T1070.002 Clear Linux or Mac System Logs
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:1
/var/log/messages:: General and system-related messages/var/log/secureor/var/log/auth.log: Authentication logs/var/log/utmpor/var/log/wtmp: Login records/var/log/kern.log: Kernel logs/var/log/cron.log: Crond logs/var/log/maillog: Mail server logs/var/log/httpd/: Web server access and error logs
| Item | Value |
|---|---|
| ID | T1070.002 |
| Sub-techniques | T1070.001, T1070.002, T1070.003, T1070.004, T1070.005, T1070.006 |
| Tactics | TA0005 |
| Platforms | Linux, macOS |
| Version | 1.0 |
| Created | 28 January 2020 |
| Last Modified | 29 March 2020 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0279 | Proton | Proton removes logs from /var/logs and /Library/logs.2 |
| G0106 | Rocke | Rocke has cleared log files within the /var/log/ folder.3 |
| G0139 | TeamTNT | TeamTNT has removed system logs from /var/log/syslog.4 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1041 | Encrypt Sensitive Information | Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary. |
| M1029 | Remote Data Storage | Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. |
| M1022 | Restrict File and Directory Permissions | Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Deletion |
References
-
Marcel. (2018, April 19). 12 Critical Linux Log Files You Must be Monitoring. Retrieved March 29, 2020. ↩
-
Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. ↩
-
Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019. ↩
-
Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021. ↩