{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/aws-account/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","CloudTrail"],"_cs_severities":["high"],"_cs_tags":["aws","cloudtrail","defense-evasion","aws-account"],"_cs_type":"advisory","_cs_vendors":["Splunk","Amazon"],"content_html":"\u003cp\u003eThis alert focuses on detecting the \u003ccode\u003eStopLogging\u003c/code\u003e event within AWS CloudTrail, a critical indicator of potential defense evasion. Attackers often disable CloudTrail logging to conceal their malicious activities, making it difficult for security teams to detect and respond to breaches effectively. The detection specifically looks for successful \u003ccode\u003eStopLogging\u003c/code\u003e events (\u003ccode\u003eerrorCode = success\u003c/code\u003e) originating from sources other than the AWS console (\u003ccode\u003euserAgent!=console.amazonaws.com\u003c/code\u003e). By identifying these instances, security teams can quickly investigate the reasons behind the logging stoppage, determine if it was authorized, and take appropriate action to prevent further unauthorized activities. This is especially critical for maintaining visibility and control over AWS environments, ensuring that malicious actions are not conducted without a trace.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an AWS account, potentially through compromised credentials or exploiting a misconfiguration.\u003c/li\u003e\n\u003cli\u003eThe attacker assumes a role or escalates privileges to gain sufficient permissions to manage CloudTrail.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the active CloudTrail trails within the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003eStopLogging\u003c/code\u003e API call against the identified CloudTrail trail.\u003c/li\u003e\n\u003cli\u003eCloudTrail logs the \u003ccode\u003eStopLogging\u003c/code\u003e event, recording the action, user, and source IP.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with malicious activities, such as data exfiltration, resource manipulation, or deploying backdoors, without being logged by CloudTrail.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to remove or modify existing security controls and monitoring configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker persists in the environment, potentially creating new identities or backdoors to maintain access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of CloudTrail logging can have severe consequences. It impairs incident response by removing the primary source of audit data. Without CloudTrail logs, security teams lose visibility into attacker activities, making it difficult to determine the scope and impact of the breach. Attackers can operate undetected, exfiltrate sensitive data, modify critical resources, and establish persistent backdoors. The impact can range from data breaches and financial losses to reputational damage and regulatory fines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect instances of \u003ccode\u003eStopLogging\u003c/code\u003e events in AWS CloudTrail logs and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected \u003ccode\u003eStopLogging\u003c/code\u003e events, focusing on the user (\u003ccode\u003euser\u003c/code\u003e), source IP (\u003ccode\u003esrc\u003c/code\u003e), and reason for stopping logging.\u003c/li\u003e\n\u003cli\u003eEnable multi-factor authentication (MFA) for all AWS accounts to prevent credential compromise (TTP: TA0001).\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege to minimize the impact of compromised credentials (TTP: TA0004).\u003c/li\u003e\n\u003cli\u003eRegularly review and audit CloudTrail configurations to ensure logging is enabled and properly configured (TTP: TA0005).\u003c/li\u003e\n\u003cli\u003eImplement alerting for changes to CloudTrail configuration to detect unauthorized modifications (TTP: TA0005).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-aws-cloudtrail-stop-logging/","summary":"Detection of AWS CloudTrail StopLogging events indicates a potential defense evasion attempt by an attacker to operate stealthily within a compromised AWS environment and hinder incident response.","title":"AWS CloudTrail Logging Stopped for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-cloudtrail-stop-logging/"}],"language":"en","title":"CraftedSignal Threat Feed — Aws-Account","version":"https://jsonfeed.org/version/1.1"}