{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/cloudwatch-logs/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["CloudWatch","AWS WAF","Route 53","GuardDuty","CloudWatch Logs","CloudTrail"],"_cs_severities":["high"],"_cs_tags":["aws","cloudtrail","defense-evasion","cloud"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of malicious attempts to impair or disable AWS security services through the deletion of critical resources. Attackers target services like GuardDuty, AWS WAF (classic and v2), CloudWatch, Route 53, and CloudWatch Logs to evade detection and remove visibility. The primary objective is to create blind spots within the AWS environment, allowing attackers to operate undetected. The activity is identified through specific API calls logged in CloudTrail, such as \u0026ldquo;DeleteLogStream\u0026rdquo; and \u0026ldquo;DeleteDetector.\u0026rdquo; This targeted approach significantly reduces the noise and ensures that only security-related deletions are flagged, enhancing the accuracy of the detection. Successful evasion can lead to privilege escalation or data exfiltration without triggering security alerts, severely compromising the AWS environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the AWS environment is achieved through compromised credentials or a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing security services, including GuardDuty, AWS WAF, CloudWatch, Route 53, and CloudWatch Logs, to identify potential targets for impairment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses AWS CLI or API calls to attempt to delete GuardDuty detectors using \u003ccode\u003eDeleteDetector\u003c/code\u003e against \u003ccode\u003eguardduty.amazonaws.com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to delete WAF rules, IP sets, or rule groups using \u003ccode\u003eDeleteIPSet\u003c/code\u003e, \u003ccode\u003eDeleteWebACL\u003c/code\u003e, \u003ccode\u003eDeleteRuleGroup\u003c/code\u003e, or \u003ccode\u003eDeleteRule\u003c/code\u003e API calls targeting \u003ccode\u003ewafv2.amazonaws.com\u003c/code\u003e or \u003ccode\u003ewaf.amazonaws.com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to delete CloudWatch logging configurations via the \u003ccode\u003eDeleteLoggingConfiguration\u003c/code\u003e API call from \u003ccode\u003ewafv2.amazonaws.com\u003c/code\u003e, \u003ccode\u003ewaf.amazonaws.com\u003c/code\u003e, or \u003ccode\u003eroute53.amazonaws.com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker might attempt to delete CloudWatch alarms using the \u003ccode\u003eDeleteAlarms\u003c/code\u003e event.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker disables critical security monitoring and logging functions, creating blind spots for defenders.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised environment to escalate privileges, move laterally, exfiltrate data, or deploy persistent backdoors without triggering security alerts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack can severely compromise the security posture of the AWS environment. By disabling security services like GuardDuty and CloudWatch, attackers can operate undetected, escalate privileges, and exfiltrate sensitive data without triggering security alerts. The scope of the impact depends on the attacker\u0026rsquo;s objectives, the sensitivity of the data, and the extent of the compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable AWS CloudTrail logging across all regions in your AWS environment to capture API calls and events necessary for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS Defense Evasion via Security Service Deletion\u003c/code\u003e to your SIEM and tune for your environment using \u003ccode\u003euser_agent\u003c/code\u003e and \u003ccode\u003euser_arn\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the user accounts involved and the specific resources being deleted.\u003c/li\u003e\n\u003cli\u003eRegularly review and validate the configurations of your AWS security services, including GuardDuty detectors, WAF rules, and CloudWatch alarms, to ensure they are properly configured and protected from unauthorized deletion.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AWS accounts, especially those with administrative privileges, to reduce the risk of credential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-aws-security-service-impairment/","summary":"Detection of adversaries attempting to impair or disable AWS security services by deleting resources across GuardDuty, AWS WAF, CloudWatch, Route 53, and CloudWatch Logs to evade detection and remove visibility.","title":"AWS Security Services Impairment via Deletion of Resources","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-security-service-impairment/"}],"language":"en","title":"CraftedSignal Threat Feed — CloudWatch Logs","version":"https://jsonfeed.org/version/1.1"}