New Research Shows How Attackers Silently Disable AWS CloudTrail Without Triggering Alerts

The Abstract ASTRO research team has just published a blog entitled: How Attackers Disable CloudTrail Without Calling StopLogging or DeleteTrail.

Security teams rely heavily on AWS CloudTrail as a source of truth for detecting breaches, but new research shows attackers can quietly disable or degrade logging without ever touching the APIs most defenders monitor.

In a new technical deep dive, ASTRO shows how adversaries bypass the traditional detections (alerts on StopLogging or DeleteTrail) and instead use lesser-known AWS APIs to blind logging systems while the trails still appear fully operational.

Key findings that may interest your readers:

  • Attackers can create “invisible activity zones” using PutEventSelectors, selectively excluding malicious actions from logs while CloudTrail continues to run normally.
  • CloudTrail Lake can be silently neutralized via APIs like StopEventDataStoreIngestion and DeleteEventDataStore, halting or destroying long-term forensic visibility.
  • Anomaly detection can be disabled outright by passing empty parameters to PutInsightSelectors, removing automated detection of suspicious behavior.
  • Critical guardrails can be dismantled through APIs like DeleteResourcePolicy and DeregisterOrganizationDelegatedAdmin, weakening cross-account protections.
  • The real risk is in the sequence: individually, these API calls look like routine maintenance—but chained together, they allow attackers to erase evidence and evade detection entirely.

The research also outlines detection strategies, including how to identify subtle parameter changes and—more importantly—how to correlate multiple low-signal events into high-confidence alerts, something most SIEMs struggle to do.
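One way to turn that correlation idea into detection logic, as an added example that is not code from the ASTRO post or from The IT Nerd: a small Python detector run over constructed CloudTrail-style records. It assumes CloudTrail's lower-camel-case requestParameters field names (eventSelectors, readWriteType, includeManagementEvents, insightSelectors) and treats a PutEventSelectors call as suspicious only when it narrows coverage, so routine selector edits stay quiet.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tampering APIs named in the ASTRO findings; this detector is a constructed example.
TAMPER_EVENTS = {"PutEventSelectors", "PutInsightSelectors", "StopEventDataStoreIngestion",
                 "DeleteEventDataStore", "DeleteResourcePolicy", "DeregisterOrganizationDelegatedAdmin"}

def is_suspicious(event):
    """Return a reason if one CloudTrail record looks like logging tampering, else None."""
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    if name == "PutInsightSelectors" and not params.get("insightSelectors"):
        return "Insights disabled: empty insightSelectors"
    if name == "PutEventSelectors":
        for sel in params.get("eventSelectors", []):
            if sel.get("includeManagementEvents") is False or sel.get("readWriteType") == "ReadOnly":
                return "event selector narrows management-event coverage"
        return None  # selector change that keeps full coverage: treat as routine
    if name in TAMPER_EVENTS:
        return f"{name} called"
    return None

def correlate(events, window=timedelta(minutes=30), threshold=2):
    """Group hits by principal; alert when >= threshold distinct tampering APIs fall in one window."""
    by_actor = defaultdict(list)
    for ev in events:
        reason = is_suspicious(ev)
        if reason:
            ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
            by_actor[ev["userIdentity"]["arn"]].append((ts, ev["eventName"], reason))
    alerts = []
    for actor, hits in by_actor.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            names = sorted({h[1] for h in in_window})
            if len(names) >= threshold:
                alerts.append({"actor": actor, "apis": names, "reasons": [h[2] for h in in_window]})
                break  # one alert per actor is enough
    return alerts

# Constructed sample records (trimmed CloudTrail-style dicts), not real log data.
OPS = {"arn": "arn:aws:iam::111111111111:user/ops"}
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "PutEventSelectors", "userIdentity": OPS,
     "requestParameters": {"eventSelectors": [{"readWriteType": "ReadOnly", "includeManagementEvents": True}]}},
    {"eventTime": "2024-01-01T10:12:00Z", "eventName": "PutInsightSelectors", "userIdentity": OPS,
     "requestParameters": {"trailName": "main", "insightSelectors": []}},
    {"eventTime": "2024-01-01T10:20:00Z", "eventName": "DescribeTrails", "userIdentity": OPS, "requestParameters": {}},
]
```

On the sample, the two selector changes by the same principal twelve minutes apart produce one alert, while the lone DescribeTrails call and a single selector change on its own do not.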

This has major implications for DFIR teams and cloud security programs: organizations may believe they have full visibility, while attackers are actively operating in blind spots.

You can read the blog entry here: https://www.abstract.security/blog/how-attackers-disable-cloudtrail-without-calling-stoplogging-or-deletetrail
