{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/eventbridge/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["EventBridge"],"_cs_severities":["low"],"_cs_tags":["aws","eventbridge","impact","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Amazon Web Services"],"content_html":"\u003cp\u003eThis detection identifies when an Amazon EventBridge rule is disabled or deleted. EventBridge rules automate operational workflows and forward security-relevant events to services like Lambda, SNS, or security tools. Disabling or deleting a rule can break integrations, suppress detections, and reduce visibility, potentially allowing adversaries to impair monitoring, delay incident response, or hide malicious activity. The actions of \u003ccode\u003eDeleteRule\u003c/code\u003e or \u003ccode\u003eDisableRule\u003c/code\u003e are monitored to identify suspicious activity related to event rules within AWS environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to an AWS account with sufficient permissions to manage EventBridge rules, potentially through compromised credentials or an IAM role with excessive privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing EventBridge rules to identify those that are critical for security monitoring or incident response.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003eDisableRule\u003c/code\u003e API call to temporarily stop a targeted EventBridge rule from processing events.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker executes the \u003ccode\u003eDeleteRule\u003c/code\u003e API call to permanently remove the targeted EventBridge rule.\u003c/li\u003e\n\u003cli\u003eThe CloudTrail logs record the \u003ccode\u003eDisableRule\u003c/code\u003e or \u003ccode\u003eDeleteRule\u003c/code\u003e event, including the user identity, timestamp, and affected rule details.\u003c/li\u003e\n\u003cli\u003eIf the deleted or disabled rule was responsible for forwarding security events (e.g., CloudTrail findings, GuardDuty alerts) to a SIEM or other security tool, the flow of alerts is disrupted.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the gap in monitoring to perform further malicious activities within the AWS environment without immediate detection.\u003c/li\u003e\n\u003cli\u003eThe final objective is to maintain persistence, escalate privileges, or exfiltrate data without triggering alerts, taking advantage of the disabled or deleted EventBridge rule.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling or deleting EventBridge rules can disrupt critical security monitoring and incident response workflows, creating blind spots in detection coverage. Depending on the affected rule, this can lead to delayed detection of security incidents, allowing attackers to perform malicious activities undetected. A successful attack could lead to data breaches, unauthorized access to resources, or other security compromises. The severity of the impact depends on the criticality of the disabled or deleted rule and the scope of its responsibilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect \u003ccode\u003eDeleteRule\u003c/code\u003e or \u003ccode\u003eDisableRule\u003c/code\u003e events within CloudTrail logs, and tune it to your environment.\u003c/li\u003e\n\u003cli\u003eRestrict \u003ccode\u003eevents:DisableRule\u003c/code\u003e and \u003ccode\u003eevents:DeleteRule\u003c/code\u003e permissions to a small set of administrative roles using IAM conditions to reduce the likelihood of silent impairment.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003eaws.cloudtrail.user_identity.access_key_id\u003c/code\u003e to identify which principal performed the change.\u003c/li\u003e\n\u003cli\u003eRestore critical rules immediately by re-enabling disabled rules or recreating deleted rules from known-good baselines if the activity is unauthorized.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-eventbridge-rule-disabled-or-deleted/","summary":"Detection of Amazon EventBridge rule disabling or deletion events, which can disrupt operational workflows and security monitoring.","title":"AWS EventBridge Rule Disabled or Deleted","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-eventbridge-rule-disabled-or-deleted/"}],"language":"en","title":"CraftedSignal Threat Feed - EventBridge","version":"https://jsonfeed.org/version/1.1"}