CloudTrail Alert Details
Alert ID: CLOUDTRAIL-LOG-ENUM-1654-7842
Alert Time: 2024-03-14 16:30:45 EST
Severity: MEDIUM (68/100)
Source: AWS CloudTrail + GuardDuty
Rule: “Anomalous CloudTrail Log Access”
MITRE ATT&CK: T1654 – Log Enumeration
Alert Details:
Detection: IAM user enumerating CloudTrail trails and logs
IAM User: dev_user (developer account)
Source IP: 185.143.221[.]89 (Bulgaria)
Time: 16:15-16:30 EST
API Calls (CloudTrail):
16:15:10 – cloudtrail:DescribeTrails (list all trails) – SUCCESS
16:15:45 – cloudtrail:GetTrailStatus (get status of each trail) – SUCCESS
16:16:22 – cloudtrail:LookupEvents (search logs for specific users/actions) – SUCCESS
16:17:05 – cloudtrail:LookupEvents (search for “CreateUser”) – SUCCESS
16:17:48 – cloudtrail:LookupEvents (search for “ConsoleLogin”) – SUCCESS
16:18:30 – s3:ListObjects on bucket: company-cloudtrail-logs (trail logs) – SUCCESS
16:19:15 – s3:GetObject on log file 123456789012_CloudTrail_us-east-1_20240314T1600Z.json (downloaded)
16:20:00 – s3:GetObject on another log file (downloaded)
Detection Logic:
dev_user has no legitimate need to access CloudTrail logs
Source IP unusual (Bulgaria)
LookupEvents used to search for specific activities
Log files downloaded from S3
Pattern matches attacker checking what logs exist and what they record
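The detection logic above, implemented over constructed CloudTrail records as an added example (not the rule GuardDuty or the SOC actually ran). It groups records per IAM user, looks for trail enumeration (DescribeTrails, GetTrailStatus, LookupEvents) followed within a window by GetObject on the trail bucket, and scores the finding; the "country" field, the LOG_READERS allowlist and HOME_COUNTRIES are assumptions, as is the _rec helper used to build the sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TRAIL_BUCKETS = {"company-cloudtrail-logs"}   # trail bucket named in the alert
ENUM_CALLS = {"DescribeTrails", "GetTrailStatus", "LookupEvents"}
LOG_READERS = {"security-audit"}              # assumption: principals expected to read trail logs
HOME_COUNTRIES = {"US"}                       # assumption: where this account's users normally work
_ts = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_log_enumeration(records, window=timedelta(minutes=15)):
    """Per IAM user, flag CloudTrail enumeration followed by reads of the trail bucket.
    'country' is assumed to come from a GeoIP enrichment of sourceIPAddress (not a native field)."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["userIdentity"].get("userName", "<unknown>")].append(r)
    findings = []
    for user, evs in by_user.items():
        if user in LOG_READERS:
            continue
        evs.sort(key=lambda e: _ts(e["eventTime"]))
        enum = [e for e in evs if e["eventSource"] == "cloudtrail.amazonaws.com"
                and e["eventName"] in ENUM_CALLS]
        if not enum:
            continue
        # Terms searched via LookupEvents (e.g. CreateUser, ConsoleLogin) show what the actor looked for
        searched = [a["attributeValue"] for e in enum if e["eventName"] == "LookupEvents"
                    for a in e["requestParameters"].get("lookupAttributes", [])]
        # Trail objects fetched from S3 within `window` of the first enumeration call
        downloaded = [e["requestParameters"]["key"] for e in evs
                      if e["eventSource"] == "s3.amazonaws.com" and e["eventName"] == "GetObject"
                      and e["requestParameters"].get("bucketName") in TRAIL_BUCKETS
                      and _ts(e["eventTime"]) - _ts(enum[0]["eventTime"]) <= window]
        score = (20 + 20 * bool(searched) + 30 * bool(downloaded)
                 + 30 * bool({e.get("country") for e in evs} - HOME_COUNTRIES))
        findings.append({"user": user, "score": score, "searched": searched, "downloaded": downloaded,
                         "source_ips": sorted({e["sourceIPAddress"] for e in evs})})
    return [f for f in findings if f["score"] >= 40]   # bare enumeration alone (20) is not alerted

# Constructed sample records (abbreviated CloudTrail fields; the alert's EST times converted to UTC)
def _rec(time, source, name, user, ip, country, params=None):
    return {"eventTime": time, "eventSource": source, "eventName": name, "country": country,
            "userIdentity": {"userName": user}, "sourceIPAddress": ip, "requestParameters": params or {}}
ATTACKER_IP = "185.143.221[.]89"   # defanged, as written in the alert
SAMPLE_RECORDS = [
    _rec("2024-03-14T21:15:10Z", "cloudtrail.amazonaws.com", "DescribeTrails", "dev_user", ATTACKER_IP, "BG"),
    _rec("2024-03-14T21:17:05Z", "cloudtrail.amazonaws.com", "LookupEvents", "dev_user", ATTACKER_IP, "BG",
         {"lookupAttributes": [{"attributeKey": "EventName", "attributeValue": "CreateUser"}]}),
    _rec("2024-03-14T21:19:15Z", "s3.amazonaws.com", "GetObject", "dev_user", ATTACKER_IP, "BG",
         {"bucketName": "company-cloudtrail-logs", "key": "123456789012_CloudTrail_us-east-1_20240314T1600Z.json"}),
    _rec("2024-03-14T21:20:00Z", "cloudtrail.amazonaws.com", "DescribeTrails", "security-audit", "10.0.0.5", "US"),
]
```

Running `detect_log_enumeration(SAMPLE_RECORDS)` returns one finding for dev_user with the searched terms and downloaded object keys, which is the evidence the impact assessment step needs.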
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify CloudTrail logs | CloudTrail Console, GuardDuty | Confirmed log enumeration and download
2. Account Investigation | Check dev_user activity | AWS IAM, CloudTrail | Developer account compromised (phishing)
3. Immediate Action | Rotate access keys | AWS IAM | dev_user keys rotated
4. Log Access Restriction | Revoke unnecessary permissions | IAM Policy | Removed CloudTrail and S3 log access
5. Impact Assessment | Determine what logs were accessed | CloudTrail | Attacker downloaded logs containing 2 weeks of API activity
6. Account Remediation | Disable dev_user temporarily | AWS IAM | Account disabled; password reset
Jira Incident Report
Ticket: SOC-2024-219
Summary: T1654 – Log Enumeration: Attacker Accesses and Downloads CloudTrail Logs
Status: RESOLVED
Resolution: MALICIOUS – Logs Accessed, Permissions Revoked
Priority: P2 – MEDIUM
Labels: T1654, log-enumeration, cloudtrail, guardduty, compromised-account
Components: Cloud-Security, Logging
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: AWS CloudTrail + GuardDuty.
Alert: “Anomalous CloudTrail Log Access”.
IAM User: dev_user (developer account).
Source IP: 185.143.221[.]89 (Bulgaria).
Activity: Described trails, looked up events, downloaded 2 log files.
Time: 2024-03-14 16:30 EST.
Technique: MITRE ATT&CK T1654 – Log Enumeration.
2. Technical Analysis:
Attack Chain:
15:30 – dev_user account compromised (phishing)
15:45 – Attacker logs into AWS from Bulgaria
16:00 – Attacker enumerates CloudTrail logs
16:15-16:30 – Log enumeration and download
16:30 – GuardDuty detects
Logs Downloaded:
123456789012_CloudTrail_us-east-1_20240314T1600Z.json (2 weeks of API calls)
Another file with additional logs
Total: 2 files, ~5 MB
Information in Logs:
All API calls made by all users in the account
Includes sensitive operations (IAM changes, S3 access, Lambda creations)
Attacker can analyze logs to understand environment and avoid detection
Attacker Intent:
Reconnaissance: see what activities are logged
Identify which actions might trigger alerts
Plan further attacks
User Status:
Account compromised; user unaware
3. Investigation Findings:
Timeline:
15:30 – Account compromised
15:45 – Attacker logs in
16:00-16:30 – Log enumeration
16:30 – Alert
16:32 – SOC investigates
16:33 – Keys rotated
16:34 – Permissions revoked
Indicators of Compromise (IoCs):
Network:
– Attacker IP: 185.143.221[.]89
API Calls:
– cloudtrail:DescribeTrails
– cloudtrail:LookupEvents
– s3:GetObject on cloudtrail bucket
Account:
– dev_user (compromised)
4. Containment Actions:
Immediate Actions:
Rotated dev_user access keys.
Removed CloudTrail and S3 log access from IAM policy.
Blocked attacker IP.
Disabled account temporarily.
Post-Incident:
Reviewed CloudTrail logs for further malicious activity.
No evidence of other actions.
Account Remediation:
Enforced MFA.
5. Root Cause Analysis:
Primary Cause: Developer account compromised via phishing.
Contributing Factors:
No MFA on account.
Excessive permissions (could access logs).
6. Business Impact:
Operational Impact: None.
Data Exposure: 2 weeks of CloudTrail logs exposed; no customer data.
7. Remediation & Prevention:
Completed Actions:
Keys rotated.
Permissions restricted.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Implemented least privilege IAM policies.
Enabled GuardDuty with log access alerts.
8. Conclusion:
An attacker compromised a developer account and enumerated CloudTrail logs, downloading 2 weeks of API activity. GuardDuty detected the anomalous log access, enabling revocation of permissions. The logs contained no customer data but could aid further attacks.
Closure Rationale: Logs accessed; permissions revoked; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-14 17:30 EST