Analytics Story: AWS Defense Evasion
Description
Identify activity and techniques associated with defense evasion within AWS, such as disabling CloudTrail, deleting CloudTrail trails, and many others.
Why it matters
Adversaries employ a variety of techniques in order to avoid detection and operate without barriers. This often involves modifying the configuration of security monitoring tools to get around them, or explicitly disabling them so they stop running. This Analytic Story includes analytics that identify activity consistent with adversaries attempting to disable various security mechanisms on AWS. Such activity may involve deleting CloudTrail logs, since that is where AWS API activity is recorded, or explicitly changing the retention policy of the S3 buckets that hold them. Other times, adversaries attempt to delete a specified AWS CloudWatch log group.
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
AWS CloudTrail DeleteAlarms | AWS | aws:cloudtrail | aws_cloudtrail |
AWS CloudTrail DeleteDetector | AWS | aws:cloudtrail | aws_cloudtrail |
AWS CloudTrail DeleteIPSet | AWS | aws:cloudtrail | aws_cloudtrail |
AWS CloudTrail DeleteLogGroup | AWS | aws:cloudtrail | aws_cloudtrail |
AWS CloudTrail DeleteLogStream | AWS | aws:cloudtrail | aws_cloudtrail |
AWS CloudTrail DeleteRule | AWS | aws:cloudtrail | aws_cloudtrail |
AWS CloudTrail DeleteTrail | AWS | aws:cloudtrail | aws_cloudtrail |
AWS CloudTrail DeleteWebACL | AWS | aws:cloudtrail | aws_cloudtrail |
AWS CloudTrail PutBucketLifecycle | AWS | aws:cloudtrail | aws_cloudtrail |
AWS CloudTrail StopLogging | AWS | aws:cloudtrail | aws_cloudtrail |
AWS CloudTrail UpdateTrail | AWS | aws:cloudtrail | aws_cloudtrail |
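As an added example (not part of the Splunk content this story describes), a small Python checker that runs over constructed CloudTrail records for the eventNames in the table above and flags the defense-evasion cases the story describes. The top-level field names are standard CloudTrail record fields; the UpdateTrail and PutBucketLifecycle request-parameter names and the 30-day expiration threshold are assumptions.

```python
import json
# Assumed, constructed for this example: the CloudTrail eventNames covered by
# the data sources listed above. Matching is on eventName only.
EVASION_EVENTS = {"DeleteAlarms", "DeleteDetector", "DeleteIPSet", "DeleteLogGroup",
                  "DeleteLogStream", "DeleteRule", "DeleteTrail", "DeleteWebACL",
                  "PutBucketLifecycle", "StopLogging", "UpdateTrail"}

def assess(record):
    """Return a finding dict for one CloudTrail record, or None if benign."""
    name = record.get("eventName")
    if name not in EVASION_EVENTS:
        return None
    params = record.get("requestParameters") or {}
    reason = name
    if name == "UpdateTrail":
        # Only flag updates that narrow coverage or remove integrity checks.
        weak = [k for k in ("isMultiRegionTrail", "enableLogFileValidation")
                if params.get(k) is False]
        if not weak:
            return None
        reason = "UpdateTrail disabled " + ", ".join(weak)
    elif name == "PutBucketLifecycle":
        # A short Expiration on the log bucket quietly purges stored evidence.
        rules = (params.get("LifecycleConfiguration") or {}).get("Rule") or []
        rules = rules if isinstance(rules, list) else [rules]
        days = [r.get("Expiration", {}).get("Days") for r in rules]
        days = [d for d in days if isinstance(d, int)]
        if not days or min(days) > 30:
            return None
        reason = f"PutBucketLifecycle expires objects after {min(days)} day(s)"
    return {
        "eventName": name,
        "reason": reason,
        # errorCode set means the call was refused: a failed attempt, still a signal.
        "outcome": "attempted" if record.get("errorCode") else "succeeded",
        "actor": (record.get("userIdentity") or {}).get("arn", "unknown"),
    }

def scan(ndjson):
    # Run assess() over newline-delimited JSON CloudTrail records.
    records = (json.loads(l) for l in ndjson.splitlines() if l.strip())
    return [f for f in map(assess, records) if f]

# Constructed sample records (one JSON object per line); not real log data.
SAMPLE = """
{"eventName":"StopLogging","userIdentity":{"arn":"arn:aws:iam::123456789012:user/example"},"requestParameters":{"name":"main-trail"}}
{"eventName":"UpdateTrail","requestParameters":{"name":"main-trail","isMultiRegionTrail":false}}
{"eventName":"UpdateTrail","requestParameters":{"name":"main-trail","s3BucketName":"new-bucket"}}
{"eventName":"PutBucketLifecycle","errorCode":"AccessDenied","requestParameters":{"bucketName":"trail-logs","LifecycleConfiguration":{"Rule":{"Expiration":{"Days":1}}}}}
"""
```

The benign UpdateTrail (bucket change only) produces no finding, while the denied PutBucketLifecycle is still reported as an attempt.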
References
Source: GitHub | Version: 1