
Remove VPC Flow Logs

Platform: AWS

MITRE ATT&CK Tactics

  • Defense Evasion

Description

Removes a VPC Flow Logs configuration from a VPC.

Warm-up:

  • Create a VPC with a VPC Flow Logs configuration.

Detonation:

  • Remove the VPC Flow Logs configuration.

Instructions

Detonate with Stratus Red Team
stratus detonate aws.defense-evasion.vpc-remove-flow-logs

Detection

Identify the removal of VPC Flow Logs through CloudTrail's DeleteFlowLogs event.

To reduce the risk of false positives related to VPC deletion in development environments, alerts can be raised only when DeleteFlowLogs is not closely followed by DeleteVpc.
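
One way to implement this suppression over exported CloudTrail records, as an added example that is not Stratus Red Team's own code. The 300-second window and the correlation by account, region and calling principal are assumptions, and the sample events are constructed.

```python
from datetime import datetime

def _ev(name, time, arn, error=None):
    """Build a constructed CloudTrail record holding only the fields used below."""
    ev = {"eventName": name, "eventTime": time, "awsRegion": "us-east-1",
          "recipientAccountId": "111111111111", "userIdentity": {"arn": arn}}
    if error:
        ev["errorCode"] = error
    return ev

CI = "arn:aws:sts::111111111111:assumed-role/ci-deploy/terraform"  # constructed
OPS = "arn:aws:sts::111111111111:assumed-role/ops/alice"           # constructed
SAMPLE_EVENTS = [
    _ev("DeleteFlowLogs", "2024-01-10T09:00:00Z", CI),   # dev teardown ...
    _ev("DeleteVpc",      "2024-01-10T09:00:40Z", CI),   # ... VPC deleted 40 s later
    _ev("DeleteFlowLogs", "2024-01-10T11:30:00Z", OPS),  # no DeleteVpc follows
    _ev("DeleteFlowLogs", "2024-01-10T13:00:00Z", OPS),  # only a failed DeleteVpc follows
    _ev("DeleteVpc",      "2024-01-10T13:01:00Z", OPS, error="Client.DependencyViolation"),
    _ev("DeleteFlowLogs", "2024-01-10T14:00:00Z", OPS, error="Client.UnauthorizedOperation"),
]

def _when(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _scope(ev):
    # Correlation key (assumption): same account, region and calling principal.
    return (ev["recipientAccountId"], ev["awsRegion"], ev["userIdentity"]["arn"])

def flow_log_removals_to_alert(events, window_seconds=300):
    """Return successful DeleteFlowLogs events that are not followed, within
    window_seconds, by a successful DeleteVpc from the same scope."""
    ok = [e for e in events if "errorCode" not in e]  # failed calls changed nothing
    vpc_deletes = [e for e in ok if e["eventName"] == "DeleteVpc"]
    alerts = []
    for e in ok:
        if e["eventName"] != "DeleteFlowLogs":
            continue
        followed = any(
            _scope(v) == _scope(e)
            and 0 <= (_when(v) - _when(e)).total_seconds() <= window_seconds
            for v in vpc_deletes)
        if not followed:
            alerts.append(e)
    return alerts

if __name__ == "__main__":
    for a in flow_log_removals_to_alert(SAMPLE_EVENTS):
        print(a["eventTime"], a["userIdentity"]["arn"])
```

Evaluate only DeleteFlowLogs events that are at least `window_seconds` old, so that a later DeleteVpc has had time to arrive. Tying a flow log to the specific VPC that was deleted needs resource inventory data that these records alone do not provide.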