ctipilot.ch

Unit 42 cloud-logging defense-evasion taxonomy across AWS CloudTrail and Google Cloud Logging

vulnerability-trend · campaign:cloud-logging-defense-evasion-unit42

Coverage timeline: 1 (first 2026-06-10 → last 2026-06-10)
Briefs: 1 (1 distinct)
Sources cited: 3 (3 hosts)
Sections touched: 1 (research)
Co-occurring entities: 2

Story timeline

  1. 2026-06-10 · CTI Daily Brief — 2026-06-10
     research · First coverage. 7 technique categories; SINGLE-SOURCE; NIS2 log-integrity relevance.

Where this entity is cited

  • research (1)

Source distribution

  • unit42.paloaltonetworks.com: 1 (33%)
  • sysdig.com: 1 (33%)
  • thehackernews.com: 1 (33%)

Items in briefs about Unit 42 cloud-logging defense-evasion taxonomy across AWS CloudTrail and Google Cloud Logging (1)

Unit 42 catalogues cloud-logging defense-evasion across AWS CloudTrail and Google Cloud Logging — with concrete detection mappings [SINGLE-SOURCE]

From CTI Daily Brief — 2026-06-10 · published 2026-06-10

Unit 42 enumerates seven cloud-logging attack categories, five evasion and two visibility (Unit 42, 2026-06-09). Evasion techniques: stopping CloudTrail trails (StopLogging), deleting the S3 or GCS buckets that receive logs, removing Google Cloud log-routing sinks, impairing the customer-managed encryption keys (CMEK) that protect stored logs so they become unreadable, and log poisoning, in which benign-looking entries are written to mask real activity. Visibility techniques redirect logs to attacker-controlled accounts via cross-account delivery, giving the attacker long-term insight into what the defender's detections see (T1562.008, T1070, T1530). Hardening: immutable retention with S3 Object Lock or a locked GCS bucket retention policy (Bucket Lock); IAM restrictions on cloudtrail:StopLogging, cloudtrail:DeleteTrail and logging.sinks.delete; alerts on cloudtrail:UpdateTrail calls that change a trail's KMS key association and on KMS key-policy changes (PutKeyPolicy) affecting the key that encrypts CloudTrail. One caveat: Object Lock and Bucket Lock protect only objects already delivered, and a stopped trail or deleted sink delivers nothing, so immutable retention has to be paired with the IAM restrictions and the alerting rather than relied on alone. Log-integrity monitoring is a NIS2 incident-detection expectation, making this directly relevant to EU cloud-resident public-sector and financial workloads. [SINGLE-SOURCE] (Unit 42 primary research).
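The detection side of the item above, as an added example that is not Unit 42's code or part of the brief: a small scanner that runs over CloudTrail and Google Cloud Audit Logs records in JSON-lines form and flags StopLogging, DeleteTrail, UpdateTrail calls that change the trail's KMS key, KMS key-policy or key-disable calls against the CloudTrail key, sink deletion, and sink updates whose new destination is not one of the org's own log stores (the redirection case). Field names follow the public CloudTrail and Cloud Audit Logs schemas; every account ID, ARN, key ID, sink name, principal and sample record is constructed for the demonstration, and the trusted break-glass principals and allowed destinations are assumptions a real deployment would take from inventory.

```python
"""Added example: flag CloudTrail and Cloud Audit Logs records that impair or
redirect logging. All identifiers and sample records below are constructed."""
import json

# Constructed break-glass principals allowed to change logging configuration.
TRUSTED_LOG_ADMINS = {
    "arn:aws:iam::111111111111:role/LogAdminBreakGlass",
    "log-admin@example-org.iam.gserviceaccount.com",
}
# CloudTrail calls that stop or delete a trail (T1562.008).
CLOUDTRAIL_TAMPER = {"StopLogging", "DeleteTrail"}
# KMS calls that can leave CloudTrail objects unreadable (CMEK impairment).
KMS_IMPAIR = {"PutKeyPolicy", "DisableKey", "ScheduleKeyDeletion"}
# Cloud Audit Logs methodNames for sink removal/redirection and bucket deletion.
GCP_TAMPER = {
    "google.logging.v2.ConfigServiceV2.DeleteSink": "log sink deleted",
    "google.logging.v2.ConfigServiceV2.UpdateSink": "log sink modified",
    "storage.buckets.delete": "log bucket deleted",
}


def _key_id(ref):
    """Reduce a KMS key ARN or bare key ID to the bare key ID."""
    return ref.rsplit("/", 1)[-1]


def check_cloudtrail(ev, protected_keys):
    """Alert string for a CloudTrail record that impairs logging, else None."""
    src, name = ev.get("eventSource"), ev.get("eventName")
    actor = ev.get("userIdentity", {}).get("arn", "?")
    params = ev.get("requestParameters") or {}
    if actor in TRUSTED_LOG_ADMINS:
        return None
    if src == "cloudtrail.amazonaws.com":
        if name in CLOUDTRAIL_TAMPER:
            return f"T1562.008 {name} on trail {params.get('name')} by {actor}"
        # UpdateTrail is routine unless it touches the KMS key association.
        if name == "UpdateTrail" and "kmsKeyId" in params:
            return (f"T1562.008 UpdateTrail re-keyed trail {params.get('name')} "
                    f"to {params['kmsKeyId']} by {actor}")
    if src == "kms.amazonaws.com" and name in KMS_IMPAIR:
        key = _key_id(params.get("keyId", ""))
        if key in {_key_id(k) for k in protected_keys}:
            return f"CMEK impairment: {name} on CloudTrail key {key} by {actor}"
    return None


def check_gcp(ev, allowed_destinations):
    """Alert string for a Cloud Audit Logs record that impairs logging, else None."""
    p = ev.get("protoPayload") or {}
    method = p.get("methodName")
    actor = p.get("authenticationInfo", {}).get("principalEmail", "?")
    if method not in GCP_TAMPER or actor in TRUSTED_LOG_ADMINS:
        return None
    if method.endswith("UpdateSink"):
        # Redirection: the new destination is outside the org's known log stores.
        dest = ((p.get("request") or {}).get("sink") or {}).get("destination", "")
        if dest in allowed_destinations:
            return None
        return f"log sink {p.get('resourceName')} redirected to {dest} by {actor}"
    return f"{GCP_TAMPER[method]}: {p.get('resourceName')} by {actor}"


def scan(jsonl, protected_keys, allowed_destinations):
    """Run both checks over newline-delimited JSON records; return the alerts."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        hit = (check_cloudtrail(ev, protected_keys) if "eventSource" in ev
               else check_gcp(ev, allowed_destinations))
        if hit:
            alerts.append(hit)
    return alerts


# Constructed inventory: the key that encrypts the org trail, and the org's own
# GCS log destination. Constructed sample records follow, as a log pipeline
# would hand them over: four tampering calls, two routine calls, one trusted edit.
PROTECTED_KEYS = {"arn:aws:kms:us-east-1:111111111111:key/1111aaaa-0000-4000-8000-000000000001"}
ALLOWED_SINKS = {"storage.googleapis.com/org-audit-logs-locked"}
_ALICE = {"arn": "arn:aws:sts::111111111111:assumed-role/DevOps/alice"}
_BOB = {"principalEmail": "bob@example-org.com"}
SAMPLE_LOGS = "\n".join(json.dumps(r) for r in [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": _ALICE, "requestParameters": {"name": "org-trail"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
     "userIdentity": _ALICE, "requestParameters": {"name": "org-trail", "isMultiRegionTrail": True}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail", "userIdentity": _ALICE,
     "requestParameters": {"name": "org-trail", "kmsKeyId": "arn:aws:kms:us-east-1:999999999999:key/attacker"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "PutKeyPolicy", "userIdentity": _ALICE,
     "requestParameters": {"keyId": "1111aaaa-0000-4000-8000-000000000001", "policyName": "default"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
     "userIdentity": _ALICE, "requestParameters": None},
    {"protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.DeleteSink",
     "resourceName": "projects/prod-app/sinks/org-audit", "authenticationInfo": _BOB}},
    {"protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.UpdateSink",
     "resourceName": "projects/prod-app/sinks/org-audit", "authenticationInfo": _BOB,
     "request": {"sink": {"destination": "storage.googleapis.com/attacker-bucket-7731"}}}},
    {"protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.UpdateSink",
     "resourceName": "projects/prod-app/sinks/org-audit",
     "authenticationInfo": {"principalEmail": "log-admin@example-org.iam.gserviceaccount.com"},
     "request": {"sink": {"destination": "storage.googleapis.com/org-audit-logs-locked"}}}},
])

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS, PROTECTED_KEYS, ALLOWED_SINKS):
        print("ALERT:", alert)
```

Run as-is and the scanner reports five alerts out of the eight records: the multi-region UpdateTrail and the DescribeTrails call pass as routine, and the sink edit by the trusted log-admin service account is suppressed. The allow-list of principals is deliberately tiny; in production it should be derived from the role or service account that actually owns logging configuration, and any match against it should still be logged, since the brief's point is that this is exactly the identity an attacker would try to assume.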