AWS Security Services Impairment via Deletion Operations
Attackers attempt to impair or disable AWS security services such as GuardDuty, WAF, CloudWatch, Route 53 and CloudWatch Logs by deleting detectors, rule groups, IP sets, web ACLs, logging configurations, alarms and log streams, in order to evade detection and operate undetected.
This threat brief focuses on adversaries attempting to impair or disable AWS security services to evade detection and maintain persistence within a compromised environment. The activity involves deleting critical security components across GuardDuty, AWS WAF (classic and v2), CloudWatch, Route 53, and CloudWatch Logs. These operations include deleting detectors, rule groups, IP sets, web ACLs, logging configurations, alarms, and log streams. The attacks leverage valid AWS credentials (either compromised or belonging to a rogue insider) to make legitimate API calls that have the effect of disabling security monitoring. The impact can be significant, as successful impairment of these services allows attackers to operate undetected, potentially escalating privileges, exfiltrating sensitive data, or deploying ransomware without triggering security alerts. This activity is observed via AWS CloudTrail logs, specifically monitoring for "Delete" operations targeting core security services. The scope of this threat covers any AWS environment utilizing these services.
Attack Chain
- The attacker gains initial access to the AWS environment, either through compromised credentials, a rogue insider, or exploiting a misconfiguration.
- The attacker enumerates existing AWS security services to identify potential targets for impairment, such as GuardDuty detectors, WAF ACLs, or CloudWatch alarms.
- The attacker attempts to delete GuardDuty detectors using the
DeleteDetectorAPI call (eventSource: guardduty.amazonaws.com). - The attacker removes AWS WAF rule groups, IP sets, and Web ACLs using the
DeleteRuleGroup,DeleteIPSet, andDeleteWebACLAPI calls (eventSource: wafv2.amazonaws.com, waf.amazonaws.com). - The attacker deletes CloudWatch logging configurations and alarms using the
DeleteLoggingConfiguration(eventSource: route53.amazonaws.com, wafv2.amazonaws.com, waf.amazonaws.com) andDeleteAlarmsAPI calls. - The attacker may delete CloudWatch Log Streams using the
DeleteLogStreamAPI call. - With security services impaired, the attacker performs malicious activities, such as data exfiltration, lateral movement, or deploying ransomware, with reduced risk of detection.
- The attacker attempts to maintain persistence within the AWS environment by creating new IAM users or roles or modifying existing ones.
Impact
Successful execution of this attack can lead to a significant degradation of the AWS environment's security posture. This allows attackers to operate undetected, escalating privileges, and exfiltrating data or deploying ransomware without triggering security alerts. Organizations may face significant financial losses, reputational damage, and regulatory penalties due to data breaches and service disruptions. Observed damage includes disabled security logging, deleted detection rules, and a general loss of visibility into malicious activity within the AWS environment. The number of potential victims is vast, encompassing any organization utilizing the affected AWS security services.
Recommendation
- Enable AWS CloudTrail logging and ensure logs are being ingested into your SIEM to monitor for API calls related to deleting security services.
- Deploy the Sigma rule "AWS Defense Evasion Impair Security Services" to your SIEM to detect attempts to disable security services. Tune the rule for known-good administrator activity (e.g., filtering based on user agent or ARN) to reduce false positives.
- Implement multi-factor authentication (MFA) for all AWS accounts, especially those with administrative privileges, to reduce the risk of compromised credentials.
- Enforce the principle of least privilege by granting users only the necessary permissions to perform their tasks, minimizing the potential impact of compromised credentials.
- Review and audit IAM policies regularly to identify and remediate overly permissive permissions that could be abused by attackers.
- Implement infrastructure-as-code practices and version control for AWS infrastructure to easily detect and revert unauthorized changes.
Detection coverage 3
AWS Defense Evasion Impair Security Services
highDetects attempts to impair or disable AWS security services by monitoring deletion operations across GuardDuty, AWS WAF, CloudWatch, Route 53, and CloudWatch Logs.
AWS CloudWatch Alarm Deletion
mediumDetects the deletion of CloudWatch Alarms which could indicate an attempt to evade detection.
AWS Log Stream Deletion
mediumDetects the deletion of CloudWatch Log Streams.
Detection queries are available on the platform. Get full rules →