An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection.
Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an attacker has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1562.008 | Disable Cloud Logs | |
| AC-3 | Access Enforcement | Protects | T1562.008 | Disable Cloud Logs | |
| AC-5 | Separation of Duties | Protects | T1562.008 | Disable Cloud Logs | |
| AC-6 | Least Privilege | Protects | T1562.008 | Disable Cloud Logs | |
| CM-5 | Access Restrictions for Change | Protects | T1562.008 | Disable Cloud Logs | |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1562.008 | Disable Cloud Logs |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| azure_sentinel | Azure Sentinel | technique_scores | T1562.008 | Disable Cloud Logs |
Comments
The Azure Sentinel Analytics "Exchange AuditLog disabled" query can detect potentially malicious disabling of Exchange logs. The Azure Sentinel Analytics "Azure DevOps Audit Stream Disabled" query can identify disabling of Azure DevOps log streaming. The coverage for these queries is minimal (specific to these technologies) resulting in an overall Minimal score.
References
|