{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/log-deletion/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["CloudWatch Logs"],"_cs_severities":["medium"],"_cs_tags":["aws","cloudwatch","log-deletion","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis rule detects the deletion of an Amazon CloudWatch log stream using the \u0026quot;DeleteLogStream\u0026quot; API. CloudWatch log streams contain sequential log events crucial for monitoring applications, services, and AWS resources. Adversaries may delete these streams to cover their tracks after unauthorized actions, break ingestion pipelines feeding SIEM, alerting, or anomaly detection, or remove evidence before escalating privileges or moving laterally. This activity directly impacts security visibility, audit trails, and forensic evidence. The rule specifically looks for successful invocations of the \u003ccode\u003eDeleteLogStream\u003c/code\u003e API as recorded in CloudTrail logs, helping defenders identify potentially malicious actions within their AWS environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates available CloudWatch log streams to identify targets for deletion.\u003c/li\u003e\n\u003cli\u003eThe attacker invokes the \u003ccode\u003eDeleteLogStream\u003c/code\u003e API via the AWS CLI, SDK, or console.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDeleteLogStream\u003c/code\u003e API call is authenticated and authorized by AWS IAM.\u003c/li\u003e\n\u003cli\u003eCloudWatch permanently deletes the specified log stream, removing all associated log events.\u003c/li\u003e\n\u003cli\u003eThe deletion event is recorded in AWS CloudTrail.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to cover their tracks by deleting related CloudTrail logs (though this action would generate further alerts).\u003c/li\u003e\n\u003cli\u003eThe attacker continues lateral movement or completes their objective, relying on the reduced visibility to remain undetected.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of CloudWatch log streams can severely impair an organization's ability to detect and respond to security incidents. Deleted log events are permanently removed, disrupting security visibility and breaking audit trails. The number of victims can range from single applications to entire AWS environments, depending on the scope of the attacker's access and the importance of the deleted log streams. This activity is particularly damaging in sectors heavily reliant on compliance and regulatory oversight.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect instances of \u003ccode\u003eDeleteLogStream\u003c/code\u003e API calls in CloudTrail logs, and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule, focusing on the \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003esource.ip\u003c/code\u003e fields to identify the actor and origin of the request.\u003c/li\u003e\n\u003cli\u003eImplement IAM least-privilege principles for the \u003ccode\u003elogs:DeleteLogStream\u003c/code\u003e permission to minimize the blast radius of compromised accounts.\u003c/li\u003e\n\u003cli\u003eEnable AWS Config rules to monitor CloudWatch Logs configuration changes, providing an additional layer of defense against unauthorized deletions.\u003c/li\u003e\n\u003cli\u003eEstablish guardrails using Service Control Policies (SCPs) to restrict log deletions to designated automation roles, preventing manual or accidental deletions from other accounts.\u003c/li\u003e\n\u003cli\u003eReview CloudTrail and Config timelines for preceding suspicious events correlated to the IP address \u003ccode\u003e*\u003c/code\u003e observed making the deletion.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-cloudwatch-log-deletion/","summary":"Detection of Amazon CloudWatch log stream deletion via the 'DeleteLogStream' API, potentially indicating defense evasion or impact by adversaries aiming to conceal activity and disrupt security monitoring.","title":"AWS CloudWatch Log Stream Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-cloudwatch-log-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Log-Deletion","version":"https://jsonfeed.org/version/1.1"}