AWS CloudTrail Logging Suspended via StopLogging API
An attacker may suspend AWS CloudTrail logging via the StopLogging API (StopLogging) to eliminate audit visibility and evade defenses.
The AWS CloudTrail service enables governance, compliance, operational auditing, and risk auditing of AWS accounts by logging API calls and related events. Attackers may attempt to disable CloudTrail logging to evade defenses and hide malicious activity. This brief addresses the detection of the StopLogging API call, which suspends CloudTrail logging. The successful invocation of StopLogging creates a gap in audit logs and may indicate malicious activity. Detecting this event is critical for maintaining visibility into an AWS environment and identifying potential security breaches. This activity is a classic defense evasion step taken before sensitive changes or data theft.
Attack Chain
- The attacker compromises an AWS account or obtains valid credentials with sufficient permissions.
- The attacker authenticates to the AWS environment using the compromised credentials.
- The attacker uses the AWS CLI, SDK, or console to execute the
StopLoggingAPI call, specifying the target CloudTrail trail. - CloudTrail stops recording events for the specified trail, creating a gap in audit logs.
- The attacker performs unauthorized actions within the AWS environment, such as modifying IAM policies, accessing sensitive data in S3, or launching EC2 instances.
- The attacker attempts to cover their tracks by deleting CloudTrail trails (
DeleteTrail) or modifying trail configurations (UpdateTrail) after performing malicious actions. - The attacker may resume logging (
StartLogging) after completing their actions to avoid raising suspicion.
Impact
A successful attack can lead to a significant loss of visibility into activities within an AWS environment. This can enable attackers to perform unauthorized actions, such as data theft, privilege escalation, or resource manipulation, without being detected. Depending on the scope of the compromised CloudTrail trail, the impact can range from affecting a single AWS account to an entire organization. The risk score is 47, and the severity is medium.
Recommendation
- Deploy the Sigma rule
AWS CloudTrail StopLogging API Callto your SIEM to detect instances of CloudTrail logging being suspended (rule). - Investigate any detected
StopLoggingevents immediately to determine the actor, scope, and potential impact of the logging suspension (rule). - Monitor for
UpdateTrailandDeleteTrailevents following aStopLoggingevent as further attempts to evade detection (Attack Chain). - Limit the ability to call the
cloudtrail:StopLoggingAPI action to break-glass roles only (Overview). - Alert on any future
StopLoggingcalls to ensure immediate investigation (Overview). - Use AWS Config or Service Control Policies (SCPs) to enforce logging configurations (Overview).
Detection coverage 3
AWS CloudTrail StopLogging API Call
mediumDetects Cloudtrail logging suspension via StopLogging API
AWS CloudTrail Trail Deletion
mediumDetects deletion of CloudTrail trails
AWS CloudTrail Trail Update
lowDetects updates to CloudTrail trails, potentially to change destination
Detection queries are available on the platform. Get full rules →