T1562.008 Disable Cloud Logs
An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection.
Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.1
| Item | Value |
|---|---|
| ID | T1562.008 |
| Sub-techniques | T1562.001, T1562.002, T1562.003, T1562.004, T1562.006, T1562.007, T1562.008, T1562.009, T1562.010 |
| Tactics | TA0005 |
| Platforms | IaaS |
| Permissions required | User |
| Version | 1.2 |
| Created | 12 October 2020 |
| Last Modified | 08 March 2022 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1018 | User Account Management | Configure default account policy to enable logging. Manage policies to ensure only necessary users have permissions to make changes to logging policies. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0025 | Cloud Service | Cloud Service Disable |
References
-
Dan Whalen. (2019, September 10). Following the CloudTrail: Generating strong AWS security signals with Sumo Logic. Retrieved October 16, 2020. ↩
-
Amazon Web Services. (n.d.). Stopping CloudTrail from Sending Events to CloudWatch Logs. Retrieved October 16, 2020. ↩
-
Google. (n.d.). Configuring Data Access audit logs. Retrieved October 16, 2020. ↩
-
Microsoft. (n.d.). az monitor diagnostic-settings. Retrieved October 16, 2020. ↩