Attack Chain

1. Initial Access: The attacker gains initial access to the AWS environment, potentially through compromised credentials or exploiting a vulnerability.
2. Privilege Escalation: The attacker escalates privileges to obtain the necessary permissions to modify or delete security service configurations.
3. Discovery: The attacker enumerates existing security configurations, such as CloudWatch alarms, GuardDuty detectors, and WAF rules, to identify targets for deletion.
4. Defense Evasion - Service Deletion: The attacker executes API calls like DeleteLogStream, DeleteDetector, DeleteIPSet, DeleteWebACL, DeleteRule, DeleteRuleGroup, DeleteLoggingConfiguration, or DeleteAlarms to delete security service configurations.
5. Persistence: With security monitoring impaired, the attacker establishes persistence mechanisms, such as creating new IAM users or roles with excessive permissions, or deploying backdoors within EC2 instances.
6. Lateral Movement: The attacker moves laterally through the AWS environment, accessing sensitive data and resources.
7. Data Exfiltration: The attacker exfiltrates sensitive data from the compromised AWS environment.
8. Impact: The attacker achieves their objective, which could include data theft, disruption of services, or financial gain.

Impact

Successful deletion of AWS security services can have severe consequences, potentially affecting any organization using AWS. Consequences range from data breaches and unauthorized resource access to prolonged persistence of malicious actors within the AWS environment. The number of affected victims and the scope of damage depends on the scale of the AWS environment and the sensitivity of the data stored within. Organizations in all sectors are potentially at risk.

Recommendation

• Deploy the provided Sigma rule to your SIEM to detect the deletion of critical AWS security service configurations based on Amazon Security Lake logs.
• Investigate any identified instances of API calls related to the deletion of security services (e.g., “DeleteLogStream”, “DeleteDetector”) using the provided Sigma rule.
• Implement multi-factor authentication (MFA) for all IAM users and roles to reduce the risk of compromised credentials.
• Review and restrict IAM policies to ensure that users and roles have only the necessary permissions to perform their duties.
• Monitor CloudTrail logs for unusual activity, such as unexpected API calls or changes to IAM policies.
• Regularly audit AWS security configurations to ensure that they are properly configured and maintained.