Skip to content

Delete CloudTrail Trail

Platform: AWS


  • Defense Evasion


Delete a CloudTrail trail simulating an attacker disrupting logging to evade detection.

Attacker Actions:

  • Deletes a CloudTrail trail.
  • Resulting event name: DeleteTrail
  • Assigned IAM Permission: cloudtrail:DeleteTrail

Workflow Inputs:

Specify which user this attack should run as.


Clean Up:

  • Recreates the CloudTrail trail.
  • Executed as the DeRF Default User

Execution Instructions

  • See User Guide for Execution Instructions via the Google Cloud Console
  • Programmatically execute this workflow with the following cli command:
gcloud workflows run aws-delete-cloudtrail-trail `--data={"user": "user01"}` 

Detection Artifacts

Identify when a CloudTrail trail is deleted through the AWS event, DeleteTrail.

Refer to Stratus Red Team documentation for additional detailed detection artifacts produced by this attack technique.