Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1070-indicator-removal

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detect when an attacker is trying to evade defenses by modifying CloudTrail.

Strategy

This rule detects if a user is modifying CloudTrail by monitoring the following CloudTrail API calls:

• StopLogging
• DeleteTrail
• UpdateTrail

Triage and response

1. Review the @responseElements in the {{@evt.name}} event to determine the scope of the changes.
2. Determine if the user ARN ({{@userIdentity.arn}}) intended to make a CloudTrail modification.
3. If the user did not make the API call:
   • Rotate the credentials.
   • Investigate if the same credentials made other unauthorized API calls.