AWS Route 53 Domain Transfer Lock Disabled

calendar May 22, 2024 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS Route53 Use Case: Asset Visibility Tactic: Persistence  ·
Share on: linkedin copy

Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/05/10"
 3integration = ["aws"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic", "Austin Songer"]
 9description = """
10Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this
11action unless intending to transfer the domain to a different registrar.
12"""
13false_positives = [
14    """
15    A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user
16    agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should
17    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
18    """,
19]
20from = "now-60m"
21index = ["filebeat-*", "logs-aws.cloudtrail-*"]
22interval = "10m"
23language = "kuery"
24license = "Elastic License v2"
25name = "AWS Route 53 Domain Transfer Lock Disabled"
26note = """## Setup
27
28The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
29references = [
30    "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
31    "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html",
32]
33risk_score = 21
34rule_id = "12051077-0124-4394-9522-8f4f4db1d674"
35severity = "low"
36tags = [
37    "Domain: Cloud",
38    "Data Source: AWS",
39    "Data Source: Amazon Web Services",
40    "Data Source: AWS Route53",
41    "Use Case: Asset Visibility",
42    "Tactic: Persistence",
43]
44timestamp_override = "event.ingested"
45type = "query"
46
47query = '''
48event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success
49'''
50
51
52[[rule.threat]]
53framework = "MITRE ATT&CK"
54[[rule.threat.technique]]
55id = "T1098"
56name = "Account Manipulation"
57reference = "https://attack.mitre.org/techniques/T1098/"
58
59
60[rule.threat.tactic]
61id = "TA0003"
62name = "Persistence"
63reference = "https://attack.mitre.org/tactics/TA0003/"
64[[rule.threat]]
65framework = "MITRE ATT&CK"
66
67[rule.threat.tactic]
68id = "TA0006"
69name = "Credential Access"
70reference = "https://attack.mitre.org/tactics/TA0006/"

Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

  • Amazon Route 53 - Amazon Route 53

    The following actions are supported by Amazon Route 53:


    Read More

  • DisableDomainTransferLock - Amazon Route 53

    This operation removes the transfer lock on the domain (specifically the clientTransferProhibited status) to allow domain transfers. We recommend you refrain from performing this action unless you intend to transfer the domain to a different registrar. Successful submission returns an operation ID that you can use to track the progress and completion of the action. If the request is not completed successfully, the domain registrant will be notified by email.


    Read More

Related rules

to-top