TID-225: Logs can be manipulated on the device
Threat Description
Threat actors may try to manipulate logs on the device to evade defenses, confuse incident responders, hide their access techniques, or keep their exploitation methods secret. Threat actors can do this by changing the timestamps on logs, deleting logs entirely, inserting or reporting false logs, restoring the device to a previous state, or factory resetting the device. All of these methods will prevent defenders from obtaining an accurate representation of the current or past state of the device and will make analysis of the device more difficult.
Threat Maturity and Evidence
Observed Adversarial Technique
- ATT&CK T1630 Indicator Removal on Host
The Android malware Monokle has the capability to use incoming cellphone calls to trigger certain events on the device. After receiving the phone call, Monokle will subsequently delete the call record log, thereby making it more difficult to know that an incoming phone call took place or caused an event to occur on the device.
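The manipulation methods listed in the threat description (altering timestamps, deleting or reordering entries, truncating the log) and the Monokle call-record deletion above are all detectable if each log record carries a MAC chained to its predecessor and the latest chain head is kept off the device. The following is an added illustration, not code from the page or from any cited project; the records, the key and the `chain_records`/`verify_chain` names are constructed for the example, and it assumes the MAC key is held somewhere the attacker cannot reach (secure element or remote collector).

```python
import hashlib
import hmac
import json

# Constructed sample log records (not from the page); a real device would
# append these as events occur.
RECORDS = [
    {"ts": "2024-05-01T10:00:00Z", "event": "boot"},
    {"ts": "2024-05-01T10:05:12Z", "event": "incoming_call", "from": "+15550100"},
    {"ts": "2024-05-01T10:05:40Z", "event": "app_start", "pkg": "com.example.app"},
]
# Assumed: the MAC key lives outside the attacker's reach (secure element or
# remote collector). If the attacker holds the key, the chain can be re-forged.
KEY = b"constructed-demo-key"
GENESIS = "0" * 64

def _mac(key, prev, rec):
    body = json.dumps(rec, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()

def chain_records(records, key):
    """Append each record with a MAC over (previous MAC || canonical record)."""
    chained, prev = [], GENESIS
    for rec in records:
        rec = dict(rec)                      # copy so the caller's input stays intact
        tag = _mac(key, prev, rec)
        chained.append({"rec": rec, "prev": prev, "mac": tag})
        prev = tag
    return chained

def verify_chain(chained, key, expected_head=None):
    """Return (ok, index, reason); index is the first entry that fails.
    expected_head is the last MAC as recorded off-device; it catches
    truncation (deleting the tail), which the chain alone cannot."""
    prev = GENESIS
    for i, entry in enumerate(chained):
        if entry["prev"] != prev:
            return (False, i, "broken link")      # deletion or reorder before i
        if not hmac.compare_digest(_mac(key, prev, entry["rec"]), entry["mac"]):
            return (False, i, "modified entry")   # timestamp or content changed
        prev = entry["mac"]
    if expected_head is not None and prev != expected_head:
        return (False, len(chained), "truncated or replaced")
    return (True, None, None)

if __name__ == "__main__":
    chain = chain_records(RECORDS, KEY)
    head = chain[-1]["mac"]                      # stored off-device in practice
    print(verify_chain(chain, KEY, head))        # intact chain
    del chain[1]                                 # the call record is removed
    print(verify_chain(chain, KEY, head))        # broken link at index 1
```

Verification runs on the collector, not the device: a device that was factory reset or rolled back simply presents a chain whose head no longer matches the one the collector last received.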
CWE
- CWE-284: Improper Access Control
“The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.”
CVE
- CVE-2024-9026
“… when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.”