MITRE ATT&CK Technique
Description
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) They may alternatively tamper with logging functionality – for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Update Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-10-12T13:52:32.846Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'An adversary may disable or modify cloud logging capabilities '
'and integrations to limit what data is collected on their '
'activities and avoid detection. Cloud environments allow for '
'collection and analysis of audit and application logs that '
'provide insight into what activities a user does within the '
'environment. If an adversary has sufficient permissions, they '
'can disable or modify logging to avoid detection of their '
'activities.\n'
'\n'
'For example, in AWS an adversary may disable '
'CloudWatch/CloudTrail integrations prior to conducting '
'further malicious activity.(Citation: Following the '
'CloudTrail: Generating strong AWS security signals with Sumo '
'Logic) They may alternatively tamper with logging '
'functionality – for example, by removing any associated SNS '
'topics, disabling multi-region logging, or disabling settings '
'that validate and/or encrypt log files.(Citation: AWS Update '
'Trail)(Citation: Pacu Detection Disruption Module) In Office '
'365, an adversary may disable logging on mail collection '
'activities for specific users by using the '
'`Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 '
'Advanced Auditing for the user, or by downgrading the user’s '
'license from an Enterprise E5 to an Enterprise E3 '
'license.(Citation: Dark Reading Microsoft 365 Attacks 2021)',
'external_references': [{'external_id': 'T1562.008',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1562/008'},
{'description': 'Amazon Web Services. (n.d.). '
'Stopping CloudTrail from Sending '
'Events to CloudWatch Logs. Retrieved '
'October 16, 2020.',
'source_name': 'Stopping CloudTrail from Sending '
'Events to CloudWatch Logs',
'url': 'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html'},
{'description': 'AWS. (n.d.). update-trail. Retrieved '
'August 4, 2023.',
'source_name': 'AWS Update Trail',
'url': 'https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html'},
{'description': 'Dan Whalen. (2019, September 10). '
'Following the CloudTrail: Generating '
'strong AWS security signals with '
'Sumo Logic. Retrieved October 16, '
'2020.',
'source_name': 'Following the CloudTrail: Generating '
'strong AWS security signals with '
'Sumo Logic',
'url': 'https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/'},
{'description': 'Google. (n.d.). Configuring Data '
'Access audit logs. Retrieved October '
'16, 2020.',
'source_name': 'Configuring Data Access audit logs',
'url': 'https://cloud.google.com/logging/docs/audit/configure-data-access'},
{'description': 'Kelly Sheridan. (2021, August 5). '
'Incident Responders Explore '
'Microsoft 365 Attacks in the Wild. '
'Retrieved March 17, 2023.',
'source_name': 'Dark Reading Microsoft 365 Attacks '
'2021',
'url': 'https://www.darkreading.com/threat-intelligence/incident-responders-explore-microsoft-365-attacks-in-the-wild/d/d-id/1341591'},
{'description': 'Microsoft. (n.d.). az monitor '
'diagnostic-settings. Retrieved '
'October 16, 2020.',
'source_name': 'az monitor diagnostic-settings',
'url': 'https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest#az_monitor_diagnostic_settings_delete'},
{'description': 'Rhino Security Labs. (2021, April '
'29). Pacu Detection Disruption '
'Module. Retrieved August 4, 2023.',
'source_name': 'Pacu Detection Disruption Module',
'url': 'https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py'}],
'id': 'attack-pattern--cacc40da-4c9e-462c-80d5-fd70a178b12d',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-10-24T17:49:23.308Z',
'name': 'Disable or Modify Cloud Logs',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Syed Ummar Farooqh, McAfee',
'Prasad Somasamudram, McAfee',
'Sekhar Sarukkai, McAfee',
'Ibrahim Ali Khan',
'Alex Soler, AttackIQ',
'Janantha Marasinghe',
'Matt Snyder, VMware',
'Joe Gumke, U.S. Bank',
'Arun Seelagan, CISA'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['IaaS', 'SaaS', 'Office Suite', 'Identity Provider'],
'x_mitre_version': '2.1'}