T1562.008: Disable or Modify Cloud Logs
| View on MITRE ATT&CK | T1562.008 |
|---|---|
| Tactic(s) | Defense Evasion |
| Associated CAPEC Patterns | Audit Log Manipulation (CAPEC-268) , Disable Security Software (CAPEC-578) , Block Logging to Central Repository (CAPEC-571) |
Data from MITRE ATT&CK®:
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) They may alternatively tamper with logging functionality – for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Update Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Mitigations for this technique
MITRE ATT&CK Mitigations
How to detect this technique
MITRE ATT&CK Data Components
Cloud Service Disable (Cloud Service)
Deactivation or stoppage of a cloud service (ex: AWS Cloudtrail StopLogging)Cloud Service Modification (Cloud Service)
Changes made to a cloud service, including its settings and/or data (ex: AWS CloudTrail DeleteTrail or DeleteConfigRule)User Account Modification (User Account)
Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs)Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
AWS - CloudWatch Log Group Deletes
Office 365 - Set Audit Bypass For a Mailbox
AWS - Remove VPC Flow Logs using Stratus
GCP - Delete Activity Event Log
Office 365 - Exchange Audit Log Disabled
Azure - Eventhub Deletion
AWS CloudWatch Log Stream Deletes
AWS - CloudTrail Changes
AWS - Disable CloudTrail Logging Through Event Selectors using Stratus
AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.