Log Tampering

Category: Monitoring & Operational Security
Severity: High

Description

Unauthorized modification, deletion, or manipulation of security logs and audit trails to hide malicious activities and impair incident investigation capabilities.

Technical Details

Attack Vector

  • Log file modification
  • Log deletion attacks
  • Log injection attacks
  • Log system manipulation

Common Techniques

  • Direct log file manipulation
  • Log rotation abuse
  • Log system compromise
  • Timestamp manipulation

Impact

  • Evidence Destruction: Removal of evidence of malicious activities
  • Investigation Impairment: Compromised incident investigation capabilities
  • Forensic Challenges: Difficulty in reconstructing attack timelines
  • Compliance Violations: Violation of log retention requirements

Detection Methods

Log Integrity Monitoring

  • Monitor log file integrity
  • Detect unauthorized log modifications
  • Track log deletion events
  • Analyze log tampering patterns

System Monitoring

  • Monitor log system access
  • Track log file changes
  • Detect log system compromise
  • Analyze system behavior

Mitigation Strategies

Log Protection

  • Implement log integrity protection
  • Use centralized logging systems
  • Deploy log encryption
  • Monitor log access

System Security

  • Implement access controls for logs
  • Use log signing mechanisms
  • Deploy log backup systems
  • Monitor log system security

Real-World Examples

Example 1: Direct Log File Manipulation

# Vulnerable log system
import os

def clear_security_logs():
    # Attacker directly modifies log files
    log_files = [
        "/var/log/security.log",
        "/var/log/auth.log",
        "/var/log/mcp.log"
    ]
    
    for log_file in log_files:
        if os.path.exists(log_file):
            # Clears log file
            open(log_file, 'w').close()
            
            # Or selectively removes entries
            with open(log_file, 'r') as f:
                lines = f.readlines()
            
            # Removes suspicious entries
            filtered_lines = [
                line for line in lines 
                if "failed_login" not in line and "privilege_escalation" not in line
            ]
            
            with open(log_file, 'w') as f:
                f.writelines(filtered_lines)

Example 2: Log Injection Attack

# Vulnerable log injection
from datetime import datetime

def log_user_activity(user, activity):
    # Vulnerable to log injection: user-controlled text is written unescaped
    log_entry = f"{datetime.now()} - User {user} performed {activity}"
    
    with open("/var/log/user_activity.log", "a") as f:
        f.write(log_entry + "\n")

# Attacker injects malicious log entries
# user = "admin"
# activity = "login\n2024-01-15 10:30:00 - User admin performed legitimate_action"
# Creates fake log entries to hide malicious activities

Example 3: Log System Compromise

# Compromised logging system
from datetime import datetime

class LoggingSystem:
    def __init__(self):
        self.log_file = "/var/log/system.log"
        self.compromised = False
    
    def log_event(self, event):
        if self.compromised:
            # Attacker controls logging system
            if "attack" in event or "malicious" in event:
                # Silently drops suspicious events
                return
            
            # Modifies events to hide activities
            event = event.replace("failed", "successful")
            event = event.replace("unauthorized", "authorized")
        
        with open(self.log_file, "a") as f:
            f.write(f"{datetime.now()} - {event}\n")
    
    def compromise_system(self):
        # Attacker compromises logging system
        self.compromised = True
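
Hardened counterpart to the three examples above, added here as an illustration and not part of the original page: each record is HMAC-chained to its predecessor (the log signing and integrity protection listed under Mitigation Strategies), user input is JSON-escaped so the newline payload from Example 2 produces one record instead of two, and verify() reports which kind of tampering broke the chain. The key, the in-memory line list and the record layout are constructed for this demo.

```python
import hmac
import hashlib
import json
from datetime import datetime, timezone

# Constructed demo key: in practice it lives in a KMS/HSM or on the central log
# collector, never on the host whose logs it protects.
KEY = b"demo-only-log-signing-key"
ANCHOR = "0" * 64  # chain start value for the first record


def _mac(key, seq, ts, msg, prev):
    """HMAC over the record and the previous record's MAC: a hash chain."""
    return hmac.new(key, f"{seq}|{ts}|{msg}|{prev}".encode(), hashlib.sha256).hexdigest()


class TamperEvidentLog:
    def __init__(self, key=KEY):
        self.key, self.lines, self.tail = key, [], ANCHOR  # lines stands in for the file

    def append(self, user, activity):
        # json.dumps escapes CR/LF, so a newline in user input cannot start a fake record
        msg = f"User {json.dumps(user)} performed {json.dumps(activity)}"
        seq, ts = len(self.lines), datetime.now(timezone.utc).isoformat()
        mac = _mac(self.key, seq, ts, msg, self.tail)
        self.lines.append(f"{seq}|{ts}|{msg}|{mac}")
        self.tail = mac  # ship this value to the collector after every write
        return self.lines[-1]


def verify(lines, key=KEY, expected_tail=None):
    """Recompute the chain. Returns (ok, problems); stops at the first break."""
    problems, prev = [], ANCHOR
    for i, line in enumerate(lines):
        try:
            seq, ts, rest = line.split("|", 2)
            msg, mac = rest.rsplit("|", 1)
            seq = int(seq)
        except ValueError:
            return False, [(i, "malformed record: injected or corrupted")]
        if seq != i:
            return False, [(i, f"sequence gap: expected {i}, found {seq} (deleted record)")]
        if not hmac.compare_digest(_mac(key, seq, ts, msg, prev), mac):
            return False, [(i, "MAC mismatch: modified, backdated or forged record")]
        prev = mac
    if expected_tail is not None and prev != expected_tail:
        problems.append((len(lines), "chain ends early: records truncated from the tail"))
    return not problems, problems
```

Truncation of the newest records is only detectable against the externally stored tail MAC, which is why the collector (centralized logging) must receive it out of band.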

Log tampering represents a serious threat to security operations by destroying evidence and compromising incident investigation capabilities.