Try it using Invoke-Atomic

Indicator Removal on Host: Clear Linux or Mac System Logs

Description from ATT&CK

Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the <code>/var/log/</code> directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)

  • <code>/var/log/messages:</code>: General and system-related messages
  • <code>/var/log/secure</code> or <code>/var/log/auth.log</code>: Authentication logs
  • <code>/var/log/utmp</code> or <code>/var/log/wtmp</code>: Login records
  • <code>/var/log/kern.log</code>: Kernel logs
  • <code>/var/log/cron.log</code>: Crond logs
  • <code>/var/log/maillog</code>: Mail server logs
  • <code>/var/log/httpd/</code>: Web server access and error logs

https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/

Atomic Tests

Atomic Test #1 - rm -rf

Delete system and audit logs

Supported Platforms: macos,linux

auto_generated_guid: 989cc1b1-3642-4260-a809-54f9dd559683

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
3

sudo rm -rf /private/var/log/system.log*
sudo rm -rf /private/var/audit/*

Atomic Test #2 - Overwrite Linux Mail Spool

This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.

Supported Platforms: linux

auto_generated_guid: 1602ff76-ed7f-4c94-b550-2f727b4782d4

Inputs:

Name Description Type Default Value
username Username of mail spool String root

Attack Commands: Run with bash!

1
2

echo 0> /var/spool/mail/#{username}

Atomic Test #3 - Overwrite Linux Log

This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.

Supported Platforms: linux

auto_generated_guid: d304b2dc-90b4-4465-a650-16ddd503f7b5

Inputs:

Name Description Type Default Value
log_path Path of specified log Path /var/log/secure

Attack Commands: Run with bash!

1
2

echo 0> #{log_path}

source