
DET0520 Behavioral Detection of Log File Clearing on Linux and macOS

ID: DET0520
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1070.002 (Clear Linux or Mac System Logs)

Analytics

Linux

AN1438

Detects log-clearing behavior by correlating suspicious command execution that names files under /var/log/ (rm, unlink, truncate, shred and similar) with anomalous deletions or truncations of those same files, and with unusual process lineage or shell constructs that empty a file without a dedicated utility. Output redirection such as `> /var/log/auth.log` is the important case: the shell itself opens the target with O_TRUNC, so the path appears only in the shell's execve arguments and no separate child process ever touches the file.

Log Sources
Data Component | Name | Channel
Process Creation (DC0032) | auditd:SYSCALL | execve
File Deletion (DC0040) | auditd:SYSCALL | PATH

Mutable Elements
Field | Description
TimeWindow | The time window used to correlate log file interaction with suspicious command execution.
LogFilePathPattern | Regex pattern used to match monitored log file paths (e.g., /var/log/auth.log).
UserContext | User or group (e.g., root) whose log-clearing activity should raise detection severity.

macOS

AN1439

Detects adversaries clearing log files on macOS by correlating shell activity that removes or empties files under /var/log/ (rm or unlink, a truncate utility where one is installed, or output redirection such as `> /var/log/system.log`, which the shell performs itself rather than through a separate utility) with the resulting unlink or truncate file operations, in unusual context such as non-administrative users or abnormal process lineage.

Log Sources
Data Component | Name | Channel
Process Creation (DC0032) | macos:unifiedlog | process
File Modification (DC0061) | fs:fsusage | truncate, unlink, write

Mutable Elements
Field | Description
TimeWindow | Duration within which process activity and file I/O are treated as temporally linked.
LogFilePathPattern | Tunable path filter for macOS logs such as /var/log/system.log or /var/log/asl.log.
UserContext | Raises severity when log deletion is performed by an unexpected account (e.g., an interactive user rather than a system account).
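The correlation that both AN1438 and AN1439 describe, written out as an added worked example; this is not code from DET0520 or ATT&CK. The Event shape, its field names, the sample records and the allowlist of log-maintenance binaries (logrotate, newsyslog) are constructed for this example; real auditd SYSCALL/EXECVE/PATH records, unified log process events or fs_usage output would first be parsed into that shape. Process and file events are joined on PID within TimeWindow, the file path is matched against LogFilePathPattern, severity is raised for accounts in UserContext (a tunable set; the two analytics weight root and non-administrative users in opposite directions, so the set is a parameter rather than a fixed rule), and the redirection check covers the case where `echo > file` empties a log with no rm or truncate process appearing.

```python
"""Correlate log-file clearing: process events that name /var/log paths,
joined with unlink/truncate file events on the same PID within a time window.

Added example. Event shape, field names, allowlist and sample records are
constructed for illustration; they are not ATT&CK's or any vendor's schema.
"""
import os
import re
import shlex
from dataclasses import dataclass

LOG_PATH_PATTERN = re.compile(r"^/var/log/")   # LogFilePathPattern (tunable)
TIME_WINDOW_S = 5.0                             # TimeWindow (tunable)
HIGH_RISK_USERS = {"root"}                      # UserContext (tunable set)
# Assumed allowlist: routine log maintenance truncates logs legitimately.
MAINTENANCE_EXE = {"/usr/sbin/logrotate", "/usr/sbin/newsyslog"}
# Utilities whose arguments name the files they remove or empty.
CLEAR_UTILS = {"rm", "unlink", "truncate", "shred"}
# A single '>' redirection (not '>>' append): the shell itself opens the
# target with O_TRUNC, so no rm/truncate process ever appears.
REDIRECT_RE = re.compile(r"(?<!>)>(?!>)\s*['\"]?([^\s'\"]+)")


@dataclass
class Event:
    ts: float          # seconds since epoch
    kind: str          # "process" (execve / process creation) or "file"
    user: str
    pid: int
    exe: str = ""      # process events: executable path
    cmdline: str = ""  # process events: full command line
    path: str = ""     # file events: file operated on
    op: str = ""       # file events: "unlink", "truncate", "write", ...


def targeted_log_paths(cmdline):
    """Log-file paths a command line removes or empties, via argv or '>' redirection."""
    targets = set()
    for m in REDIRECT_RE.finditer(cmdline):
        if LOG_PATH_PATTERN.match(m.group(1)):
            targets.add(m.group(1))
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        argv = cmdline.split()
    if argv and os.path.basename(argv[0]) in CLEAR_UTILS:
        targets.update(a for a in argv[1:] if LOG_PATH_PATTERN.match(a))
    return targets


def correlate(events, window_s=TIME_WINDOW_S, high_risk_users=HIGH_RISK_USERS):
    """One alert per unlink/truncate of a log file that follows, within window_s
    seconds and on the same PID, a command that named that file."""
    procs = [e for e in events if e.kind == "process"]
    alerts = []
    for f in events:
        if f.kind != "file" or f.op not in ("unlink", "truncate"):
            continue
        if not LOG_PATH_PATTERN.match(f.path):
            continue
        for p in procs:
            if p.pid != f.pid or not 0 <= f.ts - p.ts <= window_s:
                continue
            if p.exe in MAINTENANCE_EXE or f.path not in targeted_log_paths(p.cmdline):
                continue
            alerts.append({
                "ts": f.ts, "user": p.user, "pid": p.pid, "exe": p.exe,
                "cmdline": p.cmdline, "path": f.path, "op": f.op,
                "severity": "high" if p.user in high_risk_users else "medium",
            })
    return sorted(alerts, key=lambda a: a["ts"])


def run_example():
    """Constructed sample telemetry (not real logs): one Linux and one macOS case."""
    linux = [
        Event(1000.0, "process", "root", 4242, exe="/usr/bin/rm", cmdline="rm -f /var/log/auth.log"),
        Event(1000.2, "file", "root", 4242, path="/var/log/auth.log", op="unlink"),
        # Benign: logrotate truncating a log is suppressed by the allowlist.
        Event(1010.0, "process", "root", 5100, exe="/usr/sbin/logrotate", cmdline="logrotate /etc/logrotate.conf"),
        Event(1010.5, "file", "root", 5100, path="/var/log/syslog", op="truncate"),
    ]
    macos = [
        Event(2000.0, "process", "alice", 777, exe="/bin/sh", cmdline="sh -c 'echo > /var/log/system.log'"),
        Event(2000.1, "file", "alice", 777, path="/var/log/system.log", op="truncate"),
        Event(2001.0, "file", "alice", 777, path="/var/log/system.log", op="write"),  # ordinary write, ignored
    ]
    return correlate(linux) + correlate(macos)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Joining on PID is deliberate: for `sh -c 'echo > file'` the truncating open is performed by the shell process whose execve carried the path, and for `rm` the unlink comes from the rm process itself, so a PID join stays tight without needing parent-child reconstruction. A maintenance allowlist keyed on executable path only holds if the platform's binaries cannot be overwritten by the user in question, so pair it with integrity monitoring or a hash check before trusting it to suppress.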