<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Log-Deletion - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/log-deletion/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/log-deletion/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS CloudWatch Log Stream Deletion</title><link>https://feed.craftedsignal.io/briefs/2024-01-cloudwatch-log-deletion/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-cloudwatch-log-deletion/</guid><description>Detection of Amazon CloudWatch log stream deletion via the 'DeleteLogStream' API, potentially indicating defense evasion or impact by adversaries aiming to conceal activity and disrupt security monitoring.</description><content:encoded><![CDATA[<p>This rule detects the deletion of an Amazon CloudWatch log stream using the &quot;DeleteLogStream&quot; API. CloudWatch log streams contain sequential log events crucial for monitoring applications, services, and AWS resources. Adversaries may delete these streams to cover their tracks after unauthorized actions, break ingestion pipelines feeding SIEM, alerting, or anomaly detection, or remove evidence before escalating privileges or moving laterally. This activity directly impacts security visibility, audit trails, and forensic evidence. The rule specifically looks for successful invocations of the <code>DeleteLogStream</code> API as recorded in CloudTrail logs, helping defenders identify potentially malicious actions within their AWS environment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an AWS account, potentially through compromised credentials or exploiting a vulnerability.</li>
<li>The attacker enumerates available CloudWatch log streams to identify targets for deletion.</li>
<li>The attacker invokes the <code>DeleteLogStream</code> API via the AWS CLI, SDK, or console.</li>
<li>The <code>DeleteLogStream</code> API call is authenticated and authorized by AWS IAM.</li>
<li>CloudWatch permanently deletes the specified log stream, removing all associated log events.</li>
<li>The deletion event is recorded in AWS CloudTrail.</li>
<li>The attacker attempts to cover their tracks by deleting related CloudTrail logs (though this action would generate further alerts).</li>
<li>The attacker continues lateral movement or completes their objective, relying on the reduced visibility to remain undetected.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful deletion of CloudWatch log streams can severely impair an organization's ability to detect and respond to security incidents. Deleted log events are permanently removed, disrupting security visibility and breaking audit trails. The number of victims can range from single applications to entire AWS environments, depending on the scope of the attacker's access and the importance of the deleted log streams. This activity is particularly damaging in sectors heavily reliant on compliance and regulatory oversight.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect instances of <code>DeleteLogStream</code> API calls in CloudTrail logs, and tune it for your environment.</li>
<li>Investigate alerts generated by the Sigma rule, focusing on the <code>aws.cloudtrail.user_identity.arn</code> and <code>source.ip</code> fields to identify the actor and origin of the request.</li>
<li>Implement IAM least-privilege principles for the <code>logs:DeleteLogStream</code> permission to minimize the blast radius of compromised accounts.</li>
<li>Enable AWS Config rules to monitor CloudWatch Logs configuration changes, providing an additional layer of defense against unauthorized deletions.</li>
<li>Establish guardrails using Service Control Policies (SCPs) to restrict log deletions to designated automation roles, preventing manual or accidental deletions from other accounts.</li>
<li>Review CloudTrail and Config timelines for preceding suspicious events correlated to the IP address <code>*</code> observed making the deletion.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>cloudwatch</category><category>log-deletion</category><category>defense-evasion</category></item></channel></rss>