
Unit 42 catalogues cloud-logging defense-evasion across AWS CloudTrail and Google Cloud Logging — with concrete detection mappings [SINGLE-SOURCE]

From CTI Daily Brief — 2026-06-10 · published 2026-06-10

Unit 42 enumerates seven cloud-logging attack categories — five evasion, two visibility (Unit 42, 2026-06-09). The evasion techniques are: stopping CloudTrail trails (StopLogging), deleting S3/GCS log destinations, removing GCP log-routing sinks, impairing customer-managed encryption keys (CMEK) so that already-written logs become unreadable, and log poisoning, i.e. masking activity with benign-looking entries. The visibility techniques redirect logs to attacker-controlled accounts via cross-account delivery, giving the attacker long-term reconnaissance of what the defender's detections see (T1562.008, T1070, T1530).

Hardening: S3 Object Lock / GCS locked-bucket immutable retention on log destinations; IAM restrictions on cloudtrail:StopLogging, cloudtrail:DeleteTrail and logging.sinks.delete; alerts on cloudtrail:UpdateTrail calls that modify the trail's KMS-key association and on KMS key-policy changes affecting CloudTrail encryption.

Log-integrity monitoring is a NIS2 incident-detection expectation, making this directly relevant to EU cloud-resident public-sector and financial workloads. [SINGLE-SOURCE] (Unit 42 primary research).