master password change is a legitimate means to regain access to a db instance in the case of a lost password. ensure that the instance should not be modified in this way before taking action.

t1098
aws
elastic

Techniques

T1098

Sample rules

AWS RDS DB Instance or Cluster Password Modified

source: elastic
technicques:
- T1098

Description

Identifies the modification of the master password for an AWS RDS DB instance or cluster. DB instances may contain sensitive data that can be abused if accessed by unauthorized actors. Amazon RDS API operations never return the password, so this operation provides a means to regain access if the password is lost. Adversaries with the proper permissions can take advantage of this to evade defenses and gain unauthorized access to a DB instance or cluster to support persistence mechanisms or privilege escalation.

Detection logic

any where event.dataset == "aws.cloudtrail"
    and event.provider == "rds.amazonaws.com"
    and event.action in ("ModifyDBInstance", "ModifyDBCluster")
    and event.outcome == "success"
    and stringContains(aws.cloudtrail.request_parameters, "masterUserPassword=*")