Platform: aws
Author: Nick Jones
Last Update: 2024-12-02
An adversary may attempt to enumerate the configured trails, to identify what actions will be logged and where they will be logged to. In AWS, this may start with a single call to enumerate the trails applicable to the default region.
MITRE IDs
Required Permissions
cloudtrail:DescribeTrails
Required Parameters
None
Attacker Action
aws cloudtrail describe-trails
Detection Case
ELK query
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
eventName:DescribeTrails AND eventSource:*.cloudtrail.amazonaws.com
Sigma Definition
title: Enumerate Cloudtrails for a Given Region
id: 48653a63-085a-4a3b-88be-9680e9adb449
description: An adversary may attempt to enumerate the configured trails, to identify what actions will be logged and where they will be logged to. In AWS, this may start with a single call to enumerate the trails applicable to the default region.
detection:
  selection_source:
    - eventSource: "*.cloudtrail.amazonaws.com"
  events:
    - eventName: "DescribeTrails"
  condition: selection_source and events
- Developers making legitimate changes to the environment. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
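The ELK query and the Sigma rule above both key on the pair eventName = DescribeTrails and eventSource matching *.cloudtrail.amazonaws.com. The following Python is an added example (not part of this page or its author's tooling) that applies that logic to raw CloudTrail records and pulls out the identity, user agent and source address a responder needs for the false-positive check. The records are constructed samples, not real log data. One assumption worth flagging: CloudTrail writes its own API calls with an eventSource of cloudtrail.amazonaws.com, with no subdomain, and a glob beginning with "*." does not match that bare value, so the example accepts both the page's pattern and the bare hostname.

```python
"""Run the DescribeTrails detection logic over CloudTrail records."""
import fnmatch
import json

# Patterns the rule keys on. "*.cloudtrail.amazonaws.com" is the page's own
# pattern; the bare hostname is added because CloudTrail's records for its
# own API carry eventSource "cloudtrail.amazonaws.com" (assumption stated
# in the lead-in).
EVENT_SOURCE_PATTERNS = ("*.cloudtrail.amazonaws.com", "cloudtrail.amazonaws.com")
EVENT_NAMES = ("DescribeTrails",)

# Constructed sample records (not real logs), laid out like CloudTrail's
# record format. Only the second one should match the rule.
SAMPLE_RECORDS = [
    {   # same source, different API call: must not match
        "eventTime": "2024-12-02T10:14:00Z", "awsRegion": "eu-west-1",
        "eventName": "LookupEvents", "eventSource": "cloudtrail.amazonaws.com",
        "sourceIPAddress": "198.51.100.23",
        "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1 exe/x86_64",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
    },
    {   # the enumeration call the page describes: must match
        "eventTime": "2024-12-02T10:15:00Z", "awsRegion": "eu-west-1",
        "eventName": "DescribeTrails", "eventSource": "cloudtrail.amazonaws.com",
        "sourceIPAddress": "198.51.100.23",
        "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1 exe/x86_64",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
    },
    {   # right event name, wrong service: must not match
        "eventTime": "2024-12-02T10:16:00Z", "awsRegion": "eu-west-1",
        "eventName": "DescribeTrails", "eventSource": "ec2.amazonaws.com",
        "sourceIPAddress": "203.0.113.9", "userAgent": "console.amazonaws.com",
        "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEID:bob"},
    },
]

# A constructed CloudTrail log-file body, which wraps records in {"Records": [...]}.
SAMPLE_FILE_BODY = json.dumps({"Records": SAMPLE_RECORDS})


def _glob_match(value, patterns):
    """Sigma-style wildcard match: '*' matches any run; comparison is case-insensitive."""
    v = (value or "").lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def matches_rule(record):
    """Equivalent of 'selection_source and events' in the Sigma rule."""
    return (_glob_match(record.get("eventSource"), EVENT_SOURCE_PATTERNS)
            and _glob_match(record.get("eventName"), EVENT_NAMES))


def triage_fields(record):
    """Fields used to decide whether a hit is a developer doing legitimate work."""
    ident = record.get("userIdentity", {})
    return {
        "eventTime": record.get("eventTime"),
        "awsRegion": record.get("awsRegion"),
        "principal": ident.get("arn") or ident.get("principalId"),
        "identityType": ident.get("type"),
        "sourceIPAddress": record.get("sourceIPAddress"),
        "userAgent": record.get("userAgent"),
    }


def scan(records):
    """Return triage summaries for every record that fires the rule."""
    return [triage_fields(r) for r in records if matches_rule(r)]


def scan_cloudtrail_file(text):
    """Parse a CloudTrail log-file body and scan its Records array."""
    return scan(json.loads(text).get("Records", []))


if __name__ == "__main__":
    for hit in scan_cloudtrail_file(SAMPLE_FILE_BODY):
        print(json.dumps(hit))
```

Each hit carries the principal, user agent and source address, which is exactly what the false-positive note above asks you to verify; feeding the output into an allow-list of known CI or developer identities is the natural next step.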