Detection | medium | test

AWS RDS Master Password Change

Detects a change of the database master password on an AWS RDS instance. This may be part of data exfiltration.

faloker | Created Wed Feb 12 | Updated Wed Oct 05 | 8a63cdd4-6207-414a-85bc-7e032bd3c1a2 | cloud
Log Source
Product: AWS (raw: aws)
Service: cloudtrail (raw: cloudtrail)
Detection Logic (1 selector)
detection:
    selection_source:
        eventSource: rds.amazonaws.com
        responseElements.pendingModifiedValues.masterUserPassword|contains: '*'
        eventName: ModifyDBInstance
    condition: selection_source
False Positives

Benign changes to a db instance
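
Added example (not part of the rule or of the Sigma project): a small Python evaluator that applies the selection above to constructed CloudTrail records, showing which events the rule flags and which ModifyDBInstance events it ignores. The record contents, the event IDs, the helper names and the literal treatment of '*' are assumptions.

```python
import json

# Field conditions of selection_source from the rule; all must hold (logical AND).
SELECTION = {
    "eventSource": "rds.amazonaws.com",
    "responseElements.pendingModifiedValues.masterUserPassword|contains": "*",
    "eventName": "ModifyDBInstance",
}

def get_field(event, dotted):
    """Walk a dotted field path; None if a level is missing or is not an object."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def matches(event, selection=SELECTION):
    """Return True when the event satisfies every condition in the selection."""
    for spec, expected in selection.items():
        field, _, modifier = spec.partition("|")
        value = get_field(event, field)
        if value is None:          # e.g. responseElements is null on a failed call
            return False
        value, expected = str(value).lower(), expected.lower()  # Sigma ignores case
        if modifier == "contains":
            # Assumption: '*' is compared as a literal asterisk (the masked value).
            if expected not in value:
                return False
        elif value != expected:
            return False
    return True

# Constructed CloudTrail records (trimmed to the fields the rule reads), one per line.
SAMPLE_LOG = """
{"eventID":"evt-1","eventSource":"rds.amazonaws.com","eventName":"ModifyDBInstance","responseElements":{"pendingModifiedValues":{"masterUserPassword":"****"}}}
{"eventID":"evt-2","eventSource":"rds.amazonaws.com","eventName":"ModifyDBInstance","responseElements":{"pendingModifiedValues":{"dBInstanceClass":"db.t3.medium"}}}
{"eventID":"evt-3","eventSource":"rds.amazonaws.com","eventName":"ModifyDBInstance","errorCode":"AccessDenied","responseElements":null}
{"eventID":"evt-4","eventSource":"rds.amazonaws.com","eventName":"CreateDBInstance","responseElements":{"pendingModifiedValues":{"masterUserPassword":"****"}}}
"""

def alerts(log=SAMPLE_LOG):
    """Return the eventID of each record in the log that the rule would flag."""
    events = [json.loads(line) for line in log.strip().splitlines()]
    return [e["eventID"] for e in events if matches(e)]

if __name__ == "__main__":
    print(alerts())
```

Only the successful password change is flagged; a legitimate password rotation produces the same record, so triage depends on who made the call and from where.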

Rule Metadata
Rule ID
8a63cdd4-6207-414a-85bc-7e032bd3c1a2
Status
test
Level
medium
Type
Detection
Created
Wed Feb 12
Modified
Wed Oct 05
Author
faloker
Path
rules/cloud/aws/cloudtrail/aws_rds_change_master_password.yml
Raw Tags
attack.exfiltration, attack.t1020