Benchmark: T1562.008 Impair Defenses: Disable or Modify Cloud Logs
Overview
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity. They may alternatively tamper with logging functionality – for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files. In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/tailpipe-mod-aws-cloudtrail-log-detections
Start the Powerpipe server:
powerpipe server
Open http://localhost:9033 in your browser and select T1562.008 Impair Defenses: Disable or Modify Cloud Logs.
Run this benchmark in your terminal:
powerpipe benchmark run aws_cloudtrail_log_detections.benchmark.mitre_attack_v161_ta0005_t1562_008
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_cloudtrail_log_detections.benchmark.mitre_attack_v161_ta0005_t1562_008 --share
Detections
- CloudWatch Log Group Created with Encryption Disabled
- Config Configuration Recorder Stopped
- S3 Bucket Block Public Access Disabled
- SES Identity Feedback Forwarding Disabled
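The four detections above, worked through as an added Python example rather than the mod's own queries: the same conditions are applied to a handful of constructed CloudTrail records, including a failed call that must not be counted because it changed nothing. The requestParameters field names follow CloudTrail's usual layout but are assumptions here, not taken from the page.

```python
# Constructed sample CloudTrail records (not real log data); requestParameters
# key names are assumed to follow CloudTrail's usual layout.
SAMPLE_EVENTS = [
    {"eventSource": "logs.amazonaws.com", "eventName": "CreateLogGroup",
     "requestParameters": {"logGroupName": "/app/prod"}},          # no kmsKeyId
    {"eventSource": "logs.amazonaws.com", "eventName": "CreateLogGroup",
     "requestParameters": {"logGroupName": "/app/enc",
                           "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE"}},
    {"eventSource": "config.amazonaws.com", "eventName": "StopConfigurationRecorder",
     "requestParameters": {"configurationRecorderName": "default"}},
    {"eventSource": "config.amazonaws.com", "eventName": "StopConfigurationRecorder",
     "errorCode": "AccessDenied",                                   # call failed, state unchanged
     "requestParameters": {"configurationRecorderName": "default"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPublicAccessBlock",
     "requestParameters": {"bucketName": "data-bucket",
                           "PublicAccessBlockConfiguration": {
                               "BlockPublicAcls": False, "IgnorePublicAcls": False,
                               "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}},
    {"eventSource": "ses.amazonaws.com", "eventName": "SetIdentityFeedbackForwardingEnabled",
     "requestParameters": {"identity": "example.com", "forwardingEnabled": False}},
]

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def detect(events):
    """Return (detection name, affected resource) pairs for the four benchmark detections."""
    findings = []
    for ev in events:
        if ev.get("errorCode"):  # a denied or failed call did not alter logging; skip it
            continue
        src, name = ev.get("eventSource"), ev.get("eventName")
        params = ev.get("requestParameters") or {}
        if src == "logs.amazonaws.com" and name == "CreateLogGroup" and not params.get("kmsKeyId"):
            findings.append(("CloudWatch Log Group Created with Encryption Disabled", params.get("logGroupName")))
        elif src == "config.amazonaws.com" and name == "StopConfigurationRecorder":
            findings.append(("Config Configuration Recorder Stopped", params.get("configurationRecorderName")))
        elif src == "s3.amazonaws.com" and name == "PutBucketPublicAccessBlock":
            cfg = params.get("PublicAccessBlockConfiguration") or {}
            if not all(cfg.get(k) is True for k in PAB_KEYS):  # any of the four protections switched off
                findings.append(("S3 Bucket Block Public Access Disabled", params.get("bucketName")))
        elif src == "ses.amazonaws.com" and name == "SetIdentityFeedbackForwardingEnabled":
            if params.get("forwardingEnabled") is False:
                findings.append(("SES Identity Feedback Forwarding Disabled", params.get("identity")))
    return findings


if __name__ == "__main__":
    for detection, resource in detect(SAMPLE_EVENTS):
        print(f"{detection}: {resource}")
```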