AWS Route 53 Domain Transferred to Another Account
Identifies when a request has been made to transfer a Route 53 domain to another AWS account.
Elastic rule
[metadata]
creation_date = "2021/05/10"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic", "Austin Songer"]
description = "Identifies when a request has been made to transfer a Route 53 domain to another AWS account."
false_positives = [
    """
    A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user
    identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar
    users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the
    rule.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS Route 53 Domain Transferred to Another Account"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS Route 53 Domain Transferred to Another Account

AWS Route 53 is a scalable domain name system (DNS) web service designed to route end-user requests to internet applications. Transferring a domain to another AWS account can be legitimate but may also indicate unauthorized access or account manipulation. Adversaries might exploit this to gain persistent control over a domain. The detection rule monitors successful domain transfer requests, flagging potential misuse by correlating specific AWS CloudTrail events, thus aiding in identifying unauthorized domain transfers.

### Possible investigation steps

- Review the AWS CloudTrail logs to identify the specific event with event.action:TransferDomainToAnotherAwsAccount and event.outcome:success to gather details about the domain transfer request.
- Verify the identity of the AWS account to which the domain was transferred by examining the event details, including the account ID and any associated user or role information.
- Check the AWS account's activity history for any unusual or unauthorized access patterns around the time of the domain transfer event.
- Contact the domain's original owner or administrator to confirm whether the transfer was authorized and legitimate.
- Investigate any recent changes in IAM policies or permissions that might have allowed unauthorized users to initiate the domain transfer.
- Assess the potential impact of the domain transfer on your organization's operations and security posture, considering the domain's role in your infrastructure.

### False positive analysis

- Routine domain transfers between accounts within the same organization can trigger alerts. To manage this, create exceptions for known internal account transfers by whitelisting specific account IDs involved in regular transfers.
- Scheduled domain management activities by IT teams may result in false positives. Coordinate with IT to document and schedule these activities, then exclude them from alerts during these periods.
- Automated scripts or tools used for domain management might inadvertently trigger alerts. Identify these scripts and their associated user accounts, and configure exceptions for these known, benign activities.
- Transfers related to mergers or acquisitions can be mistaken for unauthorized actions. Ensure that such events are communicated to the security team in advance, allowing them to temporarily adjust monitoring rules to accommodate these legitimate transfers.

### Response and remediation

- Immediately revoke any unauthorized access to the AWS account by changing the credentials and access keys associated with the account where the domain was transferred.
- Contact AWS Support to report the unauthorized domain transfer and request assistance in reversing the transfer if it was not authorized.
- Review AWS CloudTrail logs to identify any other suspicious activities or unauthorized access attempts around the time of the domain transfer.
- Implement multi-factor authentication (MFA) for all AWS accounts to enhance security and prevent unauthorized access.
- Conduct a thorough audit of IAM roles and permissions to ensure that only authorized users have the ability to transfer domains.
- Notify relevant stakeholders, including IT security teams and domain administrators, about the incident and the steps being taken to remediate it.
- Enhance monitoring and alerting for similar events by configuring additional AWS CloudWatch alarms or integrating with a Security Information and Event Management (SIEM) system to detect future unauthorized domain transfer attempts.

## Setup

This rule requires the AWS Fleet integration, the Filebeat AWS module, or similarly structured data."""
references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html"]
risk_score = 21
rule_id = "2045567e-b0af-444a-8c0b-0b6e2dae9e13"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS Route53",
    "Use Case: Asset Visibility",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
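As an added example that is not part of the Elastic rule or its repository, the Python below replays the rule's four KQL conjuncts over constructed ECS-shaped CloudTrail documents and applies the known-internal-account exception recommended in the false positive analysis. The field names event.dataset, event.provider, event.action and event.outcome come from the rule; the JSON shape of aws.cloudtrail.request_parameters, the user.name and source.ip values, and every account ID are assumptions constructed for this example.

```python
import json

def field(doc, path):
    """Resolve a dotted ECS field path such as 'event.action' in a nested dict."""
    for key in path.split("."):
        if not isinstance(doc, dict):
            return None
        doc = doc.get(key)
    return doc

def matches_rule(doc):
    """Python equivalent of the rule's KQL query: all four conjuncts must hold."""
    return (field(doc, "event.dataset") == "aws.cloudtrail"
            and field(doc, "event.provider") == "route53.amazonaws.com"
            and field(doc, "event.action") == "TransferDomainToAnotherAwsAccount"
            and field(doc, "event.outcome") == "success")

def destination_account(doc):
    """Target account ID; assumes a JSON string under aws.cloudtrail.request_parameters."""
    try:
        return json.loads(field(doc, "aws.cloudtrail.request_parameters")).get("accountId")
    except (TypeError, ValueError):  # field missing or not valid JSON
        return None

def triage(docs, internal_accounts):
    """Split rule matches into alerts and suppressed transfers to known internal accounts."""
    alerts, suppressed = [], []
    for doc in docs:
        if not matches_rule(doc):
            continue
        dest = destination_account(doc)
        summary = (field(doc, "user.name"), field(doc, "source.ip"), dest)
        (suppressed if dest in internal_accounts else alerts).append(summary)
    return alerts, suppressed

def _ev(action, outcome, user, ip, dest):
    """Constructed ECS-shaped CloudTrail document; all values are placeholders."""
    params = json.dumps({"domainName": "example.com", "accountId": dest})
    return {"event": {"dataset": "aws.cloudtrail", "provider": "route53.amazonaws.com",
                      "action": action, "outcome": outcome},
            "user": {"name": user}, "source": {"ip": ip},
            "aws": {"cloudtrail": {"request_parameters": params}}}

SAMPLE_DOCS = [  # constructed samples: allowlisted, external, failed, unrelated action
    _ev("TransferDomainToAnotherAwsAccount", "success", "ops-admin", "203.0.113.10", "222222222222"),
    _ev("TransferDomainToAnotherAwsAccount", "success", "contractor", "198.51.100.7", "999999999999"),
    _ev("TransferDomainToAnotherAwsAccount", "failure", "contractor", "198.51.100.7", "999999999999"),
    _ev("EnableDomainTransferLock", "success", "ops-admin", "203.0.113.10", None),
]
INTERNAL_ACCOUNTS = {"222222222222"}  # placeholder allowlist of known internal accounts
```

Running `triage(SAMPLE_DOCS, INTERNAL_ACCOUNTS)` leaves only the transfer to the unknown account as an alert; the failed attempt never matches the rule because event.outcome is not success, so failed transfer attempts need a separate rule if you want to see them.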
References
- https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html
Related rules
- AWS Route 53 Domain Transfer Lock Disabled
- AWS Route53 private hosted zone associated with a VPC
- AWS RDS Cluster Creation
- AWS RDS Instance Creation
- AWS Redshift Cluster Creation