LoFP LoFP / while this search has no known false positives, it is possible that it is a legitimate admin activity. please consider filtering out these noisy events using useragent, user_arn field names.

Techniques

Sample rules

ASL AWS Defense Evasion Impair Security Services

Description

The following analytic detects the deletion of critical AWS Security Services configurations, such as CloudWatch alarms, GuardDuty detectors, and Web Application Firewall rules. It leverages Amazon Security Lake logs to identify specific API calls like “DeleteLogStream” and “DeleteDetector.” This activity is significant because adversaries often use these actions to disable security monitoring and evade detection. If confirmed malicious, this could allow attackers to operate undetected, leading to potential data breaches, unauthorized access, and prolonged persistence within the AWS environment.

Detection logic

`amazon_security_lake` api.operation IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region 
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `asl_aws_defense_evasion_impair_security_services_filter`

AWS Defense Evasion Impair Security Services

Description

The following analytic detects attempts to delete critical AWS security service configurations, such as CloudWatch alarms, GuardDuty detectors, and Web Application Firewall rules. It leverages CloudTrail logs to identify specific API calls like “DeleteLogStream” and “DeleteDetector.” This activity is significant because it indicates potential efforts to disable security monitoring and evade detection. If confirmed malicious, this could allow attackers to operate undetected, escalate privileges, or exfiltrate data without triggering security alerts, severely compromising the security posture of the AWS environment.

Detection logic

`cloudtrail` eventName IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") 
| stats count min(_time) as firstTime max(_time) as lastTime values(eventName)  as eventName values(eventSource) as eventSource values(requestParameters.*) as * by src region user_arn aws_account_id user_type user_agent errorCode
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|  `aws_defense_evasion_impair_security_services_filter`

AWS Defense Evasion PutBucketLifecycle

Description

The following analytic detects PutBucketLifecycle events in AWS CloudTrail logs where a user sets a lifecycle rule for an S3 bucket with an expiration period of fewer than three days. This detection leverages CloudTrail logs to identify suspicious lifecycle configurations. This activity is significant because attackers may use it to delete CloudTrail logs quickly, thereby evading detection and impairing forensic investigations. If confirmed malicious, this could allow attackers to cover their tracks, making it difficult to trace their actions and respond to the breach effectively.

Detection logic

`cloudtrail` eventName=PutBucketLifecycle user_type=IAMUser errorCode=success 
|  spath path=requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days output=expiration_days 
|  spath path=requestParameters{}.bucketName output=bucket_name 
| stats count min(_time) as firstTime max(_time) as lastTime  by src region eventName userAgent user_arn aws_account_id expiration_days  bucket_name user_type
| `security_content_ctime(firstTime)` 
|  `security_content_ctime(lastTime)` 
| where expiration_days < 3 
| `aws_defense_evasion_putbucketlifecycle_filter`