AWS Threat Hunting Ideas: RDS

Overview:

The following are threat hunting ideas for the RDS service.

1. Unauthorized Database Creation (CreateDBInstance)

Goal: Detect unauthorized creation of RDS instances that might be used for malicious purposes or unauthorized workloads.
CloudTrail Event: CreateDBInstance
Hunting Idea:
- Monitor for CreateDBInstance events from unusual users or during off-hours.
  aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateDBInstance
- Correlate with other events to determine if the database instance is part of a larger attack.

2. Suspicious Database Deletion (DeleteDBInstance)

Goal: Detect unauthorized attempts to delete critical databases to disrupt operations or cover malicious activity.
CloudTrail Event: DeleteDBInstance
Hunting Idea:
- Look for DeleteDBInstance events targeting critical databases.
  aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteDBInstance
- Investigate if these deletions are followed by an immediate snapshot deletion to prevent recovery.

3. Modifying Database Security Groups (ModifyDBInstance)

Goal: Detect changes to database security groups that might open it to unauthorized access.
CloudTrail Event: ModifyDBInstance
Hunting Idea:
- Monitor for modifications that add security groups with overly permissive rules (e.g., 0.0.0.0/0).
  aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ModifyDBInstance
- Correlate with VPC Flow Logs to ensure the database is not being accessed from untrusted sources.

4. Snapshot Creation and Copy (CreateDBSnapshot/CopyDBSnapshot)

Goal: Detect attempts to steal data by creating or copying database snapshots.
CloudTrail Events: CreateDBSnapshot, CopyDBSnapshot
Hunting Idea:
- Monitor CreateDBSnapshot events for databases containing sensitive information.
  aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateDBSnapshot
- Check if snapshots are being copied to other AWS accounts or unauthorized regions.

5. Suspected Data Exfiltration (DownloadDBLogFilePortion)

Goal: Detect unauthorized access to sensitive data by downloading log files.
CloudTrail Event: DownloadDBLogFilePortion
Hunting Idea:
- Monitor DownloadDBLogFilePortion events to ensure that database logs are not accessed by unauthorized users.
  aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DownloadDBLogFilePortion
- Look for multiple download requests in a short time, indicating potential data scraping.

6. Unauthorized Parameter Group Changes (ModifyDBParameterGroup)

Goal: Detect changes to database parameters that could alter security settings.
CloudTrail Event: ModifyDBParameterGroup
Hunting Idea:
- Hunt for modifications to parameter groups that weaken security (e.g., disabling encryption or logging).
  aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ModifyDBParameterGroup

7. Automated Backdoor Access (ModifyDBInstance to Enable Public Access)

Goal: Detect attackers modifying databases to allow public access.
CloudTrail Event: ModifyDBInstance
Hunting Idea:
- Monitor for ModifyDBInstance events that set the PubliclyAccessible attribute to true.
  aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ModifyDBInstance
- Correlate with connection attempts from untrusted IPs in VPC Flow Logs.

Goal: Detect unauthorized sharing of snapshots with other AWS accounts.
CloudTrail Event: ModifyDBSnapshotAttribute

Hunting Idea:

Monitor for ModifyDBSnapshotAttribute events where snapshots are shared with external accounts.

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ModifyDBSnapshotAttribute

9. Privilege Escalation through Role Association (AddRoleToDBInstance)

Goal: Detect attackers trying to escalate privileges by associating IAM roles with the RDS instance.
CloudTrail Event: AddRoleToDBInstance

Hunting Idea:

Monitor for AddRoleToDBInstance events, especially if administrative roles are attached.

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AddRoleToDBInstance

10. Database Configuration Rollbacks (RebootDBInstance)

Goal: Detect suspicious reboots that might indicate an attacker attempting to apply unauthorized changes.
CloudTrail Event: RebootDBInstance
Hunting Idea:
- Monitor for RebootDBInstance events and investigate if these are tied to recent modifications.
  aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=

PreviousAWS Threat Hunting Ideas: SNS

Last updated 1 year ago

hashtagOverview:

hashtag1. Unauthorized Database Creation (CreateDBInstance)

hashtag2. Suspicious Database Deletion (DeleteDBInstance)

hashtag3. Modifying Database Security Groups (ModifyDBInstance)

hashtag4. Snapshot Creation and Copy (CreateDBSnapshot/CopyDBSnapshot)

hashtag5. Suspected Data Exfiltration (DownloadDBLogFilePortion)

hashtag6. Unauthorized Parameter Group Changes (ModifyDBParameterGroup)

hashtag7. Automated Backdoor Access (ModifyDBInstance to Enable Public Access)

hashtag8. Cross-Account Snapshot Sharing (ModifyDBSnapshotAttribute)

hashtag9. Privilege Escalation through Role Association (AddRoleToDBInstance)

hashtag10. Database Configuration Rollbacks (RebootDBInstance)