Modification or Deletion of an AWS RDS Cluster
Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.
Sigma rule

```yaml
title: Modification or Deletion of an AWS RDS Cluster
id: 457cc9ac-d8e6-4d1d-8c0e-251d0f11a74c
status: experimental
description: Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.
references:
    - https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html
    - https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html
    - https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance
author: Ivan Saakov
date: 2024-12-06
tags:
    - attack.exfiltration
    - attack.t1020
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: rds.amazonaws.com
        eventName:
            - ModifyDBCluster
            - DeleteDBCluster
    condition: selection
falsepositives:
    - Verify if the modification or deletion was performed by an authorized administrator.
    - Confirm if the modification or deletion was part of a planned change or maintenance activity.
level: high
```
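The rule's selection applied to CloudTrail records, as an added example (not part of the rule or its repository): it matches on the same eventSource and eventName values and pulls out the fields an analyst needs to answer the rule's two falsepositives questions. The three sample records are constructed; their field names follow CloudTrail's camelCased layout (e.g. requestParameters.dBClusterIdentifier), which is an assumption about the log shape rather than something the rule states.

```python
import json

# Values from the Sigma rule's 'selection' block.
EVENT_SOURCE = "rds.amazonaws.com"
EVENT_NAMES = {"ModifyDBCluster", "DeleteDBCluster"}

def matches_rule(record: dict) -> bool:
    """Sigma 'condition: selection': eventSource AND eventName-in-list."""
    return (record.get("eventSource") == EVENT_SOURCE
            and record.get("eventName") in EVENT_NAMES)

def summarize(record: dict) -> dict:
    """Triage context: who did it, from where, to which cluster, and with what parameters."""
    params = record.get("requestParameters") or {}
    return {
        "time": record.get("eventTime"),
        "event": record.get("eventName"),
        "cluster": params.get("dBClusterIdentifier"),
        "principal": (record.get("userIdentity") or {}).get("arn"),
        "source_ip": record.get("sourceIPAddress"),
        # ModifyDBCluster turning deletionProtection off is a common precursor to a delete.
        "deletion_protection": params.get("deletionProtection"),
        # DeleteDBCluster with skipFinalSnapshot=true removes the last recovery point.
        "skip_final_snapshot": params.get("skipFinalSnapshot"),
        "error": record.get("errorCode"),
    }

def scan(cloudtrail_log: str) -> list:
    """Apply the rule to a CloudTrail log body ({"Records": [...]}) and return the hits."""
    records = json.loads(cloudtrail_log).get("Records", [])
    return [summarize(r) for r in records if matches_rule(r)]

# Constructed sample log: one read-only call (no hit) followed by a modify and a delete (two hits).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-12-06T10:00:00Z", "eventSource": "rds.amazonaws.com", "eventName": "DescribeDBClusters",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/reader"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-12-06T10:05:00Z", "eventSource": "rds.amazonaws.com", "eventName": "ModifyDBCluster",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops-admin"}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"dBClusterIdentifier": "prod-aurora", "deletionProtection": False}},
    {"eventTime": "2024-12-06T10:06:00Z", "eventSource": "rds.amazonaws.com", "eventName": "DeleteDBCluster",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops-admin"}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"dBClusterIdentifier": "prod-aurora", "skipFinalSnapshot": True}},
]})

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The two hits share a principal and source IP and arrive a minute apart with deletion protection switched off first, which is exactly the context an analyst checks against the change calendar before closing the alert as planned maintenance.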
Related rules
- AWS RDS Master Password Change
- PowerShell Script With File Hostname Resolving Capabilities
- PowerShell Script With File Upload Capabilities
- Restore Public AWS RDS Instance
- Suspicious Inbox Forwarding