Technique on mitre.org

T1562.008: Disable or Modify Cloud Logs

An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.

For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity. They may alternatively tamper with logging functionality – for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files. In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

yandex_cloud: PT-CR-1263: Yandex_Cloud_PostgreSQL_Cluster_Log_Statement_Disable: A user disabled logging in a cluster vmware_aria: PT-CR-2375: AOFL_Added_New_Log_Filter: An action with a log filter can indicate an attempt to limit the data collected from the Aria Operations for Logs monitoring objects

Detection

ID	DS0025	Data source and component	Cloud Service: Cloud Service Modification	Description	Monitor changes made to cloud services for unexpected modifications to settings and/or data

ID	DS0002	Data source and component	User Account: User Account Modification	Description	Monitor for changes to account settings associated with users/tenants that may impact defensive logging capabilities, such as the `Update User` and `Change User License` events in the Azure AD audit log.

ID	DS0025	Data source and component	Cloud Service: Cloud Service Disable	Description	Monitor logs for API calls to disable logging. In AWS, monitor for: `StopLogging`, `UpdateTrail` `DeleteTrail`. In GCP, monitor for: `google.logging.v2.ConfigServiceV2.UpdateSink` and `google.logging.v2.ConfigServiceV2.DeleteSink`. In Azure, monitor for `az monitor diagnostic-settings update` and `az monitor diagnostic-settings delete`. Additionally, a sudden loss of a log source may indicate that it has been disabled.

ID	Data source and component	Description
DS0025	Cloud Service: Cloud Service Modification	Monitor changes made to cloud services for unexpected modifications to settings and/or data
DS0002	User Account: User Account Modification	Monitor for changes to account settings associated with users/tenants that may impact defensive logging capabilities, such as the `Update User` and `Change User License` events in the Azure AD audit log.
DS0025	Cloud Service: Cloud Service Disable	Monitor logs for API calls to disable logging. In AWS, monitor for: `StopLogging`, `UpdateTrail` `DeleteTrail`. In GCP, monitor for: `google.logging.v2.ConfigServiceV2.UpdateSink` and `google.logging.v2.ConfigServiceV2.DeleteSink`. In Azure, monitor for `az monitor diagnostic-settings update` and `az monitor diagnostic-settings delete`. Additionally, a sudden loss of a log source may indicate that it has been disabled.

Mitigation

ID	M1018	Name	User Account Management	Description	Configure default account policy to enable logging. Manage policies to ensure only necessary users have permissions to make changes to logging policies.

ID	Name	Description
M1018	User Account Management	Configure default account policy to enable logging. Manage policies to ensure only necessary users have permissions to make changes to logging policies.