From 6e9f3584b578af6d0bb821e270ea603f88b6f140 Mon Sep 17 00:00:00 2001 From: Isai <59296946+imays11@users.noreply.github.com> Date: Fri, 12 Dec 2025 13:20:10 -0500 Subject: [PATCH] [Rule Tunings] AWS Config Rule Tunings ### AWS Config Resource Deletion - added exclusions for services that perform Config modifications by design, reducing noise by 97% over the last 30 days. - added success criteria to query as well - increased severity to medium as this alert should be triaged - updated description, false positive and investigation guide sections - reduced execution window - updated MITRE - updated tags - added highlighted fields ### AWS Configuration Recorder Stopped no major query changes needed for this rule, performing as expected in telemetry with low volume as this is more rare activity. - updated description, false positive and investigation guide sections - reduced execution window - updated MITRE - updated tags - added highlighted fields --- ..._evasion_config_service_rule_deletion.toml | 152 ++++++++++++------ ...vasion_configuration_recorder_stopped.toml | 120 ++++++++++---- 2 files changed, 192 insertions(+), 80 deletions(-) diff --git a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml index 855c53f6374..5f905e15301 100644 --- a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml +++ b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml 
@@ -2,86 +2,117 @@ creation_date = "2020/06/26" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2025/12/12" [rule] author = ["Elastic", "Austin Songer"] description = """ -Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to -reduce visibility into the security posture of an account and / or its workload instances. +Identifies attempts to delete AWS Config resources. AWS Config provides continuous visibility into resource +configuration changes and compliance posture across an account. Deleting Config components can significantly reduce +security visibility and auditability. Adversaries may delete or disable Config resources to evade detection, hide prior +activity, or weaken governance controls before or after other malicious actions. """ false_positives = [ """ - Privileged IAM users with security responsibilities may be expected to make changes to the Config service in order - to align with local security policies and requirements. Automation, orchestration, and security tools may also make - changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds - of user or service contexts do not commonly make changes to this service. + Deletion of AWS Config resources may occur during legitimate account restructuring, environment teardown, or changes + to compliance tooling. Centralized security teams or approved automation may also delete and recreate Config + components as part of controlled workflows. Confirm that the action aligns with approved change management and was + performed by an expected principal. 
""", ] -from = "now-60m" +from = "now-6m" index = ["filebeat-*", "logs-aws.cloudtrail-*"] -interval = "10m" language = "kuery" license = "Elastic License v2" name = "AWS Config Resource Deletion" note = """## Triage and analysis +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + ### Investigating AWS Config Resource Deletion -AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time. +AWS Config records configuration changes, relationships, and compliance status for AWS resources over time. +Deleting Config components such as recorders, delivery channels, rules, or conformance packs disrupts +security monitoring, compliance enforcement, and forensic visibility. This behavior is uncommon outside of +planned infrastructure changes and should be treated as high-risk when unexpected. This rule detects successful deletion of AWS Config resources. + +### Possible investigation steps + +**Identify the actor** +- Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine who initiated the deletion. +- Confirm whether this principal typically manages AWS Config or centralized security tooling. +- Check `user_agent.original` to determine whether the action was performed via console, CLI, SDK, or automation. + +**Determine what was deleted** +- Inspect `event.action` and `aws.cloudtrail.request_parameters` to identify which Config component was removed + (e.g., configuration recorder, delivery channel, rule, aggregator, or conformance pack). 
+- Assess whether the deleted resource was account-scoped or organization-wide. Used for compliance reporting, guardrails, or security monitoring. +- Identify the affected regions and accounts using `cloud.region` and `cloud.account.id`. + +**Reconstruct timing and intent** +- Use `@timestamp` to correlate the deletion with: + - IAM changes (role updates, policy modifications, STS activity). + - Other monitoring disruptions (CloudTrail, GuardDuty, Security Hub). + - Destructive or high-impact actions occurring shortly before or after. +- Compare the timing against approved maintenance windows or infrastructure changes. + +**Correlate with broader activity** +- Pivot in CloudTrail on the same principal or access key to identify: + - Additional attempts to disable logging or security controls. + - Resource deletions or configuration weakening across services. +- Evaluate whether the deletion appears isolated or part of a broader evasion sequence. + +**Validate intent with stakeholders** +- Confirm with security, cloud platform, or compliance teams whether the deletion was planned and approved. +- Verify whether replacement Config resources were created shortly after, or whether monitoring remains disabled. -This rule looks for the deletion of AWS Config resources using various API actions. Attackers can do this to cover their tracks and impact security monitoring that relies on these sources. +### False positive analysis -#### Possible investigation steps +- **Planned environment changes** + - Non-production account teardown, environment consolidation, or compliance tool migrations may involve + deletion of Config resources. -- Identify the user account that performed the action and whether it should perform this kind of action. -- Identify the AWS resource that was involved and its criticality, ownership, and role in the environment. Also investigate if the resource is security-related. 
-- Investigate other alerts associated with the user account during the past 48 hours. -- Contact the account and resource owners and confirm whether they are aware of this activity. -- Check if this operation was approved and performed according to the organization's change management policy. -- Considering the source IP address and geolocation of the user who issued the command: - - Do they look normal for the calling user? - - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control? - - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance? -- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours. +- **Authorized security automation** + - Approved automation or security tooling may delete and recreate Config components during setup or remediation. + - Tune exceptions carefully using specific principals or automation roles rather than broad exclusions. -### False positive analysis +### Response and remediation -- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and IP address conditions. +- **Contain and restore visibility** + - If unauthorized, immediately re-enable AWS Config components, including recorders and delivery channels. + - Validate that historical configuration data and compliance reporting resume as expected. -### Response and remediation +- **Investigate scope and impact** + - Determine how long Config visibility was impaired and what activity may have occurred during that window. + - Review other monitoring gaps (e.g., CloudTrail or GuardDuty changes) for coordinated evasion. 
+ +- **Credential and access review** + - Rotate or disable credentials associated with the deleting principal if compromise is suspected. + - Review IAM permissions to ensure only a minimal, well-defined set of roles can manage AWS Config. -- Initiate the incident response process based on the outcome of the triage. -- Disable or limit the account during the investigation and response. -- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: - - Identify the account role in the cloud environment. - - Assess the criticality of affected services and servers. - - Work with your IT team to identify and minimize the impact on users. - - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. - - Identify any regulatory or legal ramifications related to this activity. -- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions. -- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users. -- Consider enabling multi-factor authentication for users. -- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. -- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. -- Take the actions needed to return affected systems, data, or services to their normal operational levels. -- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. 
-- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - -## Setup - -The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +- **Hardening and prevention** + - Use SCPs or IAM conditions to restrict deletion of Config resources in production and security accounts. + - Implement AWS Config rules or Security Hub controls to alert when Config is disabled or degraded. + - Document and formalize change procedures for governance tooling. + +### Additional information +- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** +- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** +- **[AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)** +""" references = [ "https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html", "https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html", ] -risk_score = 21 +risk_score = 47 rule_id = "7024e2a0-315d-4334-bb1a-552d604f27bc" -severity = "low" +severity = "medium" tags = [ "Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", + "Data Source: AWS Config", "Resources: Investigation Guide", "Tactic: Defense Evasion", ] 
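Review bot: The new "Determine what was deleted" step in the investigation guide contains a sentence fragment — "Assess whether the deleted resource was account-scoped or organization-wide. Used for compliance reporting, guardrails, or security monitoring." — which reads as two broken thoughts; I would merge them into `- Assess whether the deleted resource was account-scoped or organization-wide, and whether it was used for compliance reporting, guardrails, or security monitoring.` The same step tells the analyst to identify the actor via `user_identity.arn` and `access_key_id`, but since the query (later in this file) now keys on `aws.cloudtrail.user_identity.invoked_by`, the guide should also say to check that field so an analyst can tell a direct call from one an AWS service made on a principal's behalf. Separately, the hunk drops the explicit `interval = "10m"` while setting `from = "now-6m"`, so the effective lookback overlap now depends on the platform's default interval (presumably 5m); a one-line comment such as `# 6m lookback assumes the default 5m interval` would make that dependency visible to the next tuner.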
@@ -89,10 +120,13 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and - event.action:(DeleteConfigRule or DeleteOrganizationConfigRule or DeleteConfigurationAggregator or +event.dataset: aws.cloudtrail + and event.provider: config.amazonaws.com + and event.outcome: success + and event.action: (DeleteConfigRule or DeleteOrganizationConfigRule or DeleteConfigurationAggregator or DeleteConfigurationRecorder or DeleteConformancePack or DeleteOrganizationConformancePack or DeleteDeliveryChannel or DeleteRemediationConfiguration or DeleteRetentionConfiguration) + and not aws.cloudtrail.user_identity.invoked_by: (securityhub.amazonaws.com or fms.amazonaws.com or controltower.amazonaws.com or config-conforms.amazonaws.com) ''' @@ -107,6 +141,11 @@ id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" + [rule.threat.tactic] @@ -114,3 +153,18 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[rule.investigation_fields] +field_names = [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters" +] diff --git a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml index 2fdd647f242..7d37cb4941d 100644 --- a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml +++ b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml 
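Review bot: The new `and not aws.cloudtrail.user_identity.invoked_by: (securityhub.amazonaws.com or fms.amazonaws.com or controltower.amazonaws.com or config-conforms.amazonaws.com)` clause silently drops every Config deletion those services perform, including ones an adversary can provoke indirectly — for example disabling a Security Hub standard, detaching an FMS policy, or decommissioning an account from Control Tower all result in service-invoked `DeleteConfigRule`/`DeleteConformancePack` calls that this rule will no longer see. `invokedBy` is populated by AWS rather than the caller, so spoofing is not the concern; the concern is that the triggering action is now the only place to catch this, and nothing in the hunk or the false-positive text says so. I would add a comment above the clause, e.g. `# service-invoked deletions are excluded; cover the triggering Security Hub / FMS / Control Tower changes with their own rules`, and mention the exclusion in `false_positives` so tuners do not assume full coverage. Also note that in KQL a `not field: (...)` clause matches documents where the field is absent, which is what you want here for direct IAM calls, but worth stating in the comment.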
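Review bot: The new `[rule.investigation_fields]` list omits `aws.cloudtrail.user_identity.invoked_by`, which is the one field the tuned query now filters on, so an analyst looking at the highlighted fields cannot see why an event did or did not match the exclusion; I would add `"aws.cloudtrail.user_identity.invoked_by",` after the `access_key_id` entry. The sibling rule in this same patch (`defense_evasion_configuration_recorder_stopped.toml`) also lists `"target.entity.id",` and uses a trailing comma after the last element, while this list has neither; aligning the two lists keeps the AWS Config rules consistent.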
@@ -2,21 +2,26 @@ creation_date = "2020/06/16" integration = ["aws"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/12/12" [rule] author = ["Elastic"] -description = "Identifies an AWS configuration change to stop recording a designated set of resources." +description = """ +Identifies when an AWS Config configuration recorder is stopped. AWS Config recorders continuously track and record +configuration changes across supported AWS resources. Stopping the recorder immediately reduces visibility into +infrastructure changes and can be abused by adversaries to evade detection, obscure follow-on activity, or weaken +compliance and security monitoring controls. +""" false_positives = [ """ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Recording changes from unfamiliar users or hosts should be investigated. If known behavior is causing false - positives, it can be exempted from the rule. + Authorized administrators may temporarily stop the AWS Config recorder during planned maintenance, account + restructuring, or controlled configuration changes. Automated infrastructure or compliance tooling may also stop and + restart the recorder as part of setup or teardown workflows. Activity outside of documented change windows or from + unexpected identities should be investigated. """, ] -from = "now-60m" +from = "now-6m" index = ["filebeat-*", "logs-aws.cloudtrail-*"] -interval = "10m" language = "kuery" license = "Elastic License v2" name = "AWS Configuration Recorder Stopped" 
@@ -27,37 +32,58 @@ note = """## Triage and analysis ### Investigating AWS Configuration Recorder Stopped -AWS Config records and evaluates configurations of AWS resources, ensuring compliance and security. Stopping the configuration recorder can hinder visibility into resource changes, aiding adversaries in evading detection. The detection rule identifies successful attempts to stop the recorder, signaling potential defense evasion by monitoring specific AWS CloudTrail events related to configuration changes. +AWS Config provides continuous visibility into resource configuration changes and underpins many security, compliance, +and audit workflows. Stopping the configuration recorder prevents new changes from being captured and can create blind +spots in detection and forensic timelines. + +This behavior is uncommon in steady-state production environments and should be carefully reviewed, especially when +performed outside approved maintenance windows or by unexpected principals. ### Possible investigation steps -- Review the AWS CloudTrail logs for the specific event.action:StopConfigurationRecorder to identify the user or role that initiated the action. -- Check the event.outcome:success field to confirm the action was successfully executed and correlate it with any other suspicious activities around the same timeframe. -- Investigate the IAM permissions and roles associated with the user or entity that stopped the configuration recorder to determine if they have the necessary permissions and if those permissions are appropriate. -- Analyze the context of the event by examining other recent AWS CloudTrail events from the same event.provider:config.amazonaws.com to identify any related configuration changes or anomalies. -- Assess the potential impact on compliance and security by identifying which resources were affected by the stopped configuration recorder and evaluating the risk of undetected changes during the period it was inactive. 
-- Review any recent changes in AWS Config settings or policies that might explain the legitimate need to stop the configuration recorder, ensuring there is a valid business justification. +**Identify the actor** +- Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` + to determine who initiated the `StopConfigurationRecorder` action. Confirm whether this principal typically administers AWS Config or performs security and compliance operations. -### False positive analysis +**Examine the request context** +- Review `user_agent.original` to determine whether the request originated from the AWS Console, CLI, SDK, or automation tooling. +- Inspect `source.ip` and any available geo context to assess whether the request originated from an expected network or region. -- Routine maintenance activities by authorized personnel can trigger the rule. To manage this, create exceptions for specific IAM roles or users known to perform these tasks regularly. -- Automated scripts or tools used for configuration management might stop the recorder as part of their operation. Identify these scripts and exclude their actions from triggering alerts by using their unique identifiers or tags. -- Scheduled configuration changes during non-peak hours may involve stopping the recorder temporarily. Document these schedules and adjust the rule to ignore events during these periods. -- Testing environments often mimic production changes, including stopping the recorder. Exclude events from known testing accounts or environments to prevent unnecessary alerts. +**Determine scope and impact** +- Identify which configuration recorder was stopped and which regions or resources were affected. +- Determine how long the recorder remained disabled and whether any configuration changes occurred during that window. +- Assess whether AWS Config rules, Security Hub controls, or downstream monitoring systems were impacted. 
-### Response and remediation +**Correlate with related activity** +- Look for surrounding CloudTrail activity from the same principal, including: + - Deletion or modification of Config rules, delivery channels, or conformance packs. + - IAM changes, credential activity, or other security control modifications. +- Check for signs of follow-on activity that may have relied on reduced visibility, such as resource creation, policy changes, + or network reconfiguration. + +**Validate intent** +- Confirm with the platform, security, or compliance teams whether the recorder stoppage was intentional and approved. +- Compare the timing against change management records, infrastructure deployments, or account bootstrapping workflows. + +### False positive analysis -- Immediately re-enable the AWS Config recorder to restore visibility into resource changes and ensure compliance monitoring is active. -- Conduct a thorough review of AWS CloudTrail logs to identify any unauthorized or suspicious activities that occurred during the period when the configuration recorder was stopped. -- Verify the IAM roles and permissions associated with the AWS account to ensure that only authorized personnel have the ability to stop the configuration recorder. Adjust permissions as necessary to follow the principle of least privilege. -- Implement additional monitoring and alerting for any future attempts to stop the AWS Config recorder, ensuring that such actions trigger immediate notifications to the security team. -- Escalate the incident to the security operations center (SOC) for further investigation and to determine if the action was part of a broader attack or misconfiguration. -- Review and update incident response plans to include specific procedures for handling AWS Config recorder stoppage events, ensuring rapid response and containment in future occurrences. 
-- Consider enabling AWS Config rules to automatically remediate unauthorized changes, such as stopping the configuration recorder, to enhance the security posture and prevent recurrence. +- Planned maintenance or controlled configuration changes may require temporarily stopping the recorder. +- Automated account provisioning, teardown, or remediation tooling may stop and restart the recorder as part of normal workflows. -## Setup +### Response and remediation -The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +- Immediately restart the AWS Config recorder to restore configuration visibility. +- Review CloudTrail logs for activity that occurred while the recorder was stopped and assess potential security or compliance impact. +- If the action was unauthorized, rotate or disable credentials associated with the initiating principal and investigate for compromise. +- Review IAM permissions to ensure only a minimal set of trusted roles can stop or modify AWS Config components. +- Implement guardrails such as AWS Config rules, SCPs, or automated remediation to detect and respond to recorder stoppage. +- Update monitoring, alerting, and incident response runbooks to explicitly cover AWS Config visibility loss scenarios. 
+ +### Additional information +- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** +- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** +- **[AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)** +""" references = [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html", "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html", @@ -65,12 +91,22 @@ references = [ risk_score = 73 rule_id = "fbd44836-0d69-4004-a0b4-03c20370c435" severity = "high" -tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS Config", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success +event.dataset: aws.cloudtrail + and event.provider: config.amazonaws.com + and event.action: StopConfigurationRecorder + and event.outcome: success ''' @@ -85,6 +121,11 @@ id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" + [rule.threat.tactic] 
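Review bot: The "Determine scope and impact" step says to identify which configuration recorder was stopped and which regions were affected but names no field to do it with; the recorder name is carried in the request, so I would change the first bullet to `- Identify the stopped recorder from the recorder-name parameter in \`aws.cloudtrail.request_parameters\` and the region from \`cloud.region\`.` The next bullet, "Determine how long the recorder remained disabled", would be more actionable if it told the analyst to look for a later `StartConfigurationRecorder` event from the same account and region to bound the blind window, and to treat the absence of one as an ongoing visibility gap. The investigation guide also lists `target.entity.id` among the highlighted fields further down in this file but never references it in the steps; if it is meant to carry the recorder identifier, say so here, otherwise drop it from the field list.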
@@ -92,3 +133,20 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[rule.investigation_fields] +field_names = [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", +] +