Indicator Removal on Host: Clear Linux or Mac System Logs

Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:[1]

  • /var/log/messages:: General and system-related messages
  • /var/log/secure or /var/log/auth.log: Authentication logs
  • /var/log/utmp or /var/log/wtmp: Login records
  • /var/log/kern.log: Kernel logs
  • /var/log/cron.log: Crond logs
  • /var/log/maillog: Mail server logs
  • /var/log/httpd/: Web server access and error logs
ID: T1070.002
Sub-technique of:  T1070
Tactic: Defense Evasion
Platforms: Linux, macOS
Data Sources: File monitoring, Process command-line parameters, Process monitoring
Version: 1.0
Created: 28 January 2020
Last Modified: 29 March 2020

Procedure Examples

Name Description
Proton

Proton removes logs from /var/logs and /Library/logs.[2]

Rocke

Rocke has cleared log files within the /var/log/ folder.[3]

Mitigations

Mitigation Description
Encrypt Sensitive Information

Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.

Remote Data Storage

Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.

Restrict File and Directory Permissions

Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.

Detection

File system monitoring may be used to detect improper deletion or modification of indicator files. Also monitor for suspicious processes interacting with log files.

References