T23 · Helmwart ID · OWASP MAS Guide source

Selective Log Manipulation

Extends T8: Repudiation and Untraceability · base threat in OWASP v1.1 catalog

Last reviewed 2026-05-14 · Severity heuristic: high

Definition

An attacker, having gained some level of write access, selectively removes specific log entries covering fraudulent transactions while leaving the surrounding log intact. The result is that the audit trail appears complete (normal volume, no obvious gaps) while incriminating records have been excised. This is more targeted than wholesale log deletion and is harder to detect without cryptographic log-integrity enforcement.

What it looks like in practice

An attacker uses a compromised RPA agent to approve several fraudulent expense claims. The agent generates log entries for each approval. The attacker then accesses the logging backend and removes only the log lines corresponding to those specific approvals. To avoid triggering volume-based anomaly detection, the attacker backfills the gaps with fabricated log entries for benign low-value approvals that maintain the expected event rate, a technique documented in the MAS Guide as “benign action mimicry”. From the monitoring system’s perspective, the approval count and event frequency look normal; the fraudulent approvals have simply never happened.

Why it’s dangerous in multi-agent context

Agents generate high volumes of log events across many automated steps. The sheer volume makes selective deletion harder to detect by casual inspection; a missing entry in thousands of records is not obvious without purpose-built log-integrity tooling. In a multi-agent pipeline where each agent emits its own log stream, an attacker who compromises the centralised log aggregator (rather than individual agent processes) can excise records from all agents simultaneously. T44 (Insufficient Logging in MCP Server / Client) creates the blind spot that makes this attack viable in MCP-integrated deployments.

Detection signals

Selective log deletion leaves structural fingerprints (sequence gaps, hash-chain breaks, or unexpected event-rate flatness) rather than the volume drop that wholesale deletion would cause.

  • A break in the HMAC chain: the computed HMAC of entry N does not match the value stored in entry N+1’s prev_hash field. A chain-integrity check run on every log batch ingestion should emit an alert on the first mismatch.
  • A monotonically increasing event sequence number with a gap (e.g. sequence jumps from 10 042 to 10 044) in the centralised log aggregator’s index. Instrument the aggregator to reject or flag non-contiguous sequence ingestion.
  • A period of exactly N consecutive minutes where the event count per minute is implausibly uniform (variance < 1) for a high-throughput agent. Genuine activity fluctuates; statistically flat counts indicate fabricated backfill entries.
  • An agent_id and action_type pair present in the downstream payment system’s records (i.e. a payment was made) with no corresponding approval event in the agent audit log. Cross-reference payment records against approval events hourly and alert on any orphaned payment.
  • A write operation to the logging backend’s data partition authenticated with the agent’s operational credentials (which should have no write access to that partition). Alert on any IAM access event where the agent’s service account performs a delete or update on the audit log store.
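
The event-rate flatness and orphaned-payment checks from the list above, as an added example (not code from the OWASP guides or this catalog). The window length, the `min_rate` throughput floor, the `ref` join field and all sample data are assumptions constructed for illustration.

```python
from statistics import pvariance

def flat_runs(per_minute, window=10, max_var=1.0, min_rate=50):
    """Merge every `window`-minute slice whose mean is at least min_rate
    (high-throughput) and whose variance is below max_var into [start, end)."""
    runs = []
    for i in range(len(per_minute) - window + 1):
        chunk = per_minute[i:i + window]
        if sum(chunk) / window >= min_rate and pvariance(chunk) < max_var:
            if runs and i <= runs[-1][1]:
                runs[-1][1] = i + window        # overlaps the previous run
            else:
                runs.append([i, i + window])
    return [tuple(r) for r in runs]

def orphaned_payments(payments, approvals):
    """Refs of payments whose (agent_id, action_type, ref) has no approval event."""
    key = lambda r: (r["agent_id"], r["action_type"], r["ref"])
    approved = {key(a) for a in approvals}
    return [p["ref"] for p in payments if key(p) not in approved]

def demo_signals():
    # Constructed per-minute event counts: minutes 8-19 are uniform backfill.
    counts = ([112, 97, 131, 104, 88, 120, 109, 93]
              + [100, 100, 101, 100, 100, 100, 99, 100, 100, 100, 100, 100]
              + [126, 101, 84, 117, 95, 133, 108, 90])
    # Constructed records: the approval for claim 7002 is absent from the
    # audit log, but the payment system still shows it was paid.
    def rec(ref):
        return {"agent_id": "rpa-01", "action_type": "approve_expense", "ref": ref}
    approvals = [rec(r) for r in (7000, 7001, 7003)]
    payments = [rec(r) for r in (7000, 7001, 7002, 7003)]
    return flat_runs(counts), orphaned_payments(payments, approvals)

if __name__ == "__main__":
    flat, orphans = demo_signals()
    print("flat minute ranges:", flat)
    print("orphaned payment refs:", orphans)
```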

Mitigations

  • Write logs to an append-only store using cryptographic chaining (entries linked by a Hash-based Message Authentication Code (HMAC), or a Merkle tree) so individual record deletion is detectable.
  • Ship logs to an immutable, off-host destination (write-once object storage, a separate SIEM ingestion endpoint) before the agent process can be targeted.
  • Alert on log volume drops as well as content anomalies; a sudden decrease in event rate from a high-throughput agent is as significant as an unexpected spike.
  • Separate write permissions on the logging backend from the agent’s operational permissions: the agent should not hold credentials that allow it to modify its own audit trail.
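
The HMAC chain and sequence checks behind the first mitigation and the first two detection signals, as an added example (not code from the OWASP guides or this catalog). The entry layout, the all-zero genesis value, the off-host `anchor` and the sample claims are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed prev_hash value for the first entry

def entry_mac(key, entry):
    """HMAC-SHA256 over the canonical JSON of an entry (its prev_hash included)."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def append(key, log, action_type, detail):
    """Recorder-side append: store the HMAC of the previous entry as prev_hash."""
    prev = entry_mac(key, log[-1]) if log else GENESIS
    log.append({"seq": len(log) + 1, "agent_id": "rpa-01",
                "action_type": action_type, "detail": detail, "prev_hash": prev})

def verify(key, log, anchor):
    """Return (seq, reason) findings. anchor is the HMAC of the newest entry,
    kept off-host, so edits to or truncation of the tail are caught as well."""
    findings, prev_mac, prev_seq = [], GENESIS, 0
    for e in log:
        if e["seq"] != prev_seq + 1:
            findings.append((e["seq"], "sequence gap"))
        if not hmac.compare_digest(e["prev_hash"], prev_mac):
            findings.append((e["seq"], "chain break"))
        prev_mac, prev_seq = entry_mac(key, e), e["seq"]
    if not hmac.compare_digest(prev_mac, anchor):
        findings.append((prev_seq, "anchor mismatch"))
    return findings

def demo_chain():
    key = b"constructed-recorder-key"  # held by the recorder identity only
    log = []
    for n, amount in enumerate(["40.00", "55.10", "9800.00", "23.75", "61.20"]):
        append(key, log, "approve_expense", f"claim {7000 + n} amount={amount}")
    anchor = entry_mac(key, log[-1])
    # Constructed tampering, done without the key: seq 3 is replaced by a
    # benign-looking entry, so entry count and sequence numbers stay normal.
    backfilled = log[:2] + [dict(log[2], detail="claim 7002 amount=12.00")] + log[3:]
    deleted = log[:2] + log[3:]    # plain removal of seq 3
    truncated = log[:4]            # newest entry dropped
    return {name: verify(key, entries, anchor) for name, entries in
            [("clean", log), ("backfilled", backfilled),
             ("deleted", deleted), ("truncated", truncated)]}

if __name__ == "__main__":
    for name, findings in demo_chain().items():
        print(name, findings)
```

The backfilled case passes a count or sequence check and is flagged only by the chain; the truncated case is flagged only by the off-host anchor.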

Relation to base threat (T1–T17)

T23 extends T8 Repudiation and Untraceability. Where T8 covers the broad class of actions that evade audit, T23 is the surgical log-deletion variant: the attacker targets specific records rather than disabling logging entirely. T35 (Manipulation of Proof of Sampling) is the ElizaOS-specific analogue where the verification mechanism rather than the log store is the target.

OWASP Top 10 for Agentic Applications 2026

The Agentic Top 10 (ASI01 through ASI10) is a separate practitioner-facing publication that maps onto the master Threats & Mitigations threat numbering. T23 is covered by the following Top 10 entries:

  • ASI09 Human-Agent Trust Exploitation (contributing)

    Adversaries exploit the tendency of humans to trust fluent, authoritative-sounding agents: an agent presents plausible justification for a harmful action, the human approves it, and the resulting audit trail reads as deliberate human authorisation. The attack surface is the review step itself: human-in-the-loop oversight becomes the vector when reviewers lack the context, time, or authority to challenge what the agent recommends.

Source: OWASP Top 10 for Agentic Applications 2026 (Dec 2025) · the Top 10 is a compass into the master Threats & Mitigations taxonomy, not a replacement for it.

Design principles at stake

When T23 is present, these security design principles are the ones being violated or tested. Each links to the full principle; the mitigations below are how you restore them.

  • Defence-in-Depth: Selective deletion is harder to detect than wholesale log removal precisely because the surrounding log appears complete: volume, event rate, and format all look normal after benign-action mimicry backfills the gaps. Depth means the log's integrity does not depend on any single control: HMAC-linked entries or a Merkle tree make individual record deletion detectable as a chain break regardless of what replaces the gap, logs are shipped to an immutable off-host destination before the agent process can be targeted, and the agent holds no credentials that allow it to modify its own audit trail. Volume-anomaly alerting provides an additional independent signal, because even a well-executed mimicry operation is unlikely to perfectly replicate the expected event distribution over time.
  • Observability / Non-repudiation: The threat directly targets the observability layer, not to disable it entirely (which would be obvious) but to surgically excise the incriminating records while preserving the appearance of completeness. Non-repudiation requires that the log cannot be edited by any party with access to the system being audited: the agent must write to an append-only store using a separate write-only audit identity, so that the operational credentials the attacker leverages to approve fraudulent claims carry no permission to touch the log backend. Cryptographic chaining transforms every deletion attempt into an auditable integrity failure rather than a silent gap.

Recommended mitigations

Auto-generated from the mitigation catalog: every mitigation whose coverage map includes T23, sorted by maturity tier (Tier 1 production-canonical first, then Tier 2, then Tier 3 research-stage).

  • Tier 2 Egress DLP (Output egress DLP — inspection gate for PII, secrets, and IP at the agent boundary)

    An agent produces output continuously across multiple channels: user-facing responses, tool-call parameter envelopes, log records, and outbound HTTP requests. Any of those channels can carry sensitive content the agent has retrieved, been fed, or been tricked into including. Output egress DLP places an inspection gate at the boundary so that PII, credentials, and proprietary content are classified and either redacted or quarantined before they leave the trust boundary, regardless of how they got into the output.

    Why it helps: Gaps in audit coverage mean sensitive content that an agent emits to a log record may go undetected. DLP inspection at the log-emit edge catches that content before the record is written, and the DLP match event itself becomes an auditable record of what the agent attempted to emit.

  • Tier 2 Split actor (Separation of actor and recorder — different identities for action and audit)

    An agent that writes its own audit log can omit, alter, or suppress any record of its own actions. This is not a theoretical risk: an attacker who controls the acting identity controls the evidence. Actor/recorder separation is the structural fix. The identity that performs an action and the identity that records it are different principals, with non-overlapping permissions, so no single compromise can both execute and erase.

    Why it helps: Selective log manipulation is the deliberate suppression or falsification of an agent's own action records. When the actor identity has no write access to audit storage, that manipulation is structurally blocked: a separate recorder principal holds the sole append-only write path, so the actor cannot remove or alter the entries that incriminate it.

Multi-agent variants: OWASP MAS Guide

The OWASP MAS Threat Modelling Guide v1.0 catalogues 1 named multi-agent variant of T23, anchored to specific MAESTRO layers. Each is a concrete attack pattern that emerges when this threat compounds across agents.

  • CL Auditability Collapse via Log Manipulation + MCP Logging Gap (extends T23, T44, T8)

    An attacker with write access to centralized logs selectively prunes evidence (T23); MCP tool-call logs are never captured because the MCP server has insufficient logging (T44); the combined gap makes repudiation impossible to disprove (T8).

Source: OWASP MAS Threat Modelling Guide v1.0, §2 Overview of MAESTRO Framework — Extended Threat Scenarios + Cross-Layer table.

Red-team pivot: MITRE ATLAS techniques

MITRE ATLAS catalogues adversary techniques against AI systems. Where this OWASP threat has an attacker-perspective counterpart, the ATLAS technique is shown below. That is what a red team would actually be doing on the wire. Use this for detection-signal anchoring, threat-hunting hypotheses, and IR runbooks. Source: mitre-atlas/atlas-data v5.6.0.

AML.T0081 Modify AI Agent Configuration

Adversary alters an agent's configuration (system prompt, tool list, allowed actions, persona) to change its behaviour without retraining.

AML.T0046 Spamming AI System with Chaff Data

Adversary floods the AI system with low-value inputs to crowd out legitimate signals, mask attacker activity, or drive up cost.
