
Description

Identify activity and techniques associated with the Evasion of Defenses within AWS, such as Disabling CloudTrail, Deleting CloudTrail and many others.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Web
  • Last Updated: 2022-07-15
  • Author: Gowthamaraj Rajendran, Splunk
  • ID: 4e00b690-293f-434d-a9d8-bcfb2ea5fff9

Narrative

Adversaries employ a variety of techniques in order to avoid detection and operate without barriers. This often involves modifying the configuration of security monitoring tools to get around them, or explicitly disabling them so they stop running. This Analytic Story includes analytics that identify activity consistent with adversaries attempting to disable various security mechanisms on AWS. Such activity may involve deleting CloudTrail logs, since that is where the AWS logs are stored, or explicitly changing the retention policy of the S3 buckets that hold them. Other times, adversaries attempt to delete a specified AWS CloudWatch log group.

Detections

| Name | Technique | Type |
|---|---|---|
| ASL AWS Defense Evasion Delete CloudWatch Log Group | Impair Defenses, Disable or Modify Cloud Logs | TTP |
| ASL AWS Defense Evasion Delete Cloudtrail | Disable or Modify Cloud Logs, Impair Defenses | TTP |
| ASL AWS Defense Evasion Impair Security Services | Disable or Modify Cloud Logs, Impair Defenses | Hunting |
| AWS Defense Evasion Delete CloudWatch Log Group | Impair Defenses, Disable or Modify Cloud Logs | TTP |
| AWS Defense Evasion Delete Cloudtrail | Disable or Modify Cloud Logs, Impair Defenses | TTP |
| AWS Defense Evasion Impair Security Services | Disable or Modify Cloud Logs, Impair Defenses | Hunting |
| AWS Defense Evasion PutBucketLifecycle | Disable or Modify Cloud Logs, Impair Defenses | Hunting |
| AWS Defense Evasion Stop Logging Cloudtrail | Disable or Modify Cloud Logs, Impair Defenses | TTP |
| AWS Defense Evasion Update Cloudtrail | Impair Defenses, Disable or Modify Cloud Logs | TTP |
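As an added example (not Splunk's own search logic), the following Python matches raw CloudTrail records against the logging-tampering API calls that the detections above are named after, and keeps denied attempts as findings too. The mapping from detection name to eventSource/eventName is an assumption drawn from the detection names; the sample records are constructed.

```python
import json

# Assumed mapping from each detection named in the table above to the
# CloudTrail eventSource/eventName it keys on; the story's own Splunk searches
# may cover additional API calls.
STORY_EVENTS = {
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "AWS Defense Evasion Delete Cloudtrail",
    ("cloudtrail.amazonaws.com", "StopLogging"): "AWS Defense Evasion Stop Logging Cloudtrail",
    ("cloudtrail.amazonaws.com", "UpdateTrail"): "AWS Defense Evasion Update Cloudtrail",
    ("logs.amazonaws.com", "DeleteLogGroup"): "AWS Defense Evasion Delete CloudWatch Log Group",
    ("s3.amazonaws.com", "PutBucketLifecycle"): "AWS Defense Evasion PutBucketLifecycle",
}

def match_defense_evasion(records):
    """Return one finding per CloudTrail record that hits a story detection.
    CloudTrail sets errorCode on failed or denied calls; a denied attempt is
    still reported because it shows intent even though it failed."""
    findings = []
    for rec in records:
        detection = STORY_EVENTS.get((rec.get("eventSource"), rec.get("eventName")))
        if detection is None:
            continue  # not a logging-tampering API call
        findings.append({
            "detection": detection,
            "eventName": rec["eventName"],
            "user": rec.get("userIdentity", {}).get("arn", "unknown"),
            "src_ip": rec.get("sourceIPAddress", "unknown"),
            "succeeded": "errorCode" not in rec,
            "time": rec.get("eventTime"),
        })
    return findings

# Constructed sample records (not real log data): a successful StopLogging,
# a denied DeleteLogGroup, and a benign DescribeTrails that must not match.
SAMPLE_RECORDS = json.loads("""[
 {"eventTime": "2022-07-15T10:01:02Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"}},
 {"eventTime": "2022-07-15T10:03:40Z", "eventSource": "logs.amazonaws.com",
  "eventName": "DeleteLogGroup", "sourceIPAddress": "203.0.113.10", "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"}},
 {"eventTime": "2022-07-15T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "DescribeTrails", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:role/audit-role"}}
]""")

if __name__ == "__main__":
    for finding in match_defense_evasion(SAMPLE_RECORDS):
        print(finding)
```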

Reference

source | version: 1