Threat Feed advisory (severity: high)

AWS CloudTrail Log Deletion for Defense Evasion

An adversary may delete AWS CloudTrail trails to evade detection and operate stealthily within a compromised environment. The detection keys on the CloudTrail `DeleteTrail` event and excludes calls made from the AWS Management Console.

This brief covers detection of CloudTrail trail deletion, a defense-evasion technique (MITRE ATT&CK T1562.008) that adversaries use to stop the audit record in a compromised AWS account. The detection matches CloudTrail management events whose eventName is DeleteTrail and drops events whose userAgent identifies the AWS Management Console, on the reasoning that interactive console deletions are more often administrative and that scripted deletions through the CLI or an SDK are the typical attacker pattern. Defenders should care because once a trail is gone, subsequent API activity is no longer delivered to S3 or CloudWatch Logs, so later actions are harder to reconstruct, dwell time grows, and incident response is delayed. Two caveats apply. The console exclusion is a tuning choice, not a security boundary: an attacker holding a console session would evade the high-severity rule and be caught only by the medium-severity per-user variant. And DeleteTrail removes the trail configuration, not the log files already delivered to S3, which remain available to the investigation.

Attack Chain

  1. The attacker obtains credentials for an AWS account with sufficient privileges, specifically cloudtrail:DeleteTrail on the target trail.
  2. The attacker enumerates logging, for example via the DescribeTrails API, and finds an active trail.
  3. The attacker chooses to remove the trail outright rather than pause it (StopLogging) or narrow what it records (UpdateTrail, PutEventSelectors).
  4. The attacker issues the DeleteTrail API call, typically through the CLI or an SDK rather than the console. Note that the high-severity rule excludes console-originated calls, so a deletion performed from a hijacked console session would be surfaced only by the per-user rule.
  5. The call succeeds: the trail configuration is deleted and delivery of future events to S3 and CloudWatch Logs stops. Log files already delivered are not removed by this call.
  6. Subsequent API activity in that account and region is no longer written to the trail. The DeleteTrail event itself usually remains visible in CloudTrail Event History, which keeps management events for 90 days independently of any trail, and in an organization trail, which member accounts cannot delete.
  7. The attacker proceeds with data exfiltration, resource hijacking, or deployment of malware without leaving a readily accessible audit trail.
  8. The gap in the record hinders incident responders' ability to scope, investigate, and remediate the breach.

Impact

Deleting a trail stops delivery of management and data events for that account and region, so an organization loses its primary record of API activity from that moment on. Detection and response are delayed, attackers can maintain access and widen the compromise, and forensic scoping becomes guesswork: analysts must fall back on CloudTrail Event History (90 days of management events only, no data events), CloudWatch or VPC flow logs, and the log files already delivered to S3 before the deletion. The downstream costs are those of any undetected breach: financial loss, reputational damage, and legal and regulatory exposure.

Recommendation

  • Deploy the Sigma rules summarized below (the full queries are held in the platform) to your SIEM and tune them for your environment; allow-list the specific infrastructure-as-code principals that legitimately delete trails rather than relying on the console exclusion alone.
  • Investigate every DeleteTrail event that does not originate from the AWS console, and treat failed attempts (errorCode AccessDenied) as signal too, since an identity probing for the right to delete a trail is already behaving suspiciously.
  • Enforce multi-factor authentication (MFA) for all AWS identities, especially those with administrative privileges, to reduce the risk of unauthorized access.
  • Use an organization trail managed from the management or delegated administrator account; member accounts cannot stop or delete it.
  • Apply a service control policy (SCP) that denies cloudtrail:DeleteTrail, cloudtrail:StopLogging, cloudtrail:UpdateTrail and cloudtrail:PutEventSelectors to every principal except a designated logging-administration role.
  • Monitor CloudTrail configuration changes with AWS Config to detect and alert on unauthorized modifications to CloudTrail settings.
  • Enable CloudTrail log file validation and verify the digest chain during investigations to detect tampering with delivered log files; restrict the log bucket with a bucket policy that denies deletion to all but the logging role.
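The preventive control behind the SCP recommendation, written out as an added example (this is not policy text from the brief). The role name SecurityLoggingAdmin is a placeholder; replace it with the role that is actually allowed to manage trails. SCPs do not apply to the organization's management account, so the trail should be owned there or in a delegated administrator account that is itself covered by the policy.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCloudTrailTampering",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/SecurityLoggingAdmin"
        }
      }
    }
  ]
}
```

With this attached to the organizational units that contain workload accounts, a DeleteTrail call from any other principal is refused and shows up in CloudTrail as a DeleteTrail event with errorCode AccessDenied, which the detections below still surface.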

Detection coverage (2 rules)

AWS CloudTrail DeleteTrail Event

high

Detects deletion of an AWS CloudTrail trail by matching DeleteTrail events whose user agent is not the AWS Management Console.

Format: Sigma. Tactics: defense_evasion. Techniques: T1562.008 (Impair Defenses: Disable or Modify Cloud Logs). Sources: cloudtrail, aws.

AWS CloudTrail DeleteTrail Event by User

medium

Detects deletion of AWS CloudTrail trails by matching DeleteTrail events without the console exclusion and attributing each to the calling identity, so that console-originated deletions and repeat offenders are still surfaced.

Format: Sigma. Tactics: defense_evasion. Techniques: T1562.008 (Impair Defenses: Disable or Modify Cloud Logs). Sources: cloudtrail, aws.
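The two detections, as described in the overview above and in the rule summaries, run over constructed CloudTrail records. This is an added example, not the platform's Sigma rules. Field names follow the CloudTrail record format; the console-origin check matches the userAgent value console.amazonaws.com, which is an assumption about how the rules' "not from the console" filter is implemented. The account ID, principals, trail names and timestamps are placeholders.

```python
"""Run the brief's two DeleteTrail detections over constructed CloudTrail records."""
from collections import defaultdict

# Assumed mechanism behind the console exclusion: CloudTrail records this
# userAgent for API calls issued from the AWS Management Console.
CONSOLE_USER_AGENT = "console.amazonaws.com"
CLOUDTRAIL_SOURCE = "cloudtrail.amazonaws.com"

# Constructed sample records, trimmed to the fields the detections read.
SAMPLE_EVENTS = [
    {   # 1: scripted deletion from the CLI -> both rules fire
        "eventTime": "2024-05-01T10:00:00Z",
        "eventSource": CLOUDTRAIL_SOURCE, "eventName": "DeleteTrail",
        "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5 exe/x86_64",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"name": "org-audit-trail"},
    },
    {   # 2: deletion from the console -> rule 1 excludes it, rule 2 keeps it
        "eventTime": "2024-05-01T10:05:00Z",
        "eventSource": CLOUDTRAIL_SOURCE, "eventName": "DeleteTrail",
        "userAgent": CONSOLE_USER_AGENT,
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
        "requestParameters": {"name": "dev-trail"},
    },
    {   # 3: failed SDK attempt (AccessDenied) -> still an attempt worth alerting
        "eventTime": "2024-05-01T10:07:00Z",
        "eventSource": CLOUDTRAIL_SOURCE, "eventName": "DeleteTrail",
        "userAgent": "Boto3/1.34.0 md/Botocore#1.34.0 ua/2.0 os/linux",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"name": "org-audit-trail"},
        "errorCode": "AccessDenied",
    },
    {   # 4: related evasion (StopLogging) that neither rule covers
        "eventTime": "2024-05-01T10:09:00Z",
        "eventSource": CLOUDTRAIL_SOURCE, "eventName": "StopLogging",
        "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5 exe/x86_64",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"name": "dev-trail"},
    },
    {   # 5: benign read -> noise
        "eventTime": "2024-05-01T10:10:00Z",
        "eventSource": CLOUDTRAIL_SOURCE, "eventName": "DescribeTrails",
        "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5 exe/x86_64",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/carol"},
        "requestParameters": {},
    },
]


def principal(event):
    """Identity to pivot on: the ARN when present, else the identity type."""
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("type", "unknown")


def is_console_origin(event):
    """True when CloudTrail recorded the call as coming from the Management Console."""
    return CONSOLE_USER_AGENT in event.get("userAgent", "")


def delete_trail_events(events):
    """Selection shared by both rules: CloudTrail management events named DeleteTrail."""
    return [e for e in events
            if e.get("eventSource") == CLOUDTRAIL_SOURCE
            and e.get("eventName") == "DeleteTrail"]


def rule_delete_trail_non_console(events):
    """High-severity rule: DeleteTrail calls not issued from the console."""
    return [e for e in delete_trail_events(events) if not is_console_origin(e)]


def rule_delete_trail_by_user(events):
    """Medium-severity rule: every DeleteTrail, grouped by the calling identity."""
    by_user = defaultdict(list)
    for e in delete_trail_events(events):
        by_user[principal(e)].append(e)
    return dict(by_user)


def describe(event):
    """One-line triage summary; a failed call is still an attempt worth chasing."""
    outcome = f"failed ({event['errorCode']})" if "errorCode" in event else "succeeded"
    trail = event.get("requestParameters", {}).get("name", "?")
    return (f"{event['eventTime']} {principal(event)} {event['eventName']} "
            f"trail={trail} userAgent={event.get('userAgent', '')!r} {outcome}")


if __name__ == "__main__":
    print("High: DeleteTrail not from console")
    for e in rule_delete_trail_non_console(SAMPLE_EVENTS):
        print("  " + describe(e))
    print("Medium: DeleteTrail by user")
    for user, evts in rule_delete_trail_by_user(SAMPLE_EVENTS).items():
        print(f"  {user}: {len(evts)} event(s)")
        for e in evts:
            print("    " + describe(e))
```

Over the sample, the high-severity rule returns records 1 and 3 (alice's CLI deletion and her denied SDK retry) and drops record 2 because it came from the console; the per-user rule keeps record 2 and attributes it to the Admin role session. Record 4 shows the gap both rules share: StopLogging, UpdateTrail and PutEventSelectors achieve the same T1562.008 outcome without a DeleteTrail event, so a production deployment should add matching rules for those event names.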

The full detection queries are kept inside the platform and are not reproduced in this brief.