Bitbucket Audit Log Configuration Modified
An attacker may modify the Bitbucket audit log configuration to impair security monitoring and evade detection.
Attackers may target the Bitbucket audit log configuration to reduce or eliminate logging, hindering incident response and forensic investigation. Modifying audit settings is a defense evasion technique that lets an attacker operate with less visibility; it typically occurs post-compromise, once the attacker already holds the administrative access needed to reach the settings. This brief focuses on detecting such modifications. Visibility of the relevant audit events requires the audit log to be configured at least at the “Basic” level.
Attack Chain
- An attacker gains unauthorized access to a Bitbucket instance, potentially through compromised credentials or exploiting a vulnerability.
- The attacker authenticates to the Bitbucket web interface or uses the Bitbucket API.
- The attacker navigates to the audit log configuration settings within the Bitbucket administration panel.
- The attacker modifies the audit log settings, such as lowering the log level, disabling logging for specific event categories, or reducing the log retention period.
- The Bitbucket server processes the configuration change request.
- Audit events recording the configuration change itself are logged, provided auditing remains enabled at a level that captures them. This record is the detection opportunity, and it may be the last audit event written if logging was turned off.
- The attacker performs malicious activities, such as creating unauthorized repositories or exfiltrating source code, with reduced risk of detection.
Impact
Successful modification of the Bitbucket audit log configuration allows attackers to operate with significantly reduced visibility. This can lead to delayed detection of breaches, prolonged dwell time, and increased data exfiltration. Without proper audit logging, organizations will struggle to identify the scope and impact of a compromise.
Recommendation
- Deploy the “Bitbucket Audit Log Configuration Updated” Sigma rule (logsource: bitbucket, service: audit) to your SIEM to detect changes to the audit log configuration.
- Ensure Bitbucket audit logging is enabled at the “Basic” level or higher; lower levels may not capture configuration changes, leaving the rule with nothing to match.
- Investigate every detected audit log configuration change to confirm it was authorized: who made it, from which address, through the web interface or the API, and what values were changed.
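The detection the recommendations describe, run over a few Bitbucket-style audit records, as an added example that is not part of this brief and not the vendor's or SigmaHQ's own rule code. It assumes the JSON layout of the Bitbucket Data Center audit log (one record per line carrying `auditType.action`, `author.name`, `source`, `method` and `changedValues`); the action string "Audit log configuration updated" and the coverage value "OFF" are assumptions rather than facts taken from the page, and the sample log lines are constructed for the example.

```python
"""Flag Bitbucket audit-log configuration changes in a JSON-lines audit export.

Added example, not code from the page, Bitbucket or SigmaHQ. The record
layout, the action string and the "OFF" coverage value are assumptions.
"""
import json
from typing import Iterator

# Assumed action string Bitbucket writes when the audit settings are edited.
CONFIG_UPDATED_ACTION = "Audit log configuration updated"
# Assumed value recorded when the coverage level is switched off entirely.
COVERAGE_OFF = "OFF"


def _event(action, author, source, changed=None, method="Browser"):
    """Build one constructed Bitbucket-style audit record as a JSON line."""
    return json.dumps({
        "timestamp": {"epochSecond": 1700000000},
        "author": {"name": author, "type": "NORMAL"},
        "source": source,
        "method": method,
        "auditType": {
            "action": action,
            "category": "Global administration",
            "level": "BASE",
        },
        "changedValues": changed or [],
    })


# Constructed sample log: a benign event, a downgrade of the coverage level,
# a garbage line (exports are not always clean), and a change that turns
# auditing off via the REST API from an external address.
SAMPLE_AUDIT_LOG = "\n".join([
    _event("Repository created", "dev1", "10.0.0.5"),
    _event(CONFIG_UPDATED_ACTION, "admin", "10.0.0.9",
           [{"key": "coverage level", "from": "FULL", "to": "BASE"}]),
    "this line is not JSON and must be skipped",
    _event(CONFIG_UPDATED_ACTION, "svc-backup", "203.0.113.7",
           [{"key": "coverage level", "from": "BASE", "to": COVERAGE_OFF}],
           method="REST"),
])


def parse_audit_log(text: str) -> Iterator[dict]:
    """Yield each well-formed JSON record; skip blank or unparsable lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            yield rec


def classify(rec: dict):
    """Return (severity, rule_name) for a record, or None if not of interest.

    Mirrors the two rules the brief lists: any configuration update is
    medium; an update whose new value is OFF is treated as logging disabled
    and raised to high.
    """
    action = rec.get("auditType", {}).get("action")
    if action != CONFIG_UPDATED_ACTION:
        return None
    for change in rec.get("changedValues", []):
        if str(change.get("to", "")).upper() == COVERAGE_OFF:
            return ("high", "Bitbucket Audit Log Disabled")
    return ("medium", "Bitbucket Audit Log Configuration Updated")


def detect(text: str) -> list:
    """Run the classifier over a log export and return triage-ready alerts."""
    alerts = []
    for rec in parse_audit_log(text):
        hit = classify(rec)
        if hit is None:
            continue
        severity, rule = hit
        # Keep actor, source address, interface and the diff: these are the
        # facts an analyst needs to decide whether the change was authorized.
        alerts.append({
            "severity": severity,
            "rule": rule,
            "actor": rec.get("author", {}).get("name"),
            "source": rec.get("source"),
            "method": rec.get("method"),
            "changes": rec.get("changedValues", []),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LOG):
        print(alert)
```

The `method` field is carried into the alert because the attack chain allows for either the web interface or the API; a configuration change made over REST from an unfamiliar address is exactly the detail the investigation step needs. Treat the high-severity hit as self-contained: once coverage is off, the record of that change may be the last audit event the instance emits, so it must not be suppressed by deduplication or by a rule that waits for follow-on events.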
Detection coverage (2 rules)
- Bitbucket Audit Log Configuration Updated (medium): Detects changes to the Bitbucket audit log configuration.
- Bitbucket Audit Log Disabled (high): Detects when Bitbucket audit logging is disabled.