Stopping a CloudTrail trail

Service: cloudtrail
Data breaches: known
Exploitability: low
Impact: medium

Exploitability measures how easy it is for an attacker to discover and exploit the vulnerability; some refer to this as likelihood. Impact measures how much a successful exploitation of this vulnerability is expected to affect your environment and organization.

About

An attacker can stop a CloudTrail trail from logging to hide their activities.

Understanding Impact

Business Impact

CloudTrail is the AWS service that logs the actions taken in your cloud environment. When an attacker disables CloudTrail, you lose visibility into, and accountability for, the attacker's activities. This increases the time to detection and makes incident response and forensics more challenging.

Technical Impact

When an attacker stops a CloudTrail trail from logging, control-plane activity on the AWS API is no longer logged, and the events that would have been recorded are lost for good.

Detection

You can identify when a CloudTrail trail is stopped using CloudTrail's StopLogging event.

GuardDuty also has a dedicated finding: IAMUser/CloudTrailLoggingDisabled.
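As an added example (not code from the original page, from Datadog, or from Stratus Red Team), the following Python scan implements the detection described above over constructed CloudTrail records: it flags StopLogging events from the cloudtrail.amazonaws.com event source, and it keeps denied attempts (records carrying an errorCode) as lower-severity findings, since a failed attempt to blind logging is still worth an alert. It goes slightly beyond the text by also flagging DeleteTrail, UpdateTrail and PutEventSelectors, an assumed generalization to other trail-configuration changes. The account ID, trail name, user names, IP addresses and timestamps in the sample records are all constructed.

```python
import json

# CloudTrail API actions that stop or weaken a trail. StopLogging is the event
# this page describes; the other three are an assumed generalization to related
# trail-configuration changes (each is a real CloudTrail API action name).
TRAIL_TAMPERING_EVENTS = {
    "StopLogging": "trail stopped logging",
    "DeleteTrail": "trail deleted",
    "UpdateTrail": "trail configuration changed",
    "PutEventSelectors": "event selectors changed",
}

# Constructed sample log in CloudTrail's JSON delivery format ({"Records": [...]}).
# Account ID, trail name, user names and IP addresses are made up for this example.
SAMPLE_LOG = json.dumps({"Records": [
    {   # Benign read-only call: must not be flagged.
        "eventVersion": "1.08", "eventTime": "2024-05-01T12:00:00Z",
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {},
    },
    {   # Successful StopLogging: the event this page is about.
        "eventVersion": "1.08", "eventTime": "2024-05-01T12:05:00Z",
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/my-trail"},
    },
    {   # Denied StopLogging attempt: still suspicious, kept at medium severity.
        "eventVersion": "1.08", "eventTime": "2024-05-01T12:06:00Z",
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "errorCode": "AccessDenied",
        "errorMessage": "User is not authorized to perform cloudtrail:StopLogging",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": None,
    },
    {   # Unrelated service: must not be flagged even though the name matches nothing.
        "eventVersion": "1.08", "eventTime": "2024-05-01T12:07:00Z",
        "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"bucketName": "example-bucket", "key": "file.txt"},
    },
]})


def parse_cloudtrail_records(raw_json):
    """Return the list of records from a CloudTrail log file body."""
    return json.loads(raw_json).get("Records", [])


def detect_trail_tampering(records, include_failed=True):
    """Flag CloudTrail API calls that stop, delete or reconfigure a trail.

    Denied calls (errorCode present) are kept by default and marked
    succeeded=False, because an attempt to blind logging is itself a signal.
    """
    findings = []
    for rec in records:
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name not in TRAIL_TAMPERING_EVENTS:
            continue
        failed = "errorCode" in rec
        if failed and not include_failed:
            continue
        # requestParameters and userIdentity can be null on some records.
        params = rec.get("requestParameters") or {}
        identity = rec.get("userIdentity") or {}
        findings.append({
            "time": rec.get("eventTime"),
            "event": name,
            "description": TRAIL_TAMPERING_EVENTS[name],
            "trail": params.get("name", "<unknown>"),
            "actor": identity.get("arn", "<unknown>"),
            "source_ip": rec.get("sourceIPAddress"),
            "region": rec.get("awsRegion"),
            "succeeded": not failed,
            "severity": "medium" if failed else "high",
        })
    return findings


def format_alert(finding):
    """Render one finding as a single alert line."""
    status = "SUCCEEDED" if finding["succeeded"] else "DENIED"
    return (f"[{finding['severity'].upper()}] {finding['time']} {finding['event']} {status}: "
            f"{finding['description']} (trail={finding['trail']}, actor={finding['actor']}, "
            f"ip={finding['source_ip']}, region={finding['region']})")


if __name__ == "__main__":
    for finding in detect_trail_tampering(parse_cloudtrail_records(SAMPLE_LOG)):
        print(format_alert(finding))
```

In practice the records would come from the trail's S3 delivery or from an EventBridge rule on the CloudTrail event source rather than from an inline string; the GuardDuty finding and the Cloud SIEM rule mentioned on this page provide the same detection without custom code.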

Reproduce the attack

You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:

stratus detonate aws.defense-evasion.cloudtrail-stop

See also the related documentation.

How Datadog can help

Cloud SIEM

Datadog Cloud SIEM detects this attack using the out-of-the-box rule "AWS CloudTrail configuration modified".

References

Stratus Red Team - Stop CloudTrail Trail (stratus-red-team.cloud)

GuardDuty finding "AWS CloudTrail logging was disabled" (AWS documentation)
