T1562.008 Disable Cloud Logs Mappings

An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection.

Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an attacker has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-2 Account Management Protects T1562.008 Disable Cloud Logs
AC-3 Access Enforcement Protects T1562.008 Disable Cloud Logs
AC-5 Separation of Duties Protects T1562.008 Disable Cloud Logs
AC-6 Least Privilege Protects T1562.008 Disable Cloud Logs
CM-5 Access Restrictions for Change Protects T1562.008 Disable Cloud Logs
IA-2 Identification and Authentication (organizational Users) Protects T1562.008 Disable Cloud Logs
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.008 Impair Defenses: Disable Cloud Logs
aws_config AWS Config technique_scores T1562.008 Disable Cloud Logs
Comments
The following AWS Config managed rules can identify potentially malicious changes to cloud logging: "api-gw-execution-logging-enabled", "cloudfront-accesslogs-enabled", "elasticsearch-logs-to-cloudwatch", "elb-logging-enabled", "redshift-cluster-configuration-check", "rds-logging-enabled", and "s3-bucket-logging-enabled" are run on configuration changes. "cloudtrail-security-trail-enabled", "cloud-trail-cloud-watch-logs-enabled", "cloudtrail-s3-dataevents-enabled", "vpc-flow-logs-enabled", "waf-classic-logging-enabled", and "wafv2-logging-enabled" are run periodically. Coverage factor is significant for these rules, since they cover logging configuration for a wide range of services, resulting in an overall score of Significant.
References
    amazon_guardduty Amazon GuardDuty technique_scores T1562.008 Disable Cloud Logs
    Comments
    The following GuardDuty findings provide indicators of malicious activity in defense measures: Stealth:IAMUser/CloudTrailLoggingDisabled Stealth:IAMUser/PasswordPolicyChange Stealth:S3/ServerAccessLoggingDisabled Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller
    References
      aws_iot_device_defender AWS IoT Device Defender technique_scores T1562.008 Disable Cloud Logs
      Comments
      The "Logging disabled" audit check ("LOGGING_DISABLED_CHECK" in the CLI and API) can identify potentially malicious changes to AWS IoT logs (both V1 and V2), which should be enabled in Amazon CloudWatch. Score is limited to Partial since this control only addresses IoT logging.
      References
        aws_iot_device_defender AWS IoT Device Defender technique_scores T1562.008 Disable Cloud Logs
        Comments
        The "ENABLE_IOT_LOGGING" mitigation action (which is supported by the "Logging disabled" audit check) enables AWS IoT logging if it is not enabled when the check is run, effectively reversing the adversary behavior if those logs were disabled due to malicious changes. Score is limited to Partial since this control only addresses IoT logging.
        References
          aws_security_hub AWS Security Hub technique_scores T1562.008 Disable Cloud Logs
          Comments
          AWS Security Hub performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting changes to key AWS services. AWS Security Hub provides these detections with the following checks. 3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes 3.10 Ensure a log metric filter and alarm exist for security group changes 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) 3.12 Ensure a log metric filter and alarm exist for changes to network gateways 3.13 Ensure a log metric filter and alarm exist for route table changes 3.14 Ensure a log metric filter and alarm exist for VPC changes This is scored as Significant because it can detect when changes are made to key AWS services (e.g., CloudTrail, Config, etc.) such as when they stop logging or other configuration changes are made.
          References