Stop CloudTrail Trail

idempotent

Platform: AWS

MITRE ATT&CK Tactics

  • Defense Evasion

Description

Stops a CloudTrail Trail from logging. Simulates an attacker disrupting CloudTrail logging.

Warm-up:

  • Create a CloudTrail Trail.

Detonation:

  • Call cloudtrail:StopLogging to stop CloudTrail logging.

Instructions

Detonate with Stratus Red Team
stratus detonate aws.defense-evasion.cloudtrail-stop

Detection

Identify when a CloudTrail trail is disabled, through CloudTrail's StopLogging event.

GuardDuty also provides a dedicated finding type, Stealth:IAMUser/CloudTrailLoggingDisabled.
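
The StopLogging check described above can be run over exported CloudTrail records. The following is an added example, not part of Stratus Red Team or the original page. It goes one step further and marks whether a later StartLogging call re-enabled the same trail. The account ID, ARNs, IP address and sample records are constructed placeholders, and the helper names are hypothetical.

```python
import json

ARN = "arn:aws:cloudtrail:us-east-1:111122223333:trail/"  # constructed placeholder account

def _rec(time, name, trail, error=None):
    """Build one constructed CloudTrail record with only the fields the check reads."""
    rec = {"eventTime": time, "eventSource": "cloudtrail.amazonaws.com", "eventName": name,
           "sourceIPAddress": "198.51.100.7",
           "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
           "requestParameters": {"name": ARN + trail}}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample log, not real data.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-01-01T10:00:00Z", "StopLogging", "example-trail-a"),
    _rec("2024-01-01T10:05:00Z", "StopLogging", "example-trail-b", error="AccessDenied"),
    _rec("2024-01-01T10:10:00Z", "StopLogging", "example-trail-c"),
    _rec("2024-01-01T10:20:00Z", "StartLogging", "example-trail-c"),
    _rec("2024-01-01T10:30:00Z", "GetTrailStatus", "example-trail-a"),
]})

def find_stopped_trails(log_text):
    """Return one finding per successful StopLogging call, oldest first."""
    records = sorted(json.loads(log_text)["Records"], key=lambda r: r["eventTime"])
    findings, open_by_trail = [], {}
    for r in records:
        # Ignore other services and denied/failed calls (errorCode is set on failure).
        if r.get("eventSource") != "cloudtrail.amazonaws.com" or r.get("errorCode"):
            continue
        # requestParameters.name may hold a trail name or an ARN; compared as-is here.
        trail = (r.get("requestParameters") or {}).get("name")
        if r.get("eventName") == "StopLogging":
            finding = {"time": r["eventTime"], "trail": trail,
                       "actor": r.get("userIdentity", {}).get("arn"),
                       "source_ip": r.get("sourceIPAddress"), "still_stopped": True}
            findings.append(finding)
            open_by_trail[trail] = finding
        elif r.get("eventName") == "StartLogging" and trail in open_by_trail:
            # Logging was re-enabled later in the same log window.
            open_by_trail.pop(trail)["still_stopped"] = False
    return findings

if __name__ == "__main__":
    for f in find_stopped_trails(SAMPLE_LOG):
        print(f)
```
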