Disable CloudTrail Logging Through Event Selectors

idempotent

Platform: AWS

MITRE ATT&CK Tactics

  • Defense Evasion

Description

Disrupt CloudTrail logging by creating an event selector on the trail that filters out all management events, so API activity in the account is no longer recorded by that trail.

Reference: https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass

Warm-up:

  • Create a CloudTrail trail.

Detonation:

  • Create a CloudTrail event selector that disables management events, through cloudtrail:PutEventSelectors.

Instructions

Detonate with Stratus Red Team
stratus detonate aws.defense-evasion.cloudtrail-event-selectors

Detection

Identify when event selectors of a CloudTrail trail are updated, through CloudTrail's PutEventSelectors event.
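One way to implement this detection over CloudTrail records, as an added example that is not part of the Stratus Red Team project: it flags every PutEventSelectors call and raises the severity when the new selectors no longer include management events. The sample records are constructed, and the camelCase field names under requestParameters are assumed to mirror the API's parameters as CloudTrail renders them.

```python
# Constructed sample CloudTrail records (not real log data). Field names under
# requestParameters are assumed to be CloudTrail's camelCase rendering of the
# PutEventSelectors API parameters (trailName, eventSelectors, ...).
SAMPLE_RECORDS = [
    {   # management events switched off: this is the technique on this page
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "PutEventSelectors",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
        "requestParameters": {
            "trailName": "example-trail",
            "eventSelectors": [
                {"readWriteType": "All", "includeManagementEvents": False,
                 "dataResources": []}],
        },
    },
    {   # selectors updated but management events still logged
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "PutEventSelectors",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/trail-admin"},
        "requestParameters": {
            "trailName": "example-trail",
            "eventSelectors": [
                {"readWriteType": "All", "includeManagementEvents": True,
                 "dataResources": []}],
        },
    },
    {   # unrelated event, must be ignored by the rule
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
        "requestParameters": {},
    },
]


def management_events_disabled(selectors):
    """True when no selector keeps management events on (an empty list counts)."""
    return not any(s.get("includeManagementEvents", False) for s in selectors)


def classify_put_event_selectors(record):
    """Return a finding for a PutEventSelectors call, or None for other events."""
    if (record.get("eventSource") != "cloudtrail.amazonaws.com"
            or record.get("eventName") != "PutEventSelectors"):
        return None
    params = record.get("requestParameters") or {}
    selectors = params.get("eventSelectors") or []
    severity = "high" if management_events_disabled(selectors) else "medium"
    return {"trail": params.get("trailName"),
            "actor": record.get("userIdentity", {}).get("arn"),
            "severity": severity}


def scan(records):
    """Apply the rule to every record and keep only the findings."""
    return [f for f in map(classify_put_event_selectors, records) if f]
```

Any PutEventSelectors call is worth reviewing, since legitimate changes to a trail's selectors are rare; the high-severity case is the one that matches this technique.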