
Goal

Detect when an attacker is trying to evade defenses by modifying CloudTrail.

Strategy

This rule detects if a user is modifying CloudTrail by monitoring the following CloudTrail API calls:

Triage and response

  1. Review the @responseElements in the {{@evt.name}} event to determine the scope of the changes.
  2. Determine if the user ARN ({{@userIdentity.arn}}) intended to make a CloudTrail modification.
  3. If the user did not make the API call:
    • Rotate the credentials.
    • Investigate if the same credentials made other unauthorized API calls.
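As an added example, not part of the original rule page, the following Python script shows the detection described under Strategy and the data the triage steps rely on: it parses constructed CloudTrail records, flags the management calls that alter a trail, and reports the caller ARN, the trail touched and whether the call succeeded. The set of monitored API names is an assumption for this example (the page's own list is not reproduced here); they are real CloudTrail API names, and the sample records are constructed, not real events.

```python
import json

# Assumption for this example: CloudTrail management API calls that alter a
# trail's configuration or stop its delivery. These are real CloudTrail API
# names; the rule page's own list of monitored calls is not reproduced here.
TRAIL_MODIFYING_CALLS = {
    "StopLogging",        # pauses event delivery for a trail
    "DeleteTrail",        # removes a trail entirely
    "UpdateTrail",        # changes destination bucket, region scope, etc.
    "PutEventSelectors",  # narrows which events the trail records
}

# Constructed sample CloudTrail records (not real events), serialised as the
# JSON strings a log pipeline would hand to a detection.
SAMPLE_EVENTS = [
    json.dumps({"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
                "requestParameters": {"name": "example-trail"},
                "responseElements": None}),
    json.dumps({"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
                "requestParameters": None, "responseElements": None}),
    json.dumps({"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
                "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/example-role/session"},
                "requestParameters": {"name": "example-trail", "s3BucketName": "other-bucket"},
                "responseElements": None,
                "errorCode": "AccessDenied"}),
    json.dumps({"eventSource": "cloudtrail.amazonaws.com", "eventName": "PutEventSelectors",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
                "requestParameters": {"trailName": "example-trail",
                                      "eventSelectors": [{"readWriteType": "ReadOnly"}]},
                "responseElements": {"trailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/example-trail",
                                     "eventSelectors": [{"readWriteType": "ReadOnly"}]}}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
                "requestParameters": {"bucketName": "example-bucket", "key": "file.txt"},
                "responseElements": None}),
]


def is_trail_modification(event: dict) -> bool:
    """True when the record is a CloudTrail API call that changes a trail."""
    return (event.get("eventSource") == "cloudtrail.amazonaws.com"
            and event.get("eventName") in TRAIL_MODIFYING_CALLS)


def detect(raw_records):
    """Parse raw JSON records and return one finding per trail modification.

    Each finding carries what the triage steps ask for: the caller ARN, the API
    name, the trail touched, the responseElements (scope of the change) and
    whether the call succeeded. Denied calls are kept on purpose: a failed
    StopLogging still shows intent and the credentials still need review.
    """
    findings = []
    for raw in raw_records:
        event = json.loads(raw)
        if not is_trail_modification(event):
            continue
        params = event.get("requestParameters") or {}
        findings.append({
            "arn": (event.get("userIdentity") or {}).get("arn"),
            "event_name": event["eventName"],
            # StopLogging/UpdateTrail/DeleteTrail use "name"; PutEventSelectors
            # uses "trailName" (assumed field names for this example).
            "trail": params.get("name") or params.get("trailName"),
            "succeeded": "errorCode" not in event,
            "response_elements": event.get("responseElements"),
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        status = "succeeded" if f["succeeded"] else "DENIED"
        print(f'{f["event_name"]:18} trail={f["trail"]} by {f["arn"]} ({status})')
```

Read-only calls such as DescribeTrails and events from other services are ignored, so the rule does not fire on routine auditing; the `succeeded` flag lets the responder separate a completed change (compare `response_elements` with the trail's expected configuration) from an attempt that IAM blocked.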