-
Notifications
You must be signed in to change notification settings - Fork 511
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[New Rule] Route53 Resolver Query Log Configuration Deleted (#3592)
* new rule 'Route53 Resolver Query Log Configuration Deleted' * added investigation guide * adjusted investigation notes * Update rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml Co-authored-by: Ruben Groenewoud <[email protected]> --------- Co-authored-by: Ruben Groenewoud <[email protected]> (cherry picked from commit 2375297)
- Loading branch information
1 parent
c7dcac3
commit a9c54a2
Showing
1 changed file
with
103 additions
and
0 deletions.
There are no files selected for viewing
103 changes: 103 additions & 0 deletions
103
rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,103 @@ | ||
| [metadata] | ||
| creation_date = "2024/04/12" | ||
| integration = ["aws"] | ||
| maturity = "production" | ||
| min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" | ||
| min_stack_version = "8.9.0" | ||
| updated_date = "2024/05/06" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| description = """ | ||
| Identifies when a Route53 Resolver Query Log Configuration is deleted. When a Route53 Resolver query log configuration | ||
| is deleted, Resolver stops logging DNS queries and responses for the specified configuration. Adversaries may delete | ||
| query log configurations to evade detection or cover their tracks. | ||
| """ | ||
| false_positives = ["Legitimate deletion of Route53 Resolver Query Log Configuration by authorized personnel."] | ||
| from = "now-60m" | ||
| index = ["filebeat-*", "logs-aws.cloudtrail*"] | ||
| interval = "10m" | ||
| language = "kuery" | ||
| license = "Elastic License v2" | ||
| name = "Route53 Resolver Query Log Configuration Deleted" | ||
| note = """ | ||
| ## Triage and Analysis | ||
| ### Investigating Route53 Resolver Query Log Configuration Deleted | ||
| This rule detects when a Route53 Resolver Query Log Configuration is deleted. Deleting these configurations stops the logging of DNS queries and responses, which can significantly impede network monitoring and compromise security visibility. Adversaries may delete these configurations to evade detection, remove evidence, or obscure their activities within a network. | ||
| Adversaries target Route53 Resolver query log configurations because these logs can contain evidence of malicious domain queries or responses. By deleting these logs, an adversary can prevent the capture of information that could reveal unauthorized network activities, aiding in avoiding detection and thwarting incident response efforts. | ||
| #### Possible Investigation Steps | ||
| - **Review the Deletion Details**: Examine the CloudTrail logs to identify when and by whom the deletion was initiated. | ||
| - Check the `event.action` and `user_identity` elements to understand the scope and authorization of the deletion. | ||
| - **Contextualize with User Actions**: Assess whether the deletion aligns with the user’s role and job responsibilities. | ||
| - Investigate if similar modifications have occurred recently that could suggest a pattern or broader campaign. | ||
| - **Analyze Access Patterns and Permissions**: Verify whether the user had the appropriate permissions to delete log configurations. | ||
| - Investigate any recent permission changes that might indicate role abuse or credentials compromise. | ||
| - **Correlate with Other Security Incidents**: Look for related security alerts or incidents that could be connected to the log deletion. | ||
| - This includes unusual network traffic, alerts from other AWS services, or findings from intrusion detection systems. | ||
| - **Interview the Responsible Team**: If the deletion was initiated by an internal team member, confirm their intent and authorization to ensure it was a legitimate action. | ||
| ### False Positive Analysis | ||
| - **Legitimate Administrative Actions**: Confirm that the deletion was part of scheduled IT operations or network management activities, possibly linked to maintenance or infrastructure updates. Validate this action against change management records or through interviews with relevant personnel. | ||
| ### Response and Remediation | ||
| - **Restore Logs if Feasible**: If the deletion was unauthorized, consider restoring the configuration from backups to ensure continuous visibility into DNS queries. | ||
| - **Review and Tighten Permissions**: Ensure that only authorized personnel have the capability to delete critical configurations. | ||
| - Adjust AWS IAM policies to reinforce security measures. | ||
| - **Enhance Monitoring of Log Management**: Implement or enhance monitoring rules to detect and alert on unauthorized changes to logging configurations, focusing on critical deletions. | ||
| - **Conduct Comprehensive Security Review**: If the deletion is verified as malicious, initiate a thorough security assessment to identify any further unauthorized changes or ongoing malicious activities. | ||
| ### Additional Information | ||
| For detailed instructions on managing Route53 Resolver and securing its configurations, refer to the [Amazon Route53 Resolver documentation](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DeleteResolverQueryLogConfig.html). | ||
| """ | ||
| references = [ | ||
| "https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DeleteResolverQueryLogConfig.html", | ||
| ] | ||
| risk_score = 47 | ||
| rule_id = "453183fa-f903-11ee-8e88-f661ea17fbce" | ||
| severity = "medium" | ||
| tags = [ | ||
| "Domain: Cloud", | ||
| "Data Source: AWS", | ||
| "Data Source: Amazon Web Services", | ||
| "Data Source: Amazon Route53", | ||
| "Use Case: Log Auditing", | ||
| "Resources: Investigation Guide", | ||
| "Tactic: Defense Evasion", | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "query" | ||
|
|
||
| query = ''' | ||
| event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com | ||
| and event.action: DeleteResolverQueryLogConfig and event.outcome: success | ||
| ''' | ||
|
|
||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1562" | ||
| name = "Impair Defenses" | ||
| reference = "https://attack.mitre.org/techniques/T1562/" | ||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1562.008" | ||
| name = "Disable or Modify Cloud Logs" | ||
| reference = "https://attack.mitre.org/techniques/T1562/008/" | ||
|
|
||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0005" | ||
| name = "Defense Evasion" | ||
| reference = "https://attack.mitre.org/tactics/TA0005/" | ||
|
|