AWS Threat Hunting Ideas: RDS

Overview:

The following are threat hunting ideas for the RDS service.

Goal: Detect unauthorized creation of RDS instances that might be used for malicious purposes or unauthorized workloads.
CloudTrail Event: CreateDBInstance
Hunting Idea:
- Monitor for CreateDBInstance events from unusual users or during off-hours.
  aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateDBInstance
- Correlate with other events to determine if the database instance is part of a larger attack.

Goal: Detect unauthorized attempts to delete critical databases to disrupt operations or cover malicious activity.
CloudTrail Event: DeleteDBInstance
Hunting Idea:
- Look for DeleteDBInstance events targeting critical databases.
  aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteDBInstance
- Investigate if these deletions are followed by an immediate snapshot deletion to prevent recovery.

Goal: Detect changes to database security groups that might open it to unauthorized access.
CloudTrail Event: ModifyDBInstance
Hunting Idea:
- Monitor for modifications that add security groups with overly permissive rules (e.g., 0.0.0.0/0).
  aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ModifyDBInstance
- Correlate with VPC Flow Logs to ensure the database is not being accessed from untrusted sources.

Goal: Detect attempts to steal data by creating or copying database snapshots.
CloudTrail Events: CreateDBSnapshot, CopyDBSnapshot
Hunting Idea:
- Monitor CreateDBSnapshot events for databases containing sensitive information.
  aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateDBSnapshot
- Check if snapshots are being copied to other AWS accounts or unauthorized regions.

Goal: Detect unauthorized access to sensitive data by downloading log files.
CloudTrail Event: DownloadDBLogFilePortion
Hunting Idea:
- Monitor DownloadDBLogFilePortion events to ensure that database logs are not accessed by unauthorized users.
  aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DownloadDBLogFilePortion
- Look for multiple download requests in a short time, indicating potential data scraping.

Goal: Detect changes to database parameters that could alter security settings.
CloudTrail Event: ModifyDBParameterGroup
Hunting Idea:
- Hunt for modifications to parameter groups that weaken security (e.g., disabling encryption or logging).
  aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ModifyDBParameterGroup

Goal: Detect attackers modifying databases to allow public access.
CloudTrail Event: ModifyDBInstance
Hunting Idea:
- Monitor for ModifyDBInstance events that set the PubliclyAccessible attribute to true.
  aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ModifyDBInstance
- Correlate with connection attempts from untrusted IPs in VPC Flow Logs.

Hunting Idea:

Monitor for ModifyDBSnapshotAttribute events where snapshots are shared with external accounts.

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ModifyDBSnapshotAttribute

Goal: Detect attackers trying to escalate privileges by associating IAM roles with the RDS instance.
CloudTrail Event: AddRoleToDBInstance

Hunting Idea:

Monitor for AddRoleToDBInstance events, especially if administrative roles are attached.

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AddRoleToDBInstance

Goal: Detect suspicious reboots that might indicate an attacker attempting to apply unauthorized changes.
CloudTrail Event: RebootDBInstance
Hunting Idea:
- Monitor for RebootDBInstance events and investigate if these are tied to recent modifications.
  aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=

Last updated 9 months ago