Impair Defenses: Disable Cloud Logs

An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection.

Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an attacker has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.[1]

ID: T1562.008
Sub-technique of:  T1562
Tactic: Defense Evasion
Platforms: AWS, Azure, GCP
Permissions Required: User
Data Sources: AWS CloudTrail logs, Azure activity logs, GCP audit logs
Contributors: AttackIQ; Ibrahim Ali Khan; Janantha Marasinghe; Matt Snyder, VMware; Sekhar Sarukkai; Prasad Somasamudram; Syed Ummar Farooqh (McAfee)
Version: 1.0
Created: 12 October 2020
Last Modified: 19 October 2020

Mitigations

Mitigation Description
User Account Management

Configure default account policy to enable logging. Manage policies to ensure only necessary users have permissions to make changes to logging policies.

Detection

Monitor logs for API calls to disable logging. In AWS, monitor for: StopLogging and DeleteTrail.[2] In GCP, monitor for: google.logging.v2.ConfigServiceV2.UpdateSink.[3] In Azure, monitor for az monitor diagnostic-settings delete.[4] Additionally, a sudden loss of a log source may indicate that it has been disabled.

References