{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/cloudwatch/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["CloudWatch","AWS WAF","Route 53","GuardDuty","CloudWatch Logs","CloudTrail"],"_cs_severities":["high"],"_cs_tags":["aws","cloudtrail","defense-evasion","cloud"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of malicious attempts to impair or disable AWS security services through the deletion of critical resources. Attackers target services like GuardDuty, AWS WAF (classic and v2), CloudWatch, Route 53, and CloudWatch Logs to evade detection and remove visibility. The primary objective is to create blind spots within the AWS environment, allowing attackers to operate undetected. The activity is identified through specific API calls logged in CloudTrail, such as \u0026ldquo;DeleteLogStream\u0026rdquo; and \u0026ldquo;DeleteDetector.\u0026rdquo; This targeted approach significantly reduces the noise and ensures that only security-related deletions are flagged, enhancing the accuracy of the detection. 
Successful evasion can lead to privilege escalation or data exfiltration without triggering security alerts, severely compromising the AWS environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the AWS environment is achieved through compromised credentials or a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing security services, including GuardDuty, AWS WAF, CloudWatch, Route 53, and CloudWatch Logs, to identify potential targets for impairment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses AWS CLI or API calls to attempt to delete GuardDuty detectors using \u003ccode\u003eDeleteDetector\u003c/code\u003e against \u003ccode\u003eguardduty.amazonaws.com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to delete WAF rules, IP sets, or rule groups using \u003ccode\u003eDeleteIPSet\u003c/code\u003e, \u003ccode\u003eDeleteWebACL\u003c/code\u003e, \u003ccode\u003eDeleteRuleGroup\u003c/code\u003e, or \u003ccode\u003eDeleteRule\u003c/code\u003e API calls targeting \u003ccode\u003ewafv2.amazonaws.com\u003c/code\u003e or \u003ccode\u003ewaf.amazonaws.com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to delete CloudWatch logging configurations via the \u003ccode\u003eDeleteLoggingConfiguration\u003c/code\u003e API call from \u003ccode\u003ewafv2.amazonaws.com\u003c/code\u003e, \u003ccode\u003ewaf.amazonaws.com\u003c/code\u003e, or \u003ccode\u003eroute53.amazonaws.com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker might attempt to delete CloudWatch alarms using the \u003ccode\u003eDeleteAlarms\u003c/code\u003e event.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker disables critical security monitoring and logging functions, creating blind spots for defenders.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised environment to escalate privileges, move laterally, 
exfiltrate data, or deploy persistent backdoors without triggering security alerts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack can severely compromise the security posture of the AWS environment. By disabling security services like GuardDuty and CloudWatch, attackers can operate undetected, escalate privileges, and exfiltrate sensitive data without triggering security alerts. The scope of the impact depends on the attacker\u0026rsquo;s objectives, the sensitivity of the data, and the extent of the compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable AWS CloudTrail logging across all regions in your AWS environment to capture API calls and events necessary for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS Defense Evasion via Security Service Deletion\u003c/code\u003e to your SIEM and tune for your environment using \u003ccode\u003euser_agent\u003c/code\u003e and \u003ccode\u003euser_arn\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the user accounts involved and the specific resources being deleted.\u003c/li\u003e\n\u003cli\u003eRegularly review and validate the configurations of your AWS security services, including GuardDuty detectors, WAF rules, and CloudWatch alarms, to ensure they are properly configured and protected from unauthorized deletion.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AWS accounts, especially those with administrative privileges, to reduce the risk of credential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-aws-security-service-impairment/","summary":"Detection of adversaries attempting to impair or disable AWS security 
services by deleting resources across GuardDuty, AWS WAF, CloudWatch, Route 53, and CloudWatch Logs to evade detection and remove visibility.","title":"AWS Security Services Impairment via Deletion of Resources","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-security-service-impairment/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["CloudWatch","GuardDuty","Web Application Firewall","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["aws","cloudtrail","defense-evasion","security-service"],"_cs_type":"advisory","_cs_vendors":["Amazon","Splunk"],"content_html":"\u003cp\u003eThis threat brief addresses the tactic of adversaries deleting critical AWS security service configurations to evade detection. This includes deleting CloudWatch alarms, GuardDuty detectors, and Web Application Firewall (WAF) rules. The activity is identified through specific API calls such as \u0026ldquo;DeleteLogStream\u0026rdquo;, \u0026ldquo;DeleteDetector\u0026rdquo;, \u0026ldquo;DeleteIPSet\u0026rdquo;, \u0026ldquo;DeleteWebACL\u0026rdquo;, \u0026ldquo;DeleteRule\u0026rdquo;, \u0026ldquo;DeleteRuleGroup\u0026rdquo;, \u0026ldquo;DeleteLoggingConfiguration\u0026rdquo;, and \u0026ldquo;DeleteAlarms\u0026rdquo; within Amazon Security Lake logs. By successfully removing or impairing these services, attackers can operate undetected within an AWS environment, increasing the risk of data breaches, unauthorized access, and persistent compromise. 
The scope includes any AWS environment utilizing the mentioned security services and logging via Amazon Security Lake.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the AWS environment, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker escalates privileges to obtain the necessary permissions to modify or delete security service configurations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker enumerates existing security configurations, such as CloudWatch alarms, GuardDuty detectors, and WAF rules, to identify targets for deletion.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion - Service Deletion:\u003c/strong\u003e The attacker executes API calls like \u003ccode\u003eDeleteLogStream\u003c/code\u003e, \u003ccode\u003eDeleteDetector\u003c/code\u003e, \u003ccode\u003eDeleteIPSet\u003c/code\u003e, \u003ccode\u003eDeleteWebACL\u003c/code\u003e, \u003ccode\u003eDeleteRule\u003c/code\u003e, \u003ccode\u003eDeleteRuleGroup\u003c/code\u003e, \u003ccode\u003eDeleteLoggingConfiguration\u003c/code\u003e, or \u003ccode\u003eDeleteAlarms\u003c/code\u003e to delete security service configurations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e With security monitoring impaired, the attacker establishes persistence mechanisms, such as creating new IAM users or roles with excessive permissions, or deploying backdoors within EC2 instances.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker moves laterally through the AWS environment, accessing sensitive data and resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The attacker 
exfiltrates sensitive data from the compromised AWS environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their objective, which could include data theft, disruption of services, or financial gain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of AWS security services can have severe consequences, potentially affecting any organization using AWS. Consequences range from data breaches and unauthorized resource access to prolonged persistence of malicious actors within the AWS environment. The number of affected victims and the scope of damage depends on the scale of the AWS environment and the sensitivity of the data stored within. Organizations in all sectors are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect the deletion of critical AWS security service configurations based on Amazon Security Lake logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any identified instances of API calls related to the deletion of security services (e.g., \u0026ldquo;DeleteLogStream\u0026rdquo;, \u0026ldquo;DeleteDetector\u0026rdquo;) using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all IAM users and roles to reduce the risk of compromised credentials.\u003c/li\u003e\n\u003cli\u003eReview and restrict IAM policies to ensure that users and roles have only the necessary permissions to perform their duties.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for unusual activity, such as unexpected API calls or changes to IAM policies.\u003c/li\u003e\n\u003cli\u003eRegularly audit AWS security configurations to ensure that they are properly configured and 
maintained.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-aws-security-services-deletion/","summary":"Detection of deletion of critical AWS Security Services configurations like CloudWatch alarms, GuardDuty detectors, and Web Application Firewall rules to evade detection, potentially leading to data breaches and unauthorized access.","title":"AWS Security Services Configuration Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-security-services-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","CloudWatch"],"_cs_severities":["high"],"_cs_tags":["aws","cloudwatch","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Splunk","Amazon"],"content_html":"\u003cp\u003eAttackers may delete CloudWatch log groups to remove evidence of their activities within an AWS environment. This action, identified through \u003ccode\u003eDeleteLogGroup\u003c/code\u003e events in CloudTrail, allows them to evade detection and forensic analysis. The activity is detected by monitoring CloudTrail logs for successful log group deletions, excluding those initiated from the AWS console. This behavior is significant because it directly undermines the logging and monitoring infrastructure that defenders rely on for incident response and threat hunting. 
The original Splunk ES-CU analytic was published on 2026-05-05, but the underlying technique is still relevant.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing CloudWatch log groups using AWS CLI or API calls to identify potential targets for deletion.\u003c/li\u003e\n\u003cli\u003eThe attacker uses compromised credentials or a compromised IAM role to execute the \u003ccode\u003eDeleteLogGroup\u003c/code\u003e API call via AWS CLI, SDK, or API.\u003c/li\u003e\n\u003cli\u003eCloudTrail logs the \u003ccode\u003eDeleteLogGroup\u003c/code\u003e event with \u003ccode\u003eeventSource = logs.amazonaws.com\u003c/code\u003e and a successful \u003ccode\u003eerrorCode\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker may repeat this process for multiple log groups to eliminate a broader range of forensic data.\u003c/li\u003e\n\u003cli\u003eThe CloudWatch log group is permanently deleted, removing any logs it contained from the defender\u0026rsquo;s visibility.\u003c/li\u003e\n\u003cli\u003eThe attacker continues their malicious activities, now with reduced risk of detection due to the absence of relevant logs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of CloudWatch log groups allows attackers to operate with significantly reduced visibility. This can lead to delayed incident detection and response, increased dwell time, and greater potential for data exfiltration or system compromise. The deletion of logs hampers forensic investigations, making it difficult to determine the scope and impact of the attack. 
In environments with strict compliance requirements, such as those governed by HIPAA or PCI DSS, this can lead to significant penalties and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS CloudWatch Log Group Deletion\u0026rdquo; to your SIEM to detect unauthorized log group deletions using \u003ccode\u003eeventName = DeleteLogGroup\u003c/code\u003e and \u003ccode\u003eeventSource = logs.amazonaws.com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable AWS CloudTrail logging to capture \u003ccode\u003eDeleteLogGroup\u003c/code\u003e events within your AWS environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected \u003ccode\u003eDeleteLogGroup\u003c/code\u003e events, especially those not initiated from the AWS console (\u003ccode\u003euserAgent != console.amazonaws.com\u003c/code\u003e), as potential indicators of malicious activity.\u003c/li\u003e\n\u003cli\u003eImplement strict IAM policies to limit the ability to delete CloudWatch log groups to only authorized personnel.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-aws-cloudwatch-log-deletion/","summary":"Detection of AWS CloudWatch log group deletions via CloudTrail logs, excluding console-based actions, indicating potential defense evasion by attackers attempting to hide their tracks.","title":"AWS CloudWatch Log Group Deletion for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-cloudwatch-log-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — CloudWatch","version":"https://jsonfeed.org/version/1.1"}