CloudWatch Logs — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/cloudwatch-logs/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000AWS Security Services Impairment via Deletion of Resourceshttps://feed.craftedsignal.io/briefs/2024-01-03-aws-security-service-impairment/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-aws-security-service-impairment/Detection of adversaries attempting to impair or disable AWS security services by deleting resources across GuardDuty, AWS WAF, CloudWatch, Route 53, and CloudWatch Logs to evade detection and remove visibility.This threat brief focuses on the detection of malicious attempts to impair or disable AWS security services through the deletion of critical resources. Attackers target services like GuardDuty, AWS WAF (classic and v2), CloudWatch, Route 53, and CloudWatch Logs to evade detection and remove visibility. The primary objective is to create blind spots within the AWS environment, allowing attackers to operate undetected. The activity is identified through specific API calls logged in CloudTrail, such as “DeleteLogStream” and “DeleteDetector.” This targeted approach significantly reduces the noise and ensures that only security-related deletions are flagged, enhancing the accuracy of the detection. Successful evasion can lead to privilege escalation or data exfiltration without triggering security alerts, severely compromising the AWS environment.

Attack Chain

  1. Initial access to the AWS environment is achieved through compromised credentials or a misconfigured IAM role.
  2. The attacker enumerates existing security services, including GuardDuty, AWS WAF, CloudWatch, Route 53, and CloudWatch Logs, to identify potential targets for impairment.
  3. The attacker uses AWS CLI or API calls to attempt to delete GuardDuty detectors using DeleteDetector against guardduty.amazonaws.com.
  4. The attacker attempts to delete WAF rules, IP sets, or rule groups using DeleteIPSet, DeleteWebACL, DeleteRuleGroup, or DeleteRule API calls targeting wafv2.amazonaws.com or waf.amazonaws.com.
  5. The attacker attempts to delete CloudWatch logging configurations via the DeleteLoggingConfiguration API call from wafv2.amazonaws.com, waf.amazonaws.com, or route53.amazonaws.com.
  6. The attacker might attempt to delete CloudWatch alarms using the DeleteAlarms event.
  7. If successful, the attacker disables critical security monitoring and logging functions, creating blind spots for defenders.
  8. The attacker leverages the compromised environment to escalate privileges, move laterally, exfiltrate data, or deploy persistent backdoors without triggering security alerts.

Impact

Successful execution of this attack can severely compromise the security posture of the AWS environment. By disabling security services like GuardDuty and CloudWatch, attackers can operate undetected, escalate privileges, and exfiltrate sensitive data without triggering security alerts. The scope of the impact depends on the attacker’s objectives, the sensitivity of the data, and the extent of the compromise.

Recommendation

  • Enable AWS CloudTrail logging across all regions in your AWS environment to capture API calls and events necessary for detection.
  • Deploy the Sigma rule AWS Defense Evasion via Security Service Deletion to your SIEM and tune for your environment using user_agent and user_arn fields.
  • Investigate any alerts generated by the Sigma rule, focusing on the user accounts involved and the specific resources being deleted.
  • Regularly review and validate the configurations of your AWS security services, including GuardDuty detectors, WAF rules, and CloudWatch alarms, to ensure they are properly configured and protected from unauthorized deletion.
  • Implement multi-factor authentication (MFA) for all AWS accounts, especially those with administrative privileges, to reduce the risk of credential compromise.
]]>highadvisoryawscloudtraildefense-evasioncloud