Stop CloudTrail Trail
idempotent
Platform: AWS
MITRE ATT&CK Tactics
- Defense Evasion
Description
Stops a CloudTrail Trail from logging. Simulates an attacker disrupting CloudTrail logging.
Warm-up:
- Create a CloudTrail Trail.
Detonation:
- Call cloudtrail:StopLogging to stop CloudTrail logging.
Instructions
Detection
Identify when a CloudTrail trail is disabled, through CloudTrail's StopLogging event.
GuardDuty also provides a dedicated finding type, Stealth:IAMUser/CloudTrailLoggingDisabled.
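As an added detection example (not part of Stratus Red Team or this page), the following Python scans newline-delimited CloudTrail records for the StopLogging event the detonation generates and matches the GuardDuty finding type named above. The log lines, account id, ARNs, IP addresses and the GuardDuty finding object are all constructed placeholders, and the split between a successful StopLogging and one that failed with an errorCode is my own triage convention, not something the page specifies.

```python
import json

CLOUDTRAIL_SOURCE = "cloudtrail.amazonaws.com"
DISABLE_EVENT = "StopLogging"  # the API call used by the detonation
GUARDDUTY_FINDING = "Stealth:IAMUser/CloudTrailLoggingDisabled"

# Constructed CloudTrail records (JSON, one per line). Account id, ARNs and IPs
# are placeholders. Line 1: successful StopLogging; line 2: benign DescribeTrails;
# line 3: StopLogging that failed with AccessDenied (an attempt, still worth alerting).
SAMPLE_LOG = """\
{"eventTime": "2024-01-01T12:00:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example-user"}, "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail"}}
{"eventTime": "2024-01-01T12:01:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example-user"}, "requestParameters": {"trailNameList": []}}
{"eventTime": "2024-01-01T12:02:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/example-role/session"}, "requestParameters": {"name": "example-trail-2"}, "errorCode": "AccessDenied", "errorMessage": "User is not authorized to perform cloudtrail:StopLogging"}
"""

# Constructed GuardDuty finding; only the fields this example reads are included.
SAMPLE_FINDING = {
    "type": "Stealth:IAMUser/CloudTrailLoggingDisabled",
    "region": "us-east-1",
    "accountId": "123456789012",
}


def classify_record(record):
    """Return 'disabled' for a successful StopLogging, 'attempted' for one that
    errored (e.g. AccessDenied), or None for any other record."""
    if record.get("eventSource") != CLOUDTRAIL_SOURCE:
        return None
    if record.get("eventName") != DISABLE_EVENT:
        return None
    return "attempted" if record.get("errorCode") else "disabled"


def scan_cloudtrail_log(text):
    """Parse newline-delimited CloudTrail records and return one alert dict per
    StopLogging call, with the fields a responder wants first."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        verdict = classify_record(record)
        if verdict is None:
            continue
        alerts.append({
            "verdict": verdict,
            "time": record.get("eventTime"),
            "region": record.get("awsRegion"),
            "actor": record.get("userIdentity", {}).get("arn"),
            "source_ip": record.get("sourceIPAddress"),
            "trail": record.get("requestParameters", {}).get("name"),
            "error": record.get("errorCode"),
        })
    return alerts


def is_guardduty_trail_disabled_finding(finding):
    """True when a GuardDuty finding is the dedicated CloudTrail-disabled type."""
    return finding.get("type") == GUARDDUTY_FINDING


if __name__ == "__main__":
    for alert in scan_cloudtrail_log(SAMPLE_LOG):
        print(json.dumps(alert))
    print("GuardDuty match:", is_guardduty_trail_disabled_finding(SAMPLE_FINDING))
```

Failed StopLogging calls are kept as a separate verdict rather than dropped: an AccessDenied on cloudtrail:StopLogging still identifies a principal probing for a way to disable logging, and the trail name in requestParameters tells you which trail to check with cloudtrail:GetTrailStatus before deciding whether logging actually stopped.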