AWS Config Disabling Channel/Recorder
Detects disabling of the AWS Config service through deletion of its delivery channel or stopping of its configuration recorder.
Sigma rule
title: AWS Config Disabling Channel/Recorder
id: 07330162-dba1-4746-8121-a9647d49d297
status: test
description: Detects AWS Config Service disabling
references:
    - https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-log-files-for-aws-config.html
author: vitaliy0x1
date: 2020-01-21
modified: 2022-10-09
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'config.amazonaws.com'
        eventName:
            - 'DeleteDeliveryChannel'
            - 'StopConfigurationRecorder'
    condition: selection
falsepositives:
    - Valid change in AWS Config Service
level: high
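The rule's selection applied to CloudTrail records, as an added Python example (not part of the Sigma rule or its repository). The function and helper names, the sample records, the account ID and the ARNs are constructed for illustration. It also reports whether each matched call succeeded, which the rule itself does not distinguish.

```python
import json

# Selection values taken from the Sigma rule above (lowercased for comparison).
EVENT_SOURCE = "config.amazonaws.com"
EVENT_NAMES = {"deletedeliverychannel", "stopconfigurationrecorder"}

def _rec(source, name, arn, **extra):
    """Build a constructed CloudTrail record (sample data, not real logs)."""
    return {"eventTime": "2024-01-01T00:00:00Z", "eventSource": source,
            "eventName": name, "awsRegion": "us-east-1",
            "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"arn": arn}, **extra}

# Constructed CloudTrail log file content.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("config.amazonaws.com", "StopConfigurationRecorder",
         "arn:aws:iam::111122223333:user/example-admin"),
    _rec("config.amazonaws.com", "DeleteDeliveryChannel",
         "arn:aws:iam::111122223333:user/example-dev", errorCode="AccessDenied"),
    _rec("config.amazonaws.com", "PutConfigurationRecorder",
         "arn:aws:iam::111122223333:user/example-admin"),
    _rec("cloudtrail.amazonaws.com", "StopLogging",
         "arn:aws:iam::111122223333:user/example-admin"),
]})

def match_config_disabling(log_text):
    """Return one triage dict per record that matches the rule's selection."""
    hits = []
    for rec in json.loads(log_text).get("Records", []):
        # Sigma compares string values case-insensitively by default.
        if str(rec.get("eventSource", "")).lower() != EVENT_SOURCE:
            continue
        if str(rec.get("eventName", "")).lower() not in EVENT_NAMES:
            continue
        hits.append({
            "time": rec.get("eventTime"),
            "action": rec.get("eventName"),
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            "region": rec.get("awsRegion"),
            "source_ip": rec.get("sourceIPAddress"),
            # CloudTrail sets errorCode only when the API call failed.
            "succeeded": "errorCode" not in rec,
        })
    return hits

if __name__ == "__main__":
    for hit in match_config_disabling(SAMPLE_LOG):
        print(hit)
```

A denied attempt still matches the rule; the `succeeded` field lets an analyst separate an attempted change from one that actually stopped recording or delivery.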