Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Technique Disable Cloud Logs
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
RU
Риски
Каталоги
MITRE ATT&CK
Техника
Disable Cloud Logs
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Impair Defenses:  Disable Cloud Logs

ID Name
.001 Disable or Modify Tools
.002 Disable Windows Event Logging
.003 Impair Command History Logging
.004 Disable or Modify System Firewall
.006 Indicator Blocking
.007 Disable or Modify Cloud Firewall
.008 Disable Cloud Logs
.009 Safe Mode Boot
.010 Downgrade Attack

An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic)

ID: T1562.008
Sub-technique of:  T1562
Tactic(s): Defense Evasion
Platforms: IaaS
Permissions Required: User
Data Sources: Cloud Service: Cloud Service Disable, Cloud Service: Cloud Service Modification
Version: 1.2
Created: 12 Oct 2020
Last Modified: 08 Mar 2022

Mitigations
Mitigation Description
User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

Detection

Monitor logs for API calls to disable logging. In AWS, monitor for: StopLogging and DeleteTrail.(Citation: Stopping CloudTrail from Sending Events to CloudWatch Logs) In GCP, monitor for: google.logging.v2.ConfigServiceV2.UpdateSink.(Citation: Configuring Data Access audit logs) In Azure, monitor for az monitor diagnostic-settings delete.(Citation: az monitor diagnostic-settings) Additionally, a sudden loss of a log source may indicate that it has been disabled.

References

  1. Microsoft. (n.d.). az monitor diagnostic-settings. Retrieved October 16, 2020.
  2. Google. (n.d.). Configuring Data Access audit logs. Retrieved October 16, 2020.
  3. Amazon Web Services. (n.d.). Stopping CloudTrail from Sending Events to CloudWatch Logs. Retrieved October 16, 2020.
  4. Dan Whalen. (2019, September 10). Following the CloudTrail: Generating strong AWS security signals with Sumo Logic. Retrieved October 16, 2020.
Навигация

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.