Skip to content

Disable CloudTrail Logging Through Event Selectors

Platform: AWS


  • Defense Evasion


Disrupt CloudTrail Logging by creating an event selector on the Trail, filtering out all management events.

Attacker Actions:

  • Updates the in-scope events captured by a Cloudtrail to exclude all management-plane events.
  • Resulting event name: PutEventSelector
  • Assigned IAM Permission: cloudtrail:PutEventSelector

Workflow Inputs:

Specify which user this attack should run as.


Clean Up:

  • Reverts the event selectors on Cloudtrail trail, resuming logging of management-plane events
  • Executed as the DeRF Default User

Execution Instructions

  • See User Guide for Execution Instructions via the Google Cloud Console
  • Programmatically execute this workflow with the following cli command:
gcloud workflows run aws-cloudtrail-event-selector-srt `--data={"user": "user01"}` 

Detection Artifacts

Identify when a CloudTrail trail is deleted through the AWS event, PutEventSelectors.

Refer to Stratus Red Team documentation for additional detailed detection artifacts produced by this attack technique.