CAPEC-268 Audit Log Manipulation – Attack Pattern Analysis

CAPEC-268 Metadata

Likelihood of Attack

High

Typical Severity

High

Overview

Summary

The attacker injects, manipulates, deletes, or forges malicious log entries into the log file, in an attempt to mislead an audit of the log file or cover tracks of an attack. Due to either insufficient access controls of the log files or the logging mechanism, the attacker is able to perform such actions.

Prerequisites

The target host is logging the action and data of the user. The target host insufficiently protects access to the logs or logging mechanisms.

Potential Solutions / Mitigations

No specific solutions listed.

Related Weaknesses (CWE)

CWE ID	Description
CWE-117	Improper Output Neutralization for Logs

Related CAPECs

CAPEC ID	Description
CAPEC-161	An attacker exploits characteristics of the infrastructure of a network entity in order to perpetrate attacks or information gathering on network objects or effect a change in the ordinary information flow between network objects. Most often, this involves manipulation of the routing of network messages so, instead of arriving at their proper destination, they are directed towards an entity of the attackers' choosing, usually a server controlled by the attacker. The victim is often unaware that their messages are not being processed correctly. For example, a targeted client may believe they are connecting to their own bank but, in fact, be connecting to a Pharming site controlled by the attacker which then collects the user's login information in order to hijack the actual bank account.

CAPEC ID

Description

CAPEC-161

An attacker exploits characteristics of the infrastructure of a network entity in order to perpetrate attacks or information gathering on network objects or effect a change in the ordinary information flow between network objects. Most often, this involves manipulation of the routing of network messages so, instead of arriving at their proper destination, they are directed towards an entity of the attackers' choosing, usually a server controlled by the attacker. The victim is often unaware that their messages are not being processed correctly. For example, a targeted client may believe they are connecting to their own bank but, in fact, be connecting to a Pharming site controlled by the attacker which then collects the user's login information in order to hijack the actual bank account.

Taxonomy Mappings

Taxonomy: ATTACK

Entry ID	Entry Name
1070	Indicator Removal on Host
1562.002	Impair Defenses: Disable Windows Event Logging
1562.003	Impair Defenses: Impair Command History Logging
1562.008	Impair Defenses: Disable Cloud Logs

Taxonomy: OWASP Attacks

Entry ID	Entry Name
Link	Log Injection

Stay Ahead of Attack Patterns

Understanding CAPEC patterns helps security professionals anticipate and thwart potential attacks. Leverage these insights to enhance threat modeling, strengthen your software development lifecycle, and train your security teams effectively.