{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/attack.t1562.008/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS Config","AWS CloudTrail"],"_cs_severities":["medium"],"_cs_tags":["attack.defense-impairment","attack.t1562.008","aws"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting the disabling of AWS Config, the service that continuously records the configuration of AWS resources and evaluates it against compliance rules. An attacker might disable AWS Config to evade detection and prevent auditing of their activity within the AWS environment. By stopping the configuration recorder or deleting the delivery channel, an attacker blinds the security team to subsequent changes to AWS resources and silences any Config rules that trigger on those changes. If unauthorized, this activity is a direct attempt to impair defenses (MITRE ATT\u0026CK T1562.008, Disable or Modify Cloud Logs). 
This brief provides detections based on AWS CloudTrail logs, which keep recording the API calls themselves after AWS Config has stopped recording resource state.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account, for example through compromised credentials or by exploiting a vulnerability in an exposed workload.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing AWS Config resources with \u003ccode\u003eDescribeConfigurationRecorders\u003c/code\u003e and \u003ccode\u003eDescribeDeliveryChannels\u003c/code\u003e to identify the configuration recorder and delivery channel in the target region.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003eStopConfigurationRecorder\u003c/code\u003e API call to halt the recording of configuration changes for AWS resources.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003eDeleteDeliveryChannel\u003c/code\u003e API call to stop the delivery of configuration history and snapshots to the designated S3 bucket and, where configured, SNS topic. AWS rejects this call while the recorder is still running, which is why the recorder is stopped first; a rejected attempt still lands in CloudTrail with an \u003ccode\u003eerrorCode\u003c/code\u003e and is itself a useful signal.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions within the AWS environment without the resulting resource changes being recorded or evaluated by AWS Config.\u003c/li\u003e\n\u003cli\u003eIf they hold sufficient permissions, the attacker may also stop or delete the CloudTrail trail, or delete its logs from S3, to further cover their tracks.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as deploying malicious infrastructure, exfiltrating data, or disrupting services, without immediate detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessfully disabling AWS Config removes the configuration history, compliance evaluation, and change notifications that defenders rely on, so the attacker\u0026rsquo;s subsequent changes to resources are neither recorded nor flagged by Config rules. This delays the response to the incident and can result in more significant data breaches, financial losses, or reputational damage. 
The number of affected AWS accounts and the scope of the damage depend on the attacker\u0026rsquo;s objectives and on how long the activity goes unnoticed. Because AWS Config is a regional service, each region has its own recorder and delivery channel, and an attacker only needs to disable the pair covering the region they operate in.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS Config Disabling Channel/Recorder\u0026rdquo; to your SIEM and tune it for your environment: allowlist only the identities (for example a break-glass role) that are expected to change AWS Config, and treat every other match as an alert.\u003c/li\u003e\n\u003cli\u003eReview AWS IAM policies so that only those identities hold \u003ccode\u003econfig:StopConfigurationRecorder\u003c/code\u003e, \u003ccode\u003econfig:DeleteDeliveryChannel\u003c/code\u003e and \u003ccode\u003econfig:DeleteConfigurationRecorder\u003c/code\u003e; in an AWS Organization, a service control policy can deny these actions to every principal except that role.\u003c/li\u003e\n\u003cli\u003eRequire multi-factor authentication (MFA) for the root user and every IAM user, and prefer short-lived role credentials over long-lived access keys, to reduce the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail management events for \u003ccode\u003eeventSource\u003c/code\u003e \u003ccode\u003econfig.amazonaws.com\u003c/code\u003e with \u003ccode\u003eeventName\u003c/code\u003e \u003ccode\u003eStopConfigurationRecorder\u003c/code\u003e or \u003ccode\u003eDeleteDeliveryChannel\u003c/code\u003e, the fields the provided Sigma rule keys on. Records that carry an \u003ccode\u003eerrorCode\u003c/code\u003e are rejected attempts (AWS refuses to delete the delivery channel while the recorder is running) and still warrant investigation. Use an organization or multi-region trail so that calls made in any region are captured.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-aws-config-disable/","summary":"Detection of AWS Config Service disabling, potentially indicating an attempt to impair defenses by stopping configuration recording and delivery.","title":"AWS Config Service Disabling Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-config-disable/"}],"language":"en","title":"CraftedSignal Threat Feed — Attack.t1562.008","version":"https://jsonfeed.org/version/1.1"}
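The CloudTrail detection the brief recommends, as an added example that is not CraftedSignal's code nor the Sigma rule itself. It reads a CloudTrail log file, flags the two API calls the Sigma rule keys on plus `DeleteConfigurationRecorder` (which has the same blinding effect), separates successful calls from rejected ones via `errorCode`, suppresses a hypothetical break-glass role (`ConfigAdminBreakGlass`, an assumption), and escalates to high when one principal completes the stop-recorder-then-delete-channel sequence within a time window. The account ID, ARNs, IP addresses and timestamps in the sample records are constructed.

```python
"""Flag AWS Config disabling in CloudTrail records (added example, not CraftedSignal code).

The sample records below are constructed: fake account, ARNs, IPs and times.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta

CONFIG_EVENT_SOURCE = "config.amazonaws.com"
# The two eventNames the brief's Sigma rule keys on, plus DeleteConfigurationRecorder,
# which blinds AWS Config just as effectively.
DISABLE_EVENTS = {"StopConfigurationRecorder", "DeleteDeliveryChannel",
                  "DeleteConfigurationRecorder"}
# Hypothetical break-glass role that is allowed to change Config (assumption; tune per env).
ALLOWED_PRINCIPAL_ARNS = {"arn:aws:iam::123456789012:role/ConfigAdminBreakGlass"}

# Constructed CloudTrail log file body, trimmed to the fields this logic reads.
SAMPLE_CLOUDTRAIL_JSON = """{"Records": [
 {"eventTime": "2024-01-02T10:00:00Z", "eventSource": "config.amazonaws.com",
  "eventName": "DescribeConfigurationRecorders", "awsRegion": "us-east-1",
  "sourceIPAddress": "198.51.100.23",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
 {"eventTime": "2024-01-02T10:00:05Z", "eventSource": "config.amazonaws.com",
  "eventName": "StopConfigurationRecorder", "awsRegion": "us-east-1",
  "sourceIPAddress": "198.51.100.23",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy"},
  "requestParameters": {"configurationRecorderName": "default"}},
 {"eventTime": "2024-01-02T10:00:40Z", "eventSource": "config.amazonaws.com",
  "eventName": "DeleteDeliveryChannel", "awsRegion": "eu-west-1",
  "sourceIPAddress": "198.51.100.23",
  "errorCode": "LastDeliveryChannelDeleteFailedException",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy"},
  "requestParameters": {"deliveryChannelName": "default"}},
 {"eventTime": "2024-01-02T10:01:30Z", "eventSource": "config.amazonaws.com",
  "eventName": "DeleteDeliveryChannel", "awsRegion": "us-east-1",
  "sourceIPAddress": "198.51.100.23",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy"},
  "requestParameters": {"deliveryChannelName": "default"}},
 {"eventTime": "2024-01-02T11:30:00Z", "eventSource": "config.amazonaws.com",
  "eventName": "StopConfigurationRecorder", "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::123456789012:assumed-role/ConfigAdminBreakGlass/ops-1",
   "sessionContext": {"sessionIssuer": {"type": "Role",
    "arn": "arn:aws:iam::123456789012:role/ConfigAdminBreakGlass"}}}}
]}"""


def load_records(body: str) -> list[dict]:
    """Parse a CloudTrail log file ({"Records": [...]}) into a list of records."""
    return json.loads(body)["Records"]


def issuer_arn(record: dict) -> str:
    """ARN to allowlist on: the role ARN for role sessions, else the identity ARN."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "unknown")


def match_event(record: dict) -> dict | None:
    """Return an alert for a Config-disabling API call, or None for anything else."""
    if record.get("eventSource") != CONFIG_EVENT_SOURCE:
        return None
    if record.get("eventName") not in DISABLE_EVENTS:
        return None
    principal = issuer_arn(record)
    if principal in ALLOWED_PRINCIPAL_ARNS:
        return None  # expected maintenance by the break-glass role
    # CloudTrail records rejected calls too: AWS refuses DeleteDeliveryChannel while
    # the recorder is running, and the failed attempt is still an attempt.
    error = record.get("errorCode")
    return {
        "time": datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
        "event": record["eventName"],
        "principal": principal,
        "region": record.get("awsRegion"),
        "source_ip": record.get("sourceIPAddress"),
        "outcome": f"failed:{error}" if error else "success",
        "severity": "medium",
    }


def detect(records: list[dict], window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Alert on every disabling call; escalate a completed stop-then-delete sequence."""
    alerts = [a for a in map(match_event, records) if a]
    by_principal: dict[str, list[dict]] = {}
    for alert in alerts:
        if alert["outcome"] == "success":
            by_principal.setdefault(alert["principal"], []).append(alert)
    for group in by_principal.values():
        names = {a["event"] for a in group}
        span = max(a["time"] for a in group) - min(a["time"] for a in group)
        if {"StopConfigurationRecorder", "DeleteDeliveryChannel"} <= names and span <= window:
            for alert in group:
                alert["severity"] = "high"
    return alerts


if __name__ == "__main__":
    for a in detect(load_records(SAMPLE_CLOUDTRAIL_JSON)):
        print(f"{a['time']:%H:%M:%S} {a['severity']:6} {a['event']:28} "
              f"{a['outcome']:48} {a['region']} {a['principal']}")
```

On the sample data the script emits three alerts for `user/ci-deploy`: the successful `StopConfigurationRecorder` and `DeleteDeliveryChannel` in us-east-1 are escalated to high because they complete the sequence 85 seconds apart, while the eu-west-1 `DeleteDeliveryChannel` that AWS rejected stays at medium with its `errorCode` preserved. The break-glass role's call is suppressed because the allowlist matches on `sessionIssuer.arn`, not on the per-session assumed-role ARN; when running this against a real trail, feed it every log file from an organization or multi-region trail, since a recorder stopped in one region produces no event in another.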