{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/datadestruction/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS RDS"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","rds","datadestruction"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis alert identifies instances where the deletionProtection feature of an AWS RDS DB instance or cluster is disabled. Deletion protection is a security mechanism that prevents accidental or unauthorized deletion of RDS resources. An adversary with sufficient permissions within a compromised AWS environment may disable this protection to pave the way for destructive activities, including the deletion of databases that hold sensitive or business-critical information. The detection focuses on explicit modifications setting \u003ccode\u003edeletionProtection\u003c/code\u003e to \u003ccode\u003efalse\u003c/code\u003e on RDS DB instances or clusters. This activity is often a precursor to a \u003ccode\u003eDeleteDBInstance\u003c/code\u003e or \u003ccode\u003eDeleteDBCluster\u003c/code\u003e action.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe adversary gains access to an AWS account with sufficient privileges to modify RDS instances or clusters, potentially through compromised credentials or an insider threat.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the AWS Management Console, CLI, or API using the compromised credentials or assumed role.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eModifyDBInstance\u003c/code\u003e or \u003ccode\u003eModifyDBCluster\u003c/code\u003e API call to target a specific RDS DB instance or cluster.\u003c/li\u003e\n\u003cli\u003eWithin the \u003ccode\u003eModifyDBInstance\u003c/code\u003e or \u003ccode\u003eModifyDBCluster\u003c/code\u003e API call, the attacker sets the \u003ccode\u003edeletionProtection\u003c/code\u003e parameter to \u003ccode\u003efalse\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAWS CloudTrail logs the \u003ccode\u003eModifyDBInstance\u003c/code\u003e or \u003ccode\u003eModifyDBCluster\u003c/code\u003e event with \u003ccode\u003edeletionProtection=false\u003c/code\u003e in the \u003ccode\u003erequestParameters\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker may then initiate a \u003ccode\u003eDeleteDBInstance\u003c/code\u003e or \u003ccode\u003eDeleteDBCluster\u003c/code\u003e API call to remove the targeted RDS resource.\u003c/li\u003e\n\u003cli\u003eThe database instance or cluster is deleted, resulting in data loss and potential disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling deletion protection on AWS RDS instances or clusters can lead to the unauthorized or accidental deletion of critical databases. Successful execution of this attack can result in significant data loss, business disruption, and potential financial repercussions. The impact can range from temporary service outages to permanent data loss, depending on the affected systems and backup policies.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS RDS Deletion Protection Disabled via CloudTrail\u003c/code\u003e to your SIEM and tune for your environment to detect when deletion protection is disabled (refer to the rule definition below).\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e to determine the IAM principal that made the change, and validate whether this principal normally performs RDS lifecycle operations as outlined in the investigation guide.\u003c/li\u003e\n\u003cli\u003eImmediately re-enable deletion protection (\u003ccode\u003edeletionProtection=true\u003c/code\u003e) on the affected DB instance or cluster if the change was unauthorized, as described in the remediation steps in the overview.\u003c/li\u003e\n\u003cli\u003eRestrict who can modify \u003ccode\u003eModifyDBInstance\u003c/code\u003e or \u003ccode\u003eModifyDBCluster\u003c/code\u003e destructive settings, such as deletion protection, backup retention, and public accessibility.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T14:30:00Z","date_published":"2024-07-03T14:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-07-aws-rds-deletion-protection-disabled/","summary":"An adversary may disable deletion protection on an AWS RDS DB instance or cluster as a precursor to destructive actions, such as deleting databases containing sensitive data.","title":"AWS RDS DB Instance or Cluster Deletion Protection Disabled","url":"https://feed.craftedsignal.io/briefs/2024-07-aws-rds-deletion-protection-disabled/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Amazon RDS"],"_cs_severities":["medium"],"_cs_tags":["aws","rds","snapshot","backup","datadestruction"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis rule detects the deletion of AWS RDS DB snapshots or configuration changes that effectively remove backup coverage for a DB instance. RDS snapshots contain full backups of database instances, and disabling automated backups by setting \u0026quot;backupRetentionPeriod=0\u0026quot; has a similar impact by preventing future restore points. A threat actor with sufficient AWS permissions may delete snapshots or disable backups to inhibit recovery, destroy forensic evidence, or prepare for follow-on destructive actions such as instance or cluster deletion. The rule focuses on successful snapshot deletions and backup disabling events within AWS RDS. The scope includes any AWS environment utilizing RDS for database services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to an AWS account with sufficient permissions to manage RDS instances and snapshots, possibly through compromised credentials or an IAM role with excessive privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates available RDS DB instances and snapshots within the target AWS account using AWS CLI or API calls (e.g., \u003ccode\u003eDescribeDBSnapshots\u003c/code\u003e, \u003ccode\u003eDescribeDBInstances\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies target DB instances and their associated snapshots that are critical for recovery or contain valuable forensic data.\u003c/li\u003e\n\u003cli\u003eThe attacker deletes RDS DB snapshots using the \u003ccode\u003eDeleteDBSnapshot\u003c/code\u003e API call, effectively removing restore points.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker modifies the DB instance configuration using the \u003ccode\u003eModifyDBInstance\u003c/code\u003e API call, setting \u003ccode\u003ebackupRetentionPeriod\u003c/code\u003e to 0 to disable automated backups and prevent future restore points.\u003c/li\u003e\n\u003cli\u003eThe attacker may then delete the RDS instance itself using DeleteDBInstance.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to cover their tracks by deleting relevant CloudTrail logs or disabling CloudTrail logging.\u003c/li\u003e\n\u003cli\u003eThe attacker's objective is to prevent restoration to a known-good state and destroy forensic evidence of attacker actions, potentially as part of a ransomware attack or data exfiltration attempt.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of RDS snapshots or disabling of backups can lead to significant data loss and prolonged downtime, making recovery from security incidents or operational failures difficult or impossible. This can impact business continuity, data integrity, and regulatory compliance. The precise impact depends on the criticality of the affected databases and the availability of alternative backup mechanisms. If successful, this can result in total data loss for the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious \u003ccode\u003eDeleteDBSnapshot\u003c/code\u003e, \u003ccode\u003eDeleteDBClusterSnapshot\u003c/code\u003e, or \u003ccode\u003eModifyDBInstance\u003c/code\u003e events setting \u003ccode\u003ebackupRetentionPeriod=0\u003c/code\u003e in AWS CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eRestrict IAM permissions for \u003ccode\u003erds:DeleteDBSnapshot\u003c/code\u003e, \u003ccode\u003erds:DeleteDBClusterSnapshot\u003c/code\u003e, and \u003ccode\u003erds:ModifyDBInstance\u003c/code\u003e (especially backup and deletion-related parameters) to a small set of privileged roles, as described in the remediation steps.\u003c/li\u003e\n\u003cli\u003eUse AWS Config rules and/or Security Hub controls to detect instances with \u003ccode\u003ebackupRetentionPeriod=0\u003c/code\u003e, as recommended in the hardening and preventive controls section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T12:00:00Z","date_published":"2024-07-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-07-aws-rds-snapshot-deletion/","summary":"The deletion of AWS RDS DB snapshots or disabling backups via configuration changes can inhibit recovery, destroy forensic evidence, and prepare for destructive actions by adversaries.","title":"AWS RDS Snapshot Deletion Detected","url":"https://feed.craftedsignal.io/briefs/2024-07-aws-rds-snapshot-deletion/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Key Management Service (KMS)"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","kms","datadestruction"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eAWS KMS keys are critical for encryption across various AWS services like S3, EBS, and RDS. Disabling or scheduling a KMS key for deletion disrupts encryption and decryption workflows, potentially rendering data unrecoverable. The Elastic detection rule published on 2026-04-10 identifies attempts to disable or schedule the deletion of an AWS customer-managed KMS Key. These actions are typically rare, privileged, and tightly controlled, making unexpected instances high-risk. Adversaries might target KMS keys to sabotage recovery, impede forensic analysis, or destroy evidence. Defenders should prioritize monitoring KMS key lifecycle changes due to their potential for significant impact on data availability and business operations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to obtain the necessary KMS permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS CLI or API to execute the \u003ccode\u003eDisableKey\u003c/code\u003e command, specifying the ARN of the target KMS key.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses the AWS CLI or API to execute the \u003ccode\u003eScheduleKeyDeletion\u003c/code\u003e command, specifying the ARN of the target KMS key and a pending window in days.\u003c/li\u003e\n\u003cli\u003eCloudTrail logs the \u003ccode\u003eDisableKey\u003c/code\u003e or \u003ccode\u003eScheduleKeyDeletion\u003c/code\u003e event with a status of \u0026quot;success\u0026quot;.\u003c/li\u003e\n\u003cli\u003eIf \u003ccode\u003eDisableKey\u003c/code\u003e was used, dependent services immediately begin failing or experience decryption errors.\u003c/li\u003e\n\u003cli\u003eIf \u003ccode\u003eScheduleKeyDeletion\u003c/code\u003e was used, the key enters a pending deletion state for the specified number of days.\u003c/li\u003e\n\u003cli\u003eUpon deletion, all data encrypted with the key becomes unrecoverable, leading to data loss and disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling or deleting KMS keys can have severe consequences, potentially impacting numerous AWS services relying on the key for encryption, including S3, EBS, RDS, Secrets Manager, and Lambda. This can lead to data unavailability, service disruptions, and irreversible data loss. The scope of impact depends on the criticality of the data protected by the key and the number of services affected. Successful execution of this attack can impede incident response efforts and result in significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026quot;AWS KMS Customer Managed Key Disabled or Scheduled for Deletion\u0026quot; Sigma rule to detect unauthorized KMS key lifecycle changes (rule.name).\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for \u003ccode\u003eDisableKey\u003c/code\u003e and \u003ccode\u003eScheduleKeyDeletion\u003c/code\u003e events to detect potentially malicious activity (index).\u003c/li\u003e\n\u003cli\u003eRestrict AWS KMS lifecycle permissions (\u003ccode\u003ekms:DisableKey\u003c/code\u003e, \u003ccode\u003ekms:ScheduleKeyDeletion\u003c/code\u003e) to a minimal set of privileged users and roles (references).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for administrators with KMS key management permissions to prevent unauthorized access (Security Best Practices reference).\u003c/li\u003e\n\u003cli\u003eEnable AWS Config rules for KMS key state monitoring to continuously assess the configuration of KMS keys and detect deviations from desired states (Security Best Practices reference).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-kms-deletion/","summary":"An adversary may disable or schedule the deletion of an AWS customer-managed KMS Key to cause irreversible data loss, disrupt business operations, impede incident response, or hide evidence of prior activity.","title":"AWS KMS Customer Managed Key Disabled or Scheduled for Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-kms-deletion/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Amazon RDS","Amazon Aurora"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","rds","datadestruction"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThe deletion of Amazon RDS DB instances, Aurora clusters, or global database clusters can lead to permanent data loss and major service disruption. This activity is often carried out by adversaries who have gained sufficient permissions within an AWS environment. The motivation behind such actions can range from impeding recovery efforts following a ransomware attack, destroying critical evidence to hinder forensic investigations, or directly inflicting operational impact on the targeted environment. Defenders should be aware that these actions are irreversible without backups, making swift detection and validation essential to mitigate potential damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn adversary gains initial access to the AWS environment, potentially through compromised credentials or an IAM role with excessive permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing RDS DB instances, Aurora clusters, or global database clusters within the target AWS account to identify valuable targets.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the deletionProtection setting on the target RDS resource to \u003ccode\u003efalse\u003c/code\u003e to allow deletion.\u003c/li\u003e\n\u003cli\u003eThe attacker may disable or modify backup configurations to prevent recovery options, such as setting backupRetentionPeriod to \u003ccode\u003e0\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003eDeleteDBInstance\u003c/code\u003e, \u003ccode\u003eDeleteDBCluster\u003c/code\u003e, or \u003ccode\u003eDeleteGlobalCluster\u003c/code\u003e API call to initiate the deletion process.\u003c/li\u003e\n\u003cli\u003eIf configured, the attacker may attempt to delete any final snapshots created during the deletion process to further hinder recovery.\u003c/li\u003e\n\u003cli\u003eThe targeted RDS resource is permanently deleted, resulting in data loss and potential service disruption.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to cover their tracks by deleting relevant CloudTrail logs or modifying IAM policies.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe deletion of RDS DB instances or clusters can lead to significant data loss, disrupting critical business operations. Depending on the size and importance of the deleted resources, organizations may face substantial financial losses, reputational damage, and regulatory penalties. If backups are unavailable or have also been compromised, data recovery may be impossible, leading to long-term business disruption. The impact can affect organizations of any size that rely on AWS RDS for data storage and retrieval.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS RDS DB Instance or Cluster Deleted\u003c/code\u003e to your SIEM and tune for your environment to detect unauthorized RDS resource deletions.\u003c/li\u003e\n\u003cli\u003eEnable deletionProtection on all critical RDS instances and clusters to prevent accidental or malicious deletion.\u003c/li\u003e\n\u003cli\u003eEnforce MFA for IAM users with RDS privileges to reduce the risk of compromised credentials (reference the additional information links).\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for changes to deletionProtection settings and backup retention policies.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit IAM policies to ensure that users and roles have only the necessary permissions.\u003c/li\u003e\n\u003cli\u003eImplement a process for validating unexpected RDS resource deletions with the service owner or database administrator.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to correlate with CloudTrail logs in case CLI or SDK tools are used for deletion.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-rds-deletion/","summary":"An adversary with sufficient permissions may delete RDS resources such as DB instances or clusters to impede recovery, destroy evidence, or inflict operational impact on the environment.","title":"AWS RDS DB Instance or Cluster Deleted","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-rds-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Datadestruction","version":"https://jsonfeed.org/version/1.1"}