Delete CloudTrail Trail

Platform: AWS

MITRE ATT&CK Tactics

  • Defense Evasion

Description

Delete a CloudTrail trail. Simulates an attacker disrupting CloudTrail logging.

Warm-up:

  • Create a CloudTrail trail.

Detonation:

  • Delete the CloudTrail trail.

Instructions

Detonate with Stratus Red Team
stratus detonate aws.defense-evasion.cloudtrail-delete

Detection

Identify when a CloudTrail trail is deleted, through CloudTrail's DeleteTrail event.

GuardDuty also provides a dedicated finding type, Stealth:IAMUser/CloudTrailLoggingDisabled.
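
The DeleteTrail detection above, applied to the contents of a CloudTrail log file, as an added example that is not part of Stratus Red Team or of the original page. It assumes the standard CloudTrail record fields (eventSource, eventName, requestParameters.name, userIdentity.arn, errorCode); the function name, account ID, user names, trail name and IP addresses are constructed for illustration.

```python
import json

# Constructed sample of a CloudTrail log file body (not real account data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "requestParameters": None,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/auditor"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "errorCode": "AccessDenied",
     "requestParameters": {"name": "example-trail"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/intern"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-01-01T10:09:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail",
     "requestParameters": {"name": "example-trail"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-admin"},
     "sourceIPAddress": "203.0.113.10"},
]})


def find_trail_deletions(log_text):
    """Return one alert per DeleteTrail record, successful or denied."""
    alerts = []
    for rec in json.loads(log_text).get("Records", []):
        if (rec.get("eventSource"), rec.get("eventName")) != (
                "cloudtrail.amazonaws.com", "DeleteTrail"):
            continue
        # requestParameters and userIdentity may be null or absent in a record.
        params = rec.get("requestParameters") or {}
        identity = rec.get("userIdentity") or {}
        alerts.append({
            "time": rec.get("eventTime"),
            "trail": params.get("name"),
            "actor": identity.get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            # A record carrying errorCode is a failed attempt, still worth review.
            "succeeded": "errorCode" not in rec,
            "error": rec.get("errorCode"),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_trail_deletions(SAMPLE_LOG):
        print(alert)
```

Denied attempts are reported alongside successful deletions because a failed DeleteTrail call from an unexpected principal is often the earlier signal.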