<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Dynamodb - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/dynamodb/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 15:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/dynamodb/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS DynamoDB Table Export to S3 Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-dynamodb-exfiltration/</link><pubDate>Wed, 03 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-dynamodb-exfiltration/</guid><description>Detects the initial export of an AWS DynamoDB table to S3, potentially indicating reconnaissance or exfiltration by a compromised account or insider threat.</description><content:encoded><![CDATA[<p>This alert detects the ExportTableToPointInTime operation in AWS CloudTrail logs, specifically when a user or role performs this action for the first time. Adversaries may leverage this operation to collect sensitive data or exfiltrate entire DynamoDB tables to S3 buckets for unauthorized access or analysis. This activity can be a precursor to data breaches or indicative of compromised credentials. The detection focuses on the initial observation of this action to reduce false positives and highlight potentially anomalous behavior that requires investigation. The targeted logs are AWS CloudTrail logs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an AWS account, potentially through compromised credentials or an exposed IAM role.</li>
<li>The attacker enumerates DynamoDB tables within the AWS environment to identify targets containing sensitive information.</li>
<li>The attacker executes the <code>ExportTableToPointInTime</code> API call to export a DynamoDB table to an S3 bucket. This requires appropriate IAM permissions.</li>
<li>The exported data is stored in the designated S3 bucket in a format suitable for offline analysis.</li>
<li>The attacker accesses the exported data from the S3 bucket.</li>
<li>The attacker exfiltrates the data from the S3 bucket.</li>
<li>The attacker analyzes or uses the exfiltrated data for malicious purposes.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack could lead to the exfiltration of sensitive data stored in DynamoDB tables, including customer information, financial records, or proprietary business data. This can result in significant financial losses, reputational damage, and legal liabilities for the affected organization. The number of affected records would depend on the size of the exported DynamoDB table. Organizations in all sectors are potentially at risk if they use DynamoDB to store sensitive information.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect First Time DynamoDB Table Export to S3</code> to your SIEM, focusing on the <code>aws.cloudtrail</code> data stream, to identify initial instances of this activity.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the <code>aws.cloudtrail.user_identity.arn</code>, <code>source.ip</code>, and <code>aws.cloudtrail.request_parameters</code> fields to understand the context of the export operation.</li>
<li>Review IAM policies to ensure that users and roles have the appropriate least-privilege access to DynamoDB tables, preventing unauthorized export operations.</li>
<li>Monitor the <code>cloud.account.id</code> and <code>user.name</code> fields flagged by the new_terms rule to ensure that only authorized accounts and users are performing DynamoDB table exports.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>aws</category><category>dynamodb</category><category>exfiltration</category></item><item><title>AWS DynamoDB Scan by Unusual User</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-aws-dynamodb-scan-unusual-user/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-aws-dynamodb-scan-unusual-user/</guid><description>Detection of unusual DynamoDB scan activity in AWS environments, potentially indicating exfiltration of sensitive information by an adversary using compromised credentials or a rogue insider.</description><content:encoded><![CDATA[<p>This rule identifies when an AWS DynamoDB table is scanned by a user who does not typically perform this action, potentially indicating exfiltration of sensitive information or data from DynamoDB tables. The &quot;AWS DynamoDB Scan by Unusual User&quot; rule, based on the original Elastic detection rule created on 2025/03/13 and last updated on 2026/04/10, monitors for the <code>Scan</code> action in CloudTrail logs. The rule leverages a New Terms approach, flagging when this behavior is observed by a user or role for the first time within a specified history window. This allows for the detection of anomalous activity which might be missed by static threshold-based alerts. The scope is limited to AWS environments where CloudTrail logging is enabled for DynamoDB data events.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> An attacker gains unauthorized access to an AWS account, possibly through compromised credentials or a rogue insider.</li>
<li><strong>Credential Usage:</strong> The attacker leverages the compromised AWS credentials to interact with the AWS environment.</li>
<li><strong>Discovery:</strong> The attacker uses AWS APIs or the AWS Management Console to discover DynamoDB tables within the environment.</li>
<li><strong>Privilege Escalation (Optional):</strong> If necessary, the attacker attempts to escalate privileges to gain access to tables they are not normally authorized to access.</li>
<li><strong>Data Collection:</strong> The attacker uses the <code>Scan</code> operation against a DynamoDB table to collect data. The request parameters within the CloudTrail logs include details of the table being scanned.</li>
<li><strong>Staging (Optional):</strong> The attacker might stage the collected data in a temporary location within AWS, such as an S3 bucket.</li>
<li><strong>Exfiltration:</strong> The attacker exfiltrates the collected data outside the AWS environment.</li>
<li><strong>Covering Tracks:</strong> The attacker attempts to cover their tracks by deleting CloudTrail logs, although this action itself can be detectable.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exfiltration can lead to significant data breaches, potentially affecting sensitive customer information, financial records, or proprietary business data. The impact includes financial losses due to regulatory fines, legal repercussions, reputational damage, and the cost of incident response. Even a successful attempt to discover DynamoDB tables may reveal information about the cloud environment.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable DynamoDB data events in CloudTrail to capture the <code>Scan</code> action as mentioned in the setup notes.</li>
<li>Deploy the provided Sigma rule to detect unusual DynamoDB Scan activity and tune it to reduce false positives.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the source IP, user identity, and the request parameters of the Scan action, as described in the rule's notes.</li>
<li>Review and harden IAM policies associated with users and roles to restrict access to DynamoDB tables based on the principle of least privilege.</li>
<li>Monitor CloudTrail logs for unusual API calls and access patterns, including the use of <code>aws.cloudtrail.user_identity.access_key_id</code> for unusual activity.</li>
<li>Leverage the <code>rule.investigation_fields</code> to build dashboards and hunting queries in your SIEM to support the triage process.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>aws</category><category>dynamodb</category><category>exfiltration</category><category>cloudtrail</category></item></channel></rss>