CloudTrail Tampering
Techniques for avoiding CloudTrail detection
Overview
Almost everything in AWS is an API call under the hood that CloudTrail can log, which makes it difficult for attackers to stay hidden. Trails are Regional resources and can be enabled individually for an AWS account, or set up through AWS Organizations for all accounts and/or Regions in the Organization. Therefore, if logging can be disabled or otherwise compromised, an attacker can stay hidden more easily.
CloudTrail Management Event history stays enabled regardless of the techniques below and records control-plane events from the past 90 days.
Tampering
cloudtrail:DeleteTrail — Will delete a trail
cloudtrail:PutEventSelectors — Modifies the Advanced Event Selectors or Event Selectors, i.e., what data the trail logs
cloudtrail:StopLogging — Will turn logging off for a trail
cloudtrail:UpdateTrail — Modifies a trail configuration
Since CloudTrail logs end up in an AWS S3 Bucket, the ability to delete or manipulate the bucket and its objects is a viable disruption as well.
s3api:DeleteObject — This deletes the logs. An attacker must have this permission because you cannot delete an S3 bucket without first deleting its contents
s3api:PutBucketPolicy — Block CloudTrail from logging
s3api:DeleteBucket — Deletes the bucket, preventing CloudTrail from logging its events (exception being Management Events)
s3api:PutLifecycleConfiguration — Update the bucket to delete its data every 1 day (lowest value)
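From the defender's side, every call listed above is itself a CloudTrail record, so the tampering attempt is often the last thing the trail writes. The following added example (not code from the original page) scans a CloudTrail log delivery file for exactly these trail and log-bucket events; the account id, ARNs and bucket names in the sample records are constructed placeholders, and the mapping of PutLifecycleConfiguration to the CloudTrail eventName PutBucketLifecycle is an assumption, so both spellings are matched.

```python
"""Flag CloudTrail / log-bucket tampering calls in a CloudTrail log file."""
import json

# eventNames from the page that disable or degrade logging, by eventSource.
TRAIL_EVENTS = {"DeleteTrail", "PutEventSelectors", "StopLogging", "UpdateTrail"}
BUCKET_EVENTS = {"DeleteObject", "PutBucketPolicy", "DeleteBucket",
                 "PutBucketLifecycle", "PutLifecycleConfiguration"}  # both spellings (assumption)


def find_tampering(log_file_text, log_bucket):
    """Return (eventName, caller ARN, target) for each suspicious record.

    S3 events are only reported when they target the trail's own log bucket,
    so ordinary object deletes elsewhere in the account are not flagged.
    Note: DeleteObject is an S3 data event and only appears at all if data
    events are enabled for the log bucket.
    """
    hits = []
    for rec in json.loads(log_file_text).get("Records", []):
        name = rec.get("eventName")
        source = rec.get("eventSource")
        params = rec.get("requestParameters") or {}
        who = rec.get("userIdentity", {}).get("arn", "unknown")
        if source == "cloudtrail.amazonaws.com" and name in TRAIL_EVENTS:
            hits.append((name, who, params.get("name")))
        elif (source == "s3.amazonaws.com" and name in BUCKET_EVENTS
              and params.get("bucketName") == log_bucket):
            hits.append((name, who, params.get("bucketName")))
    return hits


# Constructed sample log delivery file (placeholder account id, ARNs, buckets).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
     "requestParameters": {"bucketName": "example-cloudtrail-logs"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-role"},
     "requestParameters": {"bucketName": "example-app-data", "key": "report.csv"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-role"},
     "requestParameters": None},
]})

if __name__ == "__main__":
    for hit in find_tampering(SAMPLE_LOG, "example-cloudtrail-logs"):
        print("ALERT: %s by %s on %s" % hit)
```

In production the same check belongs in a CloudWatch Logs metric filter or EventBridge rule on these eventNames, since a file-based scan runs only after delivery has already happened.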