{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/attack.t1562.004/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Bitbucket"],"_cs_severities":["medium"],"_cs_tags":["attack.defense-impairment","attack.t1562.004","bitbucket"],"_cs_type":"advisory","_cs_vendors":["Atlassian"],"content_html":"\u003cp\u003eAttackers may target Bitbucket audit log configurations to reduce or eliminate logging, thereby hindering incident response and forensic investigations. Modifying audit settings is a defense evasion technique that allows malicious actors to operate with less visibility. This activity typically occurs post-compromise. This brief focuses on detecting such modifications. Visibility of audit events requires at least \u0026ldquo;Basic\u0026rdquo; log level configuration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a Bitbucket instance, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Bitbucket web interface or uses the Bitbucket API.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the audit log configuration settings within the Bitbucket administration panel.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the audit log settings, such as disabling logging for specific event categories or reducing the log retention period.\u003c/li\u003e\n\u003cli\u003eThe Bitbucket server processes the configuration change request.\u003c/li\u003e\n\u003cli\u003eAudit events related to the configuration change are logged (if auditing is still enabled for such events).\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities, such as creating unauthorized repositories or exfiltrating source code, with reduced risk of detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the Bitbucket audit log configuration allows attackers to operate with significantly reduced visibility. This can lead to delayed detection of breaches, prolonged dwell time, and increased data exfiltration. Without proper audit logging, organizations will struggle to identify the scope and impact of a compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Bitbucket Audit Log Configuration Updated\u0026rdquo; Sigma rule to your SIEM to detect changes to audit log configurations (logsource: bitbucket, service: audit).\u003c/li\u003e\n\u003cli\u003eEnsure Bitbucket audit logging is enabled at the \u0026ldquo;Basic\u0026rdquo; level or higher, as lower levels may not capture configuration changes (logsource: bitbucket, service: audit).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of audit log configuration changes to determine if they are authorized (Sigma rule: \u0026ldquo;Bitbucket Audit Log Configuration Updated\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-10-26T12:00:00Z","date_published":"2024-10-26T12:00:00Z","id":"/briefs/2024-10-bitbucket-audit-config-mod/","summary":"An attacker may modify the Bitbucket audit log configuration to impair security monitoring and evade detection.","title":"Bitbucket Audit Log Configuration Modified","url":"https://feed.craftedsignal.io/briefs/2024-10-bitbucket-audit-config-mod/"}],"language":"en","title":"CraftedSignal Threat Feed — Attack.t1562.004","version":"https://jsonfeed.org/version/1.1"}