T1562.008 Disable or Modify Cloud Logs Mappings

An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.

For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) They may alternatively tamper with logging functionality – for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Update Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
CM-03 Configuration Change Control Protects T1562.008 Disable or Modify Cloud Logs
AC-03 Access Enforcement Protects T1562.008 Disable or Modify Cloud Logs
AC-05 Separation of Duties Protects T1562.008 Disable or Modify Cloud Logs
AC-06 Least Privilege Protects T1562.008 Disable or Modify Cloud Logs
CM-05 Access Restrictions for Change Protects T1562.008 Disable or Modify Cloud Logs
IA-02 Identification and Authentication (organizational Users) Protects T1562.008 Disable or Modify Cloud Logs
AC-02 Account Management Protects T1562.008 Disable or Modify Cloud Logs
PUR-AS-E5 Audit Solutions Technique Scores T1562.008 Disable or Modify Cloud Logs
ME-RBAC-E3 Role Based Access Control Technique Scores T1562.008 Disable or Modify Cloud Logs
DEF-SecScore-E3 Secure Score Technique Scores T1562.008 Disable or Modify Cloud Logs
DEF-IR-E5 Incident Response Technique Scores T1562.008 Disable or Modify Cloud Logs
DO365-AG-E5 App Governance Technique Scores T1562.008 Disable or Modify Cloud Logs
DO365-ATH-E5 Advanced Threat Hunting Technique Scores T1562.008 Disable or Modify Cloud Logs