Skip to content

DeleteTrail

AWS

DeleteTrail

service: AWS - CloudTrail
techniques:

Event

Permanently deletes a CloudTrail trail, stopping API activity logging for that trail configuration.

Security Context

  • Deleting or modifying audit logs destroys forensic evidence and prevents security teams from reconstructing the attack timeline.

Log Source

CloudTrail

Sample Event

Adversarial. Draco deletes the org-wide CloudTrail trail fantasticlogs-org-trail after running StopLogging first (otherwise GuardDuty can fire a CloudTrailLoggingDisabled finding from log delivery latency). T1685.002. The textbook CloudTrail kill, lifted directly from the Stratus Red Team cloudtrail-delete technique.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T19:02:11Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T20:39:17Z",
"eventSource": "cloudtrail.amazonaws.com",
"eventName": "DeleteTrail",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"name": "arn:aws:cloudtrail:us-east-1:555123456789:trail/fantasticlogs-org-trail"
},
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000011111110",
"eventID": "90000000-0000-4000-8000-000011111111",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "cloudtrail.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685.002 — Disable or Modify Cloud Log — An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within t...