Skip to content

T1070.002 Clear Linux or Mac System Logs

Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:1

  • /var/log/messages:: General and system-related messages
  • /var/log/secure or /var/log/auth.log: Authentication logs
  • /var/log/utmp or /var/log/wtmp: Login records
  • /var/log/kern.log: Kernel logs
  • /var/log/cron.log: Crond logs
  • /var/log/maillog: Mail server logs
  • /var/log/httpd/: Web server access and error logs
Item Value
ID T1070.002
Sub-techniques T1070.001, T1070.002, T1070.003, T1070.004, T1070.005, T1070.006, T1070.007, T1070.008, T1070.009
Tactics TA0005
Platforms Linux, macOS
Version 1.0
Created 28 January 2020
Last Modified 29 March 2020

Procedure Examples

ID Name Description
S1016 MacMa MacMa can clear possible malware traces such as application logs.2
S0279 Proton Proton removes logs from /var/logs and /Library/logs.3
G0106 Rocke Rocke has cleared log files within the /var/log/ folder.4
G0139 TeamTNT TeamTNT has removed system logs from /var/log/syslog.5

Mitigations

ID Mitigation Description
M1041 Encrypt Sensitive Information Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
M1029 Remote Data Storage Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.
M1022 Restrict File and Directory Permissions Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Deletion

References