<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Amazon CloudWatch - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/amazon-cloudwatch/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 04 Jan 2024 18:22:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/amazon-cloudwatch/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS CloudWatch Log Group Deletion</title><link>https://feed.craftedsignal.io/briefs/2024-01-04-aws-cloudwatch-log-deletion/</link><pubDate>Thu, 04 Jan 2024 18:22:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-04-aws-cloudwatch-log-deletion/</guid><description>Detection of Amazon CloudWatch Log Group deletion via the 'DeleteLogGroup' API by non-AWS Internal user agents, potentially indicating defense evasion or disruption of logging pipelines.</description><content:encoded><![CDATA[<p>The deletion of Amazon CloudWatch Log Groups, which store operational and security logs for AWS services and custom applications, can significantly impact security monitoring and incident response capabilities. This activity, detected via the 'DeleteLogGroup' API call, can be leveraged by adversaries to conceal malicious activities, disable log forwarding, and generally impede incident response efforts. The focus of this detection is on identifying successful 'DeleteLogGroup' events originating from non-AWS Internal user agents, potentially signifying defense evasion or disruption of logging pipelines. Defenders should prioritize investigation into the source, user agent, and surrounding activity to determine legitimacy.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an AWS account, potentially through compromised credentials or privilege escalation.</li>
<li>The attacker enumerates existing CloudWatch Log Groups to identify targets for deletion.</li>
<li>The attacker issues a 'DeleteLogGroup' API call using the AWS CLI, SDK, or console.</li>
<li>The CloudWatch service authenticates and authorizes the request based on the attacker's IAM permissions.</li>
<li>If authorized, the specified Log Group, including all associated log streams and historical log data, is permanently deleted.</li>
<li>The deletion event is recorded in CloudTrail logs.</li>
<li>Security monitoring pipelines and alerting mechanisms dependent on the deleted log group cease to function.</li>
<li>The attacker's malicious activity within the environment becomes more difficult to detect and investigate due to the absence of logs.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Deletion of CloudWatch Log Groups can severely impair an organization's security posture. The loss of historical log data can hinder forensic investigations and make it difficult to reconstruct attack timelines. Disruption of security monitoring pipelines can lead to delayed detection of ongoing threats. Affected sectors include any organization leveraging AWS for its infrastructure and security logging, with victim counts dependent on the scope of the compromised AWS accounts. The risk score is 47.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS CloudWatch Log Group Deletion&quot; to your SIEM and tune for your environment to detect unauthorized deletions of CloudWatch log groups.</li>
<li>Investigate any alerts generated by the &quot;AWS CloudWatch Log Group Deletion&quot; rule, focusing on the source IP and user agent (<code>source.ip</code>, <code>user_agent.original</code>) to determine if the deletion was legitimate.</li>
<li>Enforce least privilege on <code>logs:DeleteLogGroup</code> to restrict which IAM identities can delete log groups.</li>
<li>Configure AWS Config rules to alert on missing or modified log groups to ensure that deletions are detected and investigated promptly.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloudwatch</category><category>aws</category><category>logging</category></item></channel></rss>