Disable or Modify Cloud Logs

Information

• Name: Disable or Modify Cloud Logs

• ID: T1562.008

• Tactics:

• Technique:

Introduction

The MITRE ATT&CK sub-technique "Disable or Modify Cloud Logs" (T1562.008) refers to adversaries deliberately disabling, modifying, or tampering with cloud logging mechanisms to evade detection and persist unnoticed within cloud environments. Cloud logging services typically provide visibility into user actions, resource usage, and security events. Attackers may target these services to obscure their activities, making it significantly harder for defenders to detect and respond to malicious behaviors.

Deep Dive Into Technique

Adversaries executing this sub-technique typically aim to disrupt or alter logging mechanisms provided by cloud platforms such as AWS CloudTrail, Azure Activity Logs, or Google Cloud Audit Logs. Methods and mechanisms include:

• Disabling logging services directly:

  • Attackers may access cloud management consoles or APIs to disable logging services explicitly.

  • Example: Disabling AWS CloudTrail entirely or stopping specific event logging to avoid tracking.

• Modifying logging configurations:

  • Changing log retention policies to shorten log availability periods and reduce forensic evidence.

  • Altering log destination settings to redirect logs to attacker-controlled storage or to discard logs entirely.

• Tampering with log integrity:

  • Manipulating log entries or timestamps to conceal malicious activities.

  • Using stolen credentials or compromised administrative accounts to modify log settings and configurations.

• Disrupting log delivery mechanisms:

  • Altering permissions or IAM policies to prevent log delivery to security monitoring tools or SIEM solutions.

  • Changing log delivery endpoints to attacker-controlled destinations.

In practice, attackers commonly leverage compromised cloud administrative accounts or API keys to perform these actions. These activities often follow initial access through credential theft, phishing, or exploitation of misconfigured cloud resources.

When this Technique is Usually Used

Attackers typically employ this sub-technique during multiple stages of their attack lifecycle, including:

• Initial Access and Discovery:

  • Immediately following initial compromise to reduce visibility during reconnaissance and enumeration activities.

• Execution and Persistence:

  • After establishing a foothold, attackers disable or modify logging to maintain long-term persistence undetected.

• Privilege Escalation and Defense Evasion:

  • Attackers escalate privileges and subsequently disable or modify logging to evade detection by security monitoring systems.

• Data Exfiltration and Impact:

  • Before performing sensitive operations such as data exfiltration or destructive actions, attackers disable logging to obscure their actions and reduce the likelihood of detection.

Common attack scenarios include:

• Cloud infrastructure compromise through stolen credentials or phishing attacks.

• Insider threats abusing administrative privileges to disable logging and cover unauthorized access.

• Automated attacks leveraging compromised API keys or tokens to modify logging policies rapidly.

How this Technique is Usually Detected

Detection of cloud log disabling or modification primarily relies on monitoring and alerting mechanisms, including:

• Real-time monitoring of cloud audit logs:

  • Tracking configuration changes to logging services (e.g., AWS CloudTrail, Azure Activity Logs, Google Cloud Audit Logs).

  • Detecting API calls or administrative actions that disable or alter logging configurations.

• Behavioral analytics and anomaly detection:

  • Identifying unusual activity patterns, such as sudden changes in logging policies, log destinations, or retention periods.

  • Alerting on log delivery failures or unexpected interruptions in log streams.

• Cloud Security Posture Management (CSPM) tools:

  • Automatically scanning cloud environments for logging configuration drift and unauthorized changes.

  • Generating alerts and notifications when logging services are disabled or modified outside approved change windows.

• Security Information and Event Management (SIEM) systems:

  • Correlating cloud log events with other security telemetry to detect suspicious administrative actions.

  • Utilizing predefined rules and alerts specifically designed to detect cloud logging service manipulation.

Indicators of compromise (IoCs) associated with this sub-technique include:

• Sudden stoppage or interruption of cloud logging services.

• Unexpected changes to log retention periods, destinations, or logging policies.

• Administrative actions performed from unfamiliar IP addresses or geolocations.

• API calls or administrative actions related to logging services performed at unusual times or intervals.

• Missing log entries or gaps in logging data during critical security events.

Why it is Important to Detect This Technique

Early detection of disabling or modifying cloud logs is crucial due to the significant impact this technique can have on security visibility and incident response capabilities. Specific potential impacts include:

• Loss of visibility and monitoring capabilities:

  • Disabling or modifying logs severely hampers an organization's ability to detect, investigate, and respond to security incidents and breaches.

• Delayed incident detection and response:

  • Without accurate logs, security teams may miss critical indicators of compromise, allowing attackers to persist undetected for extended periods.

• Reduced forensic capabilities:

  • Altered or missing logs significantly hinder forensic investigations, making it challenging to reconstruct attacker timelines and activities.

• Increased attacker dwell time:

  • Attackers who successfully disable logging can remain undetected longer, increasing the potential for severe damage, sensitive data exfiltration, or disruption of critical business operations.

• Compliance and regulatory risks:

  • Organizations relying on cloud logs for compliance reporting and auditing may face regulatory penalties if logs are disabled or tampered with.

Therefore, timely detection and alerting of this sub-technique are essential for maintaining robust security posture, ensuring compliance, and minimizing potential damage from security incidents.

Examples

Real-world examples of attackers disabling or modifying cloud logs include:

• Capital One Data Breach (2019):

  • Attackers leveraged compromised AWS IAM roles to disable certain logging and monitoring mechanisms, delaying detection and response.

  • Impact: Over 100 million customer records compromised, resulting in significant financial and reputational damage.

• Crypto-mining Attacks on AWS (2020-2021):

  • Attackers compromised cloud accounts through stolen credentials, disabling CloudTrail logging to hide unauthorized crypto-mining activities.

  • Impact: Organizations experienced increased cloud resource costs and difficulty in identifying and remediating the malicious activity.

• Insider Threat Incident (Multiple Cases):

  • Internal employees or contractors with administrative access disabled or altered logging configurations to conceal unauthorized data access or exfiltration.

  • Impact: Sensitive data exfiltration went undetected for extended periods, resulting in severe compliance violations and financial penalties.

Common tools and methods observed in these scenarios:

• AWS CLI or cloud platform SDKs used to automate disabling or modification of logging services.

• Compromised administrative credentials or API keys leveraged to perform unauthorized logging configuration changes.

• Automated scripts or malware designed specifically to disable logging services upon initial compromise or privilege escalation.

These examples highlight the critical need for continuous monitoring, robust access controls, and effective detection mechanisms to identify and respond promptly to adversaries attempting to disable or modify cloud logging services.