LoFP / users may genuinely reset the rds password.

Techniques

• T1110
• T1586.003

Sample rules

ASL AWS Credential Access RDS Password reset

• source: splunk
• technicques:
  • T1110
  • T1586.003

Description

The following analytic detects the resetting of the master user password for an Amazon RDS DB instance. It leverages AWS CloudTrail logs from Amazon Security Lake to identify events where the ModifyDBInstance API call includes a new masterUserPassword parameter. This activity is significant because unauthorized password resets can grant attackers access to sensitive data stored in production databases, such as credit card information, PII, and healthcare data. If confirmed malicious, this could lead to data breaches, regulatory non-compliance, and significant reputational damage. Immediate investigation is required to determine the legitimacy of the password reset.

Detection logic

`amazon_security_lake` api.operation=ModifyDBInstance OR api.operation=ModifyDBCluster 
| spath input=api.request.data 
| search masterUserPassword=* 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data 
| rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_credential_access_rds_password_reset_filter`

AWS Credential Access RDS Password reset

• source: splunk
• technicques:
  • T1110
  • T1586.003

Description

The following analytic detects the resetting of the master user password for an Amazon RDS DB instance. It leverages AWS CloudTrail logs to identify events where the ModifyDBInstance API call includes a new masterUserPassword parameter. This activity is significant because unauthorized password resets can grant attackers access to sensitive data stored in production databases, such as credit card information, PII, and healthcare data. If confirmed malicious, this could lead to data breaches, regulatory non-compliance, and significant reputational damage. Immediate investigation is required to determine the legitimacy of the password reset.

Detection logic

`cloudtrail` eventSource="rds.amazonaws.com" eventName=ModifyDBInstance "requestParameters.masterUserPassword"=* 
| rename user_name as user 
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.dBInstanceIdentifier) as database_id by signature dest user user_agent src vendor_account vendor_region vendor_product 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `aws_credential_access_rds_password_reset_filter`