Attackers Target Cloud Logs To Evade Detection

Threat actors are increasingly targeting cloud logging infrastructure as a primary defense evasion technique. By disabling, deleting, or manipulating cloud audit logs across AWS CloudTrail, Azure Monitor, and Google Cloud Logging, attackers effectively blind security teams during intrusions. This tactic allows adversaries to operate undetected for extended periods, exfiltrate data, establish persistence, and cover their tracks. Organizations must implement immutable logging, cross-region redundancy, and real-time monitoring of logging configuration changes to maintain visibility into their cloud environments.

Introduction

Cloud logging services represent both the cornerstone of modern security operations and a critical single point of failure. When attackers gain sufficient privileges within cloud environments, their first move increasingly involves sabotaging the very systems designed to detect them. By manipulating AWS CloudTrail, Azure Activity Logs, or Google Cloud Audit Logs, adversaries achieve tactical invisibility—conducting malicious activities in an environment where security teams have been effectively blindfolded.

This sophisticated defense evasion technique transforms cloud logging infrastructure from a security asset into a liability. Understanding how attackers abuse these services is essential for organizations seeking to maintain effective security posture in cloud environments.

Background & Context

Cloud service providers offer comprehensive logging capabilities designed to capture every action within their ecosystems. AWS CloudTrail records API calls, Azure Monitor tracks resource changes, and Google Cloud Logging maintains audit trails across services. Security teams depend on these logs for threat detection, compliance reporting, forensic investigation, and incident response.

However, these same logging services operate under a fundamental vulnerability: they can be controlled through the same permission models they monitor. An attacker with sufficient Identity and Access Management (IAM) privileges can modify logging configurations, creating blind spots in security monitoring.

Recent campaigns by advanced persistent threat groups have demonstrated systematic approaches to log manipulation. The techniques mirror tactics used in traditional on-premises environments but exploit cloud-specific architectures. The distributed nature of cloud infrastructure, combined with the complexity of multi-account organizations and shared responsibility models, creates opportunities for attackers to operate undetected.

Cloud logging manipulation has appeared in notable breaches across financial services, healthcare, and technology sectors. Attackers leverage compromised credentials, over-privileged service accounts, or misconfigured IAM policies to gain the necessary access rights for log tampering.

Technical Breakdown

AWS CloudTrail Manipulation

Attackers targeting AWS environments employ several techniques to compromise logging visibility:

Trail Deletion:

aws cloudtrail delete-trail --name primary-audit-trail --region us-east-1

This command completely removes a CloudTrail configuration, ceasing all future logging. Sophisticated attackers execute this across multiple regions to ensure comprehensive coverage gaps.

Logging Suspension:

aws cloudtrail stop-logging --name primary-audit-trail

Rather than deletion, stopping logging maintains the trail configuration while halting event capture—a subtler approach that may escape immediate notice.

Event Selector Modification:

aws cloudtrail put-event-selectors --trail-name primary-audit-trail \
  --event-selectors '[]'

This technique selectively disables logging for specific event types while maintaining the appearance of active monitoring.

Azure Monitor Evasion

Azure environments face similar manipulation vectors:

Diagnostic Settings Removal:

Remove-AzDiagnosticSetting -ResourceId "/subscriptions/{id}" -Name "SecurityLogs"

This PowerShell command eliminates diagnostic configurations that route logs to storage accounts or Log Analytics workspaces.

Activity Log Alert Deletion:
Attackers disable alerting mechanisms that would notify security teams of suspicious configuration changes, operating in the gap between log generation and security response.

Google Cloud Platform Attacks

GCP logging abuse follows comparable patterns:

Sink Deletion:

gcloud logging sinks delete security-export-sink

Removing log sinks prevents audit logs from reaching centralized security monitoring platforms.

Exclusion Filter Injection:
Attackers add exclusion filters to existing sinks, selectively filtering out evidence of their activities while maintaining normal logging appearance:

gcloud logging sinks update security-sink \
  --add-exclusion=name=hide-activity,filter='protoPayload.authenticationInfo.principalEmail="attacker@domain.com"'

Cross-Platform Techniques

Regardless of cloud provider, attackers employ common methodologies:

• Privilege Escalation: Exploiting misconfigurations to obtain permissions necessary for log manipulation
• Temporary Disruption: Briefly disabling logs during high-risk operations, then re-enabling to avoid sustained alerts
• Selective Deletion: Removing specific log entries rather than entire logging infrastructure
• Configuration Rollback: Reverting logging settings to less comprehensive configurations

Impact & Risk Assessment

The consequences of successful cloud log manipulation extend far beyond immediate detection evasion:

Extended Dwell Time: Without functioning detection capabilities, attackers operate undetected for weeks or months, maximizing data exfiltration and expanding their foothold across cloud resources.

Compliance Violations: Regulatory frameworks including PCI-DSS, HIPAA, SOC 2, and GDPR mandate comprehensive audit logging. Log deletion creates compliance gaps with potential legal and financial ramifications.

Forensic Blindness: Post-incident investigations rely heavily on log data. When attackers successfully erase their tracks, organizations cannot determine breach scope, identify compromised data, or implement appropriate remediation.

Insurance Implications: Cyber insurance policies increasingly require evidence of security controls. Inability to produce audit logs may complicate claims processing following security incidents.

Reputation Damage: Organizations unable to provide transparent incident timelines face heightened scrutiny from customers, partners, and regulators.

The risk severity scales with organizational cloud adoption. Multi-cloud environments face compounded challenges, as attackers may exploit inconsistent logging policies across platforms.

Vendor Response

Major cloud providers have implemented protective measures, though gaps remain:

AWS offers CloudTrail Insights for anomaly detection, S3 Object Lock for immutable log storage, and AWS Organizations SCPs (Service Control Policies) to prevent trail deletion across accounts.

Azure provides Activity Log retention guarantees, Azure Policy enforcement for diagnostic settings, and immutable blob storage options for log archives.

Google Cloud implements Organization Policy constraints preventing log sink deletion, VPC Service Controls for data exfiltration prevention, and Access Transparency logs for administrative actions.

Despite these capabilities, they require deliberate configuration—default settings often provide insufficient protection. Vendors continue developing improved defaults and automated protections, but implementation responsibility remains with customers under shared responsibility models.

Mitigations & Workarounds

Organizations should implement multiple defensive layers:

Implement Log Immutability:
Configure write-once-read-many (WORM) storage for log archives:

# AWS S3 Object Lock
aws s3api put-object-lock-configuration --bucket audit-logs \
  --object-lock-configuration '{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"GOVERNANCE","Days":90}}}'

Cross-Region Replication:
Duplicate logs across geographic regions to prevent single-region manipulation:

# Azure Log Analytics workspace replication
az monitor log-analytics workspace create --resource-group security-rg \
  --workspace-name backup-logs --location westus2

Separate Security Accounts:
Route logs to dedicated security accounts with restricted access, preventing attackers from disabling monitoring even with production environment access.

Permission Boundaries:
Implement least-privilege IAM policies explicitly denying logging manipulation:

{
  "Effect": "Deny",
  "Action": [
    "cloudtrail:DeleteTrail",
    "cloudtrail:StopLogging",
    "cloudtrail:PutEventSelectors"
  ],
  "Resource": "*"
}

Multi-Factor Authentication:
Require MFA for any privileged operations affecting logging infrastructure.

Detection & Monitoring

Effective detection requires monitoring the monitors:

Configuration Change Alerts:
Establish real-time notifications for logging configuration modifications:

# AWS EventBridge rule for CloudTrail changes
aws events put-rule --name detect-cloudtrail-changes \
  --event-pattern '{"source":["aws.cloudtrail"],"detail-type":["AWS API Call via CloudTrail"],"detail":{"eventName":["StopLogging","DeleteTrail","UpdateTrail"]}}'

Health Check Automation:
Continuously verify logging service operational status:

import boto3

def verify_cloudtrail_status():
    client = boto3.client('cloudtrail')
    trails = client.describe_trails()
    for trail in trails['trailList']:
        status = client.get_trail_status(Name=trail['TrailARN'])
        if not status['IsLogging']:
            alert_security_team(trail['Name'])

Baseline Deviation Detection:
Establish expected log volume patterns and alert on significant deviations indicating potential log suppression.

Third-Party SIEM Integration:
Export logs to external security information and event management platforms, creating monitoring redundancy outside attacker-controlled environments.

Regular Audit Reviews:
Periodically verify logging configurations match security policies and haven’t been subtly modified.

Best Practices

Comprehensive cloud logging security requires organizational commitment:

Architecture Design:

• Implement dedicated logging accounts within cloud organization hierarchies
• Use cross-account log aggregation with restrictive bucket policies
• Deploy logging infrastructure as code with version control

Operational Procedures:

• Establish change management processes for logging configuration modifications
• Require dual authorization for any logging infrastructure changes
• Conduct regular disaster recovery exercises including logging infrastructure

Governance Frameworks:

• Document logging requirements in security policies
• Include logging manipulation scenarios in threat modeling
• Integrate logging verification into compliance auditing

Team Training:

• Educate security operations teams on cloud-specific evasion techniques
• Develop incident response playbooks addressing log tampering scenarios
• Conduct purple team exercises simulating logging attacks

Technology Stack:

• Deploy cloud-native security tools with independent logging capabilities
• Implement runtime security monitoring that doesn’t solely rely on cloud provider logs
• Consider hybrid approaches combining cloud-native and third-party solutions

Key Takeaways

• Cloud logging infrastructure represents a critical attack surface that adversaries systematically target for defense evasion
• Default cloud logging configurations provide insufficient protection against determined attackers with elevated privileges
• Immutable storage, cross-region replication, and separate security accounts form essential defensive controls
• Real-time monitoring of logging configuration changes enables rapid detection of tampering attempts
• Comprehensive cloud security requires treating logging infrastructure with the same rigor as production systems
• Organizations must implement defense-in-depth strategies that maintain visibility even when primary logging fails

References

• AWS CloudTrail Documentation: https://docs.aws.amazon.com/cloudtrail/
• Azure Monitor Best Practices: https://docs.microsoft.com/azure/azure-monitor/
• Google Cloud Audit Logs: https://cloud.google.com/logging/docs/audit
• MITRE ATT&CK T1562.008: Impair Defenses – Disable Cloud Logs
• Cloud Security Alliance: Cloud Logging Best Practices
• NIST SP 800-92: Guide to Computer Security Log Management

Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.
📧 Subscribe to our newsletter at https://cydhaal.com/newsletter/