Techniques
Sample rules
AWS Defense Evasion Impair Security Services
- source: splunk
- techniques:
- T1562.008
- T1562
Description
This analytic looks for several delete-specific API calls made to AWS security services such as CloudWatch, GuardDuty and Web Application Firewall. Adversaries often use these API calls to weaken existing security defenses: deleting logging configurations in CloudWatch, deleting a set of detectors from the GuardDuty environment, or simply deleting a batch of CloudWatch alarms in order to remain stealthy and avoid detection.
Detection logic
`cloudtrail` eventName IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms")
| stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName values(eventSource) as eventSource values(requestParameters.*) as * by src region user_arn aws_account_id user_type user_agent errorCode
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_impair_security_services_filter`
AWS Defense Evasion PutBucketLifecycle
- source: splunk
- techniques:
- T1562.008
- T1562
Description
This analytic identifies PutBucketLifecycle events in CloudTrail logs where a user has created a new lifecycle rule for an S3 bucket with a short expiration period. Attackers may use this API call to impair CloudTrail logging by setting the object expiration on the log bucket to 1 day, after which the stored CloudTrail logs are deleted.
Detection logic
`cloudtrail` eventName=PutBucketLifecycle user_type=IAMUser errorCode=success
| spath path=requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days output=expiration_days
| spath path=requestParameters{}.bucketName output=bucket_name
| stats count min(_time) as firstTime max(_time) as lastTime by src region eventName userAgent user_arn aws_account_id expiration_days bucket_name user_type
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where expiration_days < 3
| `aws_defense_evasion_putbucketlifecycle_filter`
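The two rules above (the delete-call list of the Impair Security Services rule and the short-expiration check of the PutBucketLifecycle rule) re-implemented in Python over raw CloudTrail-style JSON records, as an added example that is not part of the Splunk content or the original page. The sample events are constructed; treating a missing errorCode as success is an assumption about how the Splunk AWS add-on normalises that field.

```python
# Constructed CloudTrail-style records (not real events), one per case the two rules cover.
SAMPLE_EVENTS = [
    {"eventName": "PutBucketLifecycle", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-user"},
     "requestParameters": {"bucketName": "example-cloudtrail-logs", "LifecycleConfiguration": {
         "Rule": {"ID": "expire-fast", "Status": "Enabled", "Expiration": {"Days": 1}}}}},
    {"eventName": "PutBucketLifecycle", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-user"},
     "requestParameters": {"bucketName": "example-archive", "LifecycleConfiguration": {
         "Rule": [{"Expiration": {"Days": 365}}, {"Expiration": {"Days": 90}}]}}},
    {"eventName": "DeleteDetector", "eventSource": "guardduty.amazonaws.com",
     "userIdentity": {"type": "AssumedRole"}, "requestParameters": {"detectorId": "example-detector"}},
    {"eventName": "DescribeAlarms", "eventSource": "monitoring.amazonaws.com",
     "userIdentity": {"type": "IAMUser"}},
]

# Delete-style API calls from the Impair Security Services rule's eventName IN (...) list.
IMPAIR_EVENTS = {"DeleteLogStream", "DeleteDetector", "DeleteIPSet", "DeleteWebACL",
                 "DeleteRule", "DeleteRuleGroup", "DeleteLoggingConfiguration", "DeleteAlarms"}
MAX_EXPIRATION_DAYS = 3  # the PutBucketLifecycle rule's `where expiration_days < 3`


def lifecycle_expiration_days(event):
    """Smallest Expiration.Days over the lifecycle rules of a PutBucketLifecycle event,
    or None. Mirrors spath on Rule{}.Expiration{}.Days, which flattens one or many rules."""
    rules = event.get("requestParameters", {}).get("LifecycleConfiguration", {}).get("Rule", [])
    if isinstance(rules, dict):  # a single rule is serialised as an object, not a list
        rules = [rules]
    days = [r.get("Expiration", {}).get("Days") for r in rules if isinstance(r, dict)]
    days = [d for d in days if isinstance(d, int)]
    return min(days) if days else None


def classify(event):
    """Return the name of the rule the event matches, or None."""
    if event.get("eventName") in IMPAIR_EVENTS:
        return "impair_security_services"
    # Raw CloudTrail carries errorCode only on failure; the Splunk AWS add-on fills in
    # "success" when it is absent (assumption), so "no errorCode" counts as success here.
    if (event.get("eventName") == "PutBucketLifecycle"
            and event.get("userIdentity", {}).get("type") == "IAMUser"
            and "errorCode" not in event):
        days = lifecycle_expiration_days(event)
        if days is not None and days < MAX_EXPIRATION_DAYS:
            return "putbucketlifecycle"
    return None


def detect(events):
    """(rule, eventName, bucketName or None) for each event that fires a rule."""
    hits = [(classify(e), e.get("eventName"), e.get("requestParameters", {}).get("bucketName"))
            for e in events]
    return [h for h in hits if h[0]]
```

Note that a lifecycle with a 90-day minimum passes, a single 1-day rule on the log bucket fires, and a failed (errorCode present) PutBucketLifecycle is ignored, matching the SPL's `errorCode=success` filter.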
ASL AWS Defense Evasion Impair Security Services
- source: splunk
- techniques:
- T1562.008
- T1562
Description
This analytic looks for several delete-specific API calls made to AWS security services such as CloudWatch, GuardDuty and Web Application Firewall. Adversaries often use these API calls to weaken existing security defenses: deleting logging configurations in CloudWatch, deleting a set of detectors from the GuardDuty environment, or simply deleting a batch of CloudWatch alarms in order to remain stealthy and avoid detection.
Detection logic
`amazon_security_lake` api.operation IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms")
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_impair_security_services_filter`