Impair Defenses: Disable or Modify Cloud Logs

An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.

For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.[1] They may alternatively tamper with logging functionality – for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.[2][3] In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.[4]

ID: T1562.008
Sub-technique of:  T1562
Tactic: Defense Evasion
Platforms: Azure AD, Google Workspace, IaaS, Office 365, SaaS
Contributors: Alex Soler, AttackIQ; Ibrahim Ali Khan; Janantha Marasinghe; Joe Gumke, U.S. Bank; Matt Snyder, VMware; Prasad Somasamudram, McAfee; Sekhar Sarukkai, McAfee; Syed Ummar Farooqh, McAfee
Version: 2.0
Created: 12 October 2020
Last Modified: 12 April 2024

Procedure Examples

ID Name Description
G0016 APT29

APT29 has disabled Purview Audit on targeted accounts prior to stealing emails from Microsoft 365 tenants.[5]

S1091 Pacu

Pacu can disable or otherwise restrict various AWS logging services, such as AWS CloudTrail and VPC flow logs.[6]

Mitigations

ID Mitigation Description
M1018 User Account Management

Configure default account policy to enable logging. Manage policies to ensure only necessary users have permissions to make changes to logging policies.

Detection

ID Data Source Data Component Detects
DS0025 Cloud Service Cloud Service Disable

Monitor logs for API calls to disable logging. In AWS, monitor for: StopLogging, UpdateTrail DeleteTrail.[7] In GCP, monitor for: google.logging.v2.ConfigServiceV2.UpdateSink and google.logging.v2.ConfigServiceV2.DeleteSink.[8] In Azure, monitor for az monitor diagnostic-settings update and az monitor diagnostic-settings delete.[9] Additionally, a sudden loss of a log source may indicate that it has been disabled.

Cloud Service Modification

Monitor changes made to cloud services for unexpected modifications to settings and/or data

DS0002 User Account User Account Modification

Monitor for changes to account settings associated with users/tenants that may impact defensive logging capabilities, such as the Update User and Change User License events in the Azure AD audit log.[10]

References