Full Report
Unit 42 research examines attack scenarios targeting cloud logging services and how to defend against log manipulation and defense evasion. Source post: "Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility" (Unit 42).
Analysis Summary
Based on the Unit 42 research article "Blinding the Watchmen," this is a summary of the techniques and tools used to abuse cloud logging services.
# Tool/Technique: Cloud Logging Manipulation
## Overview
This technique involves the deliberate subversion, disabling, or flooding of cloud-native logging services (such as AWS CloudTrail, Azure Monitor, and Google Cloud Logging). Attackers target these services to evade detection, hide their lateral movement, and prevent forensic investigators from reconstructing the timeline of an incident.
## Technical Details
- **Type**: Technique (Defense Evasion)
- **Platform**: Cloud Environments (AWS, Azure, GCP)
- **Capabilities**: Log suppression, log deletion, API flooding, and "log blinding."
- **First Seen**: Ongoing; cloud log tampering has been reported in high-profile intrusions (e.g., the SolarWinds campaign's follow-on Microsoft 365 activity) and is routinely reproduced in internal red team exercises.
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
- T1562 - Impair Defenses
- T1562.008 - Impair Defenses: Disable or Modify Cloud Logs
- T1070 - Indicator Removal (formerly "Indicator Removal on Host")
- T1070.003 - Indicator Removal: Clear Command History
- **TA0007 - Discovery**
- T1082 - System Information Discovery
- **TA0010 - Exfiltration**
- T1537 - Transfer Data to Cloud Account
## Functionality
### Core Capabilities
- **Disabling Logs**: Turning off logging services (e.g., `StopLogging` in AWS CloudTrail) to create a total visibility gap.
- **Log Deletion**: Deleting the storage buckets (S3, Azure Blob) where logs are archived or deleting the log groups themselves.
- **Resource Deletion**: Deleting the underlying infrastructure that triggers logs (e.g., deleting a VM so its operational logs are purged).
### Advanced Features
- **Log Flooding/Spamming**: Generating thousands of benign log events to overwhelm SIEM ingestion limits or drown out malicious "signals" in "noise."
- **Selective Logging (Filter Manipulation)**: Modifying exclusion filters to ignore specific IP addresses or user agents associated with the attacker.
- **Log Forgery**: Injecting fake log entries into the stream to provide a false narrative or implicate benign users.
## Indicators of Compromise
- **File Names**: N/A (Cloud-native APIs are used)
- **Network Indicators**:
- Unusually high volume of calls to the CloudTrail API endpoint (`cloudtrail.<region>.amazonaws.com`), particularly from a principal that does not normally administer trails.
- Calls to `logging.googleapis.com` or `monitor.azure.com` from unrecognized source IPs. These are legitimate service endpoints, so the signal is the caller and the volume, not the destination.
- **Behavioral Indicators**:
- `StopLogging`, `DeleteTrail`, `UpdateTrail`, or `PutEventSelectors` events in AWS CloudTrail, including denied attempts (an `AccessDenied` on `StopLogging` still shows intent).
- `Microsoft.Insights/activityLogAlerts/delete`, `Microsoft.Insights/diagnosticSettings/write`, or `Microsoft.Insights/diagnosticSettings/delete` operations in the Azure Activity Log.
- Execution of `Set-AzDiagnosticSetting` or `Remove-AzDiagnosticSetting` (Az.Monitor PowerShell) by principals that do not normally manage diagnostics.
- Sudden drops in log volume from a specific high-traffic resource, or a trail whose status reports `IsLogging: false` when it was previously active.
## Associated Threat Actors
- **APT29 (Cozy Bear)**: Known for manipulating Microsoft 365 audit logs.
- **Scattered Spider (UNC3944)**: Known for sophisticated cloud-native evasion and disabling security software.
## Detection Methods
- **Behavioral Detection**: Alert on any change to logging configuration (trail stopped, deleted or reconfigured; diagnostic settings removed), with the alert rule itself defined where the compromised principal cannot edit it (e.g., in a separate security account). Monitor for "Logging Stopped" events explicitly.
- **Statistical Analysis**: Detect anomalies in log ingestion volume (e.g., a sudden 90% drop in log flow).
- **Cross-Plane Correlation**: Compare activity in the data plane (e.g., S3 access) with the management plane (e.g., CloudTrail config changes).
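The two checks above, behavioral matching on logging-configuration events and a statistical drop in ingestion volume, as an added example (not code from the Unit 42 article). It runs over a handful of constructed CloudTrail-shaped records embedded in the script, so it works offline; the account ID, role names and IP addresses are placeholders. The API names in `IMPAIRMENT_EVENTS` are real CloudTrail actions; which ones to watch is this example's own choice.

```python
"""Detect cloud-logging impairment in CloudTrail records (added example)."""
from collections import Counter
from datetime import datetime, timedelta

# Real CloudTrail API actions that stop, delete or reconfigure a trail.
IMPAIRMENT_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _event(time, source, name, arn, ip, error=None):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"arn": arn}, "sourceIPAddress": ip}
    if error:
        rec["errorCode"] = error
    return rec


# Assumed principals; the account ID is a placeholder.
ADMIN = "arn:aws:iam::111111111111:role/Admin"
READONLY = "arn:aws:iam::111111111111:role/ReadOnly"

SAMPLE_EVENTS = (
    # Normal hour: a dozen benign EC2 describe calls.
    [_event(f"2024-05-01T10:{m:02d}:00Z", "ec2.amazonaws.com", "DescribeInstances",
            READONLY, "10.0.0.5") for m in range(0, 36, 3)]
    + [
        _event("2024-05-01T10:40:00Z", "cloudtrail.amazonaws.com", "DescribeTrails", ADMIN, "203.0.113.10"),
        _event("2024-05-01T10:45:00Z", "cloudtrail.amazonaws.com", "StopLogging", ADMIN, "203.0.113.10"),
        # Denied by policy, but the attempt itself is the indicator.
        _event("2024-05-01T10:50:00Z", "cloudtrail.amazonaws.com", "DeleteTrail", ADMIN, "203.0.113.10",
               error="AccessDenied"),
        # Next hour: the trail is stopped and ingestion collapses.
        _event("2024-05-01T11:05:00Z", "cloudtrail.amazonaws.com", "GetTrailStatus", READONLY, "10.0.0.5"),
    ]
)


def flag_impairment(events):
    """Return one finding per attempt (successful or denied) to impair logging."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        if ev["eventName"] not in IMPAIRMENT_EVENTS:
            continue
        findings.append({
            "eventTime": ev["eventTime"],
            "eventName": ev["eventName"],
            "principal": ev["userIdentity"]["arn"],
            "sourceIP": ev["sourceIPAddress"],
            # Keep denied calls: they show intent and may precede a retry.
            "outcome": "denied" if ev.get("errorCode") else "succeeded",
            "errorCode": ev.get("errorCode"),
        })
    return findings


def _hour(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(minute=0, second=0)


def volume_drop(events, threshold=0.9):
    """Return (previous_hour, hour, drop_fraction) wherever the hourly event
    count falls by at least `threshold` relative to the preceding hour."""
    counts = Counter(_hour(ev) for ev in events)
    if not counts:
        return []
    # Walk every hour between first and last so a fully silent hour (count 0,
    # therefore absent from the Counter) is still compared with its predecessor.
    hour, last, drops = min(counts), max(counts), []
    while hour < last:
        nxt = hour + timedelta(hours=1)
        prev_n, cur_n = counts.get(hour, 0), counts.get(nxt, 0)
        if prev_n and 1 - cur_n / prev_n >= threshold:
            drops.append((hour.isoformat(), nxt.isoformat(), round(1 - cur_n / prev_n, 3)))
        hour = nxt
    return drops


if __name__ == "__main__":
    for f in flag_impairment(SAMPLE_EVENTS):
        print(f"{f['eventTime']} {f['eventName']} by {f['principal']} from {f['sourceIP']}: {f['outcome']}")
    for prev, cur, drop in volume_drop(SAMPLE_EVENTS):
        print(f"event volume fell {drop:.0%} between {prev} and {cur}")
```

In production the records come from the CloudTrail S3 bucket or a SIEM export rather than the inline list; the hourly bucket and the 90% threshold are tuning knobs, and the volume check should run against the organization trail in the security account, since a stopped member-account trail cannot report its own silence.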
## Mitigation Strategies
- **Service Control Policies (SCPs)**: In AWS, use SCPs to deny `cloudtrail:StopLogging`, `cloudtrail:DeleteTrail`, `cloudtrail:UpdateTrail` and `cloudtrail:PutEventSelectors` for every principal in member accounts, including the member account's root user. SCPs do not apply to the management account, so trails should be owned by a separate security account rather than the management account.
- **Locking Log Buckets**: Use S3 Object Lock or Azure Immutable Storage to prevent the deletion of log files for a set retention period.
- **Multi-Account Logging**: Ship logs to a dedicated, isolated security account where the primary compromised credentials do not have "Delete" permissions.
- **Resource Locks**: Apply "CanNotDelete" locks to critical logging resources in Azure.
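An SCP of the kind described above, as an added example (not from the Unit 42 article or any vendor documentation). The policy dictionary is in real AWS policy format and can be dumped with `scp_json()` for `aws organizations create-policy`; `is_denied` is a deliberately small evaluator that understands only what this policy uses (a `Deny` effect, wildcard actions and a `StringNotLike` condition on `aws:PrincipalArn`) so the exemption logic can be reasoned about offline. The account ID and the `SecurityLogAdmin` break-glass role name are assumptions; real authorization decisions happen inside AWS, and the policy must still be tested in a sandbox OU.

```python
"""CloudTrail-protecting SCP plus a minimal offline evaluator (added example)."""
import json
from fnmatch import fnmatchcase

# Assumed break-glass role allowed to reconfigure trails; everything else is denied.
LOG_ADMIN_ROLE = "arn:aws:iam::*:role/SecurityLogAdmin"

PROTECT_CLOUDTRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyCloudTrailTampering",
        "Effect": "Deny",
        "Action": [
            "cloudtrail:StopLogging",
            "cloudtrail:DeleteTrail",
            "cloudtrail:UpdateTrail",
            "cloudtrail:PutEventSelectors",
        ],
        "Resource": "*",
        # SCP denies also bind the member account's root user; only the
        # break-glass role escapes via the condition below.
        "Condition": {"StringNotLike": {"aws:PrincipalArn": LOG_ADMIN_ROLE}},
    }],
}


def scp_json():
    """Policy document as the string passed to `aws organizations create-policy --content`."""
    return json.dumps(PROTECT_CLOUDTRAIL_SCP, indent=2)


def _matches(patterns, value, fold_case=False):
    """IAM-style wildcard match; action names compare case-insensitively."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate a Condition block. Only StringLike/StringNotLike are implemented,
    which is all this policy needs; anything else raises rather than guessing."""
    for op, key_patterns in condition.items():
        if op not in ("StringLike", "StringNotLike"):
            raise NotImplementedError(f"condition operator {op} not modelled")
        for key, patterns in key_patterns.items():
            matched = _matches(patterns, context.get(key, ""))
            if (op == "StringLike" and not matched) or (op == "StringNotLike" and matched):
                return False
    return True


def is_denied(policy, action, context):
    """True if any Deny statement in `policy` applies to `action` for the
    request context (a dict of condition keys such as aws:PrincipalArn).
    Simplified: ignores Resource and NotAction, which this SCP does not use."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or not _matches(stmt["Action"], action, fold_case=True):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    for arn in ("arn:aws:iam::111111111111:role/Admin",
                "arn:aws:iam::111111111111:root",
                "arn:aws:iam::111111111111:role/SecurityLogAdmin"):
        verdict = "DENIED" if is_denied(PROTECT_CLOUDTRAIL_SCP, "cloudtrail:StopLogging",
                                        {"aws:PrincipalArn": arn}) else "not denied by SCP"
        print(f"{arn}: StopLogging {verdict}")
    print(scp_json())
```

The SCP blocks the management-plane route only. An attacker holding credentials that can delete objects from the log bucket bypasses it entirely, which is why the page pairs SCPs with Object Lock and a separate security account that owns the bucket.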
## Related Tools/Techniques
- **Pacu**: An open-source AWS exploitation framework whose modules (e.g., `detection__disruption`) disable or delete CloudTrail trails and other detection services.
- **CloudGoat**: A deployment tool for vulnerable cloud infrastructure used to practice these techniques.
- **Log Flooding**: Not a tool but a related technique: generating enough events to overwhelm the SIEM, driving up ingestion costs or causing events to be dropped.