are legitimate triggers; have IT notify security before they start so the alert can be closed quickly.

### Response and remediation

- Confirm with the domain owner or responsible team whether the action was intended. Treat uncertainty as unauthorized until shown otherwise; the domain is transferable for as long as the lock is off.
- If it was not authorized, re-enable the lock immediately, for example with `aws route53domains enable-domain-transfer-lock --domain-name <domain> --region us-east-1`, then verify with `aws route53domains get-domain-detail --domain-name <domain> --region us-east-1` that `StatusList` again contains `clientTransferProhibited`. If `StatusList` shows `pendingTransfer`, a transfer is already in flight; contact AWS Support without delay.
- Review CloudTrail for the principal's other activity and for the related domain actions listed above, in particular `RetrieveDomainAuthCode`; if the authorization code was retrieved, treat it as exposed and rely on the re-enabled lock to block its use.
- Rotate the credentials of the principal involved and require MFA for identities holding `route53domains:*` permissions; limit those permissions to the few identities that genuinely need them.
- Notify the security team and relevant stakeholders; escalate to management and legal if there is evidence of malicious intent or the domain is business critical.
- Keep this rule enabled and pair it with alerting on the related Route 53 Domains actions above, so a transfer attempt is caught at each step rather than only at the unlock.

## Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

Route 53 Domains is a separate API from Route 53 hosted zones, and its calls are recorded in the `us-east-1` region of the trail, so that region must be covered by your CloudTrail configuration (a multi-region or organization trail). Before relying on the rule, confirm that the `event.provider` value your trail emits for domain-registration calls matches the query, which only matches `route53.amazonaws.com`; the hosted-zone and domain-registration services may not share an event source, and if they do not, the query will never fire."""
references = [
    "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
    "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html",
]
risk_score = 21
rule_id = "12051077-0124-4394-9522-8f4f4db1d674"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS Route53",
    "Use Case: Asset Visibility",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
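The script below is an added example and is not part of Elastic's rule or this page. It replays the rule's query logic over raw CloudTrail records and performs the triage pivots the guide asks for: it derives `event.outcome` from the presence of `errorCode` the way the AWS integration does, drops failed attempts, applies an exception for a pre-approved automation role, and lists the same principal's other Route 53 Domains actions on the same domain. The records, account ID, ARNs, addresses, user agents and domain names are constructed; the `_rec` helper, the `Alert` class and the `exempt_arn_prefixes` exception model are this example's own. Accepting both `route53.amazonaws.com` and `route53domains.amazonaws.com` as `event.provider` is an assumption made here because the published query names only the former and the value a given trail emits for Route 53 Domains calls should be verified.

```python
import json
from dataclasses import dataclass, field

# Constructed sample data: the account ID, ARNs, IP addresses, user agents and
# domain names are made up and do not come from any real trail.
ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"
AUTOMATION = "arn:aws:sts::123456789012:assumed-role/domain-transfer-automation/run-42"
R53D, R53 = "route53domains.amazonaws.com", "route53.amazonaws.com"


def _rec(time, source, name, arn, domain, ip, ua, **extra):
    """Build one constructed CloudTrail record using the real record field names."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "awsRegion": "us-east-1", "sourceIPAddress": ip, "userAgent": ua,
            "userIdentity": {"arn": arn}, "requestParameters": {"domainName": domain},
            **extra}


SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("2025-01-15T10:00:00Z", R53D, "DisableDomainTransferLock", ALICE, "example.com", "198.51.100.7", "aws-cli/2.15.0"),
    _rec("2025-01-15T10:01:30Z", R53D, "RetrieveDomainAuthCode", ALICE, "example.com", "198.51.100.7", "aws-cli/2.15.0"),
    # Denied attempt: CloudTrail adds errorCode, so event.outcome becomes "failure" and the rule stays quiet.
    _rec("2025-01-15T10:02:00Z", R53, "DisableDomainTransferLock", BOB, "example.net", "203.0.113.9", "Boto3/1.34.0", errorCode="AccessDenied"),
    # Pre-approved automation unlocking and then promptly re-locking a domain.
    _rec("2025-01-15T11:00:00Z", R53D, "DisableDomainTransferLock", AUTOMATION, "example.org", "192.0.2.20", "terraform"),
    _rec("2025-01-15T11:05:00Z", R53D, "EnableDomainTransferLock", AUTOMATION, "example.org", "192.0.2.20", "terraform"),
]})

RULE_ACTION = "DisableDomainTransferLock"
# Assumption of this example: accept both provider strings, because the published query
# names only route53.amazonaws.com and Route 53 Domains is a separate API from hosted zones.
RULE_PROVIDERS = {R53, R53D}
# Other Route 53 Domains actions by the same principal on the same domain that matter for triage.
RELATED_ACTIONS = {"RetrieveDomainAuthCode", "TransferDomainToAnotherAwsAccount",
                   "UpdateDomainNameservers", "UpdateDomainContact",
                   "DisableDomainAutoRenew", "EnableDomainTransferLock"}


def to_ecs(record: dict) -> dict:
    """Project the fields the KQL query and triage steps use, mapped the way the AWS
    integration does it: eventSource -> event.provider, eventName -> event.action,
    and event.outcome derived from whether errorCode is present."""
    return {
        "@timestamp": record.get("eventTime", ""),
        "event.dataset": "aws.cloudtrail",
        "event.provider": record.get("eventSource", ""),
        "event.action": record.get("eventName", ""),
        "event.outcome": "failure" if "errorCode" in record else "success",
        "user.arn": record.get("userIdentity", {}).get("arn", ""),
        "source.ip": record.get("sourceIPAddress", ""),
        "user_agent.original": record.get("userAgent", ""),
        "domain": record.get("requestParameters", {}).get("domainName", ""),
    }


def matches_rule(ecs: dict) -> bool:
    """event.dataset:aws.cloudtrail and event.provider:<Route 53 provider>
    and event.action:DisableDomainTransferLock and event.outcome:success"""
    return (ecs["event.dataset"] == "aws.cloudtrail"
            and ecs["event.provider"] in RULE_PROVIDERS
            and ecs["event.action"] == RULE_ACTION
            and ecs["event.outcome"] == "success")


@dataclass
class Alert:
    timestamp: str
    actor: str
    domain: str
    source_ip: str
    user_agent: str
    related_actions: list = field(default_factory=list)


def run_rule(trail_json: str, exempt_arn_prefixes: tuple = ()) -> list:
    """One Alert per matching event, enriched with the same principal's other successful
    Route 53 Domains actions on that domain. exempt_arn_prefixes models a rule exception
    for pre-approved automation identities (exempt the ARN, never the event type)."""
    events = [to_ecs(r) for r in json.loads(trail_json)["Records"]]
    alerts = []
    for ev in events:
        if not matches_rule(ev):
            continue
        if any(ev["user.arn"].startswith(p) for p in exempt_arn_prefixes):
            continue
        related = sorted({o["event.action"] for o in events
                          if o is not ev and o["user.arn"] == ev["user.arn"]
                          and o["domain"] == ev["domain"]
                          and o["event.outcome"] == "success"
                          and o["event.action"] in RELATED_ACTIONS})
        alerts.append(Alert(ev["@timestamp"], ev["user.arn"], ev["domain"],
                            ev["source.ip"], ev["user_agent.original"], related))
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_TRAIL):
        print(alert)
```

Run as-is, the script raises two alerts: alice's unlock of example.com, enriched with her follow-up `RetrieveDomainAuthCode` (the pattern the guide singles out), and the automation role's unlock of example.org, enriched with the re-lock five minutes later. Passing the automation role's ARN prefix as an exception leaves only alice's alert, while bob's denied attempt never matches because its outcome is `failure`.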
