Stop CloudTrail Trail
MITRE ATT&CK Tactics
- Defense Evasion
Stop the recording of events from a CloudTrail trail, simulating an attacker who disrupts logging to evade detection.
- Stop a CloudTrail trail.
- Resulting event name:
- Assigned IAM Permission:
Specify which user this attack should run as.
- Restarts the CloudTrail trail.
- Executed as the DeRF Default User
- See User Guide for Execution Instructions via the Google Cloud Console
- Programmatically execute this workflow with the following cli command:
Identify when a CloudTrail trail is disabled through the AWS event,
Refer to Stratus Red Team documentation for additional detailed detection artifacts produced by this attack technique.
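The detection described above, as an added example that is not part of the DeRF or Stratus Red Team documentation: it scans CloudTrail records for `StopLogging` calls and, because the clean-up step restarts the trail, pairs each successful stop with the next `StartLogging` on the same trail to measure the logging gap. The event names are the CloudTrail API's own and are assumed here since the page does not show them; the sample records, ARNs, IPs and function names are constructed.

```python
import json
from datetime import datetime

CT = "cloudtrail.amazonaws.com"
# Constructed sample records; account ID, ARNs, users and IPs are placeholders.
SAMPLE = json.loads("""[
 {"eventTime": "2024-01-10T12:00:05Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
  "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/example-trail"}},
 {"eventTime": "2024-01-10T12:03:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
  "requestParameters": {"name": "other-trail"}},
 {"eventTime": "2024-01-10T12:07:35Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StartLogging", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
  "requestParameters": {"name": "example-trail"}},
 {"eventTime": "2024-01-10T12:08:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject"}
]""")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_logging_gaps(records):
    """One finding per StopLogging call; gap_seconds is set once the trail restarts."""
    events = sorted((r for r in records if r.get("eventSource") == CT
                     and r.get("eventName") in ("StopLogging", "StartLogging")),
                    key=lambda r: r["eventTime"])
    findings, open_stops = [], {}
    for r in events:
        # The API accepts a trail name or ARN; compare on the short name.
        trail = ((r.get("requestParameters") or {}).get("name") or "").rsplit("/", 1)[-1]
        failed = bool(r.get("errorCode"))  # e.g. AccessDenied: the trail kept logging
        if r["eventName"] == "StopLogging":
            f = {"time": r["eventTime"], "trail": trail,
                 "actor": (r.get("userIdentity") or {}).get("arn"),
                 "source_ip": r.get("sourceIPAddress"),
                 "outcome": "attempt_failed" if failed else "stopped",
                 "gap_seconds": None}
            findings.append(f)
            if not failed:
                open_stops[trail] = f
        elif not failed and trail in open_stops:
            f = open_stops.pop(trail)
            f["gap_seconds"] = int((_ts(r["eventTime"]) - _ts(f["time"])).total_seconds())
    return findings

if __name__ == "__main__":
    for finding in find_logging_gaps(SAMPLE):
        print(finding)
```

A finding whose `gap_seconds` stays `None` with outcome `stopped` means the trail has not been restarted within the records examined.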