Merge pull request #1726 from austinsonger/aws_route_53_domain_transferred_to_another_account.yml

Aws route 53 domain transferred to another account.yml
2024-11-07 09:48:58 +00:00 · 2021-07-27 08:02:27 +02:00 · 2021-07-27 08:02:27 +02:00 · e49f4c86b6
commit e49f4c86b6
parent 7cacc57313 0a07795a4e
2 changed files with 22 additions and 34 deletions
--- a/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml
+++ b/rules/cloud/aws_route_53_domain_transferred_to_another_account.yml
@ -0,0 +1,22 @@
+title: AWS Route 53 Domain Transferred to Another Account
+id: b056de1a-6e6e-4e40-a67e-97c9808cf41b
+description: Detects when a request has been made to transfer a Route 53 domain to another AWS account.
+author: Elastic, Austin Songer
+status: experimental
+date: 2021/07/22
+references:
+    - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
+logsource:
+    service: cloudtrail
+detection:
+    selection:
+        eventSource: route53.amazonaws.com
+        eventName: TransferDomainToAnotherAwsAccount
+    condition: selection
+tags:
+    - attack.persistence
+    - attack.credential_access
+    - attack.t1098
+falsepositives:
+- A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: low
--- a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml
+++ b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml
@ -1,34 +0,0 @@
-title: DNS-over-HTTPS Enabled by Registry
-id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5
-date: 2021/07/22
-description: Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
-author: Austin Songer
-status: experimental
-references:
-    - https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html
-    - https://github.com/elastic/detection-rules/issues/1371
-    - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
-tags:
-    - attack.defense_evasion
-    - attack.t1140
-    - attack.t1112
-logsource:
-  product: windows
-  category: registry_event
-detection:
-    selection1:
-        TargetObject:
-            - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'
-        Details: 'DWORD (1)'
-    selection2:
-        TargetObject:
-            - 'HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\DnsOverHttpsMode'
-        Details: 'DWORD (secure)'
-    selection3:
-        TargetObject:
-            - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS'
-        Details: 'DWORD (1)'
-    condition: selection1 or selection2 or selection3
-falsepositives:
- Unlikely
-level: medium