AWS Route 53 Domain Transferred to Another Account
Detects when a request has been made to transfer a Route 53 domain to another AWS account.
Sigma rule (View on GitHub)
1title: AWS Route 53 Domain Transferred to Another Account
2id: b056de1a-6e6e-4e40-a67e-97c9808cf41b
3status: test
4description: Detects when a request has been made to transfer a Route 53 domain to another AWS account.
5references:
6 - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
7author: Elastic, Austin Songer @austinsonger
8date: 2021/07/22
9modified: 2022/10/09
10tags:
11 - attack.persistence
12 - attack.credential_access
13 - attack.t1098
14logsource:
15 product: aws
16 service: cloudtrail
17detection:
18 selection:
19 eventSource: route53.amazonaws.com
20 eventName: TransferDomainToAnotherAwsAccount
21 condition: selection
22falsepositives:
23 - A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
24level: low
References
Related rules
- AWS Route 53 Domain Transfer Lock Disabled
- Change to Authentication Method
- AWS IAM Backdoor Users Keys
- Google Workspace Granted Domain API Access
- Google Workspace User Granted Admin Privileges