{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/cloudtrail/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["CloudWatch","AWS WAF","Route 53","GuardDuty","CloudWatch Logs","CloudTrail"],"_cs_severities":["high"],"_cs_tags":["aws","cloudtrail","defense-evasion","cloud"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of malicious attempts to impair or disable AWS security services through the deletion of critical resources. Attackers target services like GuardDuty, AWS WAF (classic and v2), CloudWatch, Route 53, and CloudWatch Logs to evade detection and remove visibility. The primary objective is to create blind spots within the AWS environment, allowing attackers to operate undetected. The activity is identified through specific API calls logged in CloudTrail, such as \u0026ldquo;DeleteLogStream\u0026rdquo; and \u0026ldquo;DeleteDetector.\u0026rdquo; This targeted approach significantly reduces the noise and ensures that only security-related deletions are flagged, enhancing the accuracy of the detection. 
Successful evasion can lead to privilege escalation or data exfiltration without triggering security alerts, severely compromising the AWS environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the AWS environment is achieved through compromised credentials or a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing security services, including GuardDuty, AWS WAF, CloudWatch, Route 53, and CloudWatch Logs, to identify potential targets for impairment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses AWS CLI or API calls to attempt to delete GuardDuty detectors using \u003ccode\u003eDeleteDetector\u003c/code\u003e against \u003ccode\u003eguardduty.amazonaws.com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to delete WAF rules, IP sets, or rule groups using \u003ccode\u003eDeleteIPSet\u003c/code\u003e, \u003ccode\u003eDeleteWebACL\u003c/code\u003e, \u003ccode\u003eDeleteRuleGroup\u003c/code\u003e, or \u003ccode\u003eDeleteRule\u003c/code\u003e API calls targeting \u003ccode\u003ewafv2.amazonaws.com\u003c/code\u003e or \u003ccode\u003ewaf.amazonaws.com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to delete CloudWatch logging configurations via the \u003ccode\u003eDeleteLoggingConfiguration\u003c/code\u003e API call from \u003ccode\u003ewafv2.amazonaws.com\u003c/code\u003e, \u003ccode\u003ewaf.amazonaws.com\u003c/code\u003e, or \u003ccode\u003eroute53.amazonaws.com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker might attempt to delete CloudWatch alarms using the \u003ccode\u003eDeleteAlarms\u003c/code\u003e event.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker disables critical security monitoring and logging functions, creating blind spots for defenders.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised environment to escalate privileges, move laterally, 
exfiltrate data, or deploy persistent backdoors without triggering security alerts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack can severely compromise the security posture of the AWS environment. By disabling security services like GuardDuty and CloudWatch, attackers can operate undetected, escalate privileges, and exfiltrate sensitive data without triggering security alerts. The scope of the impact depends on the attacker\u0026rsquo;s objectives, the sensitivity of the data, and the extent of the compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable AWS CloudTrail logging across all regions in your AWS environment to capture API calls and events necessary for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS Defense Evasion via Security Service Deletion\u003c/code\u003e to your SIEM and tune for your environment using \u003ccode\u003euser_agent\u003c/code\u003e and \u003ccode\u003euser_arn\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the user accounts involved and the specific resources being deleted.\u003c/li\u003e\n\u003cli\u003eRegularly review and validate the configurations of your AWS security services, including GuardDuty detectors, WAF rules, and CloudWatch alarms, to ensure they are properly configured and protected from unauthorized deletion.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AWS accounts, especially those with administrative privileges, to reduce the risk of credential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-aws-security-service-impairment/","summary":"Detection of adversaries attempting to impair or disable AWS security 
services by deleting resources across GuardDuty, AWS WAF, CloudWatch, Route 53, and CloudWatch Logs to evade detection and remove visibility.","title":"AWS Security Services Impairment via Deletion of Resources","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-security-service-impairment/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["CloudTrail","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Splunk Add-on for Amazon Web Services"],"_cs_severities":["medium"],"_cs_tags":["aws","cloudtrail","defense-evasion","cloud"],"_cs_type":"advisory","_cs_vendors":["Amazon","Splunk"],"content_html":"\u003cp\u003eThis detection focuses on identifying attempts to evade detection within AWS environments by monitoring \u003ccode\u003eUpdateTrail\u003c/code\u003e events in AWS CloudTrail logs. Attackers may modify CloudTrail settings with incorrect parameters, such as switching from multi-regional logging to single-region logging, to reduce the scope of logged activities. This tactic allows adversaries to operate undetected in compromised AWS environments, as their actions in other regions are not properly recorded. Detecting these configuration changes is critical for Security Operations Centers (SOCs) to maintain visibility and respond effectively to threats. 
The lack of comprehensive logging can significantly impede incident response and forensic investigations, allowing malicious activities to persist unnoticed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, potentially through compromised credentials or an exposed API key (T1078).\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the AWS Management Console or uses the AWS CLI with the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker issues an \u003ccode\u003eUpdateTrail\u003c/code\u003e API call to modify the CloudTrail configuration (T1562.008).\u003c/li\u003e\n\u003cli\u003eThe attacker disables multi-region logging, restricting log collection to a single AWS region.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker modifies the S3 bucket used for log storage, potentially directing logs to an attacker-controlled location.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities within the AWS environment, knowing that these actions will not be comprehensively logged across all regions.\u003c/li\u003e\n\u003cli\u003eThese malicious activities could include lateral movement, data exfiltration, or resource compromise.\u003c/li\u003e\n\u003cli\u003eThe reduced logging scope hinders detection and response efforts, allowing the attacker to maintain persistence and achieve their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful evasion of CloudTrail logging can lead to significant blind spots in security monitoring. If an attacker successfully modifies CloudTrail settings, their subsequent actions within the AWS environment are less likely to be detected. This can lead to prolonged dwell time, increased data exfiltration, and greater overall damage. 
Organizations relying on CloudTrail for compliance and security auditing may also face regulatory repercussions due to incomplete logging. The blast radius of a successful attack expands significantly when logging is impaired, affecting potentially all resources within the AWS environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune it for your specific AWS environment to detect unauthorized CloudTrail modifications.\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003eUpdateTrail\u003c/code\u003e events where the \u003ccode\u003eactor.user.uid\u003c/code\u003e is not a known administrator account (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for changes to multi-region logging settings and S3 bucket destinations (see references to \u003ccode\u003eapi.operation=UpdateTrail\u003c/code\u003e in the \u003ccode\u003esearch\u003c/code\u003e field).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AWS accounts, especially those with administrative privileges to mitigate credential compromise (T1110).\u003c/li\u003e\n\u003cli\u003eRegularly review and audit CloudTrail configurations to ensure they align with security best practices and organizational policies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-aws-cloudtrail-update/","summary":"Attackers may attempt to evade detection by altering CloudTrail logging configurations, such as changing multi-regional logging to a single region, which impairs the logging of their activities and hinders incident response.","title":"AWS CloudTrail Update for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-cloudtrail-update/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["CloudTrail","Splunk 
Enterprise","Splunk Enterprise Security","Splunk Cloud","Amazon Security Lake"],"_cs_severities":["high"],"_cs_tags":["aws","cloudtrail","defense-evasion","cloud"],"_cs_type":"advisory","_cs_vendors":["Amazon","Splunk"],"content_html":"\u003cp\u003eThis analytic detects \u003ccode\u003eStopLogging\u003c/code\u003e events within AWS CloudTrail logs, which is a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker\u0026rsquo;s actions. 
The detection is based on Amazon Security Lake events.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing CloudTrail configurations to identify the target log trails.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to disable logging by invoking the \u003ccode\u003eStopLogging\u003c/code\u003e API call on the CloudTrail service.\u003c/li\u003e\n\u003cli\u003eThe AWS CloudTrail service receives the \u003ccode\u003eStopLogging\u003c/code\u003e API request.\u003c/li\u003e\n\u003cli\u003eIf the attacker has sufficient privileges, the CloudTrail service processes the request, and logging is stopped for the specified trail.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities within the AWS environment without those actions being logged by CloudTrail.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to delete or modify existing CloudTrail log files to further cover their tracks (not directly detected by this analytic, but a likely follow-on action).\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or resource compromise, without immediate detection due to the disabled logging.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful evasion of CloudTrail logging can severely impair incident response and forensic investigations. Without logs, identifying the scope and nature of the attack becomes significantly more challenging. Organizations may experience delayed breach detection, increased dwell time for attackers, and difficulty in recovering compromised resources. The impact can extend to compliance violations, as many regulatory frameworks require comprehensive audit logging. 
This is a high severity incident because it prevents security teams from understanding what an attacker did in the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AWS CloudTrail StopLogging Event\u003c/code\u003e to your SIEM and tune for your environment to detect instances where CloudTrail logging is stopped.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected \u003ccode\u003eStopLogging\u003c/code\u003e events (as surfaced by the Sigma rule) to determine whether they are authorized administrative actions or potentially malicious.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual API calls and activities originating from the source IP addresses and user accounts identified in the \u003ccode\u003eASL AWS Defense Evasion Stop Logging Cloudtrail\u003c/code\u003e search results.\u003c/li\u003e\n\u003cli\u003eReview and enforce strict IAM policies to minimize the potential for unauthorized users to disable CloudTrail logging to prevent future attempts at defense evasion.\u003c/li\u003e\n\u003cli\u003eIngest CloudTrail logs from Amazon Security Lake into Splunk, ensuring you are using the latest version of Splunk Add-on for Amazon Web Services to use the \u003ccode\u003eASL AWS Defense Evasion Stop Logging Cloudtrail\u003c/code\u003e search.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-aws-cloudtrail-logging-stopped/","summary":"Detection of AWS CloudTrail `StopLogging` events indicating potential defense evasion by adversaries attempting to operate undetected within a compromised AWS environment by halting the logging of their malicious activities.","title":"AWS CloudTrail Logging Stopped for Defense 
Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-cloudtrail-logging-stopped/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","CloudTrail"],"_cs_severities":["high"],"_cs_tags":["aws","cloudtrail","defense-evasion","aws-account"],"_cs_type":"advisory","_cs_vendors":["Splunk","Amazon"],"content_html":"\u003cp\u003eThis alert focuses on detecting the \u003ccode\u003eStopLogging\u003c/code\u003e event within AWS CloudTrail, a critical indicator of potential defense evasion. Attackers often disable CloudTrail logging to conceal their malicious activities, making it difficult for security teams to detect and respond to breaches effectively. The detection specifically looks for successful \u003ccode\u003eStopLogging\u003c/code\u003e events (\u003ccode\u003eerrorCode = success\u003c/code\u003e) originating from sources other than the AWS console (\u003ccode\u003euserAgent!=console.amazonaws.com\u003c/code\u003e). By identifying these instances, security teams can quickly investigate the reasons behind the logging stoppage, determine if it was authorized, and take appropriate action to prevent further unauthorized activities. 
This is especially critical for maintaining visibility and control over AWS environments, ensuring that malicious actions are not conducted without a trace.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an AWS account, potentially through compromised credentials or exploiting a misconfiguration.\u003c/li\u003e\n\u003cli\u003eThe attacker assumes a role or escalates privileges to gain sufficient permissions to manage CloudTrail.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the active CloudTrail trails within the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003eStopLogging\u003c/code\u003e API call against the identified CloudTrail trail.\u003c/li\u003e\n\u003cli\u003eCloudTrail logs the \u003ccode\u003eStopLogging\u003c/code\u003e event, recording the action, user, and source IP.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with malicious activities, such as data exfiltration, resource manipulation, or deploying backdoors, without being logged by CloudTrail.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to remove or modify existing security controls and monitoring configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker persists in the environment, potentially creating new identities or backdoors to maintain access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of CloudTrail logging can have severe consequences. It impairs incident response by removing the primary source of audit data. Without CloudTrail logs, security teams lose visibility into attacker activities, making it difficult to determine the scope and impact of the breach. Attackers can operate undetected, exfiltrate sensitive data, modify critical resources, and establish persistent backdoors. 
The impact can range from data breaches and financial losses to reputational damage and regulatory fines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect instances of \u003ccode\u003eStopLogging\u003c/code\u003e events in AWS CloudTrail logs and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected \u003ccode\u003eStopLogging\u003c/code\u003e events, focusing on the user (\u003ccode\u003euser\u003c/code\u003e), source IP (\u003ccode\u003esrc\u003c/code\u003e), and reason for stopping logging.\u003c/li\u003e\n\u003cli\u003eEnable multi-factor authentication (MFA) for all AWS accounts to prevent credential compromise (TTP: TA0001).\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege to minimize the impact of compromised credentials (TTP: TA0004).\u003c/li\u003e\n\u003cli\u003eRegularly review and audit CloudTrail configurations to ensure logging is enabled and properly configured (TTP: TA0005).\u003c/li\u003e\n\u003cli\u003eImplement alerting for changes to CloudTrail configuration to detect unauthorized modifications (TTP: TA0005).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-aws-cloudtrail-stop-logging/","summary":"Detection of AWS CloudTrail StopLogging events indicates a potential defense evasion attempt by an attacker to operate stealthily within a compromised AWS environment and hinder incident response.","title":"AWS CloudTrail Logging Stopped for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-cloudtrail-stop-logging/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["CloudTrail","Splunk Enterprise","Splunk Enterprise Security","Splunk 
Cloud"],"_cs_severities":["high"],"_cs_tags":["aws","bedrock","cloudtrail","logging","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Amazon","Splunk"],"content_html":"\u003cp\u003eThis analytic identifies attempts to delete AWS Bedrock model invocation logging configurations. The activity is detected by monitoring AWS CloudTrail logs for calls to the \u003ccode\u003eDeleteModelInvocationLoggingConfiguration\u003c/code\u003e API. Successful deletion of this logging configuration could allow attackers to interact with AI models hosted on AWS Bedrock without leaving forensic traces. This may be indicative of an adversary who has compromised AWS credentials and is attempting to evade detection of their malicious actions. The impact could range from data exfiltration and prompt injection attacks to other unauthorized activities, all performed without generating audit records. This event should be considered a high-priority alert, as it directly impacts the ability to monitor and respond to potentially malicious use of AI models within the AWS environment. 
The detection leverages AWS CloudTrail logs and is based on the Splunk ES-CU analytic \u0026ldquo;AWS Bedrock Delete Model Invocation Logging Configuration\u0026rdquo;.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account, potentially through credential compromise or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates the existing AWS Bedrock model invocation logging configurations within the targeted AWS account.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003eDeleteModelInvocationLoggingConfiguration\u003c/code\u003e API call to disable or remove the logging configuration.\u003c/li\u003e\n\u003cli\u003eAWS CloudTrail logs the \u003ccode\u003eDeleteModelInvocationLoggingConfiguration\u003c/code\u003e event, capturing details such as the user, source IP, and timestamp.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds to interact with AWS Bedrock models, potentially performing data exfiltration or prompt injection attacks.\u003c/li\u003e\n\u003cli\u003eBecause model invocation logging has been disabled, these interactions are not logged, hindering detection and incident response efforts.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to further cover their tracks by deleting or modifying other relevant CloudTrail logs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to unauthorized access and manipulation of AI models hosted on AWS Bedrock. The deletion of model invocation logs allows attackers to hide their activities, making it difficult to detect and respond to incidents such as data exfiltration or prompt injection attacks. This can result in significant financial loss, reputational damage, and legal liabilities. 
The exact number of victims and the extent of the damage depend on the scope and duration of the attacker\u0026rsquo;s access to the AI models.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AWS Bedrock Logging Deletion\u003c/code\u003e to your SIEM to detect attempts to delete AWS Bedrock model invocation logging configurations.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u003ccode\u003eDeleteModelInvocationLoggingConfiguration\u003c/code\u003e events, focusing on unexpected users or source IPs, to validate legitimate administrative actions.\u003c/li\u003e\n\u003cli\u003eEnable AWS CloudTrail logging for all AWS regions and services, including Bedrock, to ensure comprehensive audit coverage.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AWS accounts to reduce the risk of credential compromise (T1685.002).\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for unusual API calls and access patterns to identify potential insider threats or compromised accounts.\u003c/li\u003e\n\u003cli\u003eReview and update IAM policies to enforce the principle of least privilege and restrict access to sensitive API actions, such as \u003ccode\u003eDeleteModelInvocationLoggingConfiguration\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-aws-bedrock-logging-deletion/","summary":"Detection of attempts to delete AWS Bedrock model invocation logging configurations, potentially indicating an adversary trying to remove audit trails of model interactions after credential compromise, to hide malicious AI model usage.","title":"AWS Bedrock Model Invocation Logging Deletion 
Attempt","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-bedrock-logging-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["CloudTrail","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["aws","cloudtrail","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Amazon","Splunk"],"content_html":"\u003cp\u003eAttackers may attempt to evade detection by manipulating AWS S3 bucket lifecycle rules to accelerate the deletion of CloudTrail logs. By using the \u003ccode\u003ePutBucketLifecycle\u003c/code\u003e API to set a short expiration period (less than three days) on an S3 bucket containing CloudTrail logs, adversaries can effectively erase their activity history. This technique is particularly relevant as it directly impacts the ability of security teams to conduct thorough investigations and respond effectively to breaches. The tactic aims to impair forensic investigations by eliminating critical log data, thereby obscuring attacker actions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, potentially through compromised credentials or exploiting a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the S3 bucket(s) used to store CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS CLI or API to call the \u003ccode\u003ePutBucketLifecycle\u003c/code\u003e API, configuring a new lifecycle rule.\u003c/li\u003e\n\u003cli\u003eThe lifecycle rule is configured with an \u003ccode\u003eExpiration\u003c/code\u003e parameter, setting the \u003ccode\u003eDays\u003c/code\u003e value to a low number (e.g., 1 or 2 days).\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious activities within the AWS environment, knowing the logs will be quickly deleted.\u003c/li\u003e\n\u003cli\u003eThe S3 lifecycle policy automatically 
deletes the CloudTrail logs after the specified short expiration period.\u003c/li\u003e\n\u003cli\u003eSecurity analysts attempting to investigate the attacker\u0026rsquo;s activities find that the relevant CloudTrail logs are missing or incomplete, hindering their investigation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful manipulation of S3 bucket lifecycle rules can severely impede incident response efforts. By rapidly deleting CloudTrail logs, attackers can cover their tracks, making it difficult to trace their actions and understand the scope of the breach. This can lead to prolonged dwell time, increased data exfiltration, and greater overall damage. The impact is significant because it directly targets the visibility security teams rely on for threat detection and response.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS S3 Bucket Lifecycle with Short Expiration\u003c/code\u003e to detect suspicious \u003ccode\u003ePutBucketLifecycle\u003c/code\u003e API calls with expiration periods under three days.\u003c/li\u003e\n\u003cli\u003eEnable CloudTrail logging on all AWS accounts and ensure logs are stored in secure S3 buckets, as required for the detection rules to function.\u003c/li\u003e\n\u003cli\u003eReview and audit existing S3 bucket lifecycle policies to identify any rules with unusually short expiration periods.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all IAM users and roles to prevent unauthorized access and manipulation of S3 bucket lifecycle rules.\u003c/li\u003e\n\u003cli\u003eUse AWS IAM policies to restrict the ability of users and roles to modify S3 bucket lifecycle configurations, limiting the potential for 
abuse.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-aws-s3-lifecycle-deletion/","summary":"Attackers may abuse the AWS S3 PutBucketLifecycle API to rapidly delete CloudTrail logs by setting short expiration periods on S3 buckets, hindering incident response and forensic investigations.","title":"AWS S3 Bucket Lifecycle Rule Abuse for Log Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-s3-lifecycle-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["CloudTrail","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Amazon Security Lake","Splunk Add-on for Amazon Web Services"],"_cs_severities":["high"],"_cs_tags":["aws","network-acl","misconfiguration","cloud","security-group"],"_cs_type":"advisory","_cs_vendors":["Amazon","Splunk"],"content_html":"\u003cp\u003eThis detection focuses on identifying misconfigured AWS Network ACLs (NACLs) that permit unrestricted traffic. AWS NACLs act as a firewall for controlling traffic in and out of subnets within a Virtual Private Cloud (VPC). When an NACL is configured to allow all ports and protocols from any IP address (0.0.0.0/0), it effectively bypasses security controls and exposes resources to potential threats. The activity is detected by monitoring AWS CloudTrail events for \u003ccode\u003eCreateNetworkAclEntry\u003c/code\u003e or \u003ccode\u003eReplaceNetworkAclEntry\u003c/code\u003e API calls. This configuration error can be introduced by administrators during initial setup or through misconfiguration during updates. 
Defenders should ensure that NACLs follow the principle of least privilege to limit the attack surface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a target AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker scans for publicly accessible services or resources.\u003c/li\u003e\n\u003cli\u003eAn administrator, either maliciously or accidentally, creates or modifies a Network ACL using the AWS Management Console, CLI, or API with overly permissive rules (allowing all traffic: \u003ccode\u003eruleAction=allow AND egress=false AND aclProtocol=-1 AND cidrBlock=0.0.0.0/0\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe misconfigured NACL is applied to one or more subnets within the VPC.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the open ports and protocols to gain unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally within the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or disrupts services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA misconfigured Network ACL that allows all traffic can have severe consequences. It can lead to unauthorized access to sensitive data, potential data breaches, service disruption, and further compromise of the AWS environment. The impact is particularly high if critical resources are located within the affected subnets. 
This type of misconfiguration violates security best practices and compliance requirements.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS Network ACL Created with All Ports Open\u003c/code\u003e to your SIEM to detect this specific misconfiguration (logsource: \u003ccode\u003eASL AWS CloudTrail\u003c/code\u003e, category: \u003ccode\u003enetwork_connection\u003c/code\u003e); make sure it matches both \u003ccode\u003eegress\u003c/code\u003e values and the IPv6 form of the rule.\u003c/li\u003e\n\u003cli\u003eReview existing Network ACL configurations for overly permissive rules, for example with \u003ccode\u003eaws ec2 describe-network-acls\u003c/code\u003e, and remediate them; note which subnets each permissive NACL is associated with, since that is what determines exposure, and whether the NACL is the VPC default, whose allow-all entries are expected.\u003c/li\u003e\n\u003cli\u003eImplement automated checks (custom AWS Config rules or scheduled scripts over the describe output) that validate Network ACL configurations against security best practices.\u003c/li\u003e\n\u003cli\u003eEnsure that NACLs follow the principle of least privilege by allowing only the traffic that is required (review the \u003ccode\u003eruleAction\u003c/code\u003e, \u003ccode\u003eegress\u003c/code\u003e, \u003ccode\u003eaclProtocol\u003c/code\u003e, \u003ccode\u003ecidrBlock\u003c/code\u003e and \u003ccode\u003eportRange\u003c/code\u003e fields of the \u003ccode\u003erequestParameters\u003c/code\u003e in CloudTrail).\u003c/li\u003e\n\u003cli\u003eInvestigate any identified instance of an overly permissive NACL to determine root cause and potential impact: the \u003ccode\u003eCreateNetworkAclEntry\u003c/code\u003e or \u003ccode\u003eReplaceNetworkAclEntry\u003c/code\u003e event in CloudTrail carries the \u003ccode\u003euserIdentity\u003c/code\u003e, \u003ccode\u003esourceIPAddress\u003c/code\u003e and \u003ccode\u003eeventTime\u003c/code\u003e that tell you who made the change, from where, and when.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-aws-nacls-all-open/","summary":"The analytic detects the creation or replacement of AWS Network Access Control Lists (ACLs) with rules that allow all traffic from a specified CIDR block, potentially exposing the network to unauthorized access and increasing the risk of data breaches.","title":"AWS Network ACL Created with All Ports 
Open","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-nacls-all-open/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":true,"_cs_products":["CloudTrail","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Amazon Security Lake"],"_cs_severities":["high"],"_cs_tags":["aws","cloudtrail","defense_evasion","s3"],"_cs_type":"threat","_cs_vendors":["Amazon","Splunk"],"content_html":"\u003cp\u003eThis threat involves the modification of an S3 bucket\u0026rsquo;s lifecycle configuration to expedite the deletion of CloudTrail logs. The technique consists of putting a lifecycle rule on the bucket that holds the trail, with an expiration period of fewer than three days. By shortening the retention period the attacker aims to have S3 itself remove the evidence, covering their tracks and impeding forensic investigation. Two details matter for defenders. First, lifecycle expiration is applied asynchronously by S3, normally within a day or two of an object becoming eligible, so \u0026ldquo;rapid\u0026rdquo; means days rather than minutes, and a detection that fires on the configuration change leaves time to react. Second, if S3 Versioning is enabled on the bucket, an \u003ccode\u003eExpiration\u003c/code\u003e rule only adds delete markers; removing the underlying versions requires a separate \u003ccode\u003eNoncurrentVersionExpiration\u003c/code\u003e rule, so the detection should examine both. The activity is significant because it directly targets security logging, a critical component of threat detection and incident response, and it can be used by any threat actor seeking to evade detection within AWS environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to an AWS account, potentially through compromised credentials or a vulnerability, holding the \u003ccode\u003es3:PutLifecycleConfiguration\u003c/code\u003e permission on the logging bucket.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the S3 bucket used to store CloudTrail logs (for example from \u003ccode\u003eDescribeTrails\u003c/code\u003e output).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS CLI (\u003ccode\u003eaws s3api put-bucket-lifecycle-configuration\u003c/code\u003e) or the AWS Management Console to change the bucket\u0026rsquo;s lifecycle configuration. CloudTrail records the call as a \u003ccode\u003ePutBucketLifecycle\u003c/code\u003e management event from \u003ccode\u003es3.amazonaws.com\u003c/code\u003e: the legacy \u003ccode\u003ePutBucketLifecycle\u003c/code\u003e and the current \u003ccode\u003ePutBucketLifecycleConfiguration\u003c/code\u003e operations are the same REST request (\u003ccode\u003ePUT ?lifecycle\u003c/code\u003e) and are logged under that name.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePutBucketLifecycle\u003c/code\u003e call replaces the bucket\u0026rsquo;s entire lifecycle configuration; the new rule specifies a short expiration period (fewer than three days) for objects in the bucket.\u003c/li\u003e\n\u003cli\u003eCloudTrail logs within the S3 bucket are automatically deleted once the specified expiration period has elapsed.\u003c/li\u003e\n\u003cli\u003eThe 
attacker\u0026rsquo;s actions are no longer recoverable from the bucket, hindering incident response.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack leads to the deletion of CloudTrail logs shortly after they are written, irreversibly unless the object versions are protected by S3 Versioning and Object Lock. This can severely hamper incident response efforts, making it difficult to trace attacker actions, identify the scope of a breach, and conduct thorough forensic analysis. Organizations may also be unable to meet compliance requirements related to data retention and audit logging.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u003ccode\u003ePutBucketLifecycle\u003c/code\u003e events whose rules carry short expiration periods.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected \u003ccode\u003ePutBucketLifecycle\u003c/code\u003e event that modifies the lifecycle configuration of a bucket receiving CloudTrail logs, and treat the calling principal as potentially compromised (logsource: \u003ccode\u003eASL AWS CloudTrail\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail for unusual API calls related to S3 bucket lifecycle management, including calls that fail with \u003ccode\u003eAccessDenied\u003c/code\u003e, which indicate an attempt (logsource: \u003ccode\u003eASL AWS CloudTrail\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReduce the blast radius of a compromised account: deliver trails to a bucket in a separate log-archive account that workload principals cannot administer, and protect that bucket with S3 Versioning and Object Lock so that lifecycle rules cannot purge locked versions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-aws-bucket-lifecycle-deletion/","summary":"An attacker modifies an AWS S3 bucket lifecycle policy to rapidly expire CloudTrail logs, hindering incident response and forensic analysis.","title":"AWS S3 Bucket Lifecycle Rule for Rapid Log Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-02-aws-bucket-lifecycle-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Bedrock","CloudTrail","Splunk Enterprise","Splunk Enterprise Security","Splunk 
Cloud"],"_cs_severities":["high"],"_cs_tags":["aws","bedrock","cloudtrail","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Amazon","Splunk"],"content_html":"\u003cp\u003eThis analytic detects the deletion of Amazon Bedrock GuardRails. Amazon Bedrock is a fully managed service that offers a choice of foundation models (FMs) from several AI companies. Guardrails are the configurable safeguards in Bedrock (content filters, denied topics, sensitive-information filters and similar) applied to model inputs and outputs; they are enforced per request by reference, that is, by the guardrail identifier and version passed with the model invocation or attached to an agent. Deleting a guardrail, visible in AWS CloudTrail as a \u003ccode\u003eDeleteGuardrail\u003c/code\u003e event from \u003ccode\u003ebedrock.amazonaws.com\u003c/code\u003e, could indicate a malicious actor attempting to bypass safety measures after compromising credentials. It can enable harmful or malicious model outputs, leading to the generation of offensive content, extraction of sensitive information, or circumvention of prompt injection defenses; applications that reference the deleted guardrail stop working or, if they fall back to unguarded calls, lose their protection silently. An attacker who already holds \u003ccode\u003eInvokeModel\u003c/code\u003e permission could also simply invoke the model without referencing any guardrail, which is why the deletion itself, rather than the later model use, is the high-signal event to alert on. This activity matters to defenders because it points to a potential attempt to manipulate AI model behavior for malicious purposes, and warrants immediate investigation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account with sufficient privileges to manage Bedrock resources (in IAM terms, \u003ccode\u003ebedrock:DeleteGuardrail\u003c/code\u003e on the target guardrail), possibly through credential compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the AWS environment, establishing a session.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing GuardRail configurations (\u003ccode\u003eListGuardrails\u003c/code\u003e, \u003ccode\u003eGetGuardrail\u003c/code\u003e) using the AWS APIs or the AWS Management Console.\u003c/li\u003e\n\u003cli\u003eThe attacker calls the \u003ccode\u003eDeleteGuardrail\u003c/code\u003e API via the AWS CLI, SDK, or Management Console, specifying the \u003ccode\u003eguardrailIdentifier\u003c/code\u003e of the targeted GuardRail (and optionally a \u003ccode\u003eguardrailVersion\u003c/code\u003e; without one, the whole guardrail is removed).\u003c/li\u003e\n\u003cli\u003eAWS CloudTrail logs the \u003ccode\u003eDeleteGuardrail\u003c/code\u003e event, including the user identity, source IP address, and GuardRail 
identifier.\u003c/li\u003e\n\u003cli\u003eThe GuardRail is deleted, removing the configured safety controls from every application or agent that referenced it.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the now-unprotected Bedrock models to generate harmful content, extract sensitive information, or bypass other security controls.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data obtained from the unprotected model to an external location.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of Bedrock GuardRails could allow attackers to manipulate AI model behavior for malicious purposes: generation of offensive or harmful content, extraction of sensitive information, or bypassing of prompt injection defenses. Applications that reference the deleted guardrail by identifier will also fail or, if they fall back to unguarded invocations, silently lose their protection. Organizations utilizing Amazon Bedrock may experience reputational damage, data breaches, and regulatory compliance issues. While specific victim numbers are unavailable, the impact could be significant depending on the sensitivity of the data processed by the models.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure a multi-region CloudTrail trail with management events enabled covers every Region where Bedrock is used; \u003ccode\u003eDeleteGuardrail\u003c/code\u003e is a control-plane call logged with \u003ccode\u003eeventSource\u003c/code\u003e \u003ccode\u003ebedrock.amazonaws.com\u003c/code\u003e, so no additional data-event configuration is needed to capture it.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect AWS Bedrock GuardRails Deletion\u003c/code\u003e to your SIEM and tune it for your environment to detect unauthorized GuardRail deletions.\u003c/li\u003e\n\u003cli\u003eInvestigate every detected \u003ccode\u003eDeleteGuardrail\u003c/code\u003e event, including failed attempts (\u003ccode\u003eerrorCode\u003c/code\u003e present), to determine whether the action was legitimate and whether the calling credentials are compromised.\u003c/li\u003e\n\u003cli\u003eMaintain an allowlist of the administrators (IAM principals or role ARNs) who are expected to manage GuardRail configurations, and treat deletions by anyone else as suspicious; this keeps false positives low without suppressing the signal.\u003c/li\u003e\n\u003cli\u003eMonitor the \u003ccode\u003esourceIPAddress\u003c/code\u003e of \u003ccode\u003eDeleteGuardrail\u003c/code\u003e calls and alert when it falls outside the networks from which administrators normally work.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all principals that can manage Bedrock resources, and prefer short-lived role sessions over long-lived IAM user access keys, to limit the impact of credential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-aws-bedrock-guardrails-deletion/","summary":"Detection of AWS Bedrock GuardRails deletion, which are security controls to prevent harmful AI outputs, could indicate an adversary attempting to remove safety measures after credential compromise to enable malicious model outputs.","title":"AWS Bedrock GuardRails Deletion Attempt","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-bedrock-guardrails-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — CloudTrail","version":"https://jsonfeed.org/version/1.1"}
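Added example for the brief "AWS Network ACL Created with All Ports Open" (this is not the feed's code nor the Sigma rule it references): one allow-all predicate applied both to CloudTrail `CreateNetworkAclEntry` / `ReplaceNetworkAclEntry` records, for detection, and to `aws ec2 describe-network-acls` output, for the periodic review the recommendations call for. The records, account number, ACL and subnet IDs below are constructed; field names follow the CloudTrail and EC2 API shapes described in the brief, and the describe-side audit also reports whether a hit sits on the VPC default NACL, whose allow-all entries are expected.

```python
"""Flag allow-all Network ACL entries in CloudTrail events and in
`aws ec2 describe-network-acls` output. Added example; the sample
records below are constructed, not taken from a real account."""
import json

OPEN_V4, OPEN_V6 = "0.0.0.0/0", "::/0"
NACL_EVENTS = {"CreateNetworkAclEntry", "ReplaceNetworkAclEntry"}


def is_allow_all(rule_action, protocol, cidr_v4=None, cidr_v6=None):
    """True when one entry admits every protocol (hence every port) from anywhere.
    The protocol may arrive as the string "-1" or as an int; both are normalised."""
    return (rule_action == "allow" and str(protocol) == "-1"
            and (cidr_v4 == OPEN_V4 or cidr_v6 == OPEN_V6))


def find_open_nacl_events(records):
    """One finding per successful Create/ReplaceNetworkAclEntry call whose
    requestParameters describe an allow-all rule, in either direction."""
    findings = []
    for rec in records:
        if rec.get("eventName") not in NACL_EVENTS or rec.get("errorCode"):
            continue
        p = rec.get("requestParameters") or {}
        if is_allow_all(p.get("ruleAction"), p.get("aclProtocol"),
                        p.get("cidrBlock"), p.get("ipv6CidrBlock")):
            findings.append({
                "eventName": rec["eventName"],
                "networkAclId": p.get("networkAclId"),
                "direction": "egress" if p.get("egress") else "ingress",
                "ruleNumber": p.get("ruleNumber"),
                "principal": (rec.get("userIdentity") or {}).get("arn"),
                "sourceIPAddress": rec.get("sourceIPAddress"),
            })
    return findings


def audit_network_acls(describe_output):
    """Walk describe-network-acls JSON and list allow-all entries together with
    the subnets they apply to. The VPC default ACL allows everything by design,
    so isDefault lets the reviewer separate expected hits from real findings."""
    hits = []
    for acl in describe_output.get("NetworkAcls", []):
        subnets = [a.get("SubnetId") for a in acl.get("Associations", [])]
        for e in acl.get("Entries", []):
            if is_allow_all(e.get("RuleAction"), e.get("Protocol"),
                            e.get("CidrBlock"), e.get("Ipv6CidrBlock")):
                hits.append({"networkAclId": acl.get("NetworkAclId"),
                             "isDefault": bool(acl.get("IsDefault")),
                             "direction": "egress" if e.get("Egress") else "ingress",
                             "ruleNumber": e.get("RuleNumber"), "subnets": subnets})
    return hits


ALICE = "arn:aws:iam::111122223333:user/alice"  # constructed principal
SAMPLE_EVENTS = [  # constructed CloudTrail records (abridged)
    {"eventName": "CreateNetworkAclEntry", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": ALICE},
     "requestParameters": {"networkAclId": "acl-0a1b2c3d", "ruleNumber": 100,
                           "aclProtocol": "-1", "ruleAction": "allow",
                           "egress": False, "cidrBlock": "0.0.0.0/0"}},
    {"eventName": "ReplaceNetworkAclEntry", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": ALICE},  # HTTPS only: not allow-all
     "requestParameters": {"networkAclId": "acl-0a1b2c3d", "ruleNumber": 110,
                           "aclProtocol": "6", "ruleAction": "allow", "egress": False,
                           "cidrBlock": "0.0.0.0/0", "portRange": {"from": 443, "to": 443}}},
    {"eventName": "CreateNetworkAclEntry", "errorCode": "Client.UnauthorizedOperation",
     "requestParameters": {"networkAclId": "acl-0a1b2c3d", "ruleNumber": 120,  # denied attempt
                           "aclProtocol": "-1", "ruleAction": "allow",
                           "egress": True, "cidrBlock": "0.0.0.0/0"}},
]
SAMPLE_DESCRIBE = {"NetworkAcls": [  # constructed describe-network-acls output (abridged)
    {"NetworkAclId": "acl-default01", "IsDefault": True,
     "Associations": [{"SubnetId": "subnet-aaa"}],
     "Entries": [{"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow",
                  "Egress": False, "CidrBlock": "0.0.0.0/0"},
                 {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny",
                  "Egress": False, "CidrBlock": "0.0.0.0/0"}]},
    {"NetworkAclId": "acl-0a1b2c3d", "IsDefault": False,
     "Associations": [{"SubnetId": "subnet-bbb"}, {"SubnetId": "subnet-ccc"}],
     "Entries": [{"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow",
                  "Egress": False, "CidrBlock": "0.0.0.0/0"},
                 {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow",
                  "Egress": True, "CidrBlock": "0.0.0.0/0"}]},
]}

if __name__ == "__main__":
    print(json.dumps(find_open_nacl_events(SAMPLE_EVENTS), indent=2))
    print(json.dumps(audit_network_acls(SAMPLE_DESCRIBE), indent=2))
```

Against the constructed input the event scan returns only the first record (the HTTPS-only entry and the denied attempt are skipped), while the audit returns three allow-all entries, one of them on the default NACL. Feed `find_open_nacl_events` the `Records` array of a CloudTrail log file and `audit_network_acls` the parsed output of `aws ec2 describe-network-acls --output json`.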
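Added example for the S3 bucket lifecycle brief (not the feed's or Splunk's code): a triage of `PutBucketLifecycle` events that pulls every enabled rule's `Expiration.Days` and `NoncurrentVersionExpiration.NoncurrentDays`, compares them with the brief's three-day threshold, and raises the severity when the target bucket is a known trail destination. Failed calls are reported as attempts rather than dropped. The records, bucket names and ARNs are constructed; the nesting `LifecycleConfiguration -> Rule -> Expiration` is assumed from CloudTrail's rendering of the request body, and the code tolerates a single `Rule` arriving as an object instead of a list.

```python
"""Triage PutBucketLifecycle events for short expiration periods.
Added example; records are constructed and the requestParameters layout
(LifecycleConfiguration -> Rule -> Expiration -> Days) is assumed from
CloudTrail's XML-derived rendering of the S3 request body."""
import json

MAX_EXPIRATION_DAYS = 3  # the brief's threshold: fewer than three days


def _as_list(value):
    """A single <Rule> may be rendered as an object, several as a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def short_expiration_rules(record, max_days=MAX_EXPIRATION_DAYS):
    """Enabled rules in one PutBucketLifecycle event whose Expiration.Days
    (current objects) or NoncurrentVersionExpiration.NoncurrentDays (old
    versions in a versioned bucket) is below max_days. Disabled rules are
    ignored; the caller decides what to do with failed calls."""
    if record.get("eventName") != "PutBucketLifecycle":
        return []
    config = (record.get("requestParameters") or {}).get("LifecycleConfiguration") or {}
    hits = []
    for rule in _as_list(config.get("Rule")):
        if rule.get("Status") != "Enabled":
            continue
        exp = (rule.get("Expiration") or {}).get("Days")
        ncexp = (rule.get("NoncurrentVersionExpiration") or {}).get("NoncurrentDays")
        for kind, days in (("Expiration", exp), ("NoncurrentVersionExpiration", ncexp)):
            if days is not None and int(days) < max_days:
                hits.append({"ruleId": rule.get("ID"), "kind": kind, "days": int(days)})
    return hits


def triage(records, trail_buckets, max_days=MAX_EXPIRATION_DAYS):
    """One finding per event with at least one short rule. Severity is 'high'
    when the bucket is a known CloudTrail destination, 'medium' otherwise;
    'succeeded' is False when CloudTrail recorded an errorCode (an attempt)."""
    out = []
    for rec in records:
        rules = short_expiration_rules(rec, max_days)
        if not rules:
            continue
        bucket = (rec.get("requestParameters") or {}).get("bucketName")
        out.append({"bucket": bucket,
                    "severity": "high" if bucket in trail_buckets else "medium",
                    "succeeded": "errorCode" not in rec,
                    "principal": (rec.get("userIdentity") or {}).get("arn"),
                    "sourceIPAddress": rec.get("sourceIPAddress"),
                    "rules": rules})
    return out


TRAIL_BUCKETS = {"org-cloudtrail-logs-111122223333"}  # constructed; normally from DescribeTrails
CONTRACTOR = "arn:aws:iam::111122223333:user/contractor"  # constructed principal
SAMPLE = [  # constructed CloudTrail management events (abridged)
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
     "sourceIPAddress": "203.0.113.25", "userIdentity": {"arn": CONTRACTOR},
     "requestParameters": {"bucketName": "org-cloudtrail-logs-111122223333",
                           "LifecycleConfiguration": {"Rule": {
                               "ID": "expire-fast", "Status": "Enabled",
                               "Filter": {"Prefix": ""}, "Expiration": {"Days": 1}}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
     "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/platform-admin"},
     "requestParameters": {"bucketName": "app-artifacts",  # benign: long or disabled rules
                           "LifecycleConfiguration": {"Rule": [
                               {"ID": "archive", "Status": "Enabled", "Expiration": {"Days": 365}},
                               {"ID": "tmp", "Status": "Disabled", "Expiration": {"Days": 1}}]}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
     "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.25",
     "userIdentity": {"arn": CONTRACTOR},  # denied attempt to purge old versions
     "requestParameters": {"bucketName": "org-cloudtrail-logs-111122223333",
                           "LifecycleConfiguration": {"Rule": {
                               "ID": "purge-versions", "Status": "Enabled",
                               "NoncurrentVersionExpiration": {"NoncurrentDays": 1}}}}},
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE, TRAIL_BUCKETS), indent=2))
```

On the constructed input the first and third events are reported (both against the trail bucket, the third as a failed attempt) and the second is not, because its only one-day rule is disabled. Populate `TRAIL_BUCKETS` from the `S3BucketName` values returned by `aws cloudtrail describe-trails` in each account.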
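Added example for the Bedrock GuardRails brief (not the feed's code nor the Sigma rule it names): allowlist-based triage of `DeleteGuardrail` events that resolves assumed-role sessions to the issuing role ARN via `sessionContext.sessionIssuer`, checks `sourceIPAddress` against the networks administrators are expected to use, notes sessions that were not MFA-authenticated, and keeps failed attempts as findings. The records, ARNs, guardrail identifiers and CIDRs are constructed; the CloudTrail field names are the standard `userIdentity` and `sessionContext` ones.

```python
"""Triage DeleteGuardrail events against an allowlist of expected
administrators and source networks. Added example; records, ARNs,
guardrail identifiers and CIDRs are constructed."""
import ipaddress
import json

ALLOWED_PRINCIPALS = {"arn:aws:iam::111122223333:role/ml-platform-admin"}  # constructed
ALLOWED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]               # constructed


def _from_allowed_network(ip):
    """AWS service principals log a hostname (e.g. cloudformation.amazonaws.com)
    rather than an IP in sourceIPAddress; treat those as not matching."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def resolve_principal(identity):
    """For AssumedRole sessions the arn field names the session; the role that
    issued it is under sessionContext.sessionIssuer.arn, which is what an
    allowlist should be written against. IAM users are returned as-is."""
    issuer = (identity.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("arn") or identity.get("arn")


def triage_guardrail_deletions(records, allowed_principals=ALLOWED_PRINCIPALS):
    """One finding per DeleteGuardrail call from bedrock.amazonaws.com, whether
    or not it succeeded. verdict is 'expected' only when the principal is
    allowlisted, the source network is allowlisted and nothing else stands out;
    otherwise 'investigate', with the reasons listed."""
    findings = []
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) != ("bedrock.amazonaws.com", "DeleteGuardrail"):
            continue
        ident = rec.get("userIdentity") or {}
        principal = resolve_principal(ident)
        ip = rec.get("sourceIPAddress", "")
        mfa = ((ident.get("sessionContext") or {}).get("attributes") or {}).get("mfaAuthenticated")
        reasons = []
        if principal not in allowed_principals:
            reasons.append("principal not allowlisted")
        if not _from_allowed_network(ip):
            reasons.append("source IP outside allowlisted networks")
        if mfa == "false":  # CloudTrail records this attribute as a string
            reasons.append("session not MFA-authenticated")
        findings.append({
            "guardrailIdentifier": (rec.get("requestParameters") or {}).get("guardrailIdentifier"),
            "principal": principal, "sourceIPAddress": ip,
            "succeeded": "errorCode" not in rec,
            "verdict": "expected" if not reasons else "investigate",
            "reasons": reasons,
        })
    return findings


ADMIN_ROLE = "arn:aws:iam::111122223333:role/ml-platform-admin"      # constructed
CI_USER = "arn:aws:iam::111122223333:user/ci-deploy"                 # constructed
SAMPLE = [  # constructed CloudTrail records (abridged)
    {"eventSource": "bedrock.amazonaws.com", "eventName": "DeleteGuardrail",
     "sourceIPAddress": "198.51.100.42",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ml-platform-admin/jsmith",
                      "sessionContext": {"sessionIssuer": {"arn": ADMIN_ROLE},
                                         "attributes": {"mfaAuthenticated": "true"}}},
     "requestParameters": {"guardrailIdentifier": "gr-01"}},
    {"eventSource": "bedrock.amazonaws.com", "eventName": "DeleteGuardrail",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": CI_USER,
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"guardrailIdentifier": "gr-02"}},
    {"eventSource": "bedrock.amazonaws.com", "eventName": "DeleteGuardrail",
     "errorCode": "AccessDeniedException", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": CI_USER},  # failed attempt, still a finding
     "requestParameters": {"guardrailIdentifier": "gr-03"}},
    {"eventSource": "bedrock.amazonaws.com", "eventName": "GetGuardrail",  # read-only, ignored
     "sourceIPAddress": "203.0.113.9", "userIdentity": {"arn": CI_USER}},
]

if __name__ == "__main__":
    print(json.dumps(triage_guardrail_deletions(SAMPLE), indent=2))
```

The first record comes out as `expected` (allowlisted role, corporate network, MFA session); the second and third are `investigate`, the third flagged as a failed attempt. Comparing the issuing role rather than the session ARN keeps the allowlist stable across session names, which is the usual pitfall when allowlisting assumed-role activity.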