Log Tampering
Category: Monitoring & Operational Security
Severity: High
MITRE ATT&CK Mapping: T1070.002 (Indicator Removal on Host: Clear Linux or Mac System Logs)
Description
Unauthorized modification, deletion, or manipulation of security logs and audit trails to hide malicious activities and impair incident investigation capabilities.
Technical Details
Attack Vector
- Log file modification
- Log deletion attacks
- Log injection attacks
- Log system manipulation
Common Techniques
- Direct log file manipulation
- Log rotation abuse
- Log system compromise
- Timestamp manipulation
Impact
- Evidence Destruction: Removal of evidence of malicious activities
- Investigation Impairment: Compromised incident investigation capabilities
- Forensic Challenges: Difficulty in reconstructing attack timelines
- Compliance Violations: Violation of log retention requirements
Detection Methods
Log Integrity Monitoring
- Monitor log file integrity
- Detect unauthorized log modifications
- Track log deletion events
- Analyze log tampering patterns
System Monitoring
- Monitor log system access
- Track log file changes
- Detect log system compromise
- Analyze system behavior
Mitigation Strategies
Log Protection
- Implement log integrity protection
- Use centralized logging systems
- Deploy log encryption
- Monitor log access
System Security
- Implement access controls for logs
- Use log signing mechanisms
- Deploy log backup systems
- Monitor log system security
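The "log integrity protection" and "log signing mechanisms" items above can be made concrete with a hash-chained, MAC'd append-only log. The following is an added example written for this page, not code from the Red Hat or Cisco sources; the signing key and the in-memory list standing in for the log file are assumptions. Each line carries an HMAC over the previous line's MAC and its own record, so deleting, editing or reordering any entry breaks the chain at that point, and a checkpoint of the last MAC held by the central collector exposes tail truncation that a chain alone cannot see.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical key. In practice it lives with the central log collector or an
# HSM, never on the host whose logs it protects, or a local root can re-sign.
SIGNING_KEY = b"example-key-not-for-production"

GENESIS_MAC = "0" * 64  # chain anchor for the first entry


def entry_mac(key: bytes, prev_mac: str, record: dict) -> str:
    """HMAC-SHA256 over the previous MAC and this record, forming a chain."""
    payload = prev_mac.encode() + b"\n" + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(log_lines: list, key: bytes, message: str, ts: str = None) -> str:
    """Append one chained, MAC'd JSON line to the log (a list of str here)."""
    prev_mac = json.loads(log_lines[-1])["mac"] if log_lines else GENESIS_MAC
    record = {
        "seq": len(log_lines),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "msg": message,
    }
    line = json.dumps({**record, "mac": entry_mac(key, prev_mac, record)}, sort_keys=True)
    log_lines.append(line)
    return line


def verify_log(log_lines: list, key: bytes, expected_last_mac: str = None) -> tuple:
    """Return (ok, index_of_first_bad_entry); -1 when the whole chain verifies.

    Detects edits, deletions and reordering anywhere in the chain. Tail
    truncation is only detectable against a checkpoint (expected_last_mac)
    recorded out-of-band, e.g. by the central collector.
    """
    prev_mac = GENESIS_MAC
    for idx, line in enumerate(log_lines):
        try:
            obj = json.loads(line)
        except ValueError:
            return False, idx
        mac = obj.get("mac") or ""
        record = {k: v for k, v in obj.items() if k != "mac"}
        if record.get("seq") != idx:  # a removed or reordered entry shifts seq
            return False, idx
        if not hmac.compare_digest(mac, entry_mac(key, prev_mac, record)):
            return False, idx
        prev_mac = mac
    if expected_last_mac is not None and not hmac.compare_digest(prev_mac, expected_last_mac):
        return False, len(log_lines)  # entries missing from the tail
    return True, -1


if __name__ == "__main__":
    # Constructed sample entries, then the selective-deletion pattern from Example 1
    log = []
    for msg in ("sshd: failed_login user=bob", "sudo: privilege_escalation user=bob", "cron: job ok"):
        append_entry(log, SIGNING_KEY, msg)
    checkpoint = json.loads(log[-1])["mac"]
    print(verify_log(log, SIGNING_KEY, checkpoint))
    print(verify_log([l for l in log if "failed_login" not in l], SIGNING_KEY, checkpoint))
```

The chain only proves what was written; an attacker who controls the logging process (Example 3 below) can still sign whatever it chooses, which is why the key and the checkpoint belong with a centralized collector rather than on the host.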
Real-World Examples
Example 1: Direct Log File Manipulation
# Vulnerable log system
import os

def clear_security_logs():
    # Attacker directly modifies log files
    log_files = [
        "/var/log/security.log",
        "/var/log/auth.log",
        "/var/log/mcp.log"
    ]
    for log_file in log_files:
        if os.path.exists(log_file):
            # Clears log file
            open(log_file, 'w').close()
            # Or selectively removes entries
            with open(log_file, 'r') as f:
                lines = f.readlines()
            # Removes suspicious entries
            filtered_lines = [
                line for line in lines
                if "failed_login" not in line and "privilege_escalation" not in line
            ]
            with open(log_file, 'w') as f:
                f.writelines(filtered_lines)
Example 2: Log Injection Attack
# Vulnerable log injection
from datetime import datetime

def log_user_activity(user, activity):
    # Vulnerable to log injection: user-controlled values are written verbatim,
    # so an embedded newline starts a new, attacker-authored log line
    log_entry = f"{datetime.now()} - User {user} performed {activity}"
    with open("/var/log/user_activity.log", "a") as f:
        f.write(log_entry + "\n")

# Attacker injects malicious log entries
# user = "admin"
# activity = "login\n2024-01-15 10:30:00 - User admin performed legitimate_action"
# Creates fake log entries to hide malicious activities
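The hardened counterpart to Example 2, added here as an example that is not part of the original page: user-controlled fields are either escaped so control characters (CR, LF and friends) cannot terminate the line, or the entry is emitted as one JSON object per line, where the encoder escapes newlines itself and the consumer parses fields instead of splitting on text. The function names and the fixed timestamp parameter are assumptions made for this example.

```python
import json
import re
from datetime import datetime, timezone

# Any control character, including \r and \n, could let input forge a new record
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def escape_field(value) -> str:
    """Render control characters as visible \\xNN escapes so a field stays on one line."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), str(value))


def format_entry_plain(user: str, activity: str, ts: str = None) -> str:
    """Same line layout as the vulnerable version, but with escaped fields."""
    ts = ts or datetime.now(timezone.utc).isoformat()
    return f"{ts} - User {escape_field(user)} performed {escape_field(activity)}"


def format_entry_json(user: str, activity: str, ts: str = None) -> str:
    """Structured alternative: one JSON object per line; json.dumps escapes newlines."""
    ts = ts or datetime.now(timezone.utc).isoformat()
    return json.dumps({"ts": ts, "user": user, "activity": activity}, ensure_ascii=True)


def count_records(log_text: str) -> int:
    """How many records a line-oriented log reader would see in this text."""
    return sum(1 for line in log_text.split("\n") if line)


def log_user_activity(user: str, activity: str, path: str = "/var/log/user_activity.log") -> str:
    """Hardened replacement for the page's log_user_activity; returns the written line."""
    line = format_entry_json(user, activity)
    with open(path, "a") as f:
        f.write(line + "\n")
    return line


if __name__ == "__main__":
    # Constructed payload from the page's Example 2 comment
    payload = "login\n2024-01-15 10:30:00 - User admin performed legitimate_action"
    print(format_entry_plain("admin", payload, ts="2024-01-15T10:30:00+00:00"))
    print(format_entry_json("admin", payload, ts="2024-01-15T10:30:00+00:00"))
```

Escaping preserves the existing text format and makes the injection attempt itself visible in the record; the JSON form is preferable when the logs feed a SIEM, because the original bytes survive round-tripping and no field can be confused with record framing.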
Example 3: Log System Compromise
# Compromised logging system
from datetime import datetime

class LoggingSystem:
    def __init__(self):
        self.log_file = "/var/log/system.log"
        self.compromised = False

    def log_event(self, event):
        if self.compromised:
            # Attacker controls logging system
            if "attack" in event or "malicious" in event:
                # Silently drops suspicious events
                return
            # Modifies events to hide activities
            event = event.replace("failed", "successful")
            event = event.replace("unauthorized", "authorized")
        with open(self.log_file, "a") as f:
            f.write(f"{datetime.now()} - {event}\n")

    def compromise_system(self):
        # Attacker compromises logging system
        self.compromised = True
References & Sources
- Red Hat - “Model Context Protocol (MCP): Understanding security risks and controls”
- Cisco - “AI Model Context Protocol (MCP) and Security”
Related TTPs
Log tampering represents a serious threat to security operations by destroying evidence and compromising incident investigation capabilities.