{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cloudwatch/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","CloudWatch"],"_cs_severities":["high"],"_cs_tags":["aws","cloudwatch","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Splunk","Amazon"],"content_html":"\u003cp\u003eAttackers may delete CloudWatch log groups to remove evidence of their activities within an AWS environment. This action, identified through \u003ccode\u003eDeleteLogGroup\u003c/code\u003e events in CloudTrail, allows them to evade detection and forensic analysis. The activity is detected by monitoring CloudTrail logs for successful log group deletions, excluding those initiated from the AWS console. This behavior is significant because it directly undermines the logging and monitoring infrastructure that defenders rely on for incident response and threat hunting. 
The original Splunk ES-CU analytic was published on 2026-05-05, but the underlying technique is still relevant.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing CloudWatch log groups using AWS CLI or API calls to identify potential targets for deletion.\u003c/li\u003e\n\u003cli\u003eThe attacker uses compromised credentials or a compromised IAM role to execute the \u003ccode\u003eDeleteLogGroup\u003c/code\u003e API call via AWS CLI, SDK, or API.\u003c/li\u003e\n\u003cli\u003eCloudTrail logs the \u003ccode\u003eDeleteLogGroup\u003c/code\u003e event with \u003ccode\u003eeventSource = logs.amazonaws.com\u003c/code\u003e and a successful \u003ccode\u003eerrorCode\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker may repeat this process for multiple log groups to eliminate a broader range of forensic data.\u003c/li\u003e\n\u003cli\u003eThe CloudWatch log group is permanently deleted, removing any logs it contained from the defender\u0026rsquo;s visibility.\u003c/li\u003e\n\u003cli\u003eThe attacker continues their malicious activities, now with reduced risk of detection due to the absence of relevant logs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of CloudWatch log groups allows attackers to operate with significantly reduced visibility. This can lead to delayed incident detection and response, increased dwell time, and greater potential for data exfiltration or system compromise. The deletion of logs hampers forensic investigations, making it difficult to determine the scope and impact of the attack. 
In environments with strict compliance requirements, such as those governed by HIPAA or PCI DSS, this can lead to significant penalties and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS CloudWatch Log Group Deletion\u0026rdquo; to your SIEM to detect unauthorized log group deletions using \u003ccode\u003eeventName = DeleteLogGroup\u003c/code\u003e and \u003ccode\u003eeventSource = logs.amazonaws.com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable AWS CloudTrail logging to capture \u003ccode\u003eDeleteLogGroup\u003c/code\u003e events within your AWS environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected \u003ccode\u003eDeleteLogGroup\u003c/code\u003e events, especially those not initiated from the AWS console (\u003ccode\u003euserAgent != console.amazonaws.com\u003c/code\u003e), as potential indicators of malicious activity.\u003c/li\u003e\n\u003cli\u003eImplement strict IAM policies to limit the ability to delete CloudWatch log groups to only authorized personnel.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-aws-cloudwatch-log-deletion/","summary":"Detection of AWS CloudWatch log group deletions via CloudTrail logs, excluding console-based actions, indicating potential defense evasion by attackers attempting to hide their tracks.","title":"AWS CloudWatch Log Group Deletion for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-cloudwatch-log-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — Cloudwatch","version":"https://jsonfeed.org/version/1.1"}