Skip to content
Threat Feed
low advisory

AWS CloudTrail Trail Update Detection

Detection of AWS CloudTrail trail updates via the UpdateTrail API, potentially indicating malicious attempts to reduce logging visibility, change log destinations, or weaken log integrity, enabling adversaries to evade detection.

The AWS CloudTrail service logs API calls and related events, providing visibility into user activity within an AWS account. Attackers may attempt to modify CloudTrail settings to redirect logs to unauthorized buckets, drop regions from logging scope, or disable valuable selectors to evade detection. This activity is often performed after initial compromise to hinder incident response and forensic investigations. This rule identifies modifications to CloudTrail settings using the UpdateTrail API, which could indicate malicious activity. The detection focuses on the UpdateTrail API call and its parameters within CloudTrail logs. Defenders should validate any configuration change against approved baselines. The rule was last updated on 2026-04-10, ensuring it incorporates the latest understanding of potential attack vectors.

Attack Chain

  1. An attacker gains initial access to the AWS environment, potentially through compromised credentials or an exposed API key.
  2. The attacker enumerates existing CloudTrail trails to identify a suitable target for modification.
  3. The attacker calls the UpdateTrail API to modify the CloudTrail configuration.
  4. The attacker may change the S3BucketName parameter to redirect logs to a different S3 bucket under their control.
  5. The attacker may modify the IncludeGlobalServiceEvents parameter to exclude global service events, reducing visibility into critical account-level actions.
  6. The attacker may adjust event selectors to filter out specific event types, further reducing the scope of logged activity.
  7. The attacker may disable log file validation to weaken integrity by setting EnableLogFileValidation to false.
  8. The attacker successfully modifies the CloudTrail trail to evade detection and maintain a semblance of logging, while crucial events are no longer recorded or accessible to security teams.

Impact

A successful attack can lead to reduced visibility into malicious activities within the AWS environment. By modifying CloudTrail trails, attackers can hinder incident response efforts, making it difficult to detect and investigate security incidents. Depending on the scope of changes, adversaries can operate undetected for extended periods, potentially leading to significant data breaches or system compromise. Even with minimal changes, the integrity of log data can be compromised.

Recommendation

  • Deploy the following Sigma rule to detect suspicious CloudTrail trail updates and tune it to your environment.
  • Investigate any alerts generated by the Sigma rule, focusing on the user identity (aws.cloudtrail.user_identity.arn), user agent (user_agent.original), and source IP address (source.ip).
  • Monitor changes to critical CloudTrail parameters such as S3BucketName, CloudWatchLogsLogGroupArn, KmsKeyId, IsMultiRegionTrail, and IncludeGlobalServiceEvents, which are available in the aws.cloudtrail.request_parameters field.
  • Correlate UpdateTrail events with preceding StopLogging or following DeleteTrail events to identify potential sequences of malicious activity.
  • Implement AWS Config rules to monitor and enforce CloudTrail configuration baselines, mitigating unauthorized modifications.
  • Review IAM policies and role changes to ensure least privilege and prevent unauthorized access to CloudTrail management APIs.

Detection coverage 2

AWS CloudTrail Trail Updated

low

Detects updates to an existing CloudTrail trail via UpdateTrail API which may reduce visibility, change destinations, or weaken integrity.

sigma tactics: impact techniques: T1562.008 sources: cloudtrail, aws

AWS CloudTrail Trail Updated - S3 Bucket Changed

medium

Detects updates to an existing CloudTrail trail where the S3 bucket is changed, potentially indicating an attempt to redirect logs to an attacker-controlled location.

sigma tactics: impact techniques: T1562.008 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →