1. Home
  2. Techniques
  3. Enterprise
  4. Impair Defenses
  5. Disable or Modify Cloud Logs

Impair Defenses: Disable or Modify Cloud Logs

ID Name
T1562.001 Disable or Modify Tools
T1562.002 Disable Windows Event Logging
T1562.003 Impair Command History Logging
T1562.004 Disable or Modify System Firewall
T1562.006 Indicator Blocking
T1562.007 Disable or Modify Cloud Firewall
T1562.008 Disable or Modify Cloud Logs
T1562.009 Safe Mode Boot
T1562.010 Downgrade Attack
T1562.011 Spoof Security Alerting
T1562.012 Disable or Modify Linux Audit System

An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.

For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.[1] They may alternatively tamper with logging functionality – for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.[2][3] In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.[4]

ID: T1562.008
Sub-technique of:  T1562
Tactic: Defense Evasion
Platforms: IaaS, Identity Provider, Office Suite, SaaS
Contributors: Alex Soler, AttackIQ; Arun Seelagan, CISA; Ibrahim Ali Khan; Janantha Marasinghe; Joe Gumke, U.S. Bank; Matt Snyder, VMware; Prasad Somasamudram, McAfee; Sekhar Sarukkai, McAfee; Syed Ummar Farooqh, McAfee
Version: 2.1
Created: 12 October 2020
Last Modified: 14 October 2024
Version Permalink

Procedure Examples

ID Name Description
G0016 APT29

APT29 has disabled Purview Audit on targeted accounts prior to stealing emails from Microsoft 365 tenants.[5]
S1091 Pacu

Pacu can disable or otherwise restrict various AWS logging services, such as AWS CloudTrail and VPC flow logs.[6]

Mitigations

ID Mitigation Description
M1018 User Account Management

Configure default account policy to enable logging. Manage policies to ensure only necessary users have permissions to make changes to logging policies.

Detection

ID Data Source Data Component Detects
DS0025 Cloud Service Cloud Service Disable

Monitor logs for API calls to disable logging. In AWS, monitor for: StopLogging, UpdateTrail DeleteTrail.[7] In GCP, monitor for: google.logging.v2.ConfigServiceV2.UpdateSink and google.logging.v2.ConfigServiceV2.DeleteSink.[8] In Azure, monitor for az monitor diagnostic-settings update and az monitor diagnostic-settings delete.[9] Additionally, a sudden loss of a log source may indicate that it has been disabled.
Cloud Service Modification

Monitor changes made to cloud services for unexpected modifications to settings and/or data.

Analytic 1 - Operations performed by unexpected initiators, frequent modifications, changes to critical resources

index="azure_activity_logs" OperationName="Create or update resource diagnostic setting"| stats count by InitiatorName, ResourceID, Status| where Status!="Succeeded" OR InitiatorName!="expected_initiator"| sort by Time
DS0002 User Account User Account Modification

Monitor for changes to account settings associated with users/tenants that may impact defensive logging capabilities, such as the Update User and Change User License events in the Azure AD audit log.[10]

References

  1. Dan Whalen. (2019, September 10). Following the CloudTrail: Generating strong AWS security signals with Sumo Logic. Retrieved October 16, 2020.
  2. AWS. (n.d.). update-trail. Retrieved August 4, 2023.
  3. Rhino Security Labs. (2021, April 29). Pacu Detection Disruption Module. Retrieved August 4, 2023.
  4. Kelly Sheridan. (2021, August 5). Incident Responders Explore Microsoft 365 Attacks in the Wild. Retrieved March 17, 2023.
  5. Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.
  1. Rhino Security Labs. (2019, August 22). Pacu. Retrieved October 17, 2019.
  2. Amazon Web Services. (n.d.). Stopping CloudTrail from Sending Events to CloudWatch Logs. Retrieved October 16, 2020.
  3. Google. (n.d.). Configuring Data Access audit logs. Retrieved October 16, 2020.
  4. Microsoft. (n.d.). az monitor diagnostic-settings. Retrieved October 16, 2020.
  5. Mandiant. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved January 22, 2021.