Delete CloudTrail Trail
Platform: AWS
MITRE ATT&CK Tactics
- Defense Evasion
Description
Delete a CloudTrail trail. Simulates an attacker disrupting CloudTrail logging.
Warm-up:
- Create a CloudTrail trail.
Detonation:
- Delete the CloudTrail trail.
Instructions
Detection
Identify when a CloudTrail trail is deleted, through CloudTrail's DeleteTrail event.
GuardDuty also provides a dedicated finding type, Stealth:IAMUser/CloudTrailLoggingDisabled.
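One way to run the DeleteTrail check over a CloudTrail log file, shown as an added example that is not part of the original page or the tool it documents. The sample records, account ID, user name, trail name and IP addresses are constructed, and the function name is hypothetical.

```python
import json

# Constructed CloudTrail records for illustration (not real log data).
_BASE = {"eventSource": "cloudtrail.amazonaws.com", "awsRegion": "us-east-1",
         "sourceIPAddress": "198.51.100.7",
         "userIdentity": {"type": "IAMUser",
                          "arn": "arn:aws:iam::111122223333:user/example-user"}}
SAMPLE_LOG = json.dumps({"Records": [
    # Read-only call against CloudTrail: must not alert.
    dict(_BASE, eventTime="2024-01-01T10:00:00Z", eventName="DescribeTrails",
         requestParameters=None),
    # Denied attempt (constructed here with null requestParameters).
    dict(_BASE, eventTime="2024-01-01T10:01:00Z", eventName="DeleteTrail",
         errorCode="AccessDenied", requestParameters=None),
    # Successful deletion.
    dict(_BASE, eventTime="2024-01-01T10:05:00Z", eventName="DeleteTrail",
         requestParameters={"name": "example-trail"}),
    # Same verb prefix on another service: must not alert.
    dict(_BASE, eventTime="2024-01-01T10:06:00Z", eventName="DeleteBucket",
         eventSource="s3.amazonaws.com",
         requestParameters={"bucketName": "example-bucket"}),
]})


def find_trail_deletions(log_text):
    """Return one alert dict per DeleteTrail call found in a CloudTrail log file."""
    alerts = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        if rec.get("eventName") != "DeleteTrail":
            continue
        identity = rec.get("userIdentity") or {}
        params = rec.get("requestParameters") or {}  # may be null in the record
        alerts.append({
            "time": rec.get("eventTime"),
            "actor": identity.get("arn") or identity.get("principalId"),
            "trail": params.get("name"),
            "source_ip": rec.get("sourceIPAddress"),
            "region": rec.get("awsRegion"),
            # A failed call carries errorCode: the trail still exists,
            # but the attempt is kept for triage.
            "succeeded": "errorCode" not in rec,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_trail_deletions(SAMPLE_LOG):
        print(alert)
```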