MITRE ATT&CK T1562.008 Impair Defenses: Disable or Modify Cloud Logs
Disable or Modify Cloud Logs is a defense evasion technique that adversaries use to manipulate cloud logging services to evade detection and obscure their activities. Cloud environments rely on logging solutions like AWS CloudTrail, Azure Monitor, and Google Cloud Logging to track system events, user actions, and security incidents. These logs are critical for threat detection, incident response, and forensic investigations. By disabling, modifying, or deleting cloud logs, attackers can cover their tracks, making it difficult for security teams to identify unauthorized access, privilege escalation, or data exfiltration.
In this blog post, we explain the T1562.008 Disable or Modify Cloud Logs technique of the MITRE ATT&CK® framework and explore in detail how adversaries employ it, with real-world attack examples.
What are Cloud Logs?
Cloud logs refer to the records or entries generated by various applications, services, and systems within a cloud computing environment. These logs capture important information about events, activities, and performance metrics, offering details on what transpires within the cloud infrastructure. Cloud logs serve as a valuable resource for administrators, developers, and security personnel to gain insights into the behavior and health of their cloud-based systems.
Cloud logs can encompass a wide range of data, including error messages, user actions, system events, and resource utilization metrics. Cloud logs are often stored centrally in a dedicated logging service or platform, making it easier to aggregate and analyze data from multiple sources. Common logging services in cloud environments include AWS CloudWatch Logs, Google Cloud Logging, and Azure Monitor Logs.
Adversary Use of Disable or Modify Cloud Logs
Cloud environments typically offer robust logging capabilities to help organizations monitor and analyze activities within their infrastructure. However, these logging mechanisms are also potential targets for adversaries. Adversaries employ the Disable or Modify Cloud Logs technique to evade detection within cloud computing environments by tampering with or suppressing log entries, undermining both detection and incident response efforts.
In Amazon Web Services (AWS), an adversary could undermine the integrity of the monitoring process by disabling CloudWatch or CloudTrail. These services are vital for capturing API calls, resource changes, and user activity. By disabling these integrations, adversaries ensure their subsequent actions are not recorded. Furthermore, adversaries may alter CloudTrail settings to stop the delivery of logs to a centralized S3 bucket, or they could delete or modify the logs directly if they have gained the necessary access. Tampering with log integrity can be as subtle as disabling the CloudTrail log file validation feature; with validation off, adversaries can manipulate log files without the change being detected. Similarly, turning off the encryption of log files or disabling multi-region logging might allow an adversary to confine their disruption to a single region while activities in other regions remain unmonitored.
Moreover, disabling or modifying cloud logs extends beyond infrastructure and into cloud-based applications and services. For instance, in Microsoft's Office 365, adversaries can disable or circumvent logging for specific users. By using the Set-MailboxAuditBypassAssociation cmdlet, they can set a mailbox to bypass audit logging, essentially making activities performed by that user invisible to the default logging mechanism.
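A detection pass over the tampering actions described in the two paragraphs above, added here as an example and not code from the original post: it flags CloudTrail StopLogging and DeleteTrail calls, UpdateTrail changes that weaken file validation, multi-region coverage, KMS encryption or S3 delivery, and the Office 365 Set-MailboxAuditBypassAssociation cmdlet. The sample records are constructed; the CloudTrail field names follow the CloudTrail record format, and the shape of the Microsoft 365 unified audit log record (Operation, UserId, Parameters) is an assumption.

```python
# Constructed sample records (not real telemetry): AWS CloudTrail-shaped events plus one
# Microsoft 365 unified-audit-log-shaped record for the mailbox audit bypass cmdlet.
SAMPLE_EVENTS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
     "requestParameters": {"name": "org-trail"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
     "requestParameters": {"name": "org-trail", "enableLogFileValidation": False,
                           "isMultiRegionTrail": False, "kmsKeyId": ""}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"}},
    {"Workload": "Exchange", "Operation": "Set-MailboxAuditBypassAssociation",
     "UserId": "admin@example.com", "Parameters": [
         {"Name": "Identity", "Value": "user@example.com"},
         {"Name": "AuditBypassEnabled", "Value": "True"}]},
]

HARD_STOP = {"StopLogging", "DeleteTrail"}  # CloudTrail calls that end collection outright
# UpdateTrail parameters whose new value weakens log integrity, coverage or delivery.
WEAKENING = {
    "enableLogFileValidation": lambda v: v is False,  # tamper-evident digests switched off
    "isMultiRegionTrail": lambda v: v is False,       # other regions stop being recorded
    "kmsKeyId": lambda v: v in ("", None),            # SSE-KMS encryption removed
    "s3BucketName": lambda v: True,                   # delivery redirected elsewhere
}

def check_event(event):
    """Return finding strings for one parsed record; empty list when nothing is suspicious."""
    findings = []
    if event.get("eventSource") == "cloudtrail.amazonaws.com":
        name = event.get("eventName")
        actor = event.get("userIdentity", {}).get("arn", "unknown")
        params = event.get("requestParameters") or {}
        trail = params.get("name", "?")
        if name in HARD_STOP:
            findings.append(f"{name} on trail {trail} by {actor}")
        elif name == "UpdateTrail":
            for key, weakened in WEAKENING.items():
                if key in params and weakened(params[key]):
                    findings.append(f"UpdateTrail weakened {key} on trail {trail} by {actor}")
    elif event.get("Operation") == "Set-MailboxAuditBypassAssociation":
        params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
        if str(params.get("AuditBypassEnabled", "")).lower() == "true":
            findings.append(f"mailbox audit bypass enabled for {params.get('Identity')} "
                            f"by {event.get('UserId')}")
    return findings

def scan(events):  # flatten check_event findings over an iterable of parsed records
    return [f for e in events for f in check_event(e)]
```

Running scan(SAMPLE_EVENTS) yields five findings: the StopLogging call, three weakened UpdateTrail parameters, and the mailbox audit bypass; the benign DescribeInstances record produces none.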