Rules Contributing to Suspicious AWS RDS Event

The following rules are used to identify suspicious activity related to AWS RDS Event. Any one or more of these will trigger Suspicious AWS RDS Event Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Restore Public AWS RDS Instance

Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.

Rule ID

aws_1

Query

{'selection_source': {'eventSource': 'rds.amazonaws.com', 'responseElements_publiclyAccessible': True, 'eventName': 'RestoreDBInstanceFromDBSnapshot'}, 'condition': 'selection_source'}

Log Source

Stellar Cyber AWS Cloudtrail configured.

Rule Source

SigmaHQ,c3f265c7-ff03-4056-8ab2-d486227b4599

Author: faloker

Tactics, Techniques, and Procedures

TA0010, T1020

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2020/02/12 high

  • Unknown

AWS RDS Master Password Change

Detects the change of database master password. It may be a part of data exfiltration.

Rule ID

aws_14

Query

{'selection_source': {'eventSource': 'rds.amazonaws.com', 'responseElements_pendingModifiedValues_masterUserPassword|contains': '*', 'eventName': 'ModifyDBInstance'}, 'condition': 'selection_source'}

Log Source

Stellar Cyber AWS Cloudtrail configured.

Rule Source

SigmaHQ,8a63cdd4-6207-414a-85bc-7e032bd3c1a2

Author: faloker

Tactics, Techniques, and Procedures

TA0010, T1020

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
experimental 2020/02/12 medium

  • Benign changes to a db instance

AWS RDS Snapshot Export

Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.

Rule ID

aws_21

Query

{'selection1': {'eventSource': 'rds.amazonaws.com'}, 'selection2': {'eventName': 'StartExportTask'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0010, T1567

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2021/06/06 low

  • Exporting snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS RDS Cluster Creation

Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions.

Rule ID

aws_36

Query

{'selection1': {'eventSource': 'rds.amazonaws.com'}, 'selection2': {'eventName': ['CreateDBCluster', 'CreateGlobalCluster']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0003, T1133

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2020/05/20 low

  • Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS RDS Snapshot Restored

Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.

Rule ID

aws_59

Query

{'selection1': {'eventSource': 'rds.amazonaws.com'}, 'selection2': {'eventName': 'RestoreDBInstanceFromDBSnapshot', 'responseElements_publiclyAccessible': False}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0005, T1578

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2021/06/29 medium

  • Restoring snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot restoration by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS RDS Instance/Cluster Stoppage

Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped.

Rule ID

aws_60

Query

{'selection1': {'eventSource': 'rds.amazonaws.com'}, 'selection2': {'eventName': ['StopDBCluster', 'StopDBInstance']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0040, T1489

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2020/05/20 medium

  • Valid clusters or instances may be stopped by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance stoppages from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS Deletion of RDS Instance or Cluster

Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance.

Rule ID

aws_64

Query

{'selection1': {'eventSource': 'rds.amazonaws.com'}, 'selection2': {'eventName': ['DeleteDBCluster', 'DeleteGlobalCluster', 'DeleteDBInstance']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0040, T1485

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2020/05/21 medium

  • Clusters or instances may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS RDS Security Group Deletion

Identifies the deletion of an Amazon Relational Database Service (RDS) Security group.

Rule ID

aws_65

Query

{'selection1': {'eventSource': 'rds.amazonaws.com'}, 'selection2': {'eventName': 'DeleteDBSecurityGroup'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0040, T1531

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2021/06/05 low

  • An RDS security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS RDS Instance Creation

Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance.

Rule ID

aws_68

Query

{'selection1': {'eventSource': 'rds.amazonaws.com'}, 'selection2': {'eventName': 'CreateDBInstance'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0003, T1078

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2021/06/06 low

  • A database instance may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Instances creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS RDS Snapshot Created

A copy of an AWS RDS database has been created.

Rule ID

aws_97

Query

{'selection1': {'eventSource': 'rds.amazonaws.com'}, 'selection2': {'eventName': 'CreateDBSnapshot'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0009, T1074

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/01/05 medium N/A

AWS RDS Security Group Modified

A RDS security group has been modified.

Rule ID

aws_103

Query

{'selection1': {'eventSource': 'ec2.amazonaws.com'}, 'selection2': {'eventName': 'AuthorizeDBSecurityGroupIngress'}, 'selection3': {'eventName': 'RevokeDBSecurityGroupIngress'}, 'selection4': {'eventName': 'AuthorizeDBSecurityGroupEgress'}, 'selection5': {'eventName': 'RevokeDBSecurityGroupEgress'}, 'selection6': {'userAgent': 'cloudformation.amazonaws.com'}, 'condition': 'selection1 and (selection2 or selection3 or selection4 or selection5) and not selection6'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0003, T1098

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/01/05 medium N/A