Description
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity. They may alternatively tamper with logging functionality, for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Cloud Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading)
Platforms
Mitigations (1)
User Account ManagementM1018
Configure default account policy to enable logging. Manage policies to ensure only necessary users have permissions to make changes to logging policies.
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has disabled Purview Audit on targeted accounts prior to stealing emails from Microsoft 365 tenants.(C... |
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S1091 | Pacu | Tool | [Pacu](https://attack.mitre.org/software/S1091) can disable or otherwise restrict various AWS logging services, such as AWS CloudTrail and VPC flow lo... |
References
- AWS. (n.d.). update-trail. Retrieved April 15, 2026.
- Kelly Sheridan. (2021, August 5). Retrieved April 15, 2026.
- Rhino Security Labs. (2021, April 29). Pacu Detection Disruption Module. Retrieved August 4, 2023.
Frequently Asked Questions
What is T1685.002 (Disable or Modify Cloud Log)?
T1685.002 is a MITRE ATT&CK technique named 'Disable or Modify Cloud Log'. It belongs to the Defense Impairment tactic(s). An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and anal...
How can T1685.002 be detected?
Detection of T1685.002 (Disable or Modify Cloud Log) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1685.002?
There are 1 documented mitigations for T1685.002. Key mitigations include: User Account Management.
Which threat groups use T1685.002?
Known threat groups using T1685.002 include: APT29.