T1562.008 Disable or Modify Cloud Logs

An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.

For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) They may alternatively tamper with logging functionality – for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Update Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.AA-01.01 Identity and credential management Mitigates T1562.008 Disable or Modify Cloud Logs
Comments
This diagnostic statement protects against Disable or Modify Cloud Logs through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References

    NIST 800-53 Mappings

    Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
    CM-05 Access Restrictions for Change mitigates T1562.008 Disable or Modify Cloud Logs
    IA-02 Identification and Authentication (Organizational Users) mitigates T1562.008 Disable or Modify Cloud Logs
    AC-03 Access Enforcement mitigates T1562.008 Disable or Modify Cloud Logs
    AC-05 Separation of Duties mitigates T1562.008 Disable or Modify Cloud Logs
    AC-06 Least Privilege mitigates T1562.008 Disable or Modify Cloud Logs
    AC-02 Account Management mitigates T1562.008 Disable or Modify Cloud Logs
    CM-03 Configuration Change Control mitigates T1562.008 Disable or Modify Cloud Logs

    VERIS Mappings

    Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
    action.hacking.variety.Disable controls Disable or interfere with security controls related-to T1562.008 Disable or Modify Cloud Logs
    action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.008 Disable or Modify Cloud Logs

    GCP Mappings

    Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
    identity_platform Identity Platform technique_scores T1562.008 Disable or Modify Cloud Logs
    Comments
    Identity Platform provides Admin APIs to manage users and authentication tokens. To prevent unwanted access to your users and tokens through these APIs, Identity Platform leverages IAM to manage permission to specific Identity Platform APIs. This control will ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security/logging services.
    References
    policy_intelligence Policy Intelligence technique_scores T1562.008 Disable or Modify Cloud Logs
    Comments
    Adversaries that try to disable cloud logging capabilities have the advantage to limit the amount of the data that can be collected and can possibly control not being detected. This control may be used to routinely check role account permissions in IAM audit logs.
    References
    resource_manager Resource Manager technique_scores T1562.008 Disable or Modify Cloud Logs
    Comments
    This control adopts the security principle of least privilege, which grants necessary access to user's resources when justified and needed. This control manages access control and ensures proper user permissions are in place to prevent adversaries that try to modify and/or disable cloud logging capabilities.
    References
    security_command_center Security Command Center technique_scores T1562.008 Disable or Modify Cloud Logs
    Comments
    SCC detect changes to the configuration which would lead to disable logging on an instance or container. This security solution protects against system modifications used to remove evidence and evade defenses. Because of the near-real time temporal factor this control was graded as significant.
    References

    AWS Mappings

    Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
    amazon_guardduty Amazon GuardDuty technique_scores T1562.008 Disable Cloud Logs
    Comments
    The following GuardDuty findings provide indicators of malicious activity in defense measures: Stealth:IAMUser/CloudTrailLoggingDisabled Stealth:IAMUser/PasswordPolicyChange Stealth:S3/ServerAccessLoggingDisabled Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller "Amazon GuardDuty is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in GuardDuty."
    References
    aws_config AWS Config technique_scores T1562.008 Disable Cloud Logs
    Comments
    The following AWS Config managed rules can identify potentially malicious changes to cloud logging: "api-gw-execution-logging-enabled", "cloudfront-accesslogs-enabled", "elasticsearch-logs-to-cloudwatch", "elb-logging-enabled", "redshift-cluster-configuration-check", "rds-logging-enabled", and "s3-bucket-logging-enabled" are run on configuration changes. "cloudtrail-security-trail-enabled", "cloud-trail-cloud-watch-logs-enabled", "cloudtrail-s3-dataevents-enabled", "vpc-flow-logs-enabled", "waf-classic-logging-enabled", and "wafv2-logging-enabled" are run periodically. Coverage factor is significant for these rules, since they cover logging configuration for a wide range of services, resulting in an overall score of Significant. "AWS Config is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in AWS Config. "
    References
    aws_iot_device_defender AWS IoT Device Defender technique_scores T1562.008 Disable Cloud Logs
    Comments
    The "Logging disabled" audit check ("LOGGING_DISABLED_CHECK" in the CLI and API) can identify potentially malicious changes to AWS IoT logs (both V1 and V2), which should be enabled in Amazon CloudWatch. Score is limited to Partial since this control only addresses IoT logging.
    References
    aws_iot_device_defender AWS IoT Device Defender technique_scores T1562.008 Disable Cloud Logs
    Comments
    The "ENABLE_IOT_LOGGING" mitigation action (which is supported by the "Logging disabled" audit check) enables AWS IoT logging if it is not enabled when the check is run, effectively reversing the adversary behavior if those logs were disabled due to malicious changes. Score is limited to Partial since this control only addresses IoT logging.
    References
    aws_security_hub AWS Security Hub technique_scores T1562.008 Disable Cloud Logs
    Comments
    AWS Security Hub performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting changes to key AWS services. AWS Security Hub provides these detections with the following checks. 3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes 3.10 Ensure a log metric filter and alarm exist for security group changes 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) 3.12 Ensure a log metric filter and alarm exist for changes to network gateways 3.13 Ensure a log metric filter and alarm exist for route table changes 3.14 Ensure a log metric filter and alarm exist for VPC changes This is scored as Significant because it can detect when changes are made to key AWS services (e.g., CloudTrail, Config, etc.) such as when they stop logging or other configuration changes are made.
    References