AWS Config Disabling Channel/Recorder
Detects attempts to disable the AWS Config service by deleting its delivery channel or stopping its configuration recorder.
Sigma rule

title: AWS Config Disabling Channel/Recorder
id: 07330162-dba1-4746-8121-a9647d49d297
status: test
description: Detects AWS Config Service disabling
references:
    - https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-log-files-for-aws-config.html
author: vitaliy0x1
date: 2020/01/21
modified: 2022/10/09
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'config.amazonaws.com'
        eventName:
            - 'DeleteDeliveryChannel'
            - 'StopConfigurationRecorder'
    condition: selection
falsepositives:
    - Valid change in AWS Config Service
level: high
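
The rule's selection applied to the `Records` array of a CloudTrail log file, returning the fields an analyst needs to separate a valid change from tampering. This is an added example, not part of the Sigma rule or project: the sample records, account ID, ARNs and IP addresses are constructed, and the `succeeded` flag (derived from CloudTrail's `errorCode` field) is an addition the rule itself does not evaluate.

```python
import json

# Selection from the Sigma rule; Sigma compares string values case-insensitively.
EVENT_SOURCE = "config.amazonaws.com"
EVENT_NAMES = {"deletedeliverychannel", "stopconfigurationrecorder"}

# Constructed CloudTrail log file content (placeholder account, ARNs and IPs).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "config.amazonaws.com",
     "eventName": "StopConfigurationRecorder",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"configurationRecorderName": "default"}},
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "config.amazonaws.com",
     "eventName": "DeleteDeliveryChannel", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"deliveryChannelName": "default"}},
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "config.amazonaws.com",
     "eventName": "DescribeConfigurationRecorders", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/example-audit"}},
    {"eventTime": "2024-01-01T10:03:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/example-audit"}},
]})

def matches(event):
    """Apply the rule's selection (eventSource AND eventName in list) to one event."""
    return (str(event.get("eventSource", "")).lower() == EVENT_SOURCE
            and str(event.get("eventName", "")).lower() in EVENT_NAMES)

def find_config_tampering(log_text):
    """Return one triage record per matching event in a CloudTrail log file."""
    hits = []
    for event in json.loads(log_text).get("Records", []):
        if not matches(event):
            continue
        hits.append({
            "time": event.get("eventTime"),
            "action": event.get("eventName"),
            "actor": (event.get("userIdentity") or {}).get("arn"),
            "source_ip": event.get("sourceIPAddress"),
            "target": event.get("requestParameters"),
            # The rule also fires on denied calls; errorCode marks a failed attempt.
            "succeeded": "errorCode" not in event,
        })
    return hits

if __name__ == "__main__":
    for hit in find_config_tampering(SAMPLE_LOG):
        print(json.dumps(hit))
```

A denied call still matches the rule and is worth reviewing, since it shows an attempt to disable recording even though AWS Config kept running.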
Related rules
- Cisco Disabling Logging
- NetNTLM Downgrade Attack - Registry
- Hypervisor Enforced Code Integrity Disabled
- Powershell Defender Disable Scan Feature
- Tamper Windows Defender - PSClassic