AWS CloudWatch Alarm Deletion for Defense Evasion
Successful deletion of Amazon CloudWatch alarms via the `DeleteAlarms` API, potentially indicating an adversary attempting to impair visibility, silence alerts, and evade detection after malicious activity within an AWS environment.
The deletion of CloudWatch alarms can be indicative of malicious activity within an AWS environment. CloudWatch alarms are crucial for monitoring metrics and triggering alerts when predefined thresholds are exceeded. Adversaries might delete these alarms to impair visibility, silence alerts, and evade detection following unauthorized access or other malicious operations. This behavior typically occurs during the post-exploitation or cleanup phases as the attacker attempts to remove traces of their compromise or disable automated incident response mechanisms. The focus of this brief is on identifying successful calls to the DeleteAlarms API in AWS CloudTrail logs. It is important to differentiate between legitimate alarm deletions performed during scheduled maintenance or automated infrastructure deployments, and those indicative of malicious intent. This activity can be detected through analysis of CloudTrail logs, focusing on the DeleteAlarms event.
Attack Chain
- Initial Access: An attacker gains unauthorized access to an AWS account through compromised credentials or exploiting a misconfigured IAM role (T1078).
- Privilege Escalation: The attacker attempts to elevate their privileges within the AWS environment to gain sufficient permissions to modify CloudWatch alarms (T1068).
- Discovery: The attacker uses AWS CLI or API calls to enumerate existing CloudWatch alarms and identify potential targets for deletion (T1082).
- Defense Evasion: The attacker executes the
DeleteAlarmsAPI call to remove specific CloudWatch alarms, effectively disabling monitoring and alerting capabilities (T1562.001). - Persistence: The attacker may create new, less sensitive alarms or modify existing alarms to maintain a minimal level of monitoring while evading detection (T1543.004).
- Lateral Movement: With alarms disabled, the attacker moves laterally to other AWS resources or accounts without triggering immediate alerts (TA0008).
- Data Exfiltration/Impact: The attacker proceeds with their objectives, such as exfiltrating sensitive data or causing disruption, while the disabled alarms prevent or delay detection (TA0010).
Impact
Successful deletion of CloudWatch alarms can severely degrade an organization's ability to detect and respond to security incidents in their AWS environment. This can lead to delayed detection of data breaches, unauthorized access, or service disruptions. The impact can range from compliance violations and financial losses to reputational damage. The number of alarms deleted and their criticality determines the severity of the impact. If critical security alarms are removed, an attacker can operate undetected for extended periods, maximizing the potential damage.
Recommendation
- Deploy the Sigma rule
AWS CloudWatch Alarm Deletionto your SIEM, ingestingfilebeat-*andlogs-aws.cloudtrail-*indices, and tune for your environment to detect suspicious alarm deletions. - Investigate any detected
DeleteAlarmsevents by examining theaws.cloudtrail.user_identity.arn,source.ip, anduser_agent.originalfields as suggested in the rule's description. - Implement AWS Config rules to monitor alarm existence and alert on
DeleteAlarmsAPI calls as recommended in the rule's note. - Restrict permissions to
cloudwatch:DeleteAlarmsand enforce MFA for users performing monitoring configuration changes to reduce the attack surface.
Detection coverage 2
AWS CloudWatch Alarm Deletion
mediumDetects the deletion of one or more Amazon CloudWatch alarms using the DeleteAlarms API, potentially indicating defense evasion.
AWS CloudWatch Alarm Deletion from Unusual Source IP
mediumDetects CloudWatch alarm deletions originating from source IPs not commonly associated with AWS management.
Detection queries are available on the platform. Get full rules →