CloudWatch — CraftedSignal Threat Feed

AWS Security Services Impairment via Deletion of Resources

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This threat brief focuses on the detection of malicious attempts to impair or disable AWS security services through the deletion of critical resources. Attackers target services like GuardDuty, AWS WAF (classic and v2), CloudWatch, Route 53, and CloudWatch Logs to evade detection and remove visibility. The primary objective is to create blind spots within the AWS environment, allowing attackers to operate undetected. The activity is identified through specific API calls logged in CloudTrail, such as “DeleteLogStream” and “DeleteDetector.” This targeted approach significantly reduces the noise and ensures that only security-related deletions are flagged, enhancing the accuracy of the detection. Successful evasion can lead to privilege escalation or data exfiltration without triggering security alerts, severely compromising the AWS environment.

Attack Chain

Initial access to the AWS environment is achieved through compromised credentials or a misconfigured IAM role.
The attacker enumerates existing security services, including GuardDuty, AWS WAF, CloudWatch, Route 53, and CloudWatch Logs, to identify potential targets for impairment.
The attacker uses AWS CLI or API calls to attempt to delete GuardDuty detectors using DeleteDetector against guardduty.amazonaws.com.
The attacker attempts to delete WAF rules, IP sets, or rule groups using DeleteIPSet, DeleteWebACL, DeleteRuleGroup, or DeleteRule API calls targeting wafv2.amazonaws.com or waf.amazonaws.com.
The attacker attempts to delete CloudWatch logging configurations via the DeleteLoggingConfiguration API call from wafv2.amazonaws.com, waf.amazonaws.com, or route53.amazonaws.com.
The attacker might attempt to delete CloudWatch alarms using the DeleteAlarms event.
If successful, the attacker disables critical security monitoring and logging functions, creating blind spots for defenders.
The attacker leverages the compromised environment to escalate privileges, move laterally, exfiltrate data, or deploy persistent backdoors without triggering security alerts.

Impact

Successful execution of this attack can severely compromise the security posture of the AWS environment. By disabling security services like GuardDuty and CloudWatch, attackers can operate undetected, escalate privileges, and exfiltrate sensitive data without triggering security alerts. The scope of the impact depends on the attacker’s objectives, the sensitivity of the data, and the extent of the compromise.

Recommendation

Enable AWS CloudTrail logging across all regions in your AWS environment to capture API calls and events necessary for detection.
Deploy the Sigma rule AWS Defense Evasion via Security Service Deletion to your SIEM and tune for your environment using user_agent and user_arn fields.
Investigate any alerts generated by the Sigma rule, focusing on the user accounts involved and the specific resources being deleted.
Regularly review and validate the configurations of your AWS security services, including GuardDuty detectors, WAF rules, and CloudWatch alarms, to ensure they are properly configured and protected from unauthorized deletion.
Implement multi-factor authentication (MFA) for all AWS accounts, especially those with administrative privileges, to reduce the risk of credential compromise.

AWS Security Services Configuration Deletion

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This threat brief addresses the tactic of adversaries deleting critical AWS security service configurations to evade detection. This includes deleting CloudWatch alarms, GuardDuty detectors, and Web Application Firewall (WAF) rules. The activity is identified through specific API calls such as “DeleteLogStream”, “DeleteDetector”, “DeleteIPSet”, “DeleteWebACL”, “DeleteRule”, “DeleteRuleGroup”, “DeleteLoggingConfiguration”, and “DeleteAlarms” within Amazon Security Lake logs. By successfully removing or impairing these services, attackers can operate undetected within an AWS environment, increasing the risk of data breaches, unauthorized access, and persistent compromise. The scope includes any AWS environment utilizing the mentioned security services and logging via Amazon Security Lake.

Attack Chain

Initial Access: The attacker gains initial access to the AWS environment, potentially through compromised credentials or exploiting a vulnerability.
Privilege Escalation: The attacker escalates privileges to obtain the necessary permissions to modify or delete security service configurations.
Discovery: The attacker enumerates existing security configurations, such as CloudWatch alarms, GuardDuty detectors, and WAF rules, to identify targets for deletion.
Defense Evasion - Service Deletion: The attacker executes API calls like DeleteLogStream, DeleteDetector, DeleteIPSet, DeleteWebACL, DeleteRule, DeleteRuleGroup, DeleteLoggingConfiguration, or DeleteAlarms to delete security service configurations.
Persistence: With security monitoring impaired, the attacker establishes persistence mechanisms, such as creating new IAM users or roles with excessive permissions, or deploying backdoors within EC2 instances.
Lateral Movement: The attacker moves laterally through the AWS environment, accessing sensitive data and resources.
Data Exfiltration: The attacker exfiltrates sensitive data from the compromised AWS environment.
Impact: The attacker achieves their objective, which could include data theft, disruption of services, or financial gain.

Impact

Successful deletion of AWS security services can have severe consequences, potentially affecting any organization using AWS. Consequences range from data breaches and unauthorized resource access to prolonged persistence of malicious actors within the AWS environment. The number of affected victims and the scope of damage depends on the scale of the AWS environment and the sensitivity of the data stored within. Organizations in all sectors are potentially at risk.

Recommendation

Deploy the provided Sigma rule to your SIEM to detect the deletion of critical AWS security service configurations based on Amazon Security Lake logs.
Investigate any identified instances of API calls related to the deletion of security services (e.g., “DeleteLogStream”, “DeleteDetector”) using the provided Sigma rule.
Implement multi-factor authentication (MFA) for all IAM users and roles to reduce the risk of compromised credentials.
Review and restrict IAM policies to ensure that users and roles have only the necessary permissions to perform their duties.
Monitor CloudTrail logs for unusual activity, such as unexpected API calls or changes to IAM policies.
Regularly audit AWS security configurations to ensure that they are properly configured and maintained.

AWS CloudWatch Log Group Deletion for Defense Evasion

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Attackers may delete CloudWatch log groups to remove evidence of their activities within an AWS environment. This action, identified through DeleteLogGroup events in CloudTrail, allows them to evade detection and forensic analysis. The activity is detected by monitoring CloudTrail logs for successful log group deletions, excluding those initiated from the AWS console. This behavior is significant because it directly undermines the logging and monitoring infrastructure that defenders rely on for incident response and threat hunting. The original Splunk ES-CU analytic was published in 2026-05-05, but the underlying technique is still relevant.

Attack Chain

An attacker gains unauthorized access to an AWS account.
The attacker enumerates existing CloudWatch log groups using AWS CLI or API calls to identify potential targets for deletion.
The attacker uses compromised credentials or a compromised IAM role to execute the DeleteLogGroup API call via AWS CLI, SDK, or API.
CloudTrail logs the DeleteLogGroup event with eventSource = logs.amazonaws.com and a successful errorCode.
The attacker may repeat this process for multiple log groups to eliminate a broader range of forensic data.
The CloudWatch log group is permanently deleted, removing any logs it contained from the defender’s visibility.
The attacker continues their malicious activities, now with reduced risk of detection due to the absence of relevant logs.

Impact

Successful deletion of CloudWatch log groups allows attackers to operate with significantly reduced visibility. This can lead to delayed incident detection and response, increased dwell time, and greater potential for data exfiltration or system compromise. The deletion of logs hampers forensic investigations, making it difficult to determine the scope and impact of the attack. In environments with strict compliance requirements, such as those governed by HIPAA or PCI DSS, this can lead to significant penalties and reputational damage.

Recommendation

Deploy the Sigma rule “AWS CloudWatch Log Group Deletion” to your SIEM to detect unauthorized log group deletions using eventName = DeleteLogGroup and eventSource = logs.amazonaws.com.
Enable AWS CloudTrail logging to capture DeleteLogGroup events within your AWS environment.
Investigate any detected DeleteLogGroup events, especially those not initiated from the AWS console (userAgent !=console.amazonaws.com), as potential indicators of malicious activity.
Implement strict IAM policies to limit the ability to delete CloudWatch log groups to only authorized personnel.