AWS RDS Master Password Change
Detects the change of database master password. It may be a part of data exfiltration.
Sigma rule

title: AWS RDS Master Password Change
id: 8a63cdd4-6207-414a-85bc-7e032bd3c1a2
status: test
description: Detects the change of database master password. It may be a part of data exfiltration.
references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py
author: faloker
date: 2020-02-12
modified: 2022-10-05
tags:
    - attack.exfiltration
    - attack.t1020
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_source:
        eventSource: rds.amazonaws.com
        responseElements.pendingModifiedValues.masterUserPassword|contains: '*'
        eventName: ModifyDBInstance
    condition: selection_source
falsepositives:
    - Benign changes to a db instance
level: medium
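To show what the selection above actually tests, here is an added example (not part of the Sigma project or this rule's page) that evaluates the rule's three field conditions over constructed CloudTrail records; the event contents, the instance identifier prod-db-1 and the helper names are assumptions for illustration.

```python
import json

# Constructed CloudTrail records (not real events), one JSON object per line
# as in a CloudTrail export: a master-password change, a benign storage change
# on the same instance, and an RDS call whose responseElements is null.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance",
     "responseElements": {"dBInstanceIdentifier": "prod-db-1",
                          "pendingModifiedValues": {"masterUserPassword": "****"}}},
    {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance",
     "responseElements": {"dBInstanceIdentifier": "prod-db-1",
                          "pendingModifiedValues": {"allocatedStorage": 200}}},
    {"eventSource": "rds.amazonaws.com", "eventName": "DescribeDBInstances",
     "responseElements": None},
])

def get_field(record, dotted_path):
    """Resolve a Sigma-style dotted field name against a nested dict, or None."""
    cur = record
    for key in dotted_path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def matches_rule(record):
    """selection_source of the rule: all three field tests must hold."""
    if get_field(record, "eventSource") != "rds.amazonaws.com":
        return False
    if get_field(record, "eventName") != "ModifyDBInstance":
        return False
    pwd = get_field(record, "responseElements.pendingModifiedValues.masterUserPassword")
    # Sigma treats '*' as a wildcard, so '|contains: *' reduces to "the field is
    # present with a string value"; CloudTrail writes the new password masked.
    return isinstance(pwd, str)

def scan(log_text):
    """Return the DB instance identifier of every record matching the rule."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if matches_rule(record):
            hits.append(get_field(record, "responseElements.dBInstanceIdentifier"))
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))  # ['prod-db-1']
```

Only the first record fires; the null responseElements record shows why the field lookup must tolerate missing or non-dict intermediate values.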
Related rules
- PowerShell Script With File Hostname Resolving Capabilities
- PowerShell Script With File Upload Capabilities
- Restore Public AWS RDS Instance
- Suspicious Inbox Forwarding
- Suspicious BlackCat-Related Exfiltration Command