Rules Contributing to Suspicious AWS Route 53 Activity Alert

The following rules are used to identify suspicious activity within AWS Route 53 logs. Any one or more of these will trigger Suspicious AWS Route 53 Activity Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

AWS Route53 private hosted zone associated with a VPC

Identifies when a Route53 private hosted zone has been associated with VPC.

More details

Rule ID

aws_32

Query

{'selection1': {'eventSource': 'route53.amazonaws.com'}, 'selection2': {'eventName': 'AssociateVPCWithHostedZone'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0003, T1098

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2021/07/19	low	A private hosted zone may be asssociated with a VPC by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. If known behavior is causing false positives, it can be exempted from the rule.

AWS Route 53 Domain Transfer Lock Disabled

Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.

More details

Rule ID

aws_35

Query

{'selection1': {'eventSource': 'route53.amazonaws.com'}, 'selection2': {'eventName': 'DisableDomainTransferLock'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0003, T1098

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2021/05/10	low	A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS Route 53 Domain Transferred to Another Account

Identifies when a request has been made to transfer a Route 53 domain to another AWS account.

More details

Rule ID

aws_63

Query

{'selection1': {'eventSource': 'route53.amazonaws.com'}, 'selection2': {'eventName': 'TransferDomainToAnotherAwsAccount'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0003, T1098

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2021/05/10	low	A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.