{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/flow-logs/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Compute Cloud (EC2)"],"_cs_severities":["high"],"_cs_tags":["cloud","aws","defense-evasion","vpc","flow-logs"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eAn adversary with sufficient privileges within an AWS environment may attempt to delete VPC Flow Logs. These logs are crucial for monitoring network traffic within a VPC, and their removal can significantly impede incident response and forensic investigations. The deletion is accomplished by making a \u003ccode\u003eDeleteFlowLogs\u003c/code\u003e API call. This action is often taken to remove evidence of malicious activity, such as lateral movement, command and control communication, or data exfiltration. The impact of this activity can be severe, potentially allowing attackers to operate undetected for extended periods.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the AWS environment through compromised credentials or an exploited vulnerability (not detailed in source).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges within the AWS environment to gain the necessary permissions to delete VPC Flow Logs (not detailed in source).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS CLI or AWS Management Console to execute the \u003ccode\u003eDeleteFlowLogs\u003c/code\u003e API call.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the specific Flow Log IDs that need to be deleted.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the AWS API using stolen or generated credentials.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDeleteFlowLogs\u003c/code\u003e API call is made, specifying the Flow Log IDs to be deleted.\u003c/li\u003e\n\u003cli\u003eAWS processes the request and deletes the specified VPC Flow Logs.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the deletion of the Flow Logs to ensure that their actions are no longer being logged.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of VPC Flow Logs prevents security teams from detecting malicious activity within the AWS environment. Without these logs, it becomes significantly more difficult to investigate security incidents, track attacker movements, and understand the scope of a compromise. This can lead to delayed incident response, increased dwell time for attackers, and greater overall damage. The absence of flow logs severely limits network visibility, hindering any attempt to reconstruct events or identify compromised assets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;AWS VPC Flow Logs Deleted\u0026rdquo; to detect instances of \u003ccode\u003eDeleteFlowLogs\u003c/code\u003e API calls (reference: rules section).\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for \u003ccode\u003eDeleteFlowLogs\u003c/code\u003e events and investigate any unexpected occurrences (reference: logsource).\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege to restrict IAM users and roles from having the \u003ccode\u003eec2:DeleteFlowLogs\u003c/code\u003e permission unless absolutely necessary.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AWS accounts, especially those with administrative privileges.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit IAM policies to ensure that permissions are appropriately scoped and not overly permissive.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-aws-vpc-flow-logs-deleted/","summary":"An adversary may delete VPC Flow Logs in AWS EC2 by calling the DeleteFlowLogs API to evade detection and hinder forensic investigations.","title":"AWS VPC Flow Logs Deletion for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-vpc-flow-logs-deleted/"}],"language":"en","title":"CraftedSignal Threat Feed — Flow-Logs","version":"https://jsonfeed.org/version/1.1"}