Audit Logging Bypass
low
audit-logging-bypass
Attacker disables or evades security logging to hide malicious activity
Repudiation
MITRE ATT&CK techniques
| ID | Name | Tactic |
|---|---|---|
| T1562 | Impair Defenses | Defense Evasion |
| T1070 | Indicator Removal | Defense Evasion |
Common Weakness Enumeration
Mitigating controls
ctrl-audit-1 - Implement immutable logging
ctrl-audit-2 - Ship logs to secure, separate storage
ctrl-audit-3 - Monitor for logging gaps or anomalies
ctrl-audit-4 - Implement log integrity verification
ctrl-audit-5 - Alert on logging configuration changes
ctrl-audit-6 - Monitor for security service status changes (e.g., detector disabled, logging stopped)