{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/splunk-add-on-for-amazon-web-services/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["CloudTrail","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Splunk Add-on for Amazon Web Services"],"_cs_severities":["medium"],"_cs_tags":["aws","cloudtrail","defense-evasion","cloud"],"_cs_type":"advisory","_cs_vendors":["Amazon","Splunk"],"content_html":"\u003cp\u003eThis detection focuses on identifying attempts to evade detection within AWS environments by monitoring \u003ccode\u003eUpdateTrail\u003c/code\u003e events in AWS CloudTrail logs. Attackers may modify CloudTrail settings with incorrect parameters, such as switching from multi-regional logging to single-region logging, to reduce the scope of logged activities. This tactic allows adversaries to operate undetected in compromised AWS environments, as their actions in other regions are not properly recorded. Detecting these configuration changes is critical for Security Operations Centers (SOCs) to maintain visibility and respond effectively to threats. 
The lack of comprehensive logging can significantly impede incident response and forensic investigations, allowing malicious activities to persist unnoticed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, potentially through compromised credentials or an exposed API key (T1078).\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the AWS Management Console or uses the AWS CLI with the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker issues an \u003ccode\u003eUpdateTrail\u003c/code\u003e API call to modify the CloudTrail configuration (T1562.008).\u003c/li\u003e\n\u003cli\u003eThe attacker disables multi-region logging, restricting log collection to a single AWS region.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker modifies the S3 bucket used for log storage, potentially directing logs to an attacker-controlled location.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities within the AWS environment, knowing that these actions will not be comprehensively logged across all regions.\u003c/li\u003e\n\u003cli\u003eThese malicious activities could include lateral movement, data exfiltration, or resource compromise.\u003c/li\u003e\n\u003cli\u003eThe reduced logging scope hinders detection and response efforts, allowing the attacker to maintain persistence and achieve their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful evasion of CloudTrail logging can lead to significant blind spots in security monitoring.  If an attacker successfully modifies CloudTrail settings, their subsequent actions within the AWS environment are less likely to be detected.  This can lead to prolonged dwell time, increased data exfiltration, and greater overall damage. 
Organizations relying on CloudTrail for compliance and security auditing may also face regulatory repercussions due to incomplete logging. The blast radius of a successful attack expands significantly when logging is impaired, affecting potentially all resources within the AWS environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune it for your specific AWS environment to detect unauthorized CloudTrail modifications.\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003eUpdateTrail\u003c/code\u003e events where the \u003ccode\u003eactor.user.uid\u003c/code\u003e is not a known administrator account (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for changes to multi-region logging settings and S3 bucket destinations (see references to \u003ccode\u003eapi.operation=UpdateTrail\u003c/code\u003e in the \u003ccode\u003esearch\u003c/code\u003e field).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AWS accounts, especially those with administrative privileges, to mitigate credential compromise (T1110).\u003c/li\u003e\n\u003cli\u003eRegularly review and audit CloudTrail configurations to ensure they align with security best practices and organizational policies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-aws-cloudtrail-update/","summary":"Attackers may attempt to evade detection by altering CloudTrail logging configurations, such as changing multi-regional logging to a single region, which impairs the logging of their activities and hinders incident response.","title":"AWS CloudTrail Update for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-cloudtrail-update/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["CloudTrail","Splunk 
Enterprise","Splunk Enterprise Security","Splunk Cloud","Amazon Security Lake","Splunk Add-on for Amazon Web Services"],"_cs_severities":["high"],"_cs_tags":["aws","network-acl","misconfiguration","cloud","security-group"],"_cs_type":"advisory","_cs_vendors":["Amazon","Splunk"],"content_html":"\u003cp\u003eThis detection focuses on identifying misconfigured AWS Network ACLs (NACLs) that permit unrestricted traffic. AWS NACLs act as a firewall for controlling traffic in and out of subnets within a Virtual Private Cloud (VPC). When an NACL is configured to allow all ports and protocols from any IP address (0.0.0.0/0), it effectively bypasses security controls and exposes resources to potential threats. The activity is detected by monitoring AWS CloudTrail events for \u003ccode\u003eCreateNetworkAclEntry\u003c/code\u003e or \u003ccode\u003eReplaceNetworkAclEntry\u003c/code\u003e API calls. This configuration error can be introduced by administrators during initial setup or through misconfiguration during updates. 
Defenders should ensure that NACLs follow the principle of least privilege to limit the attack surface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a target AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker scans for publicly accessible services or resources.\u003c/li\u003e\n\u003cli\u003eAn administrator, either maliciously or accidentally, creates or modifies a Network ACL using the AWS Management Console, CLI, or API with overly permissive rules (allowing all traffic: \u003ccode\u003eruleAction=allow AND egress=false AND aclProtocol=-1 AND cidrBlock=0.0.0.0/0\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe misconfigured NACL is applied to one or more subnets within the VPC.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the open ports and protocols to gain unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally within the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or disrupts services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA misconfigured Network ACL that allows all traffic can have severe consequences. It can lead to unauthorized access to sensitive data, potential data breaches, service disruption, and further compromise of the AWS environment. The impact is particularly high if critical resources are located within the affected subnets. 
This type of misconfiguration violates security best practices and compliance requirements.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS Network ACL Created with All Ports Open\u003c/code\u003e to your SIEM to detect this specific misconfiguration (logsource: \u003ccode\u003eASL AWS CloudTrail\u003c/code\u003e, category: \u003ccode\u003enetwork_connection\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview existing Network ACL configurations to identify and remediate any overly permissive rules (check AWS console or use AWS CLI/API).\u003c/li\u003e\n\u003cli\u003eImplement automated checks to validate Network ACL configurations against security best practices.\u003c/li\u003e\n\u003cli\u003eEnsure that NACLs follow the principle of least privilege by only allowing necessary traffic (review NACL \u003ccode\u003eruleAction\u003c/code\u003e, \u003ccode\u003eegress\u003c/code\u003e, \u003ccode\u003eaclProtocol\u003c/code\u003e, and \u003ccode\u003ecidrBlock\u003c/code\u003e settings in CloudTrail logs).\u003c/li\u003e\n\u003cli\u003eInvestigate any identified instances of overly permissive NACL configurations to determine the root cause and potential impact (analyze CloudTrail logs for \u003ccode\u003eCreateNetworkAclEntry\u003c/code\u003e or \u003ccode\u003eReplaceNetworkAclEntry\u003c/code\u003e events).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-aws-nacls-all-open/","summary":"The analytic detects the creation or replacement of AWS Network Access Control Lists (ACLs) with rules that allow all traffic from a specified CIDR block, potentially exposing the network to unauthorized access and increasing the risk of data breaches.","title":"AWS Network ACL Created with All Ports 
Open","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-nacls-all-open/"}],"language":"en","title":"CraftedSignal Threat Feed — Splunk Add-on for Amazon Web Services","version":"https://jsonfeed.org/version/1.1"}