1. Home
  2. Techniques
  3. Enterprise
  4. Indicator Removal
  5. Clear Linux or Mac System Logs

Indicator Removal: Clear Linux or Mac System Logs

ID Name
T1070.001 Clear Windows Event Logs
T1070.002 Clear Linux or Mac System Logs
T1070.003 Clear Command History
T1070.004 File Deletion
T1070.005 Network Share Connection Removal
T1070.006 Timestomp
T1070.007 Clear Network Connection History and Configurations
T1070.008 Clear Mailbox Data
T1070.009 Clear Persistence
T1070.010 Relocate Malware

Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:[1]

  • /var/log/messages:: General and system-related messages
  • /var/log/secure or /var/log/auth.log: Authentication logs
  • /var/log/utmp or /var/log/wtmp: Login records
  • /var/log/kern.log: Kernel logs
  • /var/log/cron.log: Crond logs
  • /var/log/maillog: Mail server logs
  • /var/log/httpd/: Web server access and error logs
ID: T1070.002
Sub-technique of:  T1070
Tactic: Defense Evasion
Platforms: Linux, macOS
Version: 1.0
Created: 28 January 2020
Last Modified: 29 March 2020
Version Permalink

Procedure Examples

ID Name Description
S1016 MacMa

MacMa can clear possible malware traces such as application logs.[2]
S0279 Proton

Proton removes logs from /var/logs and /Library/logs.[3]
G0106 Rocke

Rocke has cleared log files within the /var/log/ folder.[4]
G0139 TeamTNT

TeamTNT has removed system logs from /var/log/syslog.[5]

Mitigations

ID Mitigation Description
M1041 Encrypt Sensitive Information

Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
M1029 Remote Data Storage

Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.
M1022 Restrict File and Directory Permissions

Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments for actions that could be taken to remove or overwrite system logs.
DS0022 File File Deletion

Monitor for unexpected deletion of a system log file, typically stored in /var/logs or /Library/Logs.

File Modification

Monitor for changes made to system log files, typically stored in /var/log or /Library/Logs, for unexpected modifications to access permissions and attributes

References

  1. Marcel. (2018, April 19). 12 Critical Linux Log Files You Must be Monitoring. Retrieved March 29, 2020.
  2. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
  3. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  1. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  2. Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021.