{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/dynamodb/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["DynamoDB"],"_cs_severities":["low"],"_cs_tags":["aws","dynamodb","exfiltration","cloudtrail"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis rule identifies when an AWS DynamoDB table is scanned by a user who does not typically perform this action, potentially indicating exfiltration of sensitive information or data from DynamoDB tables. The \u0026quot;AWS DynamoDB Scan by Unusual User\u0026quot; rule, based on the original Elastic detection rule created on 2025/03/13 and last updated on 2026/04/10, monitors for the \u003ccode\u003eScan\u003c/code\u003e action in CloudTrail logs. The rule leverages a New Terms approach, flagging when this behavior is observed by a user or role for the first time within a specified history window. This allows for the detection of anomalous activity which might be missed by static threshold-based alerts. The scope is limited to AWS environments where CloudTrail logging is enabled for DynamoDB data events.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains unauthorized access to an AWS account, possibly through compromised credentials or a rogue insider.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Usage:\u003c/strong\u003e The attacker leverages the compromised AWS credentials to interact with the AWS environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker uses AWS APIs or the AWS Management Console to discover DynamoDB tables within the environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Optional):\u003c/strong\u003e If necessary, the attacker attempts to escalate privileges to gain access to tables they are not normally authorized to access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Collection:\u003c/strong\u003e The attacker uses the \u003ccode\u003eScan\u003c/code\u003e operation against a DynamoDB table to collect data. The request parameters within the CloudTrail logs include details of the table being scanned.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eStaging (Optional):\u003c/strong\u003e The attacker might stage the collected data in a temporary location within AWS, such as an S3 bucket.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration:\u003c/strong\u003e The attacker exfiltrates the collected data outside the AWS environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCovering Tracks:\u003c/strong\u003e The attacker attempts to cover their tracks by deleting CloudTrail logs, although this action itself can be detectable.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exfiltration can lead to significant data breaches, potentially affecting sensitive customer information, financial records, or proprietary business data. The impact includes financial losses due to regulatory fines, legal repercussions, reputational damage, and the cost of incident response. Even a successful attempt to discover DynamoDB tables may reveal information about the cloud environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable DynamoDB data events in CloudTrail to capture the \u003ccode\u003eScan\u003c/code\u003e action as mentioned in the setup notes.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect unusual DynamoDB Scan activity and tune it to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the source IP, user identity, and the request parameters of the Scan action, as described in the rule's notes.\u003c/li\u003e\n\u003cli\u003eReview and harden IAM policies associated with users and roles to restrict access to DynamoDB tables based on the principle of least privilege.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for unusual API calls and access patterns, including the use of \u003ccode\u003eaws.cloudtrail.user_identity.access_key_id\u003c/code\u003e for unusual activity.\u003c/li\u003e\n\u003cli\u003eLeverage the \u003ccode\u003erule.investigation_fields\u003c/code\u003e to build dashboards and hunting queries in your SIEM to support the triage process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-aws-dynamodb-scan-unusual-user/","summary":"Detection of unusual DynamoDB scan activity in AWS environments, potentially indicating exfiltration of sensitive information by an adversary using compromised credentials or a rogue insider.","title":"AWS DynamoDB Scan by Unusual User","url":"https://feed.craftedsignal.io/briefs/2024-01-02-aws-dynamodb-scan-unusual-user/"}],"language":"en","title":"CraftedSignal Threat Feed - DynamoDB","version":"https://jsonfeed.org/version/1.1"}