CTHFM: AWS
AWS Threat Hunting Ideas: RDS

Overview:

The following are threat hunting ideas for the RDS service. All of them work from CloudTrail management events. The aws cloudtrail lookup-events commands below return the last 90 days of management events for the current region only, accept --start-time and --end-time to narrow the window, and return the full record (userIdentity, requestParameters, responseElements) as a JSON string in the CloudTrailEvent field, which is where the request attributes discussed in each idea are found. For longer retention, or to hunt across accounts and regions, query the trail's S3 bucket with Athena instead. CloudTrail records control-plane API calls only: the SQL statements run against the database appear in the engine's own audit, general or slow-query logs, not in CloudTrail.

1. Unauthorized Database Creation (CreateDBInstance)

  • Goal: Detect unauthorized creation of RDS instances that might be used for malicious purposes or unauthorized workloads.

  • CloudTrail Event: CreateDBInstance

  • Hunting Idea:

    • Monitor for CreateDBInstance events from unusual users or during off-hours, comparing the principal (userIdentity.arn) and sourceIPAddress against the people and pipelines that normally build databases.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateDBInstance
    • Correlate with the same principal's other activity (IAM, EC2, S3) to determine whether the instance is part of a larger attack. Also check whether the instance was created with publiclyAccessible set, or stood up from an existing snapshot through RestoreDBInstanceFromDBSnapshot or RestoreDBInstanceToPointInTime, which yields a copy of production data outside the original instance's controls.

2. Suspicious Database Deletion (DeleteDBInstance)

  • Goal: Detect unauthorized attempts to delete critical databases to disrupt operations or cover malicious activity.

  • CloudTrail Event: DeleteDBInstance

  • Hunting Idea:

    • Look for DeleteDBInstance events targeting critical databases, and inspect requestParameters: skipFinalSnapshot set to true, or deleteAutomatedBackups set to true, means the deletion was deliberately made hard to recover from.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteDBInstance
    • Investigate whether these deletions are preceded or followed by DeleteDBSnapshot events for the same database by the same principal, which removes the remaining recovery path.
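Ideas 1 and 2 in code, as an added example that is not part of the original page: the records below are constructed CloudTrail events (not real logs), and the baseline of known RDS principals, the business-hours window and the set of critical databases are hypothetical values you would replace with your own. Field names follow the RDS CloudTrail convention (requestParameters.dBInstanceIdentifier, skipFinalSnapshot, deleteAutomatedBackups).

```python
from datetime import datetime, timezone

# Constructed CloudTrail records (not real logs). In practice these come
# from the CloudTrailEvent JSON string returned by lookup-events or from
# the trail's S3 objects.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-14T02:13:07Z", "eventName": "CreateDBInstance",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-tmp"},
     "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"dBInstanceIdentifier": "scratch-db-1", "engine": "postgres"}},
    {"eventTime": "2024-05-14T14:02:41Z", "eventName": "CreateDBInstance",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/TerraformDeploy/ci-4471"},
     "sourceIPAddress": "10.0.3.15",
     "requestParameters": {"dBInstanceIdentifier": "orders-prod", "engine": "mysql"}},
    {"eventTime": "2024-05-14T02:19:55Z", "eventName": "DeleteDBInstance",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-tmp"},
     "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"dBInstanceIdentifier": "orders-prod",
                           "skipFinalSnapshot": True, "deleteAutomatedBackups": True}},
    {"eventTime": "2024-05-14T15:30:00Z", "eventName": "DeleteDBInstance",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/TerraformDeploy/ci-4480"},
     "sourceIPAddress": "10.0.3.15",
     "requestParameters": {"dBInstanceIdentifier": "orders-staging",
                           "skipFinalSnapshot": False,
                           "finalDBSnapshotIdentifier": "orders-staging-final"}},
]

# Hypothetical baseline: the principals that normally manage RDS and the
# UTC window in which change activity is expected.
KNOWN_RDS_PRINCIPALS = {"arn:aws:sts::111122223333:assumed-role/TerraformDeploy"}
BUSINESS_HOURS_UTC = range(8, 19)  # 08:00 to 18:59 UTC


def principal_base(arn):
    """Drop the session name from an assumed-role ARN so that every session
    of a role compares equal to the role's baseline entry."""
    if ":assumed-role/" in arn:
        return arn.rsplit("/", 1)[0]
    return arn


def hunt_create_events(events):
    """Idea 1: CreateDBInstance by an unknown principal or outside hours.
    Returns (db_identifier, principal, reasons)."""
    findings = []
    for ev in events:
        if ev["eventName"] != "CreateDBInstance":
            continue
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        who = principal_base(ev["userIdentity"]["arn"])
        reasons = []
        if who not in KNOWN_RDS_PRINCIPALS:
            reasons.append("principal not in RDS baseline")
        if when.hour not in BUSINESS_HOURS_UTC:
            reasons.append("outside business hours")
        if reasons:
            findings.append((ev["requestParameters"]["dBInstanceIdentifier"], who, reasons))
    return findings


def hunt_delete_events(events, critical):
    """Idea 2: DeleteDBInstance against a critical database, or any deletion
    that skips the final snapshot or removes automated backups.
    Returns (db_identifier, principal, reasons)."""
    findings = []
    for ev in events:
        if ev["eventName"] != "DeleteDBInstance":
            continue
        rp = ev["requestParameters"]
        db = rp["dBInstanceIdentifier"]
        reasons = []
        if db in critical:
            reasons.append("critical database")
        if rp.get("skipFinalSnapshot"):
            reasons.append("no final snapshot")
        if rp.get("deleteAutomatedBackups"):
            reasons.append("automated backups deleted")
        if reasons:
            findings.append((db, principal_base(ev["userIdentity"]["arn"]), reasons))
    return findings


if __name__ == "__main__":
    for f in hunt_create_events(SAMPLE_EVENTS) + hunt_delete_events(SAMPLE_EVENTS, {"orders-prod"}):
        print(f)
```

Matching on the role ARN rather than the full assumed-role session ARN matters: every CI run gets a new session name, so a baseline keyed on the raw userIdentity.arn would flag every deploy.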

3. Modifying Database Security Groups (ModifyDBInstance)

  • Goal: Detect changes to the VPC security groups attached to an instance that could expose it to unauthorized access.

  • CloudTrail Event: ModifyDBInstance

  • Hunting Idea:

    • Monitor for ModifyDBInstance events whose requestParameters include vpcSecurityGroupIds. The event records only the group IDs, not their rules, so resolve each newly attached group with aws ec2 describe-security-groups (or the AuthorizeSecurityGroupIngress events for that group) and flag ingress from 0.0.0.0/0 or ::/0 on the database port.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ModifyDBInstance
    • Correlate with VPC Flow Logs for the instance's network interfaces to confirm the database is not being reached from untrusted sources.

4. Snapshot Creation and Copy (CreateDBSnapshot/CopyDBSnapshot)

  • Goal: Detect attempts to steal data by creating or copying database snapshots.

  • CloudTrail Events: CreateDBSnapshot, CopyDBSnapshot

  • Hunting Idea:

    • Monitor CreateDBSnapshot events for databases containing sensitive information, especially from principals that do not run the normal backup process.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateDBSnapshot
    • Check whether snapshots are copied to unexpected regions (for CopyDBSnapshot the event's awsRegion is the destination and sourceDBSnapshotIdentifier carries the source snapshot ARN) or shared with other accounts (idea 8). A copy that another account makes of a snapshot you shared is logged in that account's CloudTrail, not yours, so the sharing event is often the last step you will see.

5. Suspected Data Exfiltration (DownloadDBLogFilePortion)

  • Goal: Detect unauthorized reading of database log files, which can contain statement text and connection details and therefore sensitive data.

  • CloudTrail Event: DownloadDBLogFilePortion

  • Hunting Idea:

    • Monitor DownloadDBLogFilePortion events to ensure that database logs are read only by the principals expected to read them (DBAs, log-shipping roles).

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DownloadDBLogFilePortion
    • Look for many requests across different log files in a short time, indicating potential scraping. The API pages through a single file using a Marker, so several calls for the same logFileName are normal; count distinct files per principal rather than raw calls.
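The burst detection described above, as an added example that is not part of the original page. The events are constructed (not real logs); the window of 10 minutes and the threshold of 5 distinct files are hypothetical tuning values. Distinct (instance, log file) pairs are counted so that paging through one large file does not trigger a finding.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, arn, db, logfile):
    """Build a constructed DownloadDBLogFilePortion record (not a real log)."""
    return {"eventTime": ts, "eventName": "DownloadDBLogFilePortion",
            "userIdentity": {"arn": arn},
            "requestParameters": {"dBInstanceIdentifier": db, "logFileName": logfile}}


# Hypothetical principals: one scraping a day of logs, one DBA doing routine checks.
SCRAPER = "arn:aws:iam::111122223333:user/contractor-tmp"
DBA = "arn:aws:sts::111122223333:assumed-role/DBAdmins/alice"

SAMPLE_EVENTS = [
    _ev("2024-05-14T04:00:05Z", SCRAPER, "orders-prod", "error/postgresql.log.2024-05-13-00"),
    _ev("2024-05-14T04:00:31Z", SCRAPER, "orders-prod", "error/postgresql.log.2024-05-13-01"),
    _ev("2024-05-14T04:01:02Z", SCRAPER, "orders-prod", "error/postgresql.log.2024-05-13-02"),
    _ev("2024-05-14T04:01:44Z", SCRAPER, "orders-prod", "error/postgresql.log.2024-05-13-03"),
    _ev("2024-05-14T04:02:10Z", SCRAPER, "orders-prod", "error/postgresql.log.2024-05-13-04"),
    _ev("2024-05-14T04:02:55Z", SCRAPER, "orders-prod", "error/postgresql.log.2024-05-13-05"),
    # Two Marker pages of the same file: counted once.
    _ev("2024-05-14T10:15:00Z", DBA, "orders-prod", "error/postgresql.log.2024-05-14-10"),
    _ev("2024-05-14T10:15:03Z", DBA, "orders-prod", "error/postgresql.log.2024-05-14-10"),
    _ev("2024-05-14T16:40:00Z", DBA, "orders-prod", "error/postgresql.log.2024-05-14-16"),
]


def _t(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def log_download_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Sliding window per principal: flag when more than `threshold` distinct
    (instance, log file) pairs are fetched within `window`.
    Returns (principal_arn, window_start, distinct_file_count)."""
    per_principal = defaultdict(list)
    for ev in events:
        if ev["eventName"] != "DownloadDBLogFilePortion":
            continue
        rp = ev["requestParameters"]
        per_principal[ev["userIdentity"]["arn"]].append(
            (_t(ev["eventTime"]), rp["dBInstanceIdentifier"], rp["logFileName"]))

    findings = []
    for arn, rows in per_principal.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Advance the window start until the oldest row is within `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            files = {(db, name) for _, db, name in rows[start:end + 1]}
            if len(files) > threshold:
                findings.append((arn, rows[start][0], len(files)))
                break  # one finding per principal is enough for triage
    return findings


if __name__ == "__main__":
    for f in log_download_bursts(SAMPLE_EVENTS):
        print(f)
```

In Athena the same hunt is a COUNT(DISTINCT json_extract_scalar(requestparameters, '$.logFileName')) grouped by useridentity.arn and a time bucket; the sliding window here catches bursts that straddle bucket boundaries.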

6. Unauthorized Parameter Group Changes (ModifyDBParameterGroup)

  • Goal: Detect changes to database parameters that could alter security settings.

  • CloudTrail Event: ModifyDBParameterGroup

  • Hunting Idea:

    • Hunt for modifications to parameter groups that weaken security, for example disabling TLS enforcement (rds.force_ssl=0 on PostgreSQL, require_secure_transport=OFF on MySQL) or reducing visibility (log_statement=none or pgaudit.log=none on PostgreSQL, general_log=0 on MySQL). Storage encryption is fixed when the instance is created and cannot be changed through a parameter group. Changes submitted with applyMethod pending-reboot take effect only at the next reboot, so pair this hunt with idea 10.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ModifyDBParameterGroup
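The parameter check from the bullet above, as an added example that is not part of the original page. The event is constructed (not a real log) and the list of weakening values is an assumed starting point covering the PostgreSQL and MySQL parameters named above; extend it for the engines you run. Values are compared case-insensitively because MySQL accepts ON/OFF in either case.

```python
# Constructed ModifyDBParameterGroup record (not a real log). The
# parameters list mirrors the request shape: parameterName,
# parameterValue and applyMethod per entry.
SAMPLE_EVENT = {
    "eventTime": "2024-05-14T03:40:12Z",
    "eventName": "ModifyDBParameterGroup",
    "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-tmp"},
    "requestParameters": {
        "dBParameterGroupName": "orders-prod-pg15",
        "parameters": [
            {"parameterName": "rds.force_ssl", "parameterValue": "0", "applyMethod": "pending-reboot"},
            {"parameterName": "log_statement", "parameterValue": "none", "applyMethod": "immediate"},
            {"parameterName": "pgaudit.log", "parameterValue": "none", "applyMethod": "immediate"},
            {"parameterName": "work_mem", "parameterValue": "65536", "applyMethod": "immediate"},
        ],
    },
}

# Assumed hunting list: parameter -> values that weaken transport security
# or reduce audit visibility. Keys are engine parameter names.
WEAKENING_VALUES = {
    "rds.force_ssl": {"0"},                     # PostgreSQL: permit non-TLS connections
    "require_secure_transport": {"off", "0"},   # MySQL/MariaDB: permit non-TLS connections
    "log_statement": {"none"},                  # PostgreSQL: stop logging statements
    "pgaudit.log": {"none"},                    # PostgreSQL pgaudit: stop audit logging
    "log_connections": {"0", "off"},            # PostgreSQL: stop logging connections
    "general_log": {"0", "off"},                # MySQL: disable the general query log
}


def weakened_parameters(event):
    """Return (parameterName, parameterValue, applyMethod) for every change in a
    ModifyDBParameterGroup event that matches WEAKENING_VALUES."""
    if event.get("eventName") != "ModifyDBParameterGroup":
        return []
    hits = []
    for p in event["requestParameters"].get("parameters", []):
        name = p.get("parameterName", "")
        value = str(p.get("parameterValue", "")).lower()
        if value in WEAKENING_VALUES.get(name, set()):
            hits.append((name, value, p.get("applyMethod")))
    return hits


def pending_reboot(hits):
    """Subset of hits that are not yet in effect: static parameters only
    apply after RebootDBInstance, which is what idea 10 hunts for."""
    return [h for h in hits if h[2] == "pending-reboot"]


if __name__ == "__main__":
    hits = weakened_parameters(SAMPLE_EVENT)
    print(SAMPLE_EVENT["requestParameters"]["dBParameterGroupName"], hits)
    print("still pending reboot:", pending_reboot(hits))
```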

7. Automated Backdoor Access (ModifyDBInstance to Enable Public Access)

  • Goal: Detect attackers modifying databases to allow public access.

  • CloudTrail Event: ModifyDBInstance

  • Hunting Idea:

    • Monitor for ModifyDBInstance events whose requestParameters set publiclyAccessible to true. CreateDBInstance and the RestoreDBInstance* calls accept the same flag, so include them. A public endpoint is only reachable if the instance's subnet group has a route to an internet gateway and an attached security group permits the traffic, so verify both before escalating.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ModifyDBInstance
    • Correlate with connection attempts from untrusted IPs in VPC Flow Logs for the instance's network interfaces.
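Ideas 3 and 7 share the ModifyDBInstance event, so one added example (not part of the original page) covers both. The events are constructed (not real logs). Because CloudTrail records only the security group IDs, the rule check uses SECURITY_GROUP_INGRESS, a constructed stand-in for what aws ec2 describe-security-groups would return; the allowlist of approved RDS security groups is hypothetical.

```python
import ipaddress

# Constructed CloudTrail records (not real logs).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-14T03:02:11Z", "eventName": "ModifyDBInstance",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-tmp"},
     "requestParameters": {"dBInstanceIdentifier": "orders-prod",
                           "publiclyAccessible": True,
                           "vpcSecurityGroupIds": ["sg-0a1b2c3d4e5f60001", "sg-0fedcba987654321f"],
                           "applyImmediately": True}},
    {"eventTime": "2024-05-14T11:45:00Z", "eventName": "ModifyDBInstance",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/TerraformDeploy/ci-4490"},
     "requestParameters": {"dBInstanceIdentifier": "orders-prod",
                           "allocatedStorage": 500, "applyImmediately": False}},
]

# Constructed stand-in for `aws ec2 describe-security-groups` output
# (IpPermissions per group). CloudTrail does not carry the rules, so this
# second lookup is what turns "a group was attached" into "the port is open".
SECURITY_GROUP_INGRESS = {
    "sg-0a1b2c3d4e5f60001": [{"FromPort": 5432, "ToPort": 5432,
                              "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
    "sg-0fedcba987654321f": [{"FromPort": 5432, "ToPort": 5432,
                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

# Hypothetical allowlist of security groups approved for RDS in this account.
APPROVED_RDS_SGS = {"sg-0a1b2c3d4e5f60001"}


def open_to_world(rules):
    """True if any ingress rule admits the whole IPv4 or IPv6 internet."""
    for rule in rules:
        for r in rule.get("IpRanges", []):
            if ipaddress.ip_network(r["CidrIp"]).prefixlen == 0:
                return True
        for r in rule.get("Ipv6Ranges", []):
            if ipaddress.ip_network(r["CidrIpv6"]).prefixlen == 0:
                return True
    return False


def hunt_exposure_changes(events, sg_rules, approved_sgs):
    """Flag ModifyDBInstance calls that make an instance public or attach an
    unapproved or world-open security group.
    Returns (db_identifier, principal_arn, apply_immediately, reasons)."""
    findings = []
    for ev in events:
        if ev["eventName"] != "ModifyDBInstance":
            continue
        rp = ev["requestParameters"]
        reasons = []
        if rp.get("publiclyAccessible") is True:
            reasons.append("PubliclyAccessible set to true")
        for sg in rp.get("vpcSecurityGroupIds", []):
            if sg not in approved_sgs:
                reasons.append(f"unapproved security group {sg}")
            if open_to_world(sg_rules.get(sg, [])):
                reasons.append(f"{sg} allows ingress from the whole internet")
        if reasons:
            findings.append((rp["dBInstanceIdentifier"], ev["userIdentity"]["arn"],
                             rp.get("applyImmediately", False), reasons))
    return findings


if __name__ == "__main__":
    for f in hunt_exposure_changes(SAMPLE_EVENTS, SECURITY_GROUP_INGRESS, APPROVED_RDS_SGS):
        print(f)
```

The applyImmediately flag is worth surfacing: with it set to false the change waits for the maintenance window, which changes how urgently you need to act.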

8. Cross-Account Snapshot Sharing (ModifyDBSnapshotAttribute)

  • Goal: Detect unauthorized sharing of snapshots with other AWS accounts.

  • CloudTrail Event: ModifyDBSnapshotAttribute

  • Hunting Idea:

    • Monitor for ModifyDBSnapshotAttribute events with attributeName restore whose valuesToAdd lists account IDs outside your organization, or the value all, which makes the snapshot public. A snapshot encrypted with a customer managed KMS key can only be restored by another account if that account is also granted in the key policy (snapshots encrypted with the default aws/rds key cannot be shared at all), so look for PutKeyPolicy events on the snapshot's key by the same principal.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ModifyDBSnapshotAttribute
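Ideas 4 and 8 are two halves of the same exfiltration path (copy the snapshot somewhere else, or let another account restore it), so one added example, not part of the original page, covers both. The events are constructed (not real logs); the organization's account IDs and the approved-region set are hypothetical.

```python
# Hypothetical organization accounts and the regions where copies are expected.
ORG_ACCOUNTS = {"111122223333", "444455556666"}
APPROVED_REGIONS = {"us-east-1", "us-west-2"}

# Constructed CloudTrail records (not real logs). For CopyDBSnapshot the
# event's awsRegion is the destination; the source is the snapshot ARN.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-14T03:21:09Z", "eventName": "CreateDBSnapshot", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-tmp"},
     "requestParameters": {"dBInstanceIdentifier": "orders-prod", "dBSnapshotIdentifier": "tmp-2024"}},
    {"eventTime": "2024-05-14T03:24:30Z", "eventName": "CopyDBSnapshot", "awsRegion": "eu-south-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-tmp"},
     "requestParameters": {"sourceDBSnapshotIdentifier": "arn:aws:rds:us-east-1:111122223333:snapshot:tmp-2024",
                           "targetDBSnapshotIdentifier": "tmp-2024-copy"}},
    {"eventTime": "2024-05-14T03:30:02Z", "eventName": "ModifyDBSnapshotAttribute", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-tmp"},
     "requestParameters": {"dBSnapshotIdentifier": "tmp-2024", "attributeName": "restore",
                           "valuesToAdd": ["999988887777"]}},
    {"eventTime": "2024-05-14T09:00:00Z", "eventName": "ModifyDBSnapshotAttribute", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/BackupOps/ops"},
     "requestParameters": {"dBSnapshotIdentifier": "orders-prod-2024-05-13", "attributeName": "restore",
                           "valuesToAdd": ["444455556666"]}},
    {"eventTime": "2024-05-14T03:31:40Z", "eventName": "ModifyDBSnapshotAttribute", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-tmp"},
     "requestParameters": {"dBSnapshotIdentifier": "tmp-2024", "attributeName": "restore",
                           "valuesToAdd": ["all"]}},
]


def source_region(rp):
    """Cross-region copies identify the source snapshot by ARN; the region is
    the fourth colon-separated field. Same-region copies may use a bare name."""
    src = rp.get("sourceDBSnapshotIdentifier", "")
    if src.startswith("arn:"):
        return src.split(":")[3]
    return None


def hunt_snapshot_movement(events, org_accounts, approved_regions):
    """Return (snapshot_identifier, reason) for copies into unapproved regions
    and for restore grants to accounts outside the organization or to 'all'."""
    findings = []
    for ev in events:
        rp = ev["requestParameters"]
        name = ev["eventName"]
        if name == "CopyDBSnapshot":
            dest = ev["awsRegion"]
            if dest not in approved_regions:
                findings.append((rp["targetDBSnapshotIdentifier"],
                                 f"copied to unapproved region {dest} from {source_region(rp)}"))
        elif name == "ModifyDBSnapshotAttribute" and rp.get("attributeName") == "restore":
            for acct in rp.get("valuesToAdd", []):
                if acct == "all":
                    findings.append((rp["dBSnapshotIdentifier"], "snapshot made PUBLIC"))
                elif acct not in org_accounts:
                    findings.append((rp["dBSnapshotIdentifier"],
                                     f"restore granted to external account {acct}"))
    return findings


if __name__ == "__main__":
    for f in hunt_snapshot_movement(SAMPLE_EVENTS, ORG_ACCOUNTS, APPROVED_REGIONS):
        print(f)
```

Grants to accounts inside the organization (the BackupOps event) are deliberately not flagged; if your organization never shares snapshots at all, shrink ORG_ACCOUNTS to the local account so that every grant is a finding.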

9. Privilege Escalation through Role Association (AddRoleToDBInstance)

  • Goal: Detect attackers attaching IAM roles to an RDS instance. The engine uses the associated role for the named feature (for example s3Import, s3Export or Lambda invocation), so anyone who can call the corresponding functions inside the database can exercise the role's permissions, such as exporting query results to a bucket they control.

  • CloudTrail Event: AddRoleToDBInstance

  • Hunting Idea:

    • Monitor for AddRoleToDBInstance events, especially if administrative roles are attached.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AddRoleToDBInstance

10. Reboots That Apply Pending Changes (RebootDBInstance)

  • Goal: Detect suspicious reboots. Static parameter changes, and ModifyDBInstance changes made without applyImmediately, stay pending until the next reboot or maintenance window, so an attacker who has weakened a parameter group may reboot the instance to make the change take effect.

  • CloudTrail Event: RebootDBInstance

  • Hunting Idea:

    • Monitor for RebootDBInstance events and investigate whether they follow a recent ModifyDBParameterGroup or ModifyDBInstance by the same principal.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=RebootDBInstance
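Ideas 9 and 10 as code, in an added example that is not part of the original page. The events are constructed (not real logs) and the allowlist of roles approved for RDS association is hypothetical. The follow_on function is a generic sequence hunt: it is shown here for RebootDBInstance after a parameter or instance modification, and the same call with first={"DeleteDBInstance"} and second="DeleteDBSnapshot" answers the recovery-path question in idea 2.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail records (not real logs).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-14T03:40:12Z", "eventName": "ModifyDBParameterGroup",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-tmp"},
     "requestParameters": {"dBParameterGroupName": "orders-prod-pg15"}},
    {"eventTime": "2024-05-14T03:44:50Z", "eventName": "AddRoleToDBInstance",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-tmp"},
     "requestParameters": {"dBInstanceIdentifier": "orders-prod",
                           "roleArn": "arn:aws:iam::111122223333:role/PowerUserAll",
                           "featureName": "s3Export"}},
    {"eventTime": "2024-05-14T03:46:03Z", "eventName": "RebootDBInstance",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-tmp"},
     "requestParameters": {"dBInstanceIdentifier": "orders-prod"}},
    {"eventTime": "2024-05-14T22:00:00Z", "eventName": "RebootDBInstance",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DBAdmins/alice"},
     "requestParameters": {"dBInstanceIdentifier": "orders-staging"}},
]

# Hypothetical allowlist: roles approved for association with RDS instances.
APPROVED_DB_ROLES = {"arn:aws:iam::111122223333:role/rds-s3-import-orders"}


def _t(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def unapproved_role_associations(events, approved):
    """Idea 9: AddRoleToDBInstance with a role outside the allowlist.
    Returns (db_identifier, role_arn, feature_name)."""
    out = []
    for ev in events:
        if ev["eventName"] != "AddRoleToDBInstance":
            continue
        rp = ev["requestParameters"]
        if rp["roleArn"] not in approved:
            out.append((rp["dBInstanceIdentifier"], rp["roleArn"], rp.get("featureName")))
    return out


def follow_on(events, first, second, window=timedelta(minutes=30), same_principal=True):
    """Generic sequence hunt: `second` occurring within `window` after any
    event whose name is in `first`, by default from the same principal.
    ModifyDBParameterGroup names a parameter group rather than an instance,
    so the link is made on principal and time, not on the instance name.
    Returns (second_db_identifier, first_event_name, delay)."""
    firsts = [ev for ev in events if ev["eventName"] in first]
    pairs = []
    for ev in events:
        if ev["eventName"] != second:
            continue
        t = _t(ev["eventTime"])
        for f in firsts:
            delay = t - _t(f["eventTime"])
            if not (timedelta(0) <= delay <= window):
                continue
            if same_principal and f["userIdentity"]["arn"] != ev["userIdentity"]["arn"]:
                continue
            pairs.append((ev["requestParameters"]["dBInstanceIdentifier"], f["eventName"], delay))
    return pairs


if __name__ == "__main__":
    print(unapproved_role_associations(SAMPLE_EVENTS, APPROVED_DB_ROLES))
    print(follow_on(SAMPLE_EVENTS, {"ModifyDBParameterGroup", "ModifyDBInstance"}, "RebootDBInstance"))
```

When a reboot does follow a parameter group change, confirm which instances use that group with aws rds describe-db-instances before concluding the two events are related.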
Last updated 8 months ago