{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/aws-cloudwatch/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS GuardDuty","AWS WAF","AWS CloudWatch","AWS CloudWatch Logs","AWS Route 53"],"_cs_severities":["high"],"_cs_tags":["aws","cloudtrail","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis threat brief focuses on adversaries attempting to impair or disable AWS security services to evade detection and maintain persistence within a compromised environment. The activity involves deleting critical security components across GuardDuty, AWS WAF (classic and v2), CloudWatch, Route 53, and CloudWatch Logs. These operations include deleting detectors, rule groups, IP sets, web ACLs, logging configurations, alarms, and log streams. The attacks leverage valid AWS credentials (either compromised or belonging to a rogue insider) to make legitimate API calls that have the effect of disabling security monitoring. The impact can be significant, as successful impairment of these services allows attackers to operate undetected, potentially escalating privileges, exfiltrating sensitive data, or deploying ransomware without triggering security alerts. This activity is observed via AWS CloudTrail logs, specifically monitoring for \u0026quot;Delete\u0026quot; operations targeting core security services. The scope of this threat covers any AWS environment utilizing these services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the AWS environment, either through compromised credentials, a rogue insider, or exploiting a misconfiguration.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing AWS security services to identify potential targets for impairment, such as GuardDuty detectors, WAF ACLs, or CloudWatch alarms.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to delete GuardDuty detectors using the \u003ccode\u003eDeleteDetector\u003c/code\u003e API call (eventSource: guardduty.amazonaws.com).\u003c/li\u003e\n\u003cli\u003eThe attacker removes AWS WAF rule groups, IP sets, and Web ACLs using the \u003ccode\u003eDeleteRuleGroup\u003c/code\u003e, \u003ccode\u003eDeleteIPSet\u003c/code\u003e, and \u003ccode\u003eDeleteWebACL\u003c/code\u003e API calls (eventSource: wafv2.amazonaws.com, waf.amazonaws.com).\u003c/li\u003e\n\u003cli\u003eThe attacker deletes CloudWatch logging configurations and alarms using the \u003ccode\u003eDeleteLoggingConfiguration\u003c/code\u003e (eventSource: route53.amazonaws.com, wafv2.amazonaws.com, waf.amazonaws.com) and \u003ccode\u003eDeleteAlarms\u003c/code\u003e API calls.\u003c/li\u003e\n\u003cli\u003eThe attacker may delete CloudWatch Log Streams using the \u003ccode\u003eDeleteLogStream\u003c/code\u003e API call.\u003c/li\u003e\n\u003cli\u003eWith security services impaired, the attacker performs malicious activities, such as data exfiltration, lateral movement, or deploying ransomware, with reduced risk of detection.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain persistence within the AWS environment by creating new IAM users or roles or modifying existing ones.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack can lead to a significant degradation of the AWS environment's security posture. This allows attackers to operate undetected, escalating privileges, and exfiltrating data or deploying ransomware without triggering security alerts. Organizations may face significant financial losses, reputational damage, and regulatory penalties due to data breaches and service disruptions. Observed damage includes disabled security logging, deleted detection rules, and a general loss of visibility into malicious activity within the AWS environment. The number of potential victims is vast, encompassing any organization utilizing the affected AWS security services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable AWS CloudTrail logging and ensure logs are being ingested into your SIEM to monitor for API calls related to deleting security services.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS Defense Evasion Impair Security Services\u0026quot; to your SIEM to detect attempts to disable security services. Tune the rule for known-good administrator activity (e.g., filtering based on user agent or ARN) to reduce false positives.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AWS accounts, especially those with administrative privileges, to reduce the risk of compromised credentials.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege by granting users only the necessary permissions to perform their tasks, minimizing the potential impact of compromised credentials.\u003c/li\u003e\n\u003cli\u003eReview and audit IAM policies regularly to identify and remediate overly permissive permissions that could be abused by attackers.\u003c/li\u003e\n\u003cli\u003eImplement infrastructure-as-code practices and version control for AWS infrastructure to easily detect and revert unauthorized changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-security-services-impairment/","summary":"Attackers attempt to impair or disable AWS security services such as GuardDuty, WAF, CloudWatch, Route 53 and CloudWatch Logs by deleting detectors, rule groups, IP sets, web ACLs, logging configurations, alarms and log streams, in order to evade detection and operate undetected.","title":"AWS Security Services Impairment via Deletion Operations","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-security-services-impairment/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS CloudWatch"],"_cs_severities":["high"],"_cs_tags":["cloud","aws","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eAttackers may delete CloudWatch log groups to remove evidence of their malicious activities within an AWS environment. This action is detected by monitoring CloudTrail logs for \u003ccode\u003eDeleteLogGroup\u003c/code\u003e events. The deletion of log groups, especially when performed outside of normal administrative tasks, can be a strong indicator of an attacker attempting to evade detection and hide their tracks. The targeting scope includes organizations leveraging AWS CloudWatch for logging and monitoring. This behavior can significantly impede incident response efforts, making it difficult to reconstruct attack timelines and identify compromised resources. Detecting and responding to such events is critical for maintaining security visibility and control within the AWS environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account, potentially through compromised credentials or exploiting a vulnerability in an exposed service.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing CloudWatch log groups to identify those containing valuable audit or security-related logs.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the AWS API using stolen or generated credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker issues a \u003ccode\u003eDeleteLogGroup\u003c/code\u003e API call via the AWS CLI, SDK, or API directly, targeting specific log groups. The request is crafted to successfully delete the log group.\u003c/li\u003e\n\u003cli\u003eCloudTrail logs the \u003ccode\u003eDeleteLogGroup\u003c/code\u003e event, recording details such as the user, timestamp, and target log group.\u003c/li\u003e\n\u003cli\u003eThe attacker may repeat the process to delete multiple log groups, systematically removing traces of their activity.\u003c/li\u003e\n\u003cli\u003eThe successful deletion of the CloudWatch log group removes logs crucial for forensic analysis and incident response.\u003c/li\u003e\n\u003cli\u003eThe attacker continues their malicious activities, now with a reduced risk of detection due to the absence of logs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of CloudWatch log groups allows attackers to operate with significantly reduced visibility. This can lead to delayed incident detection, increased dwell time, and greater potential for data exfiltration or system compromise. Organizations relying on CloudWatch logs for security monitoring and compliance are particularly vulnerable. The impact includes hindering forensic investigations, impeding incident response efforts, and potentially violating compliance requirements.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS CloudWatch Log Group Deletion\u003c/code\u003e to detect attempts to delete CloudWatch log groups based on CloudTrail events.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected \u003ccode\u003eDeleteLogGroup\u003c/code\u003e events, especially those originating from unusual IP addresses or user accounts.\u003c/li\u003e\n\u003cli\u003eImplement strict IAM policies to restrict the ability to delete CloudWatch log groups to authorized personnel only.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for unauthorized API calls and suspicious activity related to CloudWatch.\u003c/li\u003e\n\u003cli\u003eEnable multi-factor authentication (MFA) for all AWS accounts to reduce the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eReview and enforce least privilege principles for all IAM roles and users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-cloudwatch-log-deletion/","summary":"The deletion of AWS CloudWatch log groups, detected via CloudTrail logs, indicates a potential defense evasion attempt by adversaries aiming to remove audit trails and hinder incident response.","title":"AWS CloudWatch Log Group Deletion for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-cloudwatch-log-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - AWS CloudWatch","version":"https://jsonfeed.org/version/1.1"}