Stop CloudTrail Trail
idempotent
Platform: AWS
MITRE ATT&CK Tactics
- Defense Evasion
Description
Stops a CloudTrail Trail from logging. Simulates an attacker disrupting CloudTrail logging.
Warm-up:
- Create a CloudTrail Trail.
Detonation:
- Call cloudtrail:StopLogging to stop CloudTrail logging.
Instructions
Detection
Identify when a CloudTrail trail is disabled through CloudTrail's StopLogging event.
GuardDuty also provides a dedicated finding type, Stealth:IAMUser/CloudTrailLoggingDisabled.
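The StopLogging detection described above, as an added example (not part of the Stratus Red Team page or project): it reads a CloudTrail log file body, keeps only cloudtrail:StopLogging calls, and keeps denied attempts too (a record carrying errorCode) at a lower severity, since a failed stop still signals intent. The sample records are constructed for this example; the first mirrors the detonation log on this page, the other two are invented.

```python
import json

# Constructed sample: a CloudTrail log file body ({"Records": [...]}) with three events.
# Record 1 mirrors the detonation log on this page; records 2 and 3 are made up here.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-07-31T13:06:24Z", "eventName": "StopLogging",
     "eventSource": "cloudtrail.amazonaws.com", "awsRegion": "apiso-centralnorth-2r",
     "sourceIPAddress": "86.245.153.234",
     "userAgent": "stratus-red-team_c97089f1-1ae3-4ecc-b006-f5e8fd0f2571",
     "requestParameters": {"name": "stratus-red-team-ct-stop-trail-buykxbqejv"},
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::143434273843:user/christophe"}},
    {"eventTime": "2024-07-31T13:07:02Z", "eventName": "StopLogging",
     "eventSource": "cloudtrail.amazonaws.com", "awsRegion": "apiso-centralnorth-2r",
     "sourceIPAddress": "203.0.113.7", "errorCode": "AccessDenied",
     "requestParameters": {"name": "management-trail"},
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::143434273843:assumed-role/dev/alice"}},
    {"eventTime": "2024-07-31T13:08:00Z", "eventName": "DescribeTrails",
     "eventSource": "cloudtrail.amazonaws.com", "awsRegion": "apiso-centralnorth-2r",
     "sourceIPAddress": "203.0.113.7", "requestParameters": None,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::143434273843:assumed-role/dev/alice"}},
]})


def load_records(text):
    """Accept either a CloudTrail log file ({"Records": [...]}) or a bare JSON list."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


def detect_stop_logging(records):
    """Return one alert per cloudtrail:StopLogging call, whether it succeeded or was denied."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        if rec.get("eventName") != "StopLogging":
            continue
        error = rec.get("errorCode")  # present only when the API call failed
        params = rec.get("requestParameters") or {}
        alerts.append({
            "time": rec.get("eventTime"),
            "trail": params.get("name"),
            "actor": rec.get("userIdentity", {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "region": rec.get("awsRegion"),
            # A denied attempt still shows intent; rank it below a successful stop.
            "severity": "medium" if error else "high",
            "error": error,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_stop_logging(load_records(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Run against the sample, the first StopLogging record yields a high-severity alert naming the trail and the IAM user, the denied attempt yields a medium one, and the DescribeTrails read is ignored.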
Detonation logs
The following CloudTrail events are generated when this technique is detonated:
cloudtrail:StopLogging
[
  {
    "awsRegion": "apiso-centralnorth-2r",
    "eventCategory": "Management",
    "eventID": "10163ed2-2253-469d-a5ee-cbc6651f8934",
    "eventName": "StopLogging",
    "eventSource": "cloudtrail.amazonaws.com",
    "eventTime": "2024-07-31T13:06:24Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.10",
    "managementEvent": true,
    "readOnly": false,
    "recipientAccountId": "143434273843",
    "requestID": "14c891b6-11b5-4787-ae97-64a974977078",
    "requestParameters": {
      "name": "stratus-red-team-ct-stop-trail-buykxbqejv"
    },
    "responseElements": null,
    "sourceIPAddress": "86.245.153.234",
    "tlsDetails": {
      "cipherSuite": "TLS_AES_128_GCM_SHA256",
      "clientProvidedHostHeader": "cloudtrail.apiso-centralnorth-2r.amazonaws.com",
      "tlsVersion": "TLSv1.3"
    },
    "userAgent": "stratus-red-team_c97089f1-1ae3-4ecc-b006-f5e8fd0f2571",
    "userIdentity": {
      "accessKeyId": "AKIAGGWFBBHBE7D3M9WI",
      "accountId": "143434273843",
      "arn": "arn:aws:iam::143434273843:user/christophe",
      "principalId": "AIDAOC1SYDVN0AF0FMMR",
      "type": "IAMUser",
      "userName": "christophe"
    }
  }
]