
AWS API calls indicating evasion

ID: aws_evasion
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0005 (Defense Evasion), T1562.008 (Impair Defenses: Disable or Modify Cloud Logs)

Description

AlphaSOC detected the use of AWS APIs indicating potential evasion. Detected actions may include changing or disabling logging settings, Access Control Lists (ACLs), and security groups. This pattern of behavior may indicate that threat actors are trying to disable security controls within the AWS environment to avoid detection.

Impact

Successful evasion of AWS security controls can lead to prolonged unauthorized access. Threat actors may be able to operate undetected within the AWS environment and potentially escalate privileges, access sensitive data, or launch further attacks.

Severity

Severity       Condition
Informational  Unexpected action, ASN, user agent or region
Low            Two unexpected properties at the same time
Medium         Three unexpected properties at the same time
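The scoring described above, as an added example that is not AlphaSOC's implementation: a CloudTrail event is flagged only when its API call is one that touches logging, ACLs or security groups, and the severity rises with the number of properties (action, ASN, user agent, region) that fall outside a per-account baseline. The action list, the baseline values, and the presence of an "asn" field enriched upstream from sourceIPAddress are assumptions; CloudTrail records carry no ASN field themselves.

```python
# Added example (not AlphaSOC code): score CloudTrail events that touch logging,
# ACLs or security groups by how many properties fall outside a known baseline.
# Assumed: the action list, the baseline, and an "asn" field enriched upstream
# from sourceIPAddress (CloudTrail records carry no ASN themselves).

EVASION_ACTIONS = {                      # assumed list of evasion-style APIs
    "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
    "DeleteFlowLogs", "DeleteSecurityGroup", "AuthorizeSecurityGroupIngress",
    "PutBucketAcl", "PutBucketLogging", "DeleteDetector",
}

BASELINE = {                             # assumed per-account normal values
    "eventName": {"UpdateTrail"},        # e.g. an IaC pipeline tuning trails
    "asn": {"AS16509"},                  # Amazon: calls made from inside AWS
    "userAgent": {"terraform"},          # matched as a case-insensitive prefix
    "awsRegion": {"us-east-1", "eu-west-1"},
}

SEVERITY = {1: "Informational", 2: "Low"}   # three or more -> Medium

def is_expected(prop, value):
    if prop == "userAgent":
        return value.lower().startswith(tuple(BASELINE[prop]))
    return value in BASELINE[prop]

def score_event(event):
    """Return (severity, unexpected property names), or None if not flagged."""
    if event.get("eventName") not in EVASION_ACTIONS:
        return None                      # not an evasion-style action at all
    unexpected = [p for p in BASELINE if not is_expected(p, event.get(p, ""))]
    if not unexpected:
        return None                      # fully baselined automation: suppress
    return SEVERITY.get(len(unexpected), "Medium"), unexpected

# Constructed sample events (AS64496 is a documentation ASN, not a real network).
SAMPLE_EVENTS = [
    {"eventName": "UpdateTrail", "asn": "AS16509", "userAgent": "Terraform/1.5.7", "awsRegion": "us-east-1"},
    {"eventName": "StopLogging", "asn": "AS16509", "userAgent": "Terraform/1.5.7", "awsRegion": "us-east-1"},
    {"eventName": "DeleteFlowLogs", "asn": "AS16509", "userAgent": "aws-cli/2.15.0", "awsRegion": "eu-west-1"},
    {"eventName": "PutBucketLogging", "asn": "AS64496", "userAgent": "Terraform/1.5.7", "awsRegion": "ap-southeast-1"},
    {"eventName": "DescribeInstances", "asn": "AS64496", "userAgent": "aws-cli/2.15.0", "awsRegion": "ap-southeast-1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        result = score_event(ev)
        print(ev["eventName"], "->", result[0] if result else "not flagged",
              f"(unexpected: {result[1]})" if result else "")
```

Only the second, third and fourth sample events are flagged, at Informational, Low and Medium respectively; the baselined UpdateTrail and the read-only DescribeInstances produce nothing.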

Investigation and Remediation

Verify whether the actions were authorized. If they were not, review any changes made, re-enable logging, revoke the associated access keys, and reset the IAM credentials. To avoid future incidents, always grant least-privilege access and configure the default account policy so that logging is enabled.

Known False Positives