T1070.002 - Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs

Description from ATT&CK

Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs) * /var/log/messages:: General and system-related messages * /var/log/secure or /var/log/auth.log: Authentication logs * /var/log/utmp or /var/log/wtmp: Login records * /var/log/kern.log: Kernel logs * /var/log/cron.log: Crond logs * /var/log/maillog: Mail server logs * /var/log/httpd/: Web server access and error logs

Atomic Tests


Atomic Test #1 - rm -rf

Delete system and audit logs

Supported Platforms: macOS, Linux

auto_generated_guid: 989cc1b1-3642-4260-a809-54f9dd559683

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | syslog_path | path of syslog file to delete. On macos it’s /var/log/system.log, on linux, it’s /var/log/syslog. Also note for File events, that on macos, /var/ is a link to /private/var/. | string | /var/log/system.log| | macos_audit_path | path of audit file to delete | string | /var/audit/20220725213300.202208110700021|

Attack Commands: Run with
1
sh
! Elevation Required (e.g. root or admin)

1
2
sudo rm -rf #{syslog_path}
if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi

Dependencies: Run with
1
sh
!

Description: target files must exist
Check Prereq Commands:
1
if [ -d /var/audit ] ; then stat #{macos_audit_path} ; fi && stat #{syslog_path}
Get Prereq Commands:
1
2
touch #{syslog_path}
if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi



Atomic Test #2 - rm -rf

Delete messages and security logs

Supported Platforms: Linux

auto_generated_guid: bd8ccc45-d632-481e-b7cf-c467627d68f9

Attack Commands: Run with
1
sh
! Elevation Required (e.g. root or admin)

1
2
rm -rf /var/log/messages
rm -rf /var/log/security



Atomic Test #3 - Delete log files using built-in log utility

This test deletes main log datastore, inflight log data, time-to-live data(TTL), fault and error content

Supported Platforms: macOS

auto_generated_guid: 653d39cd-bae7-499a-898c-9fb96b8b5cd1

Attack Commands: Run with
1
sh
! Elevation Required (e.g. root or admin)

1
2
sudo log erase --all
sudo log erase --ttl #Deletes only time-to-live log content



Atomic Test #4 - Truncate system log files via truncate utility

This test truncates the system log files using the truncate utility with (-s 0) parameter which sets file size to zero, thus emptying the file content

Supported Platforms: macOS

auto_generated_guid: 6290f8a8-8ee9-4661-b9cf-390031bf6973

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | system_log_path | path of system log to delete. | string | /var/log/system.log|

Attack Commands: Run with
1
sh
! Elevation Required (e.g. root or admin)

1
sudo truncate -s 0 #{system_log_path} #size parameter shorthand

Dependencies: Run with
1
sh
!

Description: target files must exist
Check Prereq Commands:
1
stat #{system_log_path}
Get Prereq Commands:
1
touch #{system_log_path}



Atomic Test #5 - Truncate system log files via truncate utility (freebsd)

This test truncates the system log files using the truncate utility with (-s 0 or –size=0) parameter which sets file size to zero, thus emptying the file content

Supported Platforms: Linux

auto_generated_guid: 14033063-ee04-4eaf-8f5d-ba07ca7a097c

Attack Commands: Run with
1
sh
! Elevation Required (e.g. root or admin)

1
2
truncate -s 0 /var/log/messages #size parameter shorthand
truncate --size=0 /var/log/security #size parameter



Atomic Test #6 - Delete log files via cat utility by appending /dev/null or /dev/zero

The first sub-test truncates the log file to zero bytes via /dev/null and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero, using cat utility

Supported Platforms: macOS

auto_generated_guid: c23bdb88-928d-493e-b46d-df2906a50941

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | system_log_path | path of system log to delete. | string | /var/log/system.log|

Attack Commands: Run with
1
sh
! Elevation Required (e.g. root or admin)

1
2
sudo cat /dev/null > #{system_log_path} #truncating the file to zero bytes
sudo dd if=/dev/zero bs=1000 count=5 of=#{system_log_path} #log file filled with null bytes(zeros)

Dependencies: Run with
1
sh
!

Description: target files must exist
Check Prereq Commands:
1
stat #{system_log_path}
Get Prereq Commands:
1
touch #{system_log_path}



Atomic Test #7 - Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd)

The first sub-test truncates the log file to zero bytes via /dev/null and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero, using cat utility

Supported Platforms: Linux

auto_generated_guid: 369878c6-fb04-48d6-8fc2-da9d97b3e054

Attack Commands: Run with
1
sh
! Elevation Required (e.g. root or admin)

1
2
cat /dev/null > /var/log/messages #truncating the file to zero bytes
cat /dev/zero > /var/lol/messages #log file filled with null bytes(zeros)



Atomic Test #8 - System log file deletion via find utility

This test finds and deletes the system log files within /var/log/ directory using various executions(rm, shred, unlink)

Supported Platforms: macOS

auto_generated_guid: bc8eeb4a-cc3e-45ec-aa6e-41e973da2558

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | system_log_name1 | name or prefix of system log to delete. | string | system.log| | system_log_name2 | name or prefix of system log to delete. | string | system.log.97.gz| | system_log_name3 | name or prefix of system log to delete. | string | system.log.98.gz|

Attack Commands: Run with
1
sh
! Elevation Required (e.g. root or admin)

1
2
3
sudo find /var/log -name '#{system_log_name1}*' -exec rm {} \; #using "rm" execution
sudo find /var/log -name "#{system_log_name2}*" -exec shred -u -z -n 3 {} \; #using "shred" execution
sudo find /var/log -name "#{system_log_name3}*" -exec unlink {} \; #using "unlink" execution

Dependencies: Run with
1
sh
!

Description: target files must exist
Check Prereq Commands:
1
stat /var/log/#{system_log_name1} /var/log/#{system_log_name2} /var/log/#{system_log_name3}
Get Prereq Commands:
1
touch /var/log/#{system_log_name1} /var/log/#{system_log_name2} /var/log/#{system_log_name3}



Atomic Test #9 - Overwrite macOS system log via echo utility

This test overwrites the contents of system log file with an empty string using echo utility

Supported Platforms: macOS

auto_generated_guid: 0208ea60-98f1-4e8c-8052-930dce8f742c

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | system_log_path | path to system.log | string | /var/log/system.log|

Attack Commands: Run with
1
sh
! Elevation Required (e.g. root or admin)

1
sudo echo '' > #{system_log_path}



Atomic Test #10 - Overwrite FreeBSD system log via echo utility

This test overwrites the contents of system log file with an empty string using echo utility

Supported Platforms: Linux

auto_generated_guid: 11cb8ee1-97fb-4960-8587-69b8388ee9d9

Attack Commands: Run with
1
sh
! Elevation Required (e.g. root or admin)

1
echo '' > /var/log/messages



Atomic Test #11 - Real-time system log clearance/deletion

This test reads real-time system log file and writes empty string to it, thus clearing the log file without tampering with the logging process

Supported Platforms: macOS

auto_generated_guid: 848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c

Attack Commands: Run with
1
sh
! Elevation Required (e.g. root or admin)

1
sudo log -f /var/log/system.log | : > /var/log/system.log



This test deletes the system log file using unlink utility

Supported Platforms: macOS

auto_generated_guid: 03013b4b-01db-437d-909b-1fdaa5010ee8

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | system_log_path | path to system.log | string | /var/log/system.log|

Attack Commands: Run with
1
sh
! Elevation Required (e.g. root or admin)

1
sudo unlink #{system_log_path}

Dependencies: Run with
1
sh
!

Description: target files must exist
Check Prereq Commands:
1
stat #{system_log_path}
Get Prereq Commands:
1
touch #{system_log_path}



This test deletes the messages log file using unlink utility

Supported Platforms: Linux

auto_generated_guid: 45ad4abd-19bd-4c5f-a687-41f3eee8d8c2

Attack Commands: Run with
1
sh
! Elevation Required (e.g. root or admin)

1
unlink /var/log/messages



Atomic Test #14 - Delete system log files using shred utility

This test overwrites the contents of the log file with zero bytes(-z) using three passes(-n 3) of data, and then delete the file(-u) securely

Supported Platforms: macOS

auto_generated_guid: 86f0e4d5-3ca7-45fb-829d-4eda32b232bb

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | system_log_path | path to system.log | string | /var/log/system.log|

Attack Commands: Run with
1
sh
! Elevation Required (e.g. root or admin)

1
sudo shred -u -z -n 3 #{system_log_path}

Dependencies: Run with
1
sh
!

Description: target files must exist
Check Prereq Commands:
1
stat #{system_log_path}
Get Prereq Commands:
1
touch #{system_log_path}



Atomic Test #15 - Delete system log files using srm utility

This test securely deletes the system log files individually and recursively using the srm utility. Install srm using Homebrew with the command: brew install khell/homebrew-srm/srm Refer: https://github.com/khell/homebrew-srm/issues/1 for installation

Supported Platforms: macOS

auto_generated_guid: b0768a5e-0f32-4e75-ae5b-d036edcf96b6

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | system_log_path | path to system.log | string | /var/log/system.log| | system_log_folder | path to log parent folder | string | /var/log/|

Attack Commands: Run with
1
sh
! Elevation Required (e.g. root or admin)

1
2
sudo srm #{system_log_path} #system log file deletion
sudo srm -r #{system_log_folder} #recursive deletion of log files

Dependencies: Run with
1
sh
!

Description: target files must exist
Check Prereq Commands:
1
stat #{system_log_path} #{system_log_folder}
Get Prereq Commands:
1
mkdir -p #{system_log_folder} && touch #{system_log_path} #{system_log_folder}/system.log



Atomic Test #16 - Delete system log files using OSAScript

This test deletes the system log file using osascript via “do shell script”(sh/bash by default) which in-turn spawns rm utility, requires admin privileges

Supported Platforms: macOS

auto_generated_guid: 810a465f-cd4f-47bc-b43e-d2de3b033ecc

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | system_log_path | path to system.log | string | /var/log/system.log|

Attack Commands: Run with
1
sh
! Elevation Required (e.g. root or admin)

1
osascript -e 'do shell script "rm #{system_log_path}" with administrator privileges'

Dependencies: Run with
1
sh
!

Description: target files must exist
Check Prereq Commands:
1
stat #{system_log_path}
Get Prereq Commands:
1
touch #{system_log_path}



Atomic Test #17 - Delete system log files using Applescript

This test deletes the system log file using applescript using osascript via Finder application Note: The user may be prompted to grant access to the Finder application before the command can be executed successfully as part of TCC(Transparency, Consent, and Control) Framework. Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive

Supported Platforms: macOS

auto_generated_guid: e62f8694-cbc7-468f-862c-b10cd07e1757

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | system_log_path | path to system.log | string | /var/log/system.log|

Attack Commands: Run with
1
sh
! Elevation Required (e.g. root or admin)

1
osascript -e 'tell application "Finder" to delete POSIX file "#{system_log_path}"'

Dependencies: Run with
1
sh
!

Description: target files must exist
Check Prereq Commands:
1
stat #{system_log_path}
Get Prereq Commands:
1
touch #{system_log_path}



Atomic Test #18 - Delete system journal logs via rm and journalctl utilities

The first sub-test deletes the journal files using rm utility in the “/var/log/journal/” directory and the second sub-test clears the journal by modifiying time period of logs that should be retained to zero.

Supported Platforms: Linux

auto_generated_guid: ca50dd85-81ff-48ca-92e1-61f119cb1dcf

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | journal_folder | path to journal logs | string | /var/log/journal|

Attack Commands: Run with
1
sh
! Elevation Required (e.g. root or admin)

1
2
sudo rm #{journal_folder}/* #physically deletes the journal files, and not just their content
sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place

Dependencies: Run with
1
sh
!

Description: target files must exist
Check Prereq Commands:
1
stat #{journal_folder}
Get Prereq Commands:
1
mkdir -p #{journal_folder} && touch #{journal_folder}/T1070_002.journal



Atomic Test #19 - Overwrite Linux Mail Spool

This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.

Supported Platforms: Linux

auto_generated_guid: 1602ff76-ed7f-4c94-b550-2f727b4782d4

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | username | Username of mail spool | string | root|

Attack Commands: Run with
1
bash
! Elevation Required (e.g. root or admin)

1
echo 0> /var/spool/mail/#{username}

Dependencies: Run with
1
sh
!

Description: target files must exist
Check Prereq Commands:
1
stat /var/spool/mail/#{username}
Get Prereq Commands:
1
touch /var/spool/mail/#{username}



Atomic Test #20 - Overwrite Linux Log

This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.

Supported Platforms: Linux

auto_generated_guid: d304b2dc-90b4-4465-a650-16ddd503f7b5

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | log_path | Path of specified log | path | /var/log/secure|

Attack Commands: Run with
1
bash
! Elevation Required (e.g. root or admin)

1
echo 0> #{log_path}

Cleanup Commands:

1
if [ "/var/log/secure" != "#{log_path}" ] ; then rm -f #{log_path} ; fi