LoFP / benign changes to a db instance

Techniques

Sample rules

AWS RDS Master Password Change

Description

Detects a change of the database master password. It may be part of data exfiltration.

Detection logic

condition: selection_source
selection_source:
  eventName: ModifyDBInstance
  eventSource: rds.amazonaws.com
  responseElements.pendingModifiedValues.masterUserPassword|contains: '*'
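
The detection logic above, written out as an added Python example (not part of the original rule or the LoFP project) and run over constructed CloudTrail-style records. It assumes `|contains: '*'` is compared as a literal asterisk; the helper names, event IDs, account ID and user ARN are hypothetical.

```python
# Added example: applies the rule's selection to CloudTrail-style records.
EXACT = {"eventName": "ModifyDBInstance", "eventSource": "rds.amazonaws.com"}
PASSWORD_FIELD = "responseElements.pendingModifiedValues.masterUserPassword"


def get_path(record, dotted):
    """Follow a dotted field path through nested dicts; None if a step is missing."""
    node = record
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matches(record):
    """True when every condition of selection_source holds for the record."""
    if any(get_path(record, f) != v for f, v in EXACT.items()):
        return False
    value = get_path(record, PASSWORD_FIELD)
    # Assumption: '*' is compared as a literal asterisk in the masked value.
    return isinstance(value, str) and "*" in value


def hits(events):
    """Return (eventID, caller ARN) per match so a reviewer can see who made the change."""
    return [(e.get("eventID"), get_path(e, "userIdentity.arn"))
            for e in events if matches(e)]


def _event(event_id, name, response, arn="arn:aws:iam::111122223333:user/example-dba"):
    # Builds a constructed record; the account ID and user name are placeholders.
    return {"eventID": event_id, "eventName": name, "eventSource": "rds.amazonaws.com",
            "userIdentity": {"arn": arn}, "responseElements": response}


# Constructed sample records, not real CloudTrail output.
SAMPLE_EVENTS = [
    _event("ex-1", "ModifyDBInstance", {"pendingModifiedValues": {"masterUserPassword": "****"}}),
    _event("ex-2", "ModifyDBInstance", {"pendingModifiedValues": {"allocatedStorage": 200}}),
    _event("ex-3", "ModifyDBInstance", None),  # call with no responseElements
    _event("ex-4", "CreateDBInstance", {"pendingModifiedValues": {"masterUserPassword": "****"}}),
]

if __name__ == "__main__":
    for event_id, arn in hits(SAMPLE_EVENTS):
        print(event_id, arn)
```

Only ex-1 matches; the storage change in ex-2 does not. The rule's fields do not separate a routine password rotation from any other password change, so the caller ARN returned with each hit is what a reviewer checks against known administrators.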