Severity
low

GuardDuty detection bypass via CloudTrail

Published Thu, Apr 23rd, 2020
Platforms
AWS

Summary

GuardDuty alerted when CloudTrail logging was switched off outright (for example via StopLogging), but not when an attacker holding cloudtrail:PutEventSelectors reconfigured a trail so that it recorded nothing. Event selectors that exclude management events and name no data resources leave the trail in the "logging" state while it emits no events at all, so defenders were left with no logs to review. AWS fixed the gap by adding a GuardDuty detection that triggers when PutEventSelectors is used to disable all event types.

Affected Services

GuardDuty

Remediation

As a safety measure, set up additional detections independent of GuardDuty: alert on cloudtrail:PutEventSelectors (together with StopLogging, DeleteTrail and UpdateTrail) from your own log pipeline rather than relying on the managed finding alone. Reduce the blast radius as well: an organization trail owned by the management account cannot be modified from member accounts, and a service control policy can deny these CloudTrail write APIs to everything except a break-glass role.
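The detection logic described in the summary and remediation above, written as an added example (not code from the original page or from Rhino Security): it runs over CloudTrail records as JSON lines, flags StopLogging and DeleteTrail (what GuardDuty already caught) and distinguishes a PutEventSelectors call that leaves the trail recording nothing from one that merely changes what is recorded. The sample records are constructed, and the request-parameter field names ("eventSelectors", "includeManagementEvents", "dataResources", "trailName") are assumed to follow CloudTrail's usual camelCase; lookups are case-insensitive in case that assumption is off.

```python
"""Offline detection for CloudTrail event-selector tampering.

Added example, not from the original page or from Rhino Security.
Assumption: requestParameters use CloudTrail's camelCase field names
("eventSelectors", "includeManagementEvents", "dataResources", "trailName").
"""
import json
from typing import Any, Dict, Iterable, List, Optional

# API calls that already produced a GuardDuty finding in 2020 (trail switched off)
LOGGING_OFF_CALLS = {"StopLogging", "DeleteTrail"}
# The call this issue is about: trail stays "logging" but is told to record nothing
SELECTOR_CALL = "PutEventSelectors"


def _get(obj: Any, key: str, default: Any = None) -> Any:
    """Case-insensitive dict lookup, so camelCase vs PascalCase does not matter."""
    if not isinstance(obj, dict):
        return default
    for k, v in obj.items():
        if k.lower() == key.lower():
            return v
    return default


def selectors_record_nothing(params: Dict[str, Any]) -> bool:
    """True if the requested selectors leave the trail recording no events.

    Classic selectors record nothing when every selector excludes management
    events and lists no data resources. Advanced selectors are treated as
    "records something" because judging them needs per-field evaluation
    this example does not attempt (conservative: no false 'critical').
    """
    if _get(params, "advancedEventSelectors"):
        return False
    selectors = _get(params, "eventSelectors") or []
    if not selectors:
        return False  # nothing to judge
    for sel in selectors:
        if _get(sel, "includeManagementEvents", True):
            return False
        if _get(sel, "dataResources"):
            return False
    return True


def evaluate_event(event: Dict[str, Any]) -> Optional[Dict[str, str]]:
    """Return a finding for one CloudTrail record, or None if it is benign."""
    if event.get("eventSource") != "cloudtrail.amazonaws.com":
        return None
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    trail = _get(params, "name") or _get(params, "trailName") or "?"
    actor = (event.get("userIdentity") or {}).get("arn", "?")
    if name in LOGGING_OFF_CALLS:
        return {"severity": "critical", "trail": trail, "actor": actor,
                "reason": f"{name}: trail logging switched off"}
    if name == SELECTOR_CALL:
        if selectors_record_nothing(params):
            return {"severity": "critical", "trail": trail, "actor": actor,
                    "reason": "PutEventSelectors left trail running but recording nothing"}
        return {"severity": "medium", "trail": trail, "actor": actor,
                "reason": "PutEventSelectors changed what the trail records; review"}
    return None


def scan(records: Iterable[str]) -> List[Dict[str, str]]:
    """Run evaluate_event over JSON lines, skipping blank or unparsable ones."""
    findings = []
    for line in records:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = evaluate_event(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records (not real CloudTrail output).
_ADMIN = {"arn": "arn:aws:iam::123456789012:user/admin"}
SAMPLE_RECORDS = [
    # Benign: management events stay on.
    json.dumps({"eventSource": "cloudtrail.amazonaws.com", "eventName": "PutEventSelectors",
                "userIdentity": _ADMIN, "requestParameters": {"trailName": "org-trail",
                "eventSelectors": [{"readWriteType": "All", "includeManagementEvents": True,
                                    "dataResources": []}]}}),
    # The bypass: no management events, no data resources, trail still "logging".
    json.dumps({"eventSource": "cloudtrail.amazonaws.com", "eventName": "PutEventSelectors",
                "userIdentity": _ADMIN, "requestParameters": {"trailName": "org-trail",
                "eventSelectors": [{"readWriteType": "ReadOnly", "includeManagementEvents": False,
                                    "dataResources": []}]}}),
    # What GuardDuty already detected.
    json.dumps({"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
                "userIdentity": _ADMIN, "requestParameters": {"name": "org-trail"}}),
    # Unrelated call, must produce no finding.
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "userIdentity": _ADMIN}),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"[{f['severity']}] {f['trail']} by {f['actor']}: {f['reason']}")
```

Feed it the JSON lines from a CloudTrail log delivered to a bucket that the tampered trail's owner cannot write to (for example an organization trail in another account); a detector fed only by the trail being attacked would never see the call that silenced it.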

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Thu, Apr 23rd, 2020
Exploitability Period
-
Known ITW Exploitation
-
Detection Methods
-
Discovered by
Spencer Gietzen, Rhino Security