AWS Config Disabling Channel/Recorder

 1title: AWS Config Disabling Channel/Recorder
 2id: 07330162-dba1-4746-8121-a9647d49d297
 3status: test
 4description: Detects AWS Config Service disabling
 5references:
 6    - https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-log-files-for-aws-config.html
 7author: vitaliy0x1
 8date: 2020/01/21
 9modified: 2022/10/09
10tags:
11    - attack.defense_evasion
12    - attack.t1562.001
13logsource:
14    product: aws
15    service: cloudtrail
16detection:
17    selection:
18        eventSource: 'config.amazonaws.com'
19        eventName:
20            - 'DeleteDeliveryChannel'
21            - 'StopConfigurationRecorder'
22    condition: selection
23falsepositives:
24    - Valid change in AWS Config Service
25level: high

References

• Example Log Files - AWS Config

  For examples of the CloudTrail log entries, see the following topics.

  
  Read More

Related rules

• Cisco Disabling Logging
• NetNTLM Downgrade Attack - Registry
• Hypervisor Enforced Code Integrity Disabled
• Powershell Defender Disable Scan Feature
• Tamper Windows Defender - PSClassic