LoFP / Master password modification may occur during legitimate administrative recovery (e.g., a lost password, rotation event, or secrets manager reassociation). Validate whether the change was expected, approved, and performed by authorized personnel. If known workflows routinely perform this action, consider adding targeted exceptions.

Techniques

Sample rules

AWS RDS DB Instance or Cluster Password Modified

Description

Identifies the modification of the master password for an AWS RDS DB instance or cluster. Changing the master password is a legitimate recovery action when access is lost, but adversaries with sufficient permissions may modify it to regain access, establish persistence, bypass existing controls, or escalate privileges within a compromised environment. Because RDS does not expose the password in API responses, this operation can meaningfully alter access pathways to sensitive data stores.

Detection logic

info where event.dataset == "aws.cloudtrail"
    and event.provider == "rds.amazonaws.com"
    and event.action in ("ModifyDBInstance", "ModifyDBCluster")
    and event.outcome == "success"
    and stringContains(aws.cloudtrail.request_parameters, "masterUserPassword=*")
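The following is an added example (not part of the LoFP page or the Elastic rule) that applies the same four conditions to constructed raw CloudTrail records and then separates hits from known rotation workflows, the "targeted exceptions" the false positive note suggests. The role-name allowlist pattern and the sample ARNs are assumptions; the rule's event.outcome == "success" is approximated by the absence of a CloudTrail errorCode field.

```python
import fnmatch

# Constructed CloudTrail records (not real logs). CloudTrail redacts the
# password value, so only the presence of the masterUserPassword key matters.
SAMPLE_RECORDS = [
    {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/dev-admin/alice"},
     "requestParameters": {"dBInstanceIdentifier": "orders-db", "masterUserPassword": "****"}},
    {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBCluster",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/SecretsManagerRDSRotation/lambda"},
     "requestParameters": {"dBClusterIdentifier": "orders-cluster", "masterUserPassword": "****"}},
    {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/dev-admin/alice"},
     "requestParameters": {"dBInstanceIdentifier": "orders-db", "backupRetentionPeriod": 7}},
    {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/dev-admin/alice"},
     "requestParameters": {"dBInstanceIdentifier": "orders-db", "masterUserPassword": "****"}},
]

# Hypothetical allowlist of principal ARN patterns for approved rotation
# workflows; tune this to the roles your own secrets manager actually uses.
KNOWN_ROTATION_ROLES = ["*:assumed-role/SecretsManagerRDSRotation/*"]


def matches_rule(rec):
    """Mirror the rule: RDS source, Modify* action, success, password in request."""
    return (rec.get("eventSource") == "rds.amazonaws.com"
            and rec.get("eventName") in ("ModifyDBInstance", "ModifyDBCluster")
            and "errorCode" not in rec  # failed calls carry errorCode
            and "masterUserPassword" in rec.get("requestParameters", {}))


def is_known_workflow(rec):
    """True when the calling principal matches an allowlisted rotation role."""
    arn = rec.get("userIdentity", {}).get("arn", "")
    return any(fnmatch.fnmatch(arn, pat) for pat in KNOWN_ROTATION_ROLES)


def triage(records):
    """Return (alerts, suppressed): alerts need validation, suppressed hit an exception."""
    alerts, suppressed = [], []
    for rec in records:
        if matches_rule(rec):
            (suppressed if is_known_workflow(rec) else alerts).append(rec)
    return alerts, suppressed


if __name__ == "__main__":
    hits, known = triage(SAMPLE_RECORDS)
    for rec in hits:
        print("ALERT   ", rec["eventName"], rec["userIdentity"]["arn"])
    for rec in known:
        print("EXCEPTED", rec["eventName"], rec["userIdentity"]["arn"])
```

Suppressed events should still be logged rather than discarded, so that an attacker assuming the rotation role is visible in review.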