| Name |
Audit Log Manipulation |
|
| Likelyhood of attack |
Typical severity |
| High |
High |
|
| Summary |
The attacker injects, manipulates, deletes, or forges malicious log entries into the log file, in an attempt to mislead an audit of the log file or cover tracks of an attack. Due to either insufficient access controls of the log files or the logging mechanism, the attacker is able to perform such actions. |
| Prerequisites |
The target host is logging the action and data of the user. The target host insufficiently protects access to the logs or logging mechanisms. |
| Solutions | |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-117 |
Improper Output Neutralization for Logs |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-161 |
An attacker exploits characteristics of the infrastructure of a network entity in order to perpetrate attacks or information gathering on network objects or effect a change in the ordinary information flow between network objects. Most often, this involves manipulation of the routing of network messages so, instead of arriving at their proper destination, they are directed towards an entity of the attackers' choosing, usually a server controlled by the attacker. The victim is often unaware that their messages are not being processed correctly. For example, a targeted client may believe they are connecting to their own bank but, in fact, be connecting to a Pharming site controlled by the attacker which then collects the user's login information in order to hijack the actual bank account. |
|
| Taxonomy: ATTACK |
|
Entry ID
|
Entry Name
|
| 1070 |
Indicator Removal on Host |
| 1562.002 |
Impair Defenses: Disable Windows Event Logging |
| 1562.003 |
Impair Defenses: Impair Command History Logging |
| 1562.008 |
Impair Defenses: Disable Cloud Logs |
|
| Taxonomy: OWASP Attacks |
|
Entry ID
|
Entry Name
|
| Link |
Log Injection |
|