AWS CloudTrail Trail Creation Detected
Detection of new AWS CloudTrail trail creation, potentially indicating malicious activity such as subverting monitoring objectives or capturing sensitive data by adversaries.
This detection identifies the creation of new AWS CloudTrail trails via the CreateTrail API call. While legitimate trail creation occurs during onboarding or audit improvements, adversaries may create trails to write logs to attacker-controlled destinations, limit the scope of regions monitored, or otherwise subvert existing monitoring objectives. Detecting unauthorized trail creation is critical because adversaries can use this technique to capture sensitive data, cover their tracks, or disable logging altogether. Organizations should validate new trails for destination ownership, encryption, multi-region coverage, and organizational scope upon creation. This activity directly impacts an organization's ability to detect and respond to security incidents within their AWS environment.
Attack Chain
- The adversary gains initial access to an AWS account through compromised credentials or other means.
- The adversary enumerates existing CloudTrail configurations using
DescribeTrailsto understand the current logging setup. - The adversary identifies potential gaps in the existing logging configuration, such as missing regions or inadequate S3 bucket permissions.
- The adversary creates a new CloudTrail trail using the
CreateTrailAPI, configured to send logs to an attacker-controlled S3 bucket or CloudWatch Logs Log Group. - The adversary may configure the new trail to exclude specific regions or services to avoid detection of their activities.
- The adversary may use
PutEventSelectorsto configure the newly created trail to log specific events of interest, potentially capturing sensitive data. - The adversary activates the new trail using
StartLogging. - The adversary proceeds with their malicious activities, knowing that their actions may not be fully logged or monitored by the organization's security team.
Impact
Successful exploitation allows adversaries to capture sensitive data logged by CloudTrail, such as API keys, credentials, and configuration details. This can lead to further compromise of the AWS environment and potentially exfiltration of data. In addition, adversaries can disable or modify existing CloudTrail logs, hindering incident response and forensic investigations. The impact is reduced visibility into malicious activity, enabling attackers to operate undetected within the AWS environment.
Recommendation
- Deploy the Sigma rule "AWS CloudTrail Log Created" to your SIEM to detect suspicious trail creation activities.
- Investigate any
CreateTrailevents detected by the Sigma rule, focusing on unfamiliar user identities, user agents, and source IPs. - Validate the configuration of newly created trails, verifying that the
S3BucketNameandCloudWatchLogsLogGroupArnbelong to your organization,IsMultiRegionTrailis set totrue, andKmsKeyIdis an approved CMK, as detailed in the rule's documentation. - Restrict
cloudtrail:CreateTrailpermissions to only authorized administrators using IAM policies to prevent unauthorized trail creation. - Use AWS Config or Security Hub to enforce multi-region logging, global event inclusion, and validated log destinations.
Detection coverage 2
AWS CloudTrail Log Created
lowDetects creation of a new AWS CloudTrail trail via CreateTrail API. Adversaries can create trails that write to attacker-controlled destinations, limit regions, or otherwise subvert monitoring objectives.
AWS CloudTrail Modified Trail
lowDetects modification of an existing AWS CloudTrail trail via UpdateTrail API. Adversaries can modify trails to write to attacker-controlled destinations, limit regions, or otherwise subvert monitoring objectives.
Detection queries are available on the platform. Get full rules →