AWS CloudTrail Log Suspended
This brief describes the critical defense evasion tactic of suspending AWS CloudTrail logging via the StopLogging API, used by threat actors to eliminate audit visibility before performing sensitive operations or exfiltrating data, thereby concealing their activities and hindering incident response.
This brief focuses on a significant defense evasion technique employed in cloud environments: the suspension of AWS CloudTrail logging. Threat actors utilize the StopLogging API call to halt the recording of API activity within an AWS account. This action is a critical preparatory step, executed post-compromise to eliminate forward audit visibility and obscure their tracks before performing sensitive operations such as modifying critical configurations, exfiltrating data from S3 buckets, or altering IAM policies. By temporarily blinding security monitoring tools that rely on CloudTrail logs, attackers aim to evade detection and complicate incident response efforts. While not tied to a specific campaign or threat actor, this technique is a common component of various post-compromise playbooks, highlighting its importance for defenders monitoring AWS environments.
Attack Chain
- Initial Compromise: An attacker successfully gains unauthorized access to AWS credentials, potentially through phishing, exposed access keys, or exploiting vulnerabilities in a public-facing application or service, which possess sufficient permissions to manage CloudTrail.
- Execution of
StopLoggingAPI Call: Using the compromised credentials, the attacker invokes thecloudtrail:StopLoggingAPI via the AWS Command Line Interface (CLI), AWS Software Development Kit (SDK), or directly through the AWS Management Console. - Suspension of Audit Logging: The invocation of
StopLoggingimmediately ceases the recording of API calls and related events to the targeted CloudTrail, effectively creating a blind spot for security monitoring and auditing systems. - Execution of Primary Malicious Objective: With audit visibility impaired, the attacker proceeds to carry out their main objective, which may include modifying critical infrastructure configurations, exfiltrating sensitive data from storage services like S3, deleting crucial resources, or making changes to identity and access management (IAM) policies, all while minimizing their digital footprint.
- Obscuring Tracks: To further evade detection or complicate forensic analysis, the attacker may subsequently attempt to resume logging using
StartLogging, delete the CloudTrail completely (DeleteTrail), or modify its configuration (UpdateTrail) to redirect logs or reduce their granularity.
Impact
The successful suspension of AWS CloudTrail logging has immediate and severe consequences for an organization's security posture. The primary impact is a complete loss of audit visibility into activities within the compromised AWS account for the duration of the logging suspension. This blind spot makes it exceedingly difficult to detect ongoing malicious activities, understand the scope of a breach, or conduct effective forensic investigations. Attackers can leverage this window to perform data exfiltration, modify critical infrastructure, create backdoors, or elevate privileges undetected. While specific victim counts are not tied to this general technique, any organization relying on CloudTrail for compliance, security monitoring, or operational auditing would face significant risks, including regulatory non-compliance, financial loss due to data breaches, and extended recovery times.
Recommendation
- Deploy the provided Sigma rule to your SIEM to detect
StopLoggingAPI calls in your AWS CloudTrail logs. - Configure AWS CloudTrail to log all management events, S3 data events, and Lambda data events to ensure comprehensive coverage, leveraging the
aws.cloudtraillog source. - Implement AWS Identity and Access Management (IAM) policies to limit
cloudtrail:StopLoggingpermissions to only essential "break-glass" roles, ensuring that theaws.cloudtrail.user_identity.arnfield is closely monitored. - Integrate a Cloud Security Posture Management (CSPM) solution to continuously monitor and enforce logging configurations and alert on any unauthorized changes or suspensions, which can be observed through
event.action: "StopLogging". - Establish immediate alerts for
event.action: "StopLogging"events, triggering automated playbooks for investigation and potential remediation, including reviewinguser_agent.originalandsource.ipfor suspicious activity.
Detection coverage 1
AWS CloudTrail Log Suspended
highDetects CloudTrail logging suspension via the StopLogging API. This eliminates forward audit visibility and is a classic defense evasion step before sensitive changes or data theft.
Detection queries are available on the platform. Get full rules →