T1070.002: Clear Linux or Mac System Logs
| View on MITRE ATT&CK | T1070.002 |
|---|---|
| Tactic(s) | Defense Evasion |
Data from MITRE ATT&CK®:
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
/var/log/messages:: General and system-related messages/var/log/secureor/var/log/auth.log: Authentication logs/var/log/utmpor/var/log/wtmp: Login records/var/log/kern.log: Kernel logs/var/log/cron.log: Crond logs/var/log/maillog: Mail server logs/var/log/httpd/: Web server access and error logs
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Mitigations for this technique
MITRE ATT&CK Mitigations
Restrict File and Directory Permissions
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.Encrypt Sensitive Information
Protect sensitive information with strong encryption.Remote Data Storage
Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.How to detect this technique
MITRE ATT&CK Data Components
File Modification (File)
Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)File Deletion (File)
Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules)Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd)
Delete log files via cat utility by appending /dev/null or /dev/zero
rm -rf
Truncate system log files via truncate utility (freebsd)
Delete system log files using OSAScript
Delete system log files via unlink utility
Delete log files using built-in log utility
Delete system log files using shred utility
Delete system log files via unlink utility (freebsd)
Delete system journal logs via rm and journalctl utilities
rm -rf
Overwrite Linux Mail Spool
Delete system log files using Applescript
Overwrite macOS system log via echo utility
Delete system log files using srm utility
System log file deletion via find utility
Truncate system log files via truncate utility
Overwrite Linux Log
Real-time system log clearance/deletion
Overwrite FreeBSD system log via echo utility
Sigma Detections for this Technique
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.