LoFP / users may genuinely reset the RDS password.

Techniques

Sample rules

AWS Credential Access RDS Password reset

Description

The following analytic detects the resetting of the master user password for an Amazon RDS DB instance. It leverages AWS CloudTrail logs to identify events where the ModifyDBInstance API call includes a masterUserPassword parameter. CloudTrail masks the password value in the recorded request, so the search matches on the parameter being present rather than on its contents. This activity is significant because unauthorized password resets can grant attackers access to sensitive data stored in production databases, such as credit card information, PII, and healthcare data. If confirmed malicious, this could lead to data breaches, regulatory non-compliance, and significant reputational damage. Because administrators also reset master passwords legitimately (rotation, recovery of a lost password, onboarding), the event should be checked against change records and the calling principal, user agent and source address before being treated as malicious.

Detection logic

`cloudtrail` eventSource="rds.amazonaws.com" eventName=ModifyDBInstance "requestParameters.masterUserPassword"=* 
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.dBInstanceIdentifier) as database_id by src awsRegion eventName userAgent user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `aws_credential_access_rds_password_reset_filter`

ASL AWS Credential Access RDS Password reset

Description

The following analytic detects the resetting of the master user password for an Amazon RDS DB instance or Aurora DB cluster. It leverages AWS CloudTrail logs from Amazon Security Lake to identify events where the ModifyDBInstance or ModifyDBCluster API call includes a masterUserPassword parameter. CloudTrail masks the password value in the recorded request, so the search matches on the parameter being present rather than on its contents. This activity is significant because unauthorized password resets can grant attackers access to sensitive data stored in production databases, such as credit card information, PII, and healthcare data. If confirmed malicious, this could lead to data breaches, regulatory non-compliance, and significant reputational damage. Legitimate resets by database administrators are expected; verify the reset against change records and the calling principal before escalating.

Detection logic

`amazon_security_lake` api.operation=ModifyDBInstance OR api.operation=ModifyDBCluster 
| spath input=api.request.data 
| search masterUserPassword=* 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data 
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `asl_aws_credential_access_rds_password_reset_filter`
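Both searches above reduce to the same check: a ModifyDBInstance (and, in the Security Lake version, ModifyDBCluster) call whose request carries masterUserPassword, aggregated by who made the call and from where. The Python below is added here as an illustration; it is not Splunk, AWS or LoFP content. It re-implements the two searches over constructed CloudTrail and OCSF sample records (the field layouts follow the searches; the ARNs, IPs, identifiers and timestamps are invented), so you can see which events match and how the two aggregations differ.

```python
"""Added example: the two RDS master-password-reset searches, re-implemented in
Python over constructed sample events. Illustrative code, not Splunk/AWS content."""
import json
from collections import defaultdict
from datetime import datetime, timezone

ALICE = "arn:aws:iam::111122223333:user/alice"      # invented principal
DBA_ROLE = "arn:aws:iam::111122223333:role/DBA"     # invented principal
# CloudTrail masks the password; the detections key on the parameter being
# present in the request, never on its value.
MASKED = "****"


def _ts(s):
    """Parse an ISO-8601 UTC timestamp such as '2024-05-01T10:00:00Z'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def cloudtrail_event(time, name, ip, user_agent, arn, params):
    """Minimal CloudTrail record (constructed, not captured from an account)."""
    return {"eventTime": time, "eventSource": "rds.amazonaws.com", "eventName": name,
            "awsRegion": "us-east-1", "sourceIPAddress": ip, "userAgent": user_agent,
            "userIdentity": {"arn": arn}, "requestParameters": params}


def asl_event(time, operation, ip, user_agent, arn, params):
    """Minimal Security Lake (OCSF) record. api.request.data is a JSON string,
    which is why the second search needs `spath input=api.request.data`."""
    return {"time": time,
            "api": {"operation": operation, "request": {"data": json.dumps(params)}},
            "actor": {"user": {"uid": arn, "account": {"uid": "111122223333"}}},
            "src_endpoint": {"ip": ip}, "cloud": {"region": "us-east-1"},
            "http_request": {"user_agent": user_agent}}


# Constructed sample: two instance password resets by one principal, one benign
# storage resize (no password parameter), one Aurora cluster password reset.
SAMPLE = [
    ("2024-05-01T10:00:00Z", "ModifyDBInstance", "198.51.100.7", "aws-cli/2.15.0", ALICE,
     {"dBInstanceIdentifier": "prod-db-1", "masterUserPassword": MASKED}),
    ("2024-05-01T10:02:30Z", "ModifyDBInstance", "198.51.100.7", "aws-cli/2.15.0", ALICE,
     {"dBInstanceIdentifier": "prod-db-2", "masterUserPassword": MASKED}),
    ("2024-05-01T10:05:00Z", "ModifyDBInstance", "203.0.113.9", "console.amazonaws.com",
     DBA_ROLE, {"dBInstanceIdentifier": "prod-db-1", "allocatedStorage": 200}),
    ("2024-05-01T10:07:00Z", "ModifyDBCluster", "198.51.100.7", "aws-cli/2.15.0", ALICE,
     {"dBClusterIdentifier": "aurora-prod", "masterUserPassword": MASKED}),
]
CLOUDTRAIL_EVENTS = [cloudtrail_event(*row) for row in SAMPLE]
ASL_EVENTS = [asl_event(*row) for row in SAMPLE]


def _stats(rows, names):
    """`stats count min(_time) max(_time) values(db) by <key>` over (key, time, db)
    rows, rendered as dicts sorted by firstTime."""
    groups = defaultdict(lambda: {"count": 0, "times": [], "database_id": set()})
    for key, t, db_id in rows:
        g = groups[key]
        g["count"] += 1
        g["times"].append(t)
        if db_id:
            g["database_id"].add(db_id)
    out = []
    for key, g in groups.items():
        row = dict(zip(names, key))
        row.update(count=g["count"], firstTime=min(g["times"]).isoformat(),
                   lastTime=max(g["times"]).isoformat(),
                   database_id=sorted(g["database_id"]))
        out.append(row)
    return sorted(out, key=lambda r: r["firstTime"])


def detect_cloudtrail(events):
    """First search: rds.amazonaws.com ModifyDBInstance with masterUserPassword
    present, grouped by src, awsRegion, eventName, userAgent, user_arn.
    ModifyDBCluster (Aurora) is not covered by this search."""
    rows = []
    for e in events:
        params = e.get("requestParameters") or {}
        if (e.get("eventSource") == "rds.amazonaws.com"
                and e.get("eventName") == "ModifyDBInstance"
                and "masterUserPassword" in params):
            key = (e["sourceIPAddress"], e["awsRegion"], e["eventName"],
                   e["userAgent"], e["userIdentity"]["arn"])
            rows.append((key, _ts(e["eventTime"]), params.get("dBInstanceIdentifier")))
    return _stats(rows, ("src", "awsRegion", "eventName", "userAgent", "user_arn"))


def detect_asl(events):
    """Second search: api.operation in {ModifyDBInstance, ModifyDBCluster} and
    masterUserPassword inside the JSON api.request.data; grouped by operation,
    actor uid/account, user agent, source IP, region and the raw request data,
    with the same renames (actor.user.uid -> user, src_endpoint.ip -> src_ip, ...)."""
    rows = []
    for e in events:
        op = e["api"]["operation"]
        data = e["api"]["request"].get("data") or "{}"
        if op in ("ModifyDBInstance", "ModifyDBCluster") and "masterUserPassword" in json.loads(data):
            key = (op, e["actor"]["user"]["uid"], e["actor"]["user"]["account"]["uid"],
                   e["http_request"]["user_agent"], e["src_endpoint"]["ip"],
                   e["cloud"]["region"], data)
            rows.append((key, _ts(e["time"]), None))
    return _stats(rows, ("api.operation", "user", "account_uid", "user_agent",
                         "src_ip", "region", "request_data"))


if __name__ == "__main__":
    for r in detect_cloudtrail(CLOUDTRAIL_EVENTS) + detect_asl(ASL_EVENTS):
        print(r)
```

Running it shows the benign storage resize is ignored by both searches, the Aurora cluster reset is caught only by the Security Lake search, and the two aggregations roll up differently: the CloudTrail search collapses alice's two resets into one row per principal/source/user agent, while the Security Lake search groups on api.request.data and therefore emits one row per distinct request. When triaging the false positive named in the page title, that per-principal view (who, from which IP and client, across how many instances in what window) is what separates a scheduled rotation from credential access.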