AWS CloudTrail Trail Update Detection
Detection of AWS CloudTrail trail updates via the UpdateTrail API, potentially indicating malicious attempts to reduce logging visibility, change log destinations, or weaken log integrity, enabling adversaries to evade detection.
The AWS CloudTrail service logs API calls and related events, providing visibility into user activity within an AWS account. Attackers may attempt to modify CloudTrail settings to redirect logs to unauthorized buckets, drop regions from logging scope, or disable valuable selectors to evade detection. This activity is often performed after initial compromise to hinder incident response and forensic investigations. This rule identifies modifications to CloudTrail settings using the UpdateTrail API, which could indicate malicious activity. The detection focuses on the UpdateTrail API call and its parameters within CloudTrail logs. Defenders should validate any configuration change against approved baselines. The rule was last updated on 2026-04-10, ensuring it incorporates the latest understanding of potential attack vectors.
Attack Chain
- An attacker gains initial access to the AWS environment, potentially through compromised credentials or an exposed API key.
- The attacker enumerates existing CloudTrail trails to identify a suitable target for modification.
- The attacker calls the
UpdateTrailAPI to modify the CloudTrail configuration. - The attacker may change the
S3BucketNameparameter to redirect logs to a different S3 bucket under their control. - The attacker may modify the
IncludeGlobalServiceEventsparameter to exclude global service events, reducing visibility into critical account-level actions. - The attacker may adjust event selectors to filter out specific event types, further reducing the scope of logged activity.
- The attacker may disable log file validation to weaken integrity by setting
EnableLogFileValidationtofalse. - The attacker successfully modifies the CloudTrail trail to evade detection and maintain a semblance of logging, while crucial events are no longer recorded or accessible to security teams.
Impact
A successful attack can lead to reduced visibility into malicious activities within the AWS environment. By modifying CloudTrail trails, attackers can hinder incident response efforts, making it difficult to detect and investigate security incidents. Depending on the scope of changes, adversaries can operate undetected for extended periods, potentially leading to significant data breaches or system compromise. Even with minimal changes, the integrity of log data can be compromised.
Recommendation
- Deploy the following Sigma rule to detect suspicious CloudTrail trail updates and tune it to your environment.
- Investigate any alerts generated by the Sigma rule, focusing on the user identity (
aws.cloudtrail.user_identity.arn), user agent (user_agent.original), and source IP address (source.ip). - Monitor changes to critical CloudTrail parameters such as
S3BucketName,CloudWatchLogsLogGroupArn,KmsKeyId,IsMultiRegionTrail, andIncludeGlobalServiceEvents, which are available in theaws.cloudtrail.request_parametersfield. - Correlate
UpdateTrailevents with precedingStopLoggingor followingDeleteTrailevents to identify potential sequences of malicious activity. - Implement AWS Config rules to monitor and enforce CloudTrail configuration baselines, mitigating unauthorized modifications.
- Review IAM policies and role changes to ensure least privilege and prevent unauthorized access to CloudTrail management APIs.
Detection coverage 2
AWS CloudTrail Trail Updated
lowDetects updates to an existing CloudTrail trail via UpdateTrail API which may reduce visibility, change destinations, or weaken integrity.
AWS CloudTrail Trail Updated - S3 Bucket Changed
mediumDetects updates to an existing CloudTrail trail where the S3 bucket is changed, potentially indicating an attempt to redirect logs to an attacker-controlled location.
Detection queries are available on the platform. Get full rules →