An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.[1] They may alternatively tamper with logging functionality – for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.[2][3] In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.[4]
| ID | Name | Description |
|---|---|---|
| G0016 | APT29 | APT29 has disabled Purview Audit on targeted accounts prior to stealing emails from Microsoft 365 tenants.[5] |
| S1091 | Pacu | Pacu can disable or otherwise restrict various AWS logging services, such as AWS CloudTrail and VPC flow logs.[6] |
| ID | Mitigation | Description |
|---|---|---|
| M1018 | User Account Management | Configure default account policy to enable logging. Manage policies to ensure only necessary users have permissions to make changes to logging policies. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0289 | Detection Strategy for Disable or Modify Cloud Logs | AN0801 | Cloud API events where logging services are stopped, deleted, or modified in a way that disables audit visibility. Defender view: unauthorized StopLogging, DeleteTrail, or UpdateSink operations correlated with privileged user activity. |
| | | AN0802 | Disabling or modifying sign-in or audit log collection for user activities. Defender view: policy or configuration updates removing logging coverage for critical accounts. |
| | | AN0803 | Disabling mailbox or tenant-level audit logging, often using Set-MailboxAuditBypassAssociation or downgrading license tiers. Defender view: sudden absence of mailbox activity logging for monitored users. |
| | | AN0804 | Disabling or altering security and audit logs in SaaS admin panels (e.g., Slack, Zoom, Salesforce). Defender view: API calls or admin console changes that stop event exports or logging integrations. |
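The AWS side of analytic AN0801 (StopLogging, DeleteTrail, and UpdateTrail calls that disable multi-region logging, log file validation, the SNS topic or KMS encryption, as described above), as an added Python example that is not part of the ATT&CK page. The CloudTrail records are constructed samples; the lowerCamelCase parameter names follow CloudTrail's requestParameters format, and treating an empty snsTopicName or kmsKeyId in the request as a removal is an assumption.

```python
import json

# CloudTrail API calls that remove audit coverage outright (the calls named in AN0801).
STOP_EVENTS = {"StopLogging", "DeleteTrail"}
# UpdateTrail request parameters that weaken a trail when explicitly set to false.
WEAKENING = ("isMultiRegionTrail", "enableLogFileValidation")
# Parameters whose clearing drops delivery notification or encryption.
# Assumption: an empty string in the request means the value was removed.
CLEARABLE = {"snsTopicName": "SNS topic removed", "kmsKeyId": "KMS encryption removed"}

def assess_record(record):
    """Return a finding string for one parsed CloudTrail record, or None if benign."""
    if record.get("eventSource") != "cloudtrail.amazonaws.com":
        return None
    name = record.get("eventName", "")
    params = record.get("requestParameters") or {}
    actor = record.get("userIdentity", {}).get("arn", "unknown")
    trail = params.get("name", "?")
    if name in STOP_EVENTS:
        return f"{name} on trail {trail} by {actor}"
    if name == "UpdateTrail":
        changes = [k for k in WEAKENING if params.get(k) is False]
        changes += [msg for k, msg in CLEARABLE.items() if k in params and not params[k]]
        if changes:
            return f"UpdateTrail weakened trail {trail} by {actor}: {', '.join(changes)}"
    return None

def scan(records):
    """Run assess_record over an iterable of parsed CloudTrail records; return findings."""
    return [f for f in map(assess_record, records) if f]

# Constructed sample records (not real telemetry); one JSON record per line.
SAMPLE = """
{"eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops-admin"},"requestParameters":{"name":"org-trail"}}
{"eventSource":"cloudtrail.amazonaws.com","eventName":"UpdateTrail","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops-admin"},"requestParameters":{"name":"org-trail","isMultiRegionTrail":false,"enableLogFileValidation":false,"snsTopicName":""}}
{"eventSource":"cloudtrail.amazonaws.com","eventName":"UpdateTrail","userIdentity":{"arn":"arn:aws:iam::111122223333:role/platform"},"requestParameters":{"name":"org-trail","isMultiRegionTrail":true}}
{"eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev"},"requestParameters":{}}
""".strip().splitlines()
SAMPLE_RECORDS = [json.loads(line) for line in SAMPLE]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

In production the findings would be joined against the actor's recent privileged activity, as the analytic's defender view suggests, rather than alerted on in isolation.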