Audit Bypass
Category: Authentication & Authorization
Severity: Medium
MITRE ATT&CK Mapping: T1562.006 (Impair Defenses: Indicator Blocking)
Description
Delegated calls are executed without proper logging and no audit trail is kept, so an attacker can perform actions without detection or accountability.
Technical Details
Attack Vector
- Missing audit logging
- Audit trail manipulation
- Log bypass techniques
- Accountability evasion
Common Techniques
- Log suppression
- Audit trail tampering
- Logging bypass
- Event obfuscation
Impact
- Stealth Operations: Actions performed without detection
- Accountability Loss: Inability to track malicious activities
- Forensic Challenges: Difficulty investigating security incidents
- Compliance Violations: Failure to meet audit requirements
Detection Methods
Audit Monitoring
- Monitor audit log generation
- Track logging patterns
- Detect missing audit entries
- Analyze audit completeness
Log Analysis
- Analyze log integrity
- Monitor for log tampering
- Detect log gaps
- Track logging anomalies
Mitigation Strategies
Audit Implementation
- Implement comprehensive audit logging
- Use tamper-proof logging
- Deploy audit monitoring
- Monitor audit completeness
Log Security
- Implement log integrity protection
- Use centralized logging
- Deploy log monitoring
- Monitor log access
Real-World Examples
Example 1: Missing Audit Logging
def execute_sensitive_action(action, user_id):
    # No audit logging: the action runs and returns with no record of who invoked it
    result = perform_action(action)
    # Should include: audit_log(action, user_id, result)
    return result
Example 2: Conditional Logging Bypass
def admin_operation(operation, user_id, bypass_audit=False):
    # Logging is conditional on a parameter the caller controls
    if not bypass_audit:
        audit_log(operation, user_id)
    # Attack: bypass_audit=True to avoid logging
    return execute_admin_operation(operation)
Example 3: Log Suppression
def delegated_call(target_function, params, log_level="INFO"):
    # Logging bypass through level manipulation: the caller chooses the level
    if log_level != "SILENT":
        log_function_call(target_function, params)
    # Attack: log_level="SILENT" to suppress logging
    return target_function(params)
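A hardened counterpart to the three examples above, added here as an illustration and not code from the original page: the audit record is written by a decorator that has no caller-controlled bypass or level parameter and also records failures, each entry is hash-chained to its predecessor so that edits or deletions are detectable, and verify_chain reports the first broken link. The in-memory AUDIT_CHAIN sink and all names are assumptions.

```python
import hashlib
import json
import time
from functools import wraps

# Constructed in-memory sink (hypothetical); real deployments use an append-only, centralized store.
AUDIT_CHAIN = []
GENESIS = "0" * 64

def _entry_hash(prev, entry):
    return hashlib.sha256((prev + json.dumps(entry, sort_keys=True)).encode()).hexdigest()

def _append_audit(entry):
    """Append an entry hash-linked to its predecessor, so edits or deletions break the chain."""
    prev = AUDIT_CHAIN[-1]["hash"] if AUDIT_CHAIN else GENESIS
    record = dict(entry, prev=prev, hash=_entry_hash(prev, entry))
    AUDIT_CHAIN.append(record)
    return record

def audited(func):
    """Record every call unconditionally, including failures; no caller-controlled bypass."""
    @wraps(func)
    def wrapper(*args, **kwargs):
        outcome = "ok"
        try:
            return func(*args, **kwargs)
        except Exception as exc:
            outcome = "error:" + type(exc).__name__
            raise
        finally:  # runs whether the call returned or raised
            _append_audit({"fn": func.__name__, "ts": time.time(), "outcome": outcome,
                           "args": [getattr(a, "__name__", repr(a)) for a in args],
                           "kwargs": {k: repr(v) for k, v in kwargs.items()}})
    return wrapper

def verify_chain(chain=None):
    """Recompute every link; return the index of the first broken entry, or -1 if intact."""
    chain = AUDIT_CHAIN if chain is None else chain
    prev = GENESIS
    for i, rec in enumerate(chain):
        entry = {k: v for k, v in rec.items() if k not in ("prev", "hash")}
        if rec["prev"] != prev or _entry_hash(prev, entry) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1

@audited
def delegated_call(target_function, params):
    # No log_level or bypass_audit parameter: nothing the caller passes can suppress the record.
    return target_function(params)
```

Running verify_chain on a schedule, from a host other than the one writing the log, turns the "detect missing audit entries" and "analyze log integrity" checks above into a concrete gap and tamper alarm.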
References & Sources
- Structured MCP Threats - Comprehensive threat landscape analysis
Related TTPs
Audit bypass attacks undermine security monitoring and accountability by evading detection and logging mechanisms.