SigmaHQ/rules/cloud/aws/aws_rds_change_master_password.yml

title: AWS RDS Master Password Change
id: 8a63cdd4-6207-414a-85bc-7e032bd3c1a2
status: experimental
description: Detects the change of database master password. It may be a part of data exfiltration.
author: faloker
date: 2020/02/12
modified: 2021/08/20
references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py
logsource:
    service: cloudtrail
detection:
    selection_source:
        eventSource: rds.amazonaws.com
        responseElements.pendingModifiedValues.masterUserPassword: "*"
        eventName: ModifyDBInstance
    condition: selection_source
falsepositives:
    - Benign changes to a db instance
level: medium
tags:
    - attack.exfiltration
    - attack.t1020
Update rules titles 2020-02-12 21:09:16 +00:00			`title: AWS RDS Master Password Change`
Add rules to detect AWS RDS exfiltration 2020-02-12 20:21:52 +00:00			`id: 8a63cdd4-6207-414a-85bc-7e032bd3c1a2`
			`status: experimental`
Fixed my git issue 2020-09-14 04:03:04 +00:00			`description: Detects the change of database master password. It may be a part of data exfiltration.`
Add rules to detect AWS RDS exfiltration 2020-02-12 20:21:52 +00:00			`author: faloker`
			`date: 2020/02/12`
Update AWS CloudTrail rules aws_ec2_disable_encryption.yml Remove `status: success` from selection criteria, not required aws_ec2_vm_export_failure.yml Remove filter3: ``` eventName: 'ConsoleLogin' responseElements\|contains: 'Failure' ``` Incompatible with selection criteria `eventName: 'CreateInstanceExportTask'` aws_ec2_download_userdata.yml, aws_iam_backdoor_users_keys.yml, aws_rds_change_master_password.yml, aws_rds_public_db_restore.yml Update reference aws_sts_assumedrole_misuse.yml Rename to aws_sts_assumerole_misuse.yml Update references to "AssumedRole" to "AssumeRole" Update selection criteria of `userIdentity.sessionContext: Role` to `userIdentity.sessionContext.sessionIssuer.type: Role` 2021-08-20 12:43:00 +00:00			`modified: 2021/08/20`
Add rules to detect AWS RDS exfiltration 2020-02-12 20:21:52 +00:00			`references:`
Update AWS CloudTrail rules aws_ec2_disable_encryption.yml Remove `status: success` from selection criteria, not required aws_ec2_vm_export_failure.yml Remove filter3: ``` eventName: 'ConsoleLogin' responseElements\|contains: 'Failure' ``` Incompatible with selection criteria `eventName: 'CreateInstanceExportTask'` aws_ec2_download_userdata.yml, aws_iam_backdoor_users_keys.yml, aws_rds_change_master_password.yml, aws_rds_public_db_restore.yml Update reference aws_sts_assumedrole_misuse.yml Rename to aws_sts_assumerole_misuse.yml Update references to "AssumedRole" to "AssumeRole" Update selection criteria of `userIdentity.sessionContext: Role` to `userIdentity.sessionContext.sessionIssuer.type: Role` 2021-08-20 12:43:00 +00:00			`- https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py`
Add rules to detect AWS RDS exfiltration 2020-02-12 20:21:52 +00:00			`logsource:`
Correct the indentation 2020-02-12 20:48:46 +00:00			`service: cloudtrail`
Add rules to detect AWS RDS exfiltration 2020-02-12 20:21:52 +00:00			`detection:`
Correct the indentation 2020-02-12 20:48:46 +00:00			`selection_source:`
$frack113$ split PR 1802 fix rules 2021-08-09 13:41:40 +00:00			`eventSource: rds.amazonaws.com`
			`responseElements.pendingModifiedValues.masterUserPassword: "*"`
			`eventName: ModifyDBInstance`
			`condition: selection_source`
Add rules to detect AWS RDS exfiltration 2020-02-12 20:21:52 +00:00			`falsepositives:`
			`- Benign changes to a db instance`
Fixed my git issue 2020-09-14 04:03:04 +00:00			`level: medium`
Add rules to detect AWS RDS exfiltration 2020-02-12 20:21:52 +00:00			`tags:`
att&ck tags review: application, apt, cloud, generic, proxy 2020-09-03 14:16:47 +00:00			`- attack.exfiltration`
Correct the indentation 2020-02-12 20:48:46 +00:00			`- attack.t1020`