The master user password for Amazon RDS DB instance can be reset using the Amazon RDS console. Using this technique, the attacker can get access to the sensitive data from the DB. Usually, the production databases may have sensitive data like Credit card information, PII, Health care Data. This event should be investigated further.
- Type: TTP
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2022-08-07
- Author: Gowthamaraj Rajendran, Splunk
- ID: 6153c5ea-ed30-4878-81e6-21ecdb198189
Kill Chain Phase
- CIS 3
- CIS 5
- CIS 16
1 2 3 4 5 `cloudtrail` eventSource="rds.amazonaws.com" eventName=ModifyDBInstance "requestParameters.masterUserPassword"=* | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.dBInstanceIdentifier) as DB by sourceIPAddress awsRegion eventName userAgent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_credential_access_rds_password_reset_filter`
The SPL above uses the following Macros:
aws_credential_access_rds_password_reset_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
List of fields required to use this analytic.
How To Implement
You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
Known False Positives
Users may genuinely reset the RDS password.
Associated Analytic Story
|49.0||70||70||$DB$ password has been reset from IP $sourceIPAddress$|
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
source | version: 1