T1562.008 Disable Cloud Logs
An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities.
For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.2 In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.4
| Item | Value |
|---|---|
| ID | T1562.008 |
| Sub-techniques | T1562.001, T1562.002, T1562.003, T1562.004, T1562.006, T1562.007, T1562.008, T1562.009, T1562.010, T1562.011 |
| Tactics | TA0005 |
| Platforms | Azure AD, Google Workspace, IaaS, Office 365, SaaS |
| Version | 1.3 |
| Created | 12 October 2020 |
| Last Modified | 20 April 2023 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1018 | User Account Management | Configure default account policy to enable logging. Manage policies to ensure only necessary users have permissions to make changes to logging policies. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0025 | Cloud Service | Cloud Service Disable |
| DS0002 | User Account | User Account Modification |
References
-
Amazon Web Services. (n.d.). Stopping CloudTrail from Sending Events to CloudWatch Logs. Retrieved October 16, 2020. ↩
-
Dan Whalen. (2019, September 10). Following the CloudTrail: Generating strong AWS security signals with Sumo Logic. Retrieved October 16, 2020. ↩
-
Google. (n.d.). Configuring Data Access audit logs. Retrieved October 16, 2020. ↩
-
Kelly Sheridan. (2021, August 5). Incident Responders Explore Microsoft 365 Attacks in the Wild. Retrieved March 17, 2023. ↩
-
Microsoft. (n.d.). az monitor diagnostic-settings. Retrieved October 16, 2020. ↩
-
Mandiant. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved January 22, 2021. ↩