Analytics Story: AWS Defense Evasion

Description

Identify activity and techniques associated with the Evasion of Defenses within AWS, such as Disabling CloudTrail, Deleting CloudTrail and many others.

Why it matters

Adversaries employ a variety of techniques in order to avoid detection and operate without barriers. This often involves modifying the configuration of security monitoring tools to get around them or explicitly disabling them to prevent them from running. This Analytic Story includes analytics that identify activity consistent with adversaries attempting to disable various security mechanisms on AWS. Such activity may involve deleting the CloudTrail logs , as this is where all the AWS logs get stored or explicitly changing the retention policy of S3 buckets. Other times, adversaries attempt deletion of a specified AWS CloudWatch log group.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
ASL AWS Defense Evasion Delete Cloudtrail Disable or Modify Cloud Logs, Impair Defenses TTP
ASL AWS Defense Evasion Delete CloudWatch Log Group Impair Defenses, Disable or Modify Cloud Logs TTP
ASL AWS Defense Evasion Impair Security Services Disable or Modify Cloud Logs, Impair Defenses Hunting
ASL AWS Defense Evasion Stop Logging Cloudtrail Disable or Modify Cloud Logs, Impair Defenses TTP
ASL AWS Defense Evasion Update Cloudtrail Impair Defenses, Disable or Modify Cloud Logs TTP
AWS Defense Evasion Delete Cloudtrail Disable or Modify Cloud Logs, Impair Defenses TTP
AWS Defense Evasion Delete CloudWatch Log Group Impair Defenses, Disable or Modify Cloud Logs TTP
AWS Defense Evasion Impair Security Services Disable or Modify Cloud Logs, Impair Defenses Hunting
AWS Defense Evasion PutBucketLifecycle Disable or Modify Cloud Logs, Impair Defenses, Lifecycle-Triggered Deletion, Data Destruction Hunting
AWS Defense Evasion Stop Logging Cloudtrail Disable or Modify Cloud Logs, Impair Defenses TTP
AWS Defense Evasion Update Cloudtrail Impair Defenses, Disable or Modify Cloud Logs TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
AWS CloudTrail DeleteAlarms AWS icon AWS aws:cloudtrail aws_cloudtrail
AWS CloudTrail DeleteDetector AWS icon AWS aws:cloudtrail aws_cloudtrail
AWS CloudTrail DeleteIPSet AWS icon AWS aws:cloudtrail aws_cloudtrail
AWS CloudTrail DeleteLogGroup AWS icon AWS aws:cloudtrail aws_cloudtrail
AWS CloudTrail DeleteLogStream AWS icon AWS aws:cloudtrail aws_cloudtrail
AWS CloudTrail DeleteRule AWS icon AWS aws:cloudtrail aws_cloudtrail
AWS CloudTrail DeleteTrail AWS icon AWS aws:cloudtrail aws_cloudtrail
AWS CloudTrail DeleteWebACL AWS icon AWS aws:cloudtrail aws_cloudtrail
AWS CloudTrail PutBucketLifecycle AWS icon AWS aws:cloudtrail aws_cloudtrail
AWS CloudTrail StopLogging AWS icon AWS aws:cloudtrail aws_cloudtrail
AWS CloudTrail UpdateTrail AWS icon AWS aws:cloudtrail aws_cloudtrail

References


Source: GitHub | Version: 1