Try it using Invoke-Atomic

Indicator Removal on Host: Clear Linux or Mac System Logs

Description from ATT&CK

Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)

  • /var/log/messages:: General and system-related messages
  • /var/log/secure or /var/log/auth.log: Authentication logs
  • /var/log/utmp or /var/log/wtmp: Login records
  • /var/log/kern.log: Kernel logs
  • /var/log/cron.log: Crond logs
  • /var/log/maillog: Mail server logs
  • /var/log/httpd/: Web server access and error logs

Atomic Tests

Atomic Test #1 - rm -rf

Delete system and audit logs

Supported Platforms: macos,linux

auto_generated_guid: 989cc1b1-3642-4260-a809-54f9dd559683

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
3
sudo rm -rf /private/var/log/system.log*
sudo rm -rf /private/var/audit/*

Atomic Test #2 - Overwrite Linux Mail Spool

This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.

Supported Platforms: linux

auto_generated_guid: 1602ff76-ed7f-4c94-b550-2f727b4782d4

Inputs:

Name Description Type Default Value
username Username of mail spool String root

Attack Commands: Run with bash!

1
2
echo 0> /var/spool/mail/#{username}

Atomic Test #3 - Overwrite Linux Log

This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.

Supported Platforms: linux

auto_generated_guid: d304b2dc-90b4-4465-a650-16ddd503f7b5

Inputs:

Name Description Type Default Value
log_path Path of specified log Path /var/log/secure

Attack Commands: Run with bash!

1
2
echo 0> #{log_path}

source