{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/aws-route-53-resolver/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Route 53 Resolver"],"_cs_severities":["medium"],"_cs_tags":["aws","cloudtrail","route53","defense_evasion"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eAmazon Route 53 Resolver query logs offer crucial insights into DNS activity across VPCs, encompassing lookups from EC2 instances, containers, and Lambda functions. The deletion of a query log configuration immediately halts DNS query and response logging for the associated VPC, creating a monitoring gap. This activity is often associated with defense evasion, where attackers attempt to remove logging to obscure their actions. This detection identifies successful invocations of the \u003ccode\u003eDeleteResolverQueryLogConfig\u003c/code\u003e API call within AWS CloudTrail logs. The scope of impact can range from individual VPCs to entire AWS environments, depending on the breadth of the deleted configuration. Defenders should prioritize investigation to determine whether the deletion was authorized and to identify potential malicious activity that may have been obscured.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account with sufficient privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses compromised credentials or an IAM role to interact with the AWS Management Console, CLI, or SDK.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a Route 53 Resolver Query Log Configuration that is actively logging DNS queries for one or more VPCs.\u003c/li\u003e\n\u003cli\u003eThe attacker invokes the \u003ccode\u003eDeleteResolverQueryLogConfig\u003c/code\u003e API call, specifying the ID of the target query log configuration.\u003c/li\u003e\n\u003cli\u003eAWS CloudTrail logs the \u003ccode\u003eDeleteResolverQueryLogConfig\u003c/code\u003e event with a successful outcome.\u003c/li\u003e\n\u003cli\u003eDNS query and response logging immediately ceases for the VPCs associated with the deleted configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities, such as DNS tunneling or command and control communication, without being logged.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or system compromise, without detection via DNS logs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to a significant reduction in DNS visibility across affected VPCs. Depending on the scope, this can impact a few resources or an entire AWS environment. The immediate consequence is the cessation of DNS query logging, which can obscure ongoing malicious activity, such as command-and-control communication, data exfiltration attempts, or reconnaissance efforts. The lack of DNS data hinders incident response and forensic investigations, making it difficult to identify the scope and impact of the attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS Route 53 Resolver Query Log Configuration Deleted\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview IAM permissions and restrict the \u003ccode\u003eroute53resolver:DeleteResolverQueryLogConfig\u003c/code\u003e action to a minimal set of privileged roles.\u003c/li\u003e\n\u003cli\u003eEnable AWS Config rules to detect and alert on missing or deleted Route 53 Resolver Query Log Configurations.\u003c/li\u003e\n\u003cli\u003eInvestigate any deletion of Resolver Query Log Configurations to determine if it was authorized and corresponds to expected operational changes.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e for any unusual IAM roles or user accounts performing the deletion action as identified in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eRe-create the deleted Resolver Query Log Configuration and re-associate it with the affected VPCs to restore DNS visibility immediately.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-14T12:00:00Z","date_published":"2024-05-14T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-05-route53-resolver-deletion/","summary":"Detection of the deletion of an Amazon Route 53 Resolver Query Log Configuration, potentially stopping DNS query and response logging for associated VPCs, which can be used by adversaries to evade detection and suppress forensic evidence.","title":"AWS Route 53 Resolver Query Log Configuration Deleted","url":"https://feed.craftedsignal.io/briefs/2024-05-route53-resolver-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - AWS Route 53 Resolver","version":"https://jsonfeed.org/version/1.1"}