Indicator Removal on Host: Clear Linux or Mac System Logs

Description from ATT&CK

Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)

  • /var/log/messages: General and system-related messages
  • /var/log/secure or /var/log/auth.log: Authentication logs
  • /var/log/utmp or /var/log/wtmp: Login records
  • /var/log/kern.log: Kernel logs
  • /var/log/cron.log: Crond logs
  • /var/log/maillog: Mail server logs
  • /var/log/httpd/: Web server access and error logs

Atomic Tests

Atomic Test #1 - rm -rf

Delete system and audit logs

Supported Platforms: macos,linux

auto_generated_guid: 989cc1b1-3642-4260-a809-54f9dd559683

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo rm -rf /private/var/log/system.log* #/var is a symlink to /private/var on macOS, so this removes /var/log/system.log and its rotated copies
sudo rm -rf /private/var/audit/* #audit trail files written by the BSM audit daemon (auditd)

Atomic Test #2 - Delete log files using built-in log utility

This test deletes the main log datastore, in-flight log data, time-to-live (TTL) data, and fault and error content

Supported Platforms: macos

auto_generated_guid: 653d39cd-bae7-499a-898c-9fb96b8b5cd1

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo log erase --all
sudo log erase --ttl #Deletes only time-to-live log content
sudo log erase --predicate 'subsystem == "com.apple.appstore"' #Deletes all logs related to the App Store, useful for clearing specific entries of the system log

Atomic Test #3 - Truncate system log files via truncate utility

This test truncates the system log file using the truncate utility with the -s 0 (or --size=0) parameter, which sets the file size to zero and thereby empties the file

Supported Platforms: macos

auto_generated_guid: 6290f8a8-8ee9-4661-b9cf-390031bf6973

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo truncate -s 0 /var/log/system.log #size parameter shorthand
sudo truncate --size=0 /var/log/system.log #size parameter

Atomic Test #4 - Delete log files via cat utility by appending /dev/null or /dev/zero

The first sub-test truncates the log file to zero bytes via /dev/null and the second sub-test fills the log file with null bytes (zeroes) via /dev/zero, using the cat utility

Supported Platforms: macos

auto_generated_guid: c23bdb88-928d-493e-b46d-df2906a50941

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes; the redirect is performed by the calling shell, not by sudo, so run this as root
sudo cat /dev/zero > /var/log/system.log #log file filled with null bytes (zeros); cat never reaches EOF on /dev/zero, so this runs until the filesystem is full or it is interrupted

Atomic Test #5 - System log file deletion via find utility

This test finds and deletes the system log files within the /var/log/ directory using find with different -exec actions (rm, shred, unlink)

Supported Platforms: macos

auto_generated_guid: bc8eeb4a-cc3e-45ec-aa6e-41e973da2558

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo find /var/log -name 'system.log.*' -exec rm {} \; #using "rm" execution
sudo find /var/log/ -name "system.log.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
sudo find /var/log/ -name "system.log.*" -exec unlink {} \; #using "unlink" execution

Atomic Test #6 - Overwrite macOS system log via echo utility

This test overwrites the contents of system log file with an empty string using echo utility

Supported Platforms: macos

auto_generated_guid: 0208ea60-98f1-4e8c-8052-930dce8f742c

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo echo '' > /var/log/system.log #the redirect (and thus the truncation) is done by the calling shell, not by sudo, so run this as root

Atomic Test #7 - Real-time system log clearance/deletion

This test reads the system log file in real time and writes an empty string to it, clearing the log file without tampering with the logging process

Supported Platforms: macos

auto_generated_guid: 848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo log -f /var/log/system.log | : > /var/log/system.log #": >" opens the file for writing with O_TRUNC in the calling shell, which is what empties it; run as root

Atomic Test #8 - Delete system log files using unlink utility

This test deletes the system log file using the unlink utility

Supported Platforms: macos

auto_generated_guid: 03013b4b-01db-437d-909b-1fdaa5010ee8

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo unlink /var/log/system.log

Atomic Test #9 - Delete system log files using shred utility

This test overwrites the contents of the log file with three passes of random data (-n 3) and a final pass of zeros (-z), then deletes the file (-u). Note that shred relies on overwriting the file's blocks in place; on journaled, copy-on-write or snapshot-backed filesystems (APFS included) the old contents may survive the overwrite.

Supported Platforms: macos

auto_generated_guid: 86f0e4d5-3ca7-45fb-829d-4eda32b232bb

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo shred -u -z -n 3 /var/log/system.log

Atomic Test #10 - Delete system log files using srm utility

This test securely deletes the system log files, individually and recursively, using the srm utility. Install srm with Homebrew: brew install khell/homebrew-srm/srm (see https://github.com/khell/homebrew-srm/issues/1 for installation notes).

Supported Platforms: macos

auto_generated_guid: b0768a5e-0f32-4e75-ae5b-d036edcf96b6

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo srm /var/log/system.log #system log file deletion
sudo srm -r /var/log/ #recursive deletion: removes everything under /var/log/, not only the system log

Atomic Test #11 - Delete system log files using OSAScript

This test deletes the system log file using osascript via "do shell script" (sh/bash by default), which in turn spawns the rm utility; requires admin privileges

Supported Platforms: macos

auto_generated_guid: 810a465f-cd4f-47bc-b43e-d2de3b033ecc

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

osascript -e 'do shell script "rm /var/log/system.log" with administrator privileges'

Atomic Test #12 - Delete system log files using Applescript

This test deletes the system log file using AppleScript, run through osascript, by asking the Finder application to delete it. Note: as part of the TCC (Transparency, Consent, and Control) framework, the user may be prompted to grant access to the Finder application before the command can execute successfully. Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive

Supported Platforms: macos

auto_generated_guid: e62f8694-cbc7-468f-862c-b10cd07e1757

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

osascript -e 'tell application "Finder" to delete POSIX file "/var/log/system.log"'

Atomic Test #13 - Delete system journal logs via rm and journalctl utilities

The first sub-test deletes the journal files in the "/var/log/journal/" directory using the rm utility, and the second sub-test clears the journal by setting the retention period of archived logs to zero.

Supported Platforms: linux

auto_generated_guid: ca50dd85-81ff-48ca-92e1-61f119cb1dcf

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo rm -r /var/log/journal/* #physically deletes the journal files (they live in a per-machine-id subdirectory, hence -r), not just their content
sudo journalctl --vacuum-time=0 #removes archived journal files older than the given age; the active journal files are left in place, so run "journalctl --rotate" first to archive them

Atomic Test #14 - Overwrite Linux Mail Spool

This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.

Supported Platforms: linux

auto_generated_guid: 1602ff76-ed7f-4c94-b550-2f727b4782d4

Inputs:

Name      Description              Type    Default Value
username  Username of mail spool   string  root

Attack Commands: Run with bash!

echo 0> /var/spool/mail/#{username} #"0>" is a redirect of file descriptor 0, not the text "0": the spool is opened with O_TRUNC and echo prints an empty line to stdout, so the file ends up empty

Atomic Test #15 - Overwrite Linux Log

This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.

Supported Platforms: linux

auto_generated_guid: d304b2dc-90b4-4465-a650-16ddd503f7b5

Inputs:

Name      Description             Type   Default Value
log_path  Path of specified log   path   /var/log/secure

Attack Commands: Run with bash!

echo 0> #{log_path} #as in Test #14, the "0" is a file-descriptor number; the effect is truncation to zero bytes, not a "0" written into the log
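The tests above clear logs in four observable ways: the file disappears (rm, unlink, shred -u, srm, find -exec, osascript), it is deleted and then re-created by the logger under a new inode, it shrinks in place (truncate, ": >", cat /dev/null, echo '' >, and the Rocke "echo 0>" form from Tests #14 and #15), or its existing bytes are overwritten (cat /dev/zero). Because a log only grows between rotations, a baseline of inode, size and a checksum of the leading bytes is enough to flag all four. The script below is an added example written for this page, not part of Atomic Red Team; it assumes a GNU or BSD stat and runs entirely inside a temporary directory on constructed file names and log lines, applying bounded stand-ins for the tests' commands and then reporting what changed.

```shell
#!/bin/sh
# Added example (not Atomic Red Team code): baseline-and-compare detection for
# the log-clearing methods on this page. Every path and log line is constructed.

# "inode size" of a file; GNU stat first, BSD/macOS stat as fallback
ino_size() {
    stat -c '%i %s' "$1" 2>/dev/null || stat -f '%i %z' "$1"
}

# CRC of the first $2 bytes of $1 (an append-only file never changes them)
prefix_sum() {
    if [ "$2" -eq 0 ]; then echo 0; return 0; fi
    head -c "$2" "$1" | cksum | cut -d' ' -f1
}

# Write one "path inode size prefix_len prefix_crc" line per file under $1 into $2
log_baseline_snapshot() {
    dir=$1; out=$2
    find "$dir" -type f | sort | while IFS= read -r f; do
        set -- $(ino_size "$f")            # $1 = inode, $2 = size
        plen=$2
        if [ "$plen" -gt 256 ]; then plen=256; fi
        printf '%s %s %s %s %s\n' "$f" "$1" "$2" "$plen" "$(prefix_sum "$f" "$plen")"
    done > "$out"
}

# Compare the current state with a baseline file; one finding per line:
#   MISSING | RECREATED | SHRUNK | OVERWRITTEN  <path> (<detail>)
# Returns 1 if anything was reported, 0 otherwise.
log_baseline_check() {
    base=$1; rc=0
    while read -r path ino size plen crc; do
        if [ ! -e "$path" ]; then
            printf 'MISSING %s\n' "$path"; rc=1; continue
        fi
        set -- $(ino_size "$path")
        if [ "$1" != "$ino" ]; then
            printf 'RECREATED %s (inode %s -> %s)\n' "$path" "$ino" "$1"; rc=1
        elif [ "$2" -lt "$size" ]; then
            printf 'SHRUNK %s (%s -> %s bytes)\n' "$path" "$size" "$2"; rc=1
        elif [ "$(prefix_sum "$path" "$plen")" != "$crc" ]; then
            printf 'OVERWRITTEN %s (first %s bytes changed)\n' "$path" "$plen"; rc=1
        fi
    done < "$base"
    return $rc
}

# Demo: constructed log directory, snapshot, tamper the way the tests on this
# page do (bounded, inside a temp dir), then print the findings.
demo_log_tamper() {
    tmp=$(mktemp -d); mkdir "$tmp/log"
    printf 'Jan  1 00:00:01 host sshd[100]: Accepted publickey for alice\n' > "$tmp/log/auth.log"
    printf 'Jan  1 00:00:02 host kernel: constructed line\n'    > "$tmp/log/kern.log"
    printf 'Jan  1 00:00:03 host CRON[200]: constructed line\n' > "$tmp/log/cron.log"
    printf 'Jan  1 00:00:04 host app: constructed line\n'       > "$tmp/log/app.log"
    printf 'From root constructed mail spool\n'                > "$tmp/log/mail_root"
    printf 'Jan  1 00:00:05 host app: untouched\n'              > "$tmp/log/untouched.log"
    log_baseline_snapshot "$tmp/log" "$tmp/baseline"

    printf 'Jan  1 00:00:09 host app: normal append\n' >> "$tmp/log/untouched.log"  # legitimate growth, must not be flagged
    : > "$tmp/log/auth.log"                          # Test #7 style: truncate in place, same inode
    rm "$tmp/log/kern.log"; : > "$tmp/log/kern.log"  # delete, then a logger reopens a fresh file (RECREATED; or SHRUNK if the fs reuses the inode number)
    rm "$tmp/log/cron.log"                           # Test #8: unlink, nothing re-creates it
    head -c 64 /dev/zero > "$tmp/log/app.log"        # Test #4, bounded stand-in for cat /dev/zero
    echo 0> "$tmp/log/mail_root" >/dev/null          # Tests #14/#15: "0>" redirects fd 0, so the spool is only truncated

    log_baseline_check "$tmp/baseline" || true
    rm -rf "$tmp"
}
```

A real deployment would take the snapshot from a trusted context (a cron job writing to an append-only or remote location) rather than from the host being checked; the growth-only assumption also means the check must be re-baselined at each log rotation, and it does not see anything the `log erase` or `journalctl --vacuum-*` tests do to structured stores, which need their own integrity checks.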
