{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/security-service/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["CloudWatch","GuardDuty","Web Application Firewall","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["aws","cloudtrail","defense-evasion","security-service"],"_cs_type":"advisory","_cs_vendors":["Amazon","Splunk"],"content_html":"\u003cp\u003eThis threat brief addresses the tactic of adversaries deleting critical AWS security service configurations to evade detection. This includes deleting CloudWatch alarms, GuardDuty detectors, and Web Application Firewall (WAF) rules. The activity is identified through specific API calls such as \u0026ldquo;DeleteLogStream\u0026rdquo;, \u0026ldquo;DeleteDetector\u0026rdquo;, \u0026ldquo;DeleteIPSet\u0026rdquo;, \u0026ldquo;DeleteWebACL\u0026rdquo;, \u0026ldquo;DeleteRule\u0026rdquo;, \u0026ldquo;DeleteRuleGroup\u0026rdquo;, \u0026ldquo;DeleteLoggingConfiguration\u0026rdquo;, and \u0026ldquo;DeleteAlarms\u0026rdquo; within Amazon Security Lake logs. By successfully removing or impairing these services, attackers can operate undetected within an AWS environment, increasing the risk of data breaches, unauthorized access, and persistent compromise. The scope includes any AWS environment utilizing the mentioned security services and logging via Amazon Security Lake.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the AWS environment, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker escalates privileges to obtain the necessary permissions to modify or delete security service configurations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker enumerates existing security configurations, such as CloudWatch alarms, GuardDuty detectors, and WAF rules, to identify targets for deletion.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion - Service Deletion:\u003c/strong\u003e The attacker executes API calls like \u003ccode\u003eDeleteLogStream\u003c/code\u003e, \u003ccode\u003eDeleteDetector\u003c/code\u003e, \u003ccode\u003eDeleteIPSet\u003c/code\u003e, \u003ccode\u003eDeleteWebACL\u003c/code\u003e, \u003ccode\u003eDeleteRule\u003c/code\u003e, \u003ccode\u003eDeleteRuleGroup\u003c/code\u003e, \u003ccode\u003eDeleteLoggingConfiguration\u003c/code\u003e, or \u003ccode\u003eDeleteAlarms\u003c/code\u003e to delete security service configurations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e With security monitoring impaired, the attacker establishes persistence mechanisms, such as creating new IAM users or roles with excessive permissions, or deploying backdoors within EC2 instances.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker moves laterally through the AWS environment, accessing sensitive data and resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The attacker exfiltrates sensitive data from the compromised AWS environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their objective, which could include data theft, disruption of services, or financial gain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of AWS security services can have severe consequences, potentially affecting any organization using AWS. Consequences range from data breaches and unauthorized resource access to prolonged persistence of malicious actors within the AWS environment. The number of affected victims and the scope of damage depend on the scale of the AWS environment and the sensitivity of the data stored within. Organizations in all sectors are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect the deletion of critical AWS security service configurations based on Amazon Security Lake logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any identified instances of API calls related to the deletion of security services (e.g., \u0026ldquo;DeleteLogStream\u0026rdquo;, \u0026ldquo;DeleteDetector\u0026rdquo;) using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all IAM users and roles to reduce the risk of compromised credentials.\u003c/li\u003e\n\u003cli\u003eReview and restrict IAM policies to ensure that users and roles have only the necessary permissions to perform their duties.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for unusual activity, such as unexpected API calls or changes to IAM policies.\u003c/li\u003e\n\u003cli\u003eRegularly audit AWS security configurations to ensure that they are properly configured and maintained.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-aws-security-services-deletion/","summary":"Detection of deletion of critical AWS Security Services configurations like CloudWatch alarms, GuardDuty detectors, and Web Application Firewall rules to evade detection, potentially leading to data breaches and unauthorized access.","title":"AWS Security Services Configuration Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-security-services-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — Security-Service","version":"https://jsonfeed.org/version/1.1"}