{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/amazon-security-lake/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["CloudTrail","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Amazon Security Lake"],"_cs_severities":["high"],"_cs_tags":["aws","cloudtrail","defense-evasion","cloud"],"_cs_type":"advisory","_cs_vendors":["Amazon","Splunk"],"content_html":"\u003cp\u003eThis analytic detects \u003ccode\u003eStopLogging\u003c/code\u003e events within AWS CloudTrail logs, which is a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker\u0026rsquo;s actions. The detection is based on Amazon Security Lake events.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing CloudTrail configurations to identify the target log trails.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to disable logging by invoking the \u003ccode\u003eStopLogging\u003c/code\u003e API call on the CloudTrail service.\u003c/li\u003e\n\u003cli\u003eThe AWS CloudTrail service receives the \u003ccode\u003eStopLogging\u003c/code\u003e API request.\u003c/li\u003e\n\u003cli\u003eIf the attacker has sufficient privileges, the CloudTrail service processes the request, and logging is stopped for the specified trail.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities within the AWS environment without those actions being logged by CloudTrail.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to delete or modify existing CloudTrail log files to further cover their tracks (not directly detected by this analytic, but a likely follow-on action).\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or resource compromise, without immediate detection due to the disabled logging.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful evasion of CloudTrail logging can severely impair incident response and forensic investigations. Without logs, identifying the scope and nature of the attack becomes significantly more challenging. Organizations may experience delayed breach detection, increased dwell time for attackers, and difficulty in recovering compromised resources. The impact can extend to compliance violations, as many regulatory frameworks require comprehensive audit logging. This is a high severity incident because it prevents security teams from understanding what an attacker did in the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AWS CloudTrail StopLogging Event\u003c/code\u003e to your SIEM and tune for your environment to detect instances where CloudTrail logging is stopped.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected \u003ccode\u003eStopLogging\u003c/code\u003e events (as surfaced by the Sigma rule) to determine whether they are authorized administrative actions or potentially malicious.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual API calls and activities originating from the source IP addresses and user accounts identified in the \u003ccode\u003eASL AWS Defense Evasion Stop Logging Cloudtrail\u003c/code\u003e search results.\u003c/li\u003e\n\u003cli\u003eReview and enforce strict IAM policies to minimize the potential for unauthorized users to disable CloudTrail logging to prevent future attempts at defense evasion.\u003c/li\u003e\n\u003cli\u003eIngest CloudTrail logs from Amazon Security Lake into Splunk, ensuring you are using the latest version of Splunk Add-on for Amazon Web Services to use the \u003ccode\u003eASL AWS Defense Evasion Stop Logging Cloudtrail\u003c/code\u003e search.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-aws-cloudtrail-logging-stopped/","summary":"Detection of AWS CloudTrail `StopLogging` events indicating potential defense evasion by adversaries attempting to operate undetected within a compromised AWS environment by halting the logging of their malicious activities.","title":"AWS CloudTrail Logging Stopped for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-cloudtrail-logging-stopped/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["CloudTrail","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Amazon Security Lake","Splunk Add-on for Amazon Web Services"],"_cs_severities":["high"],"_cs_tags":["aws","network-acl","misconfiguration","cloud","security-group"],"_cs_type":"advisory","_cs_vendors":["Amazon","Splunk"],"content_html":"\u003cp\u003eThis detection focuses on identifying misconfigured AWS Network ACLs (NACLs) that permit unrestricted traffic. AWS NACLs act as a firewall for controlling traffic in and out of subnets within a Virtual Private Cloud (VPC). When an NACL is configured to allow all ports and protocols from any IP address (0.0.0.0/0), it effectively bypasses security controls and exposes resources to potential threats. The activity is detected by monitoring AWS CloudTrail events for \u003ccode\u003eCreateNetworkAclEntry\u003c/code\u003e or \u003ccode\u003eReplaceNetworkAclEntry\u003c/code\u003e API calls. This configuration error can be introduced by administrators during initial setup or through misconfiguration during updates. Defenders should ensure that NACLs follow the principle of least privilege to limit the attack surface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a target AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker scans for publicly accessible services or resources.\u003c/li\u003e\n\u003cli\u003eAn administrator, either maliciously or accidentally, creates or modifies a Network ACL using the AWS Management Console, CLI, or API with overly permissive rules (allowing all traffic: \u003ccode\u003eruleAction=allow AND egress=false AND aclProtocol=-1 AND cidrBlock=0.0.0.0/0\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe misconfigured NACL is applied to one or more subnets within the VPC.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the open ports and protocols to gain unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally within the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or disrupts services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA misconfigured Network ACL that allows all traffic can have severe consequences. It can lead to unauthorized access to sensitive data, potential data breaches, service disruption, and further compromise of the AWS environment. The impact is particularly high if critical resources are located within the affected subnets. This type of misconfiguration violates security best practices and compliance requirements.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS Network ACL Created with All Ports Open\u003c/code\u003e to your SIEM to detect this specific misconfiguration (logsource: \u003ccode\u003eASL AWS CloudTrail\u003c/code\u003e, category: \u003ccode\u003enetwork_connection\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview existing Network ACL configurations to identify and remediate any overly permissive rules (check AWS console or use AWS CLI/API).\u003c/li\u003e\n\u003cli\u003eImplement automated checks to validate Network ACL configurations against security best practices.\u003c/li\u003e\n\u003cli\u003eEnsure that NACLs follow the principle of least privilege by only allowing necessary traffic (review NACL \u003ccode\u003eruleAction\u003c/code\u003e, \u003ccode\u003eegress\u003c/code\u003e, \u003ccode\u003eaclProtocol\u003c/code\u003e, and \u003ccode\u003ecidrBlock\u003c/code\u003e settings in CloudTrail logs).\u003c/li\u003e\n\u003cli\u003eInvestigate any identified instances of overly permissive NACL configurations to determine the root cause and potential impact (analyze CloudTrail logs for \u003ccode\u003eCreateNetworkAclEntry\u003c/code\u003e or \u003ccode\u003eReplaceNetworkAclEntry\u003c/code\u003e events).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-aws-nacls-all-open/","summary":"The analytic detects the creation or replacement of AWS Network Access Control Lists (ACLs) with rules that allow all traffic from a specified CIDR block, potentially exposing the network to unauthorized access and increasing the risk of data breaches.","title":"AWS Network ACL Created with All Ports Open","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-nacls-all-open/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":true,"_cs_products":["CloudTrail","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Amazon Security Lake"],"_cs_severities":["high"],"_cs_tags":["aws","cloudtrail","defense_evasion","s3"],"_cs_type":"threat","_cs_vendors":["Amazon","Splunk"],"content_html":"\u003cp\u003eThis threat involves the modification of AWS S3 bucket lifecycle policies to expedite the deletion of CloudTrail logs. The technique focuses on configuring a lifecycle rule for an S3 bucket with an expiration period of fewer than three days. By shortening the retention period, attackers aim to quickly eliminate CloudTrail logs, thereby covering their tracks and impeding forensic investigations. This activity is significant because it directly targets security logging, a critical component for threat detection and incident response. This technique can be used by various threat actors seeking to evade detection within AWS environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to an AWS account, potentially through compromised credentials or a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the S3 bucket used to store CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eThe attacker uses AWS CLI or the AWS Management Console to execute the \u003ccode\u003ePutBucketLifecycle\u003c/code\u003e API call.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePutBucketLifecycle\u003c/code\u003e call modifies the lifecycle configuration of the S3 bucket.\u003c/li\u003e\n\u003cli\u003eThe new lifecycle rule specifies a short expiration period (less than three days) for objects in the bucket.\u003c/li\u003e\n\u003cli\u003eCloudTrail logs within the S3 bucket are automatically deleted after the specified expiration period.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s actions are no longer recorded in CloudTrail, hindering incident response.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack leads to the rapid and irreversible deletion of CloudTrail logs. This can severely hamper incident response efforts, making it difficult to trace attacker actions, identify the scope of a breach, and conduct thorough forensic analysis. Organizations may be unable to meet compliance requirements related to data retention and audit logging.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious \u003ccode\u003ePutBucketLifecycle\u003c/code\u003e events with short expiration periods in your SIEM.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected \u003ccode\u003ePutBucketLifecycle\u003c/code\u003e events modifying S3 bucket lifecycle policies (logsource: \u003ccode\u003eASL AWS CloudTrail\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for unusual API calls related to S3 bucket lifecycle management (logsource: \u003ccode\u003eASL AWS CloudTrail\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-aws-bucket-lifecycle-deletion/","summary":"An attacker modifies an AWS S3 bucket lifecycle policy to rapidly expire CloudTrail logs, hindering incident response and forensic analysis.","title":"AWS S3 Bucket Lifecycle Rule for Rapid Log Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-02-aws-bucket-lifecycle-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — Amazon Security Lake","version":"https://jsonfeed.org/version/1.1"}