
SC-109: Cloud Log Tampering & Anti-Forensics

Operation GHOST TRAIL

Classification: TABLETOP EXERCISE -- 100% Synthetic

All organizations, IP addresses, domains, cloud accounts, and threat actors in this scenario are entirely fictional. Created for educational tabletop exercises only.


Scenario Metadata

Difficulty          ★★★★★ (Expert)
Duration            3-4 hours
Participants        4-8 (SOC, IR, Cloud Security, Legal, CISO)
ATT&CK Techniques   T1566.002 · T1078.004 · T1136.003 · T1098.001 · T1098.003 · T1562.008 · T1070 · T1657
Threat Actor        SPECTRAL VOID (anti-forensics specialist group)
Industry            Financial Services
Primary Impact      14-day forensic blindspot, $2.3M in unauthorized transfers undetected

Threat Actor Profile: SPECTRAL VOID

Motivation        Financial gain -- cover tracks for a wire fraud operation
Sophistication    Very high -- deep cloud platform expertise, multi-cloud capability
Known Targets     Financial institutions, cryptocurrency exchanges, fintech platforms
Avg. Dwell Time   30-60 days (extended by log destruction)
Signature         Systematically eliminates forensic evidence across all three major cloud providers before executing the primary objective
Tools             Custom AWS SDK scripts, Azure CLI automation, stolen service account credentials, ephemeral compute for C2

Executive Summary

SPECTRAL VOID compromises a cloud administrator's credentials at Meridian Financial Group (synthetic fintech company, 800 employees) through a targeted phishing campaign that proxies the MFA exchange in real time. Rather than immediately pursuing their financial objective, the attacker spends 9 days methodically disabling and deleting logging infrastructure across the AWS, Azure, and GCP environments. They stop CloudTrail in 3 AWS regions, delete 47 VPC flow log configurations, set a 1-day expiration on the CloudTrail S3 bucket, modify Azure Diagnostic Settings to stop forwarding Activity Logs to the SIEM, and delete GCP audit log sinks. With SIEM visibility eliminated, SPECTRAL VOID executes unauthorized wire transfers totaling $2.3M over 5 days, each kept below the $500,000 auto-approval threshold. The attack is discovered on Day 23 when a finance team member notices discrepancies in reconciliation reports. The IR team finds a 14-day gap in SIEM and archived trail coverage, with little recoverable evidence beyond the payment application's own logs and the cloud providers' platform-native histories.


Environment Setup

Target Organization: Meridian Financial Group (synthetic)

Industry            Fintech, 800 employees, multi-cloud architecture
AWS Account         Production: meridian-prod (Account ID: 111122223333)
Azure Subscription  Meridian-Azure-Prod (10.20.0.0/16)
GCP Project         meridian-gcp-prod
CloudTrail          One trail per region (meridian-prod-trail) in us-east-1, us-west-2, eu-west-1, delivering to the S3 bucket meridian-cloudtrail-logs in the same account (365-day lifecycle retention, no Object Lock)
SIEM                Microsoft Sentinel (Azure) + Splunk (AWS/GCP)
IAM                 AWS SSO federated to Azure AD, MFA enforced (but not phishing-resistant)
Payment Systems     Internal wire transfer API at payments.internal.example.com (10.20.5.50); transfers under $500,000 are auto-approved

Phase 1: Initial Access -- Credential Theft (Day 0)

Attacker Actions

SPECTRAL VOID sends a targeted phishing email to the cloud infrastructure team impersonating an AWS support notification about an upcoming service disruption:

Phishing Email (Reconstructed)

From: aws-notifications@support-aws.example.com
To: cloud-admin@meridian.example.com
Subject: [Action Required] AWS Service Health -- Upcoming us-east-1 Maintenance

Dear Cloud Administrator,

A critical maintenance window is scheduled for your account 
111122223333. To avoid service disruption, please verify your 
administrative access:

https://console-aws.example.com/verify-access

This action must be completed within 24 hours.

Amazon Web Services Support

The cloud administrator clicks the link and enters their AWS SSO credentials and MFA code on the phishing page, which relays them to the real identity provider as they are typed (an adversary-in-the-middle proxy, so a time-based code is still valid when replayed seconds later). The attacker captures the resulting session cookie and federated credentials, which, because SSO is federated through Azure AD, provide access to AWS, Azure, and limited GCP resources.

Evidence Artifacts

AWS CloudTrail -- Initial Login (Before Tampering)

{
  "eventTime": "2026-03-15T09:14:22Z",
  "eventName": "ConsoleLogin",
  "sourceIPAddress": "203.0.113.45",
  "userIdentity": {
    "type": "FederatedUser",
    "arn": "arn:aws:sts::111122223333:federated-user/cloud-admin",
    "accountId": "111122223333"
  },
  "responseElements": {
    "ConsoleLogin": "Success"
  },
  "additionalEventData": {
    "MFAUsed": "Yes",
    "LoginTo": "https://console.aws.example.com"
  }
}

Detection Queries

Sentinel (KQL)

// Federated console login from a public IP not seen in the prior 30 days
AWSCloudTrail
| where TimeGenerated > ago(24h)
| where EventName == "ConsoleLogin"
| where not(ipv4_is_private(SourceIpAddress))   // all of 10/8, 172.16/12, 192.168/16, not just 172.16/16
| where UserIdentityType == "FederatedUser"
| join kind=leftanti (
    AWSCloudTrail
    | where TimeGenerated between (ago(30d) .. ago(1d))
    | where EventName == "ConsoleLogin"
    | distinct SourceIpAddress
) on SourceIpAddress
| project TimeGenerated, UserIdentityArn, SourceIpAddress, AWSRegion

Splunk (SPL) -- run over a 30-day window so first_seen is meaningful

index=aws sourcetype=aws:cloudtrail eventName=ConsoleLogin
| where NOT (cidrmatch("10.0.0.0/8", sourceIPAddress)
    OR cidrmatch("172.16.0.0/12", sourceIPAddress)
    OR cidrmatch("192.168.0.0/16", sourceIPAddress))
| stats earliest(_time) as first_seen values(userIdentity.arn) as user by sourceIPAddress
| where first_seen > relative_time(now(), "-24h")
| lookup known_admin_ips ip as sourceIPAddress OUTPUT is_known
| where isnull(is_known)

Discussion Injects

Technical

The phishing page captured the MFA token in real-time and replayed it. How would phishing-resistant MFA (FIDO2/WebAuthn) have prevented this? What is the window for session token replay?


Phase 2: Privilege Escalation & Persistence (Days 1-3)

Attacker Actions

SPECTRAL VOID creates a backdoor IAM user and additional access keys:

IAM Backdoor Creation (CloudTrail -- Still Active)

{
  "eventTime": "2026-03-16T02:33:41Z",
  "eventName": "CreateUser",
  "sourceIPAddress": "203.0.113.45",
  "requestParameters": {
    "userName": "svc-cloudwatch-metrics"
  },
  "userIdentity": {
    "arn": "arn:aws:sts::111122223333:federated-user/cloud-admin"
  }
}

Policy Attachment (Overly Permissive)

{
  "eventTime": "2026-03-16T02:34:02Z",
  "eventName": "AttachUserPolicy",
  "requestParameters": {
    "userName": "svc-cloudwatch-metrics",
    "policyArn": "arn:aws:iam::111122223333:policy/AdminAccess-Legacy"
  }
}

The attacker creates the user name svc-cloudwatch-metrics to blend in with legitimate service accounts. They attach an existing overly-permissive legacy policy rather than creating a new one to avoid triggering alerts on policy creation.

Detection Queries

Sentinel (KQL)

// IAM principal changes not made by the IaC pipeline identities
AWSCloudTrail
| where EventName in ("CreateUser", "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy")
| where UserIdentityArn !has "terraform" and UserIdentityArn !has "cloudformation"
| summarize Actions=make_set(EventName), ActionCount=count()
    by UserIdentityArn, bin(TimeGenerated, 1h)
| where ActionCount >= 2

Splunk (SPL)

index=aws sourcetype=aws:cloudtrail
    eventName IN ("CreateUser", "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy")
    NOT userIdentity.arn="*terraform*" NOT userIdentity.arn="*cloudformation*"
| bin _time span=1h
| stats values(eventName) as actions count by userIdentity.arn _time
| where count >= 2

Phase 3: Log Infrastructure Destruction (Days 4-9)

Attacker Actions

This is the core of the operation. SPECTRAL VOID systematically eliminates forensic evidence across all cloud platforms over 6 days, spacing actions to avoid triggering volume-based alerts.

Day 4 -- AWS CloudTrail Disabled

CloudTrail StopLogging Events

{
  "eventTime": "2026-03-19T03:15:44Z",
  "eventName": "StopLogging",
  "sourceIPAddress": "198.51.100.22",
  "requestParameters": {
    "name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/meridian-prod-trail"
  }
}
{
  "eventTime": "2026-03-19T04:22:18Z",
  "eventName": "StopLogging",
  "sourceIPAddress": "198.51.100.22",
  "requestParameters": {
    "name": "arn:aws:cloudtrail:us-west-2:111122223333:trail/meridian-prod-trail"
  }
}
{
  "eventTime": "2026-03-19T05:01:33Z",
  "eventName": "StopLogging",
  "sourceIPAddress": "198.51.100.22",
  "requestParameters": {
    "name": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/meridian-prod-trail"
  }
}

Day 5 -- VPC Flow Logs Deleted

The attacker deletes flow log configurations across 47 VPCs and subnets:

VPC Flow Log Deletion (Sample)

{
  "eventTime": "2026-03-20T01:44:12Z",
  "eventName": "DeleteFlowLogs",
  "sourceIPAddress": "198.51.100.22",
  "requestParameters": {
    "DeleteFlowLogIds": [
      "fl-0a1b2c3d4e5f6a7b8",
      "fl-1b2c3d4e5f6a7b8c9",
      "fl-2c3d4e5f6a7b8c9d0"
    ]
  }
}

Day 6 -- S3 Log Bucket Lifecycle Policy Modified

Rather than deleting existing objects (a burst of DeleteObject calls or a sudden drop in bucket size would trigger data loss alerts), the attacker modifies the bucket's S3 lifecycle configuration so that objects expire after 1 day. Expiration is carried out asynchronously by S3 itself, so the deletions show up as lifecycle activity rather than as API calls by the attacker's principal, and they keep running for as long as the rule stays in place:

S3 Lifecycle Policy Modification

{
  "eventTime": "2026-03-21T02:11:55Z",
  "eventName": "PutBucketLifecycleConfiguration",
  "sourceIPAddress": "198.51.100.22",
  "requestParameters": {
    "bucketName": "meridian-cloudtrail-logs",
    "lifecycleConfiguration": {
      "rules": [{
        "id": "log-retention-compliance",
        "status": "Enabled",
        "expiration": { "days": 1 },
        "prefix": ""
      }]
    }
  }
}

Day 7 -- Azure Diagnostic Settings Removed

Azure Activity Log -- Diagnostic Setting Deletion

{
  "time": "2026-03-22T03:05:27Z",
  "operationName": "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE",
  "caller": "cloud-admin@meridian.example.com",
  "callerIpAddress": "198.51.100.22",
  "properties": {
    "statusCode": "OK",
    "resourceUri": "/subscriptions/aaaabbbb-cccc-dddd-eeee-ffffgggghhhh/providers/microsoft.insights/diagnosticSettings/send-to-sentinel"
  }
}

Day 8-9 -- GCP Audit Log Sinks Deleted

GCP Admin Activity Log -- Sink Deletion

{
  "timestamp": "2026-03-23T04:18:33Z",
  "protoPayload": {
    "methodName": "google.logging.v2.ConfigServiceV2.DeleteSink",
    "authenticationInfo": {
      "principalEmail": "cloud-admin@meridian.example.com"
    },
    "requestMetadata": {
      "callerIp": "198.51.100.22"
    },
    "request": {
      "sinkName": "projects/meridian-gcp-prod/sinks/export-to-splunk"
    }
  }
}

Detection Queries

Sentinel (KQL)

// CRITICAL: any call that disables, redirects, filters or expires CloudTrail or flow logs.
// PutEventSelectors is included because it silences a trail without a StopLogging event.
AWSCloudTrail
| where EventName in ("StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
    "DeleteFlowLogs", "PutBucketLifecycleConfiguration")
| project TimeGenerated, EventName, SourceIpAddress, UserIdentityArn, AWSRegion, RequestParameters
| order by TimeGenerated asc

Splunk (SPL)

index=aws sourcetype=aws:cloudtrail
    eventName IN ("StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
    "DeleteFlowLogs", "PutBucketLifecycleConfiguration")
| table _time eventName sourceIPAddress userIdentity.arn awsRegion requestParameters
| sort _time

Anti-Forensics Detection Gap

Once StopLogging succeeds the trail delivers nothing further, so the StopLogging record is the last event that reaches the S3 bucket and the SIEM. If it is not alerted on in real time, the defender has no SIEM visibility for as long as logging stays off, which makes it one of the few alerts that must page unconditionally. Two caveats matter for both detection and reconstruction. First, CloudTrail Event history in the console keeps the last 90 days of management events per region regardless of trail state and cannot be turned off, which is why the Day 5 DeleteFlowLogs and Day 6 lifecycle calls are still recoverable; data events such as S3 object reads are not in it. Second, an attacker can produce the same silence without a StopLogging event, by using PutEventSelectors to exclude management events or UpdateTrail to redirect delivery to a bucket they control, so the alert has to cover those calls as well.
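The three checks this gap calls for, as an added example that is not part of the original exercise: a short Python routine run over constructed CloudTrail records mirroring the Day 4-6 artifacts. It pages on any single tamper call, correlates StopLogging across regions within two hours (the behavioural IOC listed later on this page), and inspects the lifecycle rule for an expiration below the 365-day retention the bucket is supposed to carry. The principal ARN on the records (the svc-cloudwatch-metrics backdoor user) and the use of the trail ARN to derive the region are assumptions; the field names are CloudTrail's own.

```python
# Added example: tamper detection over CloudTrail records (not part of the exercise).
from collections import defaultdict
from datetime import datetime, timedelta

# API calls that silence, redirect, filter or expire AWS logging.
TAMPER_EVENTS = {
    "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
    "DeleteFlowLogs", "PutBucketLifecycleConfiguration",
}
LOG_BUCKETS = {"meridian-cloudtrail-logs"}  # scenario's CloudTrail bucket
MIN_RETENTION_DAYS = 365                    # scenario's original retention
STOP_LOGGING_WINDOW = timedelta(hours=2)    # behavioural IOC window


def _ts(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _trail_region(trail_arn):
    # arn:aws:cloudtrail:<region>:<account>:trail/<name>  (assumes the ARN form used
    # in the page's StopLogging artifacts; real records also carry an awsRegion field)
    return trail_arn.split(":")[3]


def single_event_alerts(records):
    """Check 1: every tamper call is critical on its own; no correlation needed."""
    return [
        {"severity": "critical", "event": r["eventName"],
         "principal": r["userIdentity"]["arn"], "time": r["eventTime"]}
        for r in records if r["eventName"] in TAMPER_EVENTS
    ]


def multi_region_stop_logging(records, window=STOP_LOGGING_WINDOW):
    """Check 2: one principal stops trails in two or more regions inside `window`."""
    hits = defaultdict(list)
    for r in records:
        if r["eventName"] == "StopLogging":
            hits[r["userIdentity"]["arn"]].append(
                (_ts(r), _trail_region(r["requestParameters"]["name"])))
    alerts = []
    for principal, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            regions = {reg for t, reg in events[i:] if t - t0 <= window}
            if len(regions) >= 2:
                alerts.append({"principal": principal, "first": t0.isoformat(),
                               "regions": sorted(regions)})
                break  # one alert per principal
    return alerts


def short_retention_on_log_bucket(records, floor_days=MIN_RETENTION_DAYS):
    """Check 3: an enabled lifecycle rule expiring log-bucket objects below the floor."""
    alerts = []
    for r in records:
        if r["eventName"] != "PutBucketLifecycleConfiguration":
            continue
        params = r["requestParameters"]
        if params.get("bucketName") not in LOG_BUCKETS:
            continue  # lifecycle changes on other buckets are routine
        for rule in params["lifecycleConfiguration"]["rules"]:
            days = rule.get("expiration", {}).get("days")
            if rule.get("status") == "Enabled" and days is not None and days < floor_days:
                alerts.append({"bucket": params["bucketName"], "rule": rule["id"],
                               "expiration_days": days})
    return alerts


def _rec(time, name, params,
         arn="arn:aws:iam::111122223333:user/svc-cloudwatch-metrics"):  # assumed principal
    return {"eventTime": time, "eventName": name, "sourceIPAddress": "198.51.100.22",
            "userIdentity": {"arn": arn}, "requestParameters": params}


# Constructed records mirroring the Day 4-6 artifacts, plus one benign read call.
SAMPLE_RECORDS = [
    _rec("2026-03-19T03:10:00Z", "DescribeTrails", {}),
    _rec("2026-03-19T03:15:44Z", "StopLogging",
         {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/meridian-prod-trail"}),
    _rec("2026-03-19T04:22:18Z", "StopLogging",
         {"name": "arn:aws:cloudtrail:us-west-2:111122223333:trail/meridian-prod-trail"}),
    _rec("2026-03-19T05:01:33Z", "StopLogging",
         {"name": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/meridian-prod-trail"}),
    _rec("2026-03-20T01:44:12Z", "DeleteFlowLogs",
         {"DeleteFlowLogIds": ["fl-0a1b2c3d4e5f6a7b8"]}),
    _rec("2026-03-21T02:11:55Z", "PutBucketLifecycleConfiguration",
         {"bucketName": "meridian-cloudtrail-logs",
          "lifecycleConfiguration": {"rules": [{
              "id": "log-retention-compliance", "status": "Enabled",
              "expiration": {"days": 1}, "prefix": ""}]}}),
]

if __name__ == "__main__":
    for alert in single_event_alerts(SAMPLE_RECORDS):
        print("CRITICAL", alert["time"], alert["event"], alert["principal"])
    print("multi-region StopLogging:", multi_region_stop_logging(SAMPLE_RECORDS))
    print("short retention on log bucket:", short_retention_on_log_bucket(SAMPLE_RECORDS))
```

Check 1 is the one that has to page; checks 2 and 3 add the context an analyst needs to recognise the campaign rather than an isolated misconfiguration. The second check is deliberately written so a single StopLogging does not trip it, which is why the first check must exist independently.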

Discussion Injects

Technical

The attacker spaced log destruction across 6 days and 3 cloud providers. Why is this more effective than disabling everything at once? How does this defeat volume-based anomaly detection?

Decision

CloudTrail is disabled across 3 regions and the SIEM has a 14-day gap. How do you reconstruct what happened? Which sources survive the tampering (CloudTrail Event history, the platform-retained Azure Activity Log and GCP Admin Activity logs, S3 server access logs, CloudWatch metrics, billing data), and how quickly must they be pulled before they age out?


Phase 4: Financial Fraud Execution (Days 10-14)

Attacker Actions

With logging disabled, SPECTRAL VOID executes the primary objective -- unauthorized wire transfers through the internal payment API:

Wire Transfer API Calls (Reconstructed from Application Logs)

2026-03-25T06:12:44Z POST /api/v2/transfers/initiate
Source: 198.51.100.22 via the corporate VPN (tunnel address 10.20.3.17, which is what the payments API records) to 10.20.5.50
Auth: Bearer token (svc-cloudwatch-metrics)
Body: {
  "from_account": "MFG-OPERATING-001",
  "to_account": "EXT-8847291",
  "amount": 487000.00,
  "currency": "USD",
  "reference": "Q1-VENDOR-SETTLEMENT-0847"
}
Response: 200 OK -- Transfer ID: TXN-20260325-0847

2026-03-26T05:44:18Z POST /api/v2/transfers/initiate
Source: 198.51.100.22
Body: {
  "from_account": "MFG-OPERATING-001",
  "to_account": "EXT-9912034",
  "amount": 493000.00,
  "currency": "USD",
  "reference": "Q1-VENDOR-SETTLEMENT-0912"
}
Response: 200 OK -- Transfer ID: TXN-20260326-0912

Total unauthorized transfers: 5 transactions, $2.3M over 5 days, all using legitimate-looking vendor settlement reference numbers.

Evidence Artifacts

Application Server Logs (Only Surviving Evidence)

[2026-03-25T06:12:44Z] [payments-api] [INFO] Transfer initiated
  user=svc-cloudwatch-metrics src=10.20.3.17 
  amount=487000.00 dest=EXT-8847291
[2026-03-25T06:12:45Z] [payments-api] [INFO] Transfer approved
  txn=TXN-20260325-0847 approval=auto 
  (amount < threshold 500000)

Critical Finding

The auto-approval threshold of $500,000 allowed all 5 transfers to process without human review. Each transfer was deliberately kept below this threshold -- a technique known as "structuring."


Phase 5: Discovery & Response (Day 23)

Discovery

A finance team member notices $2.3M in unreconciled outbound transfers during monthly close. The transfers reference vendor settlement codes that do not match any active vendor agreements.

IR Team Findings

The incident response team discovers:

  1. CloudTrail disabled in all 3 AWS regions since Day 4
  2. VPC flow logs deleted -- no network traffic records for 19 days
  3. Azure Diagnostic Settings removed -- no Activity Log forwarding since Day 7
  4. GCP log export sinks deleted since Day 8
  5. S3 log bucket lifecycle policy set to 1-day expiration -- historical logs destroyed
  6. A backdoor IAM user (svc-cloudwatch-metrics) with admin privileges

Timeline Reconstruction

Day    Event                                              Evidence Source
0      Credential phishing; cloud-admin compromised       CloudTrail (pre-tampering), email gateway
1-3    Backdoor IAM user created, access keys generated   CloudTrail (pre-tampering)
4      CloudTrail stopped in 3 regions                    The trails themselves (last delivered event) and CloudTrail Event history
5      VPC flow logs deleted (47 configurations)          CloudTrail Event history (90-day per-region record, unaffected by StopLogging)
6      S3 log lifecycle set to 1-day expiration           CloudTrail Event history
7      Azure Diagnostic Settings removed                  Azure Activity Log (retained 90 days in the platform; Sentinel export stops here)
8-9    GCP audit log sinks deleted                        GCP Admin Activity audit log (_Required bucket; Splunk export stops here)
10-14  SIEM BLINDSPOT: $2.3M in wire transfers            Payments application logs, plus the platform-native histories above
15-22  SIEM BLINDSPOT: attacker activity unknown          No SIEM or flow-log data; CloudTrail Event history, Azure Activity Log and GCP Admin Activity still hold management-plane events for these days
23     Finance discovers unreconciled transfers           Manual business process

Indicators of Compromise

Network IOCs

Indicator                  Type     Context
203.0.113.45               IPv4     Initial phishing login source
198.51.100.22              IPv4     Attacker operational IP (log destruction and fraud)
support-aws.example.com    Domain   Phishing sender domain impersonating AWS
console-aws.example.com    Domain   Credential harvesting page

Cloud IOCs

Indicator                  Type                 Context
svc-cloudwatch-metrics     IAM user             Backdoor service account
AdminAccess-Legacy         IAM policy           Overly permissive legacy policy abused
fl-0a1b2c3d4e5f6a7b8       Flow log ID          Deleted VPC flow log
send-to-sentinel           Diagnostic setting   Deleted Azure log forwarding
export-to-splunk           Log sink             Deleted GCP log export

Behavioral IOCs

Indicator                                                       Description
StopLogging events across multiple regions within 2 hours       Systematic CloudTrail disabling
DeleteFlowLogs for 47 configurations in a single session        Mass VPC flow log deletion
S3 lifecycle policy change to 1-day expiration on log bucket    Evidence destruction via auto-expiration
Wire transfers structured below $500K auto-approval threshold   Financial structuring pattern
Service account accessing payment API outside business hours    Anomalous API access pattern

Containment & Remediation

Immediate Actions (Hour 0-4)

  1. Preserve before you change anything: export the current trail status, the attacker's lifecycle configuration (GetBucketLifecycleConfiguration) and each region's CloudTrail Event history to an evidence store outside the compromised accounts, since the steps below overwrite them
  2. Remove the 1-day expiration rule from meridian-cloudtrail-logs and restore the original 365-day retention; every hour it stays in place costs more history
  3. Re-enable CloudTrail in all regions (StartLogging) and restore VPC flow logs across all VPCs and subnets
  4. Restore Azure Diagnostic Settings and GCP log sinks so the SIEM receives platform events again
  5. Capture the access key IDs and last-used data for svc-cloudwatch-metrics, then disable the user and revoke all its access keys
  6. Rotate cloud-admin credentials: revoke all active sessions and refresh tokens at the identity provider and issue new FIDO2 keys
  7. Freeze external wire transfers pending investigation

Evidence Recovery

Alternative Evidence Sources for Forensic Blindspot

Stopping a trail, deleting a diagnostic setting or deleting a log sink stops export to the SIEM; it does not erase the platform's own history. Pull these first, before they age out:

  • CloudTrail Event history: the last 90 days of management events per region, always on and not affected by StopLogging, DeleteTrail or the bucket lifecycle rule (data events such as S3 object reads are not included)
  • Azure Activity Log: retained in the platform for 90 days independently of diagnostic settings; the DIAGNOSTICSETTINGS/DELETE record and everything after it are still there
  • GCP Admin Activity audit logs: written to the project's _Required log bucket with 400-day retention and cannot be disabled; deleting the sink only stopped the Splunk export
  • S3 versioning on the log bucket, if it was enabled: lifecycle expiration only adds delete markers, so the noncurrent versions of the expired CloudTrail objects are recoverable
  • S3 server access logs (if enabled separately from CloudTrail), where lifecycle expirations appear as S3.EXPIRE.OBJECT operations
  • CloudWatch metrics (API call counts, error rates; metadata only)
  • AWS Config (resource configuration history, recorded independently of CloudTrail)
  • AWS billing and Cost Explorer data (resource creation and usage patterns)
  • Route 53 Resolver query logs, if query logging was enabled for the VPCs
  • Application-level logs not stored in the compromised cloud accounts
  • Third-party logs: the SSO/identity provider's sign-in log, the email gateway, endpoint EDR

Preventive Controls

  1. CloudTrail tamper protection -- an organization trail owned by the security account, plus an SCP denying cloudtrail:StopLogging, DeleteTrail, UpdateTrail and PutEventSelectors and ec2:DeleteFlowLogs to every principal except a break-glass role; a member account cannot detach an SCP from inside itself
  2. Log immutability -- S3 Object Lock on all log buckets, in Compliance mode: Governance mode can be bypassed by any principal holding s3:BypassGovernanceRetention, which a full account compromise provides
  3. Cross-account log archival -- Ship logs to a separate security account with restricted access
  4. Real-time alerting on log infrastructure changes -- StopLogging, PutEventSelectors, DeleteFlowLogs, lifecycle changes on log buckets, Azure diagnostic setting deletion and GCP sink deletion must page the SOC immediately
  5. Phishing-resistant MFA -- FIDO2/WebAuthn for all cloud administrator accounts
  6. Wire transfer controls -- Dual approval for all external transfers regardless of amount, plus velocity limits on aggregate outflow per initiator
  7. Service account governance -- All service accounts require an owner, an expiration date, and least-privilege policies
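Control 1 in code, as an added example that is not the exercise's own material: a Service Control Policy in the real SCP JSON grammar that denies the Phase 3 tamper calls to everyone except a break-glass role, followed by a deliberately small evaluator that applies only the SCP deny logic (action and resource wildcards, ArnNotLike on aws:PrincipalArn) so the scenario's Day 4-6 calls can be replayed against it. The SecurityBreakGlass role name is an assumption; the bucket, account and backdoor user are the scenario's. The evaluator is not an IAM simulator: it ignores allow statements, identity policies and every condition operator the policy does not use.

```python
# Added example: logging-guardrail SCP and a minimal deny evaluator (not from the exercise).
from fnmatch import fnmatchcase

LOG_BUCKET = "meridian-cloudtrail-logs"                         # scenario value
BREAK_GLASS_PATTERN = "arn:aws:iam::*:role/SecurityBreakGlass"  # assumed break-glass role

LOG_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyTrailAndFlowLogTampering",
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                       "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors",
                       "ec2:DeleteFlowLogs"],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": BREAK_GLASS_PATTERN}},
        },
        {
            "Sid": "DenyLogBucketRetentionChanges",
            "Effect": "Deny",
            "Action": ["s3:PutLifecycleConfiguration", "s3:PutBucketPolicy",
                       "s3:DeleteBucket", "s3:PutBucketObjectLockConfiguration"],
            "Resource": f"arn:aws:s3:::{LOG_BUCKET}",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": BREAK_GLASS_PATTERN}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate ArnLike / ArnNotLike only; any other operator is out of scope here."""
    for operator, pairs in condition.items():
        if operator not in ("ArnLike", "ArnNotLike"):
            raise NotImplementedError(operator)
        for key, pattern in pairs.items():
            matched = fnmatchcase(context[key], pattern)  # ARN matching is case-sensitive
            if (operator == "ArnLike") != matched:
                return False
    return True


def evaluate(scp, action, resource, principal_arn):
    """Return (allowed, sid): (False, Sid) when a Deny statement applies,
    otherwise (True, None). SCPs never grant access; they only filter it."""
    context = {"aws:PrincipalArn": principal_arn}
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return False, stmt["Sid"]
    return True, None


BACKDOOR_USER = "arn:aws:iam::111122223333:user/svc-cloudwatch-metrics"
# aws:PrincipalArn for a role session is the role ARN, so the pattern above matches it.
BREAK_GLASS_ROLE = "arn:aws:iam::111122223333:role/SecurityBreakGlass"
TRAIL = "arn:aws:cloudtrail:us-east-1:111122223333:trail/meridian-prod-trail"

PHASE3_CALLS = [  # the scenario's Day 4-6 calls plus two that should stay allowed
    ("cloudtrail:StopLogging", TRAIL),
    ("ec2:DeleteFlowLogs", "*"),
    ("s3:PutLifecycleConfiguration", f"arn:aws:s3:::{LOG_BUCKET}"),
    ("s3:PutLifecycleConfiguration", "arn:aws:s3:::meridian-app-assets"),  # unrelated bucket
    ("cloudtrail:DescribeTrails", "*"),
]


def replay(principal_arn, scp=LOG_GUARDRAIL_SCP):
    """Map each Phase 3 call to whether the SCP lets `principal_arn` make it."""
    return [(action, evaluate(scp, action, resource, principal_arn)[0])
            for action, resource in PHASE3_CALLS]


if __name__ == "__main__":
    for label, arn in (("backdoor user", BACKDOOR_USER), ("break-glass role", BREAK_GLASS_ROLE)):
        print(label)
        for action, allowed in replay(arn):
            print(f"  {action:32} {'allowed' if allowed else 'DENIED'}")
```

Two operational caveats the policy itself cannot express: SCPs do not apply to the organization's management account or to service-linked roles, so the organization trail and its bucket belong in a dedicated security account rather than the management account, and the break-glass role needs its own alerting, since it is now the one identity that can still silence logging.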

Detection Improvements

Sentinel (KQL) -- analytics rule, severity Critical, page on every hit

// Any call that disables, redirects, filters or expires AWS logging
let LogTamperEvents = dynamic([
    "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
    "DeleteFlowLogs", "PutBucketLifecycleConfiguration", "DeleteBucket"
]);
AWSCloudTrail
| where EventName in (LogTamperEvents)
| where EventName != "PutBucketLifecycleConfiguration"
    or RequestParameters has "meridian-cloudtrail-logs"   // lifecycle changes on other buckets are routine
| extend AlertSeverity = "Critical"
| project TimeGenerated, EventName, SourceIpAddress, UserIdentityArn, AWSRegion, RequestParameters

Splunk (SPL) -- saved search with a custom alert action

index=aws sourcetype=aws:cloudtrail
    eventName IN ("StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
    "DeleteFlowLogs", "PutBucketLifecycleConfiguration", "DeleteBucket")
| where eventName!="PutBucketLifecycleConfiguration" OR 'requestParameters.bucketName'="meridian-cloudtrail-logs"
| eval alert_severity="critical"
| table _time eventName sourceIPAddress userIdentity.arn awsRegion
| sendalert cloud_log_tampering

The same rule set needs the Azure and GCP equivalents from Phase 3: MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE in the Azure Activity Log and google.logging.v2.ConfigServiceV2.DeleteSink in GCP Admin Activity. A CloudTrail-only rule would have missed Days 7-9 entirely.

ATT&CK Mapping

Tactic            ID          Technique
Initial Access    T1566.002   Phishing: Spearphishing Link
Initial Access    T1078.004   Valid Accounts: Cloud Accounts
Persistence       T1136.003   Create Account: Cloud Account (svc-cloudwatch-metrics)
Persistence       T1098.001   Account Manipulation: Additional Cloud Credentials (CreateAccessKey)
Persistence       T1098.003   Account Manipulation: Additional Cloud Roles (AttachUserPolicy)
Defense Evasion   T1562.008   Impair Defenses: Disable or Modify Cloud Logs
Defense Evasion   T1070       Indicator Removal (expiring archived logs via the lifecycle rule)
Impact            T1657       Financial Theft

Lessons Learned

  1. CloudTrail StopLogging must page unconditionally -- The trail goes silent the moment it succeeds, so the StopLogging record is the last thing the SIEM receives from that trail. Alert on PutEventSelectors and UpdateTrail with the same severity, since either can silence a trail without a StopLogging event, and remember that CloudTrail Event history still holds 90 days of management events for reconstruction.
  2. Log immutability is non-negotiable -- S3 Object Lock in Compliance mode prevents any principal, root included, from deleting or expiring locked log objects before the retention period ends; Governance mode does not survive a principal holding s3:BypassGovernanceRetention. Without it, attackers can erase all evidence of their activity.
  3. Cross-account log archival creates a forensic safety net -- Logs shipped to a separate security account survive even if the production account is fully compromised.
  4. Anti-forensics extends dwell time dramatically -- The 14-day blindspot turned what could have been a 4-day incident into a 23-day incident with $2.3M in losses.
  5. Financial structuring defeats single-threshold controls -- The attacker kept every transfer below $500K. Velocity-based detection (multiple transfers in a short window) would have caught this pattern.
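The velocity check that Lesson 5 and the Critical Finding in Phase 4 call for, as an added example rather than anything from the exercise: it parses payments-api lines shaped like the Phase 4 evidence, skips transfers at or above the $500,000 threshold (the existing control already routes those to a human), and per initiating user sums the sub-threshold transfers inside a rolling window, also counting how many sat just under the threshold. The seven-day window, the $1,000,000 aggregate limit and the 90 percent near-threshold band are assumptions, as are the four additional transfer lines, the finance-ops user and the destination account numbers; only the first line reproduces the page's transfer.

```python
# Added example: velocity detection of structured transfers (not from the exercise).
from datetime import datetime, timedelta

AUTO_APPROVE_THRESHOLD = 500_000.00   # scenario's single-transfer control
WINDOW = timedelta(days=7)            # assumption: rolling window per initiator
AGGREGATE_LIMIT = 1_000_000.00        # assumption: max sub-threshold outflow per window
NEAR_THRESHOLD_RATIO = 0.90           # assumption: >= 90% of threshold counts as "just under"


def parse_transfer(line):
    """Parse one payments-api 'Transfer initiated' line into a dict."""
    head, _, tail = line.partition("Transfer initiated")
    stamp = head.split("]")[0].lstrip("[")        # "[2026-03-25T06:12:44Z]" -> timestamp text
    fields = dict(tok.split("=", 1) for tok in tail.split())
    return {"time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
            "user": fields["user"], "src": fields["src"],
            "amount": float(fields["amount"]), "dest": fields["dest"]}


def structuring_alerts(records, threshold=AUTO_APPROVE_THRESHOLD, window=WINDOW,
                       aggregate_limit=AGGREGATE_LIMIT, near_ratio=NEAR_THRESHOLD_RATIO):
    """One alert per user whose sub-threshold transfers inside any `window`
    add up to more than `aggregate_limit`. Transfers at or above `threshold`
    are skipped because the existing control already routes them to review."""
    by_user = {}
    for r in sorted(records, key=lambda r: r["time"]):
        if r["amount"] < threshold:
            by_user.setdefault(r["user"], []).append(r)
    alerts = []
    for user, txns in by_user.items():
        for i, first in enumerate(txns):
            in_window = [t for t in txns[i:] if t["time"] - first["time"] <= window]
            total = sum(t["amount"] for t in in_window)
            if total > aggregate_limit:
                alerts.append({
                    "user": user,
                    "window_start": first["time"].isoformat(),
                    "count": len(in_window),
                    "total": round(total, 2),
                    "near_threshold": sum(1 for t in in_window
                                          if t["amount"] >= near_ratio * threshold),
                    "distinct_destinations": len({t["dest"] for t in in_window}),
                })
                break  # report the earliest qualifying window per user, then move on
    return alerts


# Constructed log lines in the Phase 4 format. The first mirrors the page's
# TXN-20260325-0847; the other four are invented so the five sum to the page's $2.3M.
SAMPLE_LOG_LINES = [
    "[2026-03-25T06:12:44Z] [payments-api] [INFO] Transfer initiated user=svc-cloudwatch-metrics src=10.20.3.17 amount=487000.00 dest=EXT-8847291",
    "[2026-03-26T05:44:18Z] [payments-api] [INFO] Transfer initiated user=svc-cloudwatch-metrics src=10.20.3.17 amount=493000.00 dest=EXT-9912034",
    "[2026-03-27T05:58:02Z] [payments-api] [INFO] Transfer initiated user=svc-cloudwatch-metrics src=10.20.3.17 amount=468000.00 dest=EXT-1034771",
    "[2026-03-28T06:21:37Z] [payments-api] [INFO] Transfer initiated user=svc-cloudwatch-metrics src=10.20.3.17 amount=441000.00 dest=EXT-2270915",
    "[2026-03-29T05:49:50Z] [payments-api] [INFO] Transfer initiated user=svc-cloudwatch-metrics src=10.20.3.17 amount=411000.00 dest=EXT-3381206",
    # Legitimate activity for contrast: a routine payment and one large transfer
    # that the existing threshold already sends to human approval.
    "[2026-03-26T14:02:11Z] [payments-api] [INFO] Transfer initiated user=finance-ops src=10.20.7.21 amount=120000.00 dest=EXT-5500001",
    "[2026-03-27T09:30:45Z] [payments-api] [INFO] Transfer initiated user=finance-ops src=10.20.7.21 amount=750000.00 dest=EXT-5500002",
]

if __name__ == "__main__":
    records = [parse_transfer(line) for line in SAMPLE_LOG_LINES]
    for alert in structuring_alerts(records):
        print(alert)
```

The single-threshold control and the velocity check are complementary: the first catches one large transfer, the second catches many transfers that are each individually acceptable. The near_threshold count is the structuring signal itself; five transfers of $50,000 would clear the aggregate limit too, but three out of five landing within 10 percent of the review threshold is what separates deliberate evasion from a busy week.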

Cross-References