From 58017b6b3fc08c720bf29ce75b62c5d7191ad6ec Mon Sep 17 00:00:00 2001
From: Ivan S
Date: Sat, 7 Dec 2024 01:19:18 +0200
Subject: [PATCH] Merge PR #5017 from @saakovv - Add `Modification or Deletion of an AWS RDS Cluster`

new: Modification or Deletion of an AWS RDS Cluster

---------

Co-authored-by: Ivan.Saakov
Co-authored-by: nasbench
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 .../cloudtrail/aws_rds_dbcluster_actions.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/cloud/aws/cloudtrail/aws_rds_dbcluster_actions.yml

diff --git a/rules/cloud/aws/cloudtrail/aws_rds_dbcluster_actions.yml b/rules/cloud/aws/cloudtrail/aws_rds_dbcluster_actions.yml
new file mode 100644
index 00000000000..875c8697180
--- /dev/null
+++ b/rules/cloud/aws/cloudtrail/aws_rds_dbcluster_actions.yml
@@ -0,0 +1,27 @@
+title: Modification or Deletion of an AWS RDS Cluster
+id: 457cc9ac-d8e6-4d1d-8c0e-251d0f11a74c
+status: experimental
+description: Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.
+references:
+  - https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html
+  - https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html
+  - https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance
+author: Ivan Saakov
+date: 2024-12-06
+tags:
+  - attack.exfiltration
+  - attack.t1020
+logsource:
+  product: aws
+  service: cloudtrail
+detection:
+  selection:
+    eventSource: rds.amazonaws.com
+    eventName:
+      - ModifyDBCluster
+      - DeleteDBCluster
+  condition: selection
+falsepositives:
+  - Verify if the modification or deletion was performed by an authorized administrator.
+  - Confirm if the modification or deletion was part of a planned change or maintenance activity.
+level: high
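Review bot: The selection fires on every `ModifyDBCluster` call at `level: high`, so routine parameter edits, scaling and maintenance-window changes will alert as loudly as the exfiltration scenario the description and `attack.t1020` tag describe; either narrow the selection on `requestParameters` to the security-relevant modifications (for example a master credential reset or deletion protection being disabled) or lower `level` to medium and say in the description that it is a broad audit rule. The `falsepositives` entries are written as analyst instructions rather than as the usual list of benign sources; suggested wording is `- Legitimate administrative modifications or deletions of RDS clusters` and `- Planned maintenance or infrastructure-as-code changes`. The third reference points at the `#rds-modifydbinstance` privilege-escalation anchor, while the rule only covers the cluster-level `ModifyDBCluster`/`DeleteDBCluster` events, so it may be worth linking the cluster section or noting in the description why the instance-level technique is relevant here. Since `DeleteDBCluster` is also a destructive action, an `attack.impact` tag alongside the exfiltration tag would reflect both outcomes the rule is meant to catch.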