|T1562.001||Disable or Modify Tools|
|T1562.002||Disable Windows Event Logging|
|T1562.003||Impair Command History Logging|
|T1562.004||Disable or Modify System Firewall|
|T1562.007||Disable or Modify Cloud Firewall|
|T1562.008||Disable Cloud Logs|
|T1562.009||Safe Mode Boot|
|T1562.011||Spoof Security Alerting|
An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities.
For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity. In Office 365, an adversary may disable logging on mail collection activities for specific users by using the
Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.
|M1018||User Account Management||
Configure default account policy to enable logging. Manage policies to ensure only necessary users have permissions to make changes to logging policies.
|ID||Data Source||Data Component||Detects|
|DS0025||Cloud Service||Cloud Service Disable||
Monitor logs for API calls to disable logging. In AWS, monitor for:
|Cloud Service Modification||
Monitor changes made to cloud services for unexpected modifications to settings and/or data
|DS0002||User Account||User Account Modification||
Monitor for changes to account settings associated with users/tenants that may impact defensive logging capabilities, such as the