An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) They may alternatively tamper with logging functionality – for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Update Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-16 | Authorization Mechanisms | mitigates | T1562.008 | Disable or Modify Cloud Logs |
Comments
This control requires both CSP and CSC to independently enforce formal approval processes for user access, implement dynamic and explicit authorization mechanisms. The guidance focuses on implementing technical measures to verify authorization and prevent unauthorized access and execution.
References
|
| LOG-10 | Audit Records Protection | mitigates | T1562.008 | Disable or Modify Cloud Logs |
Comments
This control requires both CSP and CSC to independently protect audit logs by enforcing strict access controls, encryption, isolated log environments, continuous monitoring, vulnerability management, and so forth for investigations or legal proceedings.
References
|
| LOG-04 | Audit Logs Access and Accountability | mitigates | T1562.008 | Disable or Modify Cloud Logs |
Comments
This control requires both CSP and CSC to restrict audit log access using RBAC, MFA, least privilege, and separation of duties, so that only authorized personnel can access sensitive logs and any access is traceable and secure. These set of controls are in place to ensure that proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services.
References
|
| LOG-02 | Audit Logs Protection | mitigates | T1562.008 | Disable or Modify Cloud Logs |
Comments
This control requires both CSP and CSC to independently protect and retain audit logs by implementing controls such as, centralized logging, secure and tamper-evident storage, access restrictions, regular monitoring and review ensuring logs remain available and trustworthy for investigations and protected against any improper modification and tampering.
References
|
| IAM-05 | Least Privilege | mitigates | T1562.008 | Disable or Modify Cloud Logs |
Comments
This control describes the enforcement of the principle of least privilege implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and by limiting access to sensitive data.
For this technique, in terms of mitigation, configure default account policy to enable logging. Manage policies to ensure only necessary users have permissions to make changes to logging policies. Adversaries have been known to disable or otherwise restrict various AWS logging services, such as AWS CloudTrail and VPC flow logs
References
|