# Cloudtrail delete trail

An attacker may attempt to disable a CloudTrail trail in order to avoid detection.

| Name | Type | Description | Example |
|---|---|---|---|
| trailname | str | Name of the cloudtrail to be targeted | example-cloudtrail |

```
aws cloudtrail stop-logging --name example-cloudtrail
```
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.

```
eventName:StopLogging AND eventSource:*.cloudtrail.amazonaws.com
```
```yaml
---
title: Cloudtrail delete trail
id: bf856088-70f3-498b-af19-f061c0bd7740
status: experimental
author: Nick Jones
date: 2023-07-01
description: An attacker may attempt to disable a cloudtrail instance in order to avoid detection
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "*.cloudtrail.amazonaws.com"
  events:
    - eventName: "StopLogging"
  condition: selection_source AND events
level: low
tags:
  - attack.T1562
```
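The same `selection_source AND events` logic as the Sigma rule above, applied directly to CloudTrail records, as an added example that is not part of the original page or the rule's project. The records are constructed; the event-name tuple is a parameter so that a defender can extend the page's `StopLogging`-only selection to other trail-disabling calls such as `DeleteTrail`, which the page's rule does not cover. CloudTrail records its own API calls with `eventSource` `cloudtrail.amazonaws.com`, so the source check is written as a suffix match that also accepts the rule's `*.cloudtrail.amazonaws.com` wildcard form.

```python
import json

# Constructed sample records (not from the original page): one StopLogging call,
# one DeleteTrail call, one benign DescribeTrails call, and a StopLogging name
# emitted by an unrelated service, which must not match.
SAMPLE_RECORDS = [
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example"},
     "requestParameters": {"name": "example-cloudtrail"}},
    {"eventName": "DeleteTrail", "eventSource": "cloudtrail.amazonaws.com",
     "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example"},
     "requestParameters": {"name": "example-cloudtrail"}},
    {"eventName": "DescribeTrails", "eventSource": "cloudtrail.amazonaws.com",
     "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example"},
     "requestParameters": None},
    {"eventName": "StopLogging", "eventSource": "other.amazonaws.com",
     "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example"},
     "requestParameters": {"name": "not-a-trail"}},
]

# The page's rule selects StopLogging only; pass a wider tuple to include DeleteTrail.
DEFAULT_EVENTS = ("StopLogging",)


def is_trail_disable_event(record, event_names=DEFAULT_EVENTS):
    """selection_source AND events, as in the Sigma rule."""
    source = record.get("eventSource", "")
    # Accept the exact source CloudTrail emits and the rule's wildcard form.
    source_ok = source == "cloudtrail.amazonaws.com" or source.endswith(".cloudtrail.amazonaws.com")
    return source_ok and record.get("eventName") in event_names


def find_trail_disable_events(records, event_names=DEFAULT_EVENTS):
    """Return one triage row per matching record: which trail, who, where."""
    hits = []
    for r in records:
        if is_trail_disable_event(r, event_names):
            params = r.get("requestParameters") or {}
            hits.append({"event": r["eventName"], "trail": params.get("name"),
                         "actor": r.get("userIdentity", {}).get("arn"), "region": r.get("awsRegion")})
    return hits


def load_cloudtrail_log(text):
    """Parse a CloudTrail log file body of the form {"Records": [...]}."""
    return json.loads(text).get("Records", [])


if __name__ == "__main__":
    for hit in find_trail_disable_events(SAMPLE_RECORDS, ("StopLogging", "DeleteTrail")):
        print(hit)
```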