Skip to content

T1562.008 Disable Cloud Logs

An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities.

For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.2 In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.4

Item Value
ID T1562.008
Sub-techniques T1562.001, T1562.002, T1562.003, T1562.004, T1562.006, T1562.007, T1562.008, T1562.009, T1562.010, T1562.011
Tactics TA0005
Platforms Azure AD, Google Workspace, IaaS, Office 365, SaaS
Version 1.3
Created 12 October 2020
Last Modified 20 April 2023

Mitigations

ID Mitigation Description
M1018 User Account Management Configure default account policy to enable logging. Manage policies to ensure only necessary users have permissions to make changes to logging policies.

Detection

ID Data Source Data Component
DS0025 Cloud Service Cloud Service Disable
DS0002 User Account User Account Modification

References