AWS Route 53 Domain Transferred to Another Account
Detects when a request has been made to transfer a Route 53 domain to another AWS account.
Sigma rule (View on GitHub)
1title: AWS Route 53 Domain Transferred to Another Account
2id: b056de1a-6e6e-4e40-a67e-97c9808cf41b
3status: test
4description: Detects when a request has been made to transfer a Route 53 domain to another AWS account.
5references:
6 - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
7author: Elastic, Austin Songer @austinsonger
8date: 2021-07-22
9modified: 2022-10-09
10tags:
11 - attack.persistence
12 - attack.credential-access
13 - attack.privilege-escalation
14 - attack.t1098
15logsource:
16 product: aws
17 service: cloudtrail
18detection:
19 selection:
20 eventSource: route53.amazonaws.com
21 eventName: TransferDomainToAnotherAwsAccount
22 condition: selection
23falsepositives:
24 - A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
25level: low
References
Related rules
- AWS Route 53 Domain Transfer Lock Disabled
- Change to Authentication Method
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain