T1070.002
Indicator Removal on Host: Clear Linux or Mac System Logs
Description from ATT&CK
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
- /var/log/messages:: General and system-related messages
- /var/log/secure or /var/log/auth.log: Authentication logs
- /var/log/utmp or /var/log/wtmp: Login records
- /var/log/kern.log: Kernel logs
- /var/log/cron.log: Crond logs
- /var/log/maillog: Mail server logs
- /var/log/httpd/: Web server access and error logs
Atomic Tests
Atomic Test #1 - rm -rf
Delete system and audit logs
Supported Platforms: macos,linux
auto_generated_guid: 989cc1b1-3642-4260-a809-54f9dd559683
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
3
sudo rm -rf /private/var/log/system.log*
sudo rm -rf /private/var/audit/*
Atomic Test #2 - Delete log files using built-in log utility
This test deletes main log datastore, inflight log data, time-to-live data(TTL), fault and error content
Supported Platforms: macos
auto_generated_guid: 653d39cd-bae7-499a-898c-9fb96b8b5cd1
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
3
4
sudo log erase --all
sudo log erase --ttl #Deletes only time-to-live log content
sudo log erase --predicate 'subsystem == "com.apple.appstore"' #Deletes all logs related to the App Store, useful for clearing specific entries of the system log
Atomic Test #3 - Truncate system log files via truncate utility
This test truncates the system log files using the truncate utility with (-s 0 or –size=0) parameter which sets file size to zero, thus emptying the file content
Supported Platforms: macos
auto_generated_guid: 6290f8a8-8ee9-4661-b9cf-390031bf6973
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
3
sudo truncate -s 0 /var/log/system.log #size parameter shorthand
sudo truncate --size=0 /var/log/system.log #size parameter
Atomic Test #4 - Delete log files via cat utility by appending /dev/null or /dev/zero
The first sub-test truncates the log file to zero bytes via /dev/null and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero, using cat utility
Supported Platforms: macos
auto_generated_guid: c23bdb88-928d-493e-b46d-df2906a50941
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
3
sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes
sudo cat /dev/zero > /var/lol/system.log #log file filled with null bytes(zeros)
Atomic Test #5 - System log file deletion via find utility
This test finds and deletes the system log files within /var/log/ directory using various executions(rm, shred, unlink)
Supported Platforms: macos
auto_generated_guid: bc8eeb4a-cc3e-45ec-aa6e-41e973da2558
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
3
4
sudo find /var/log -name 'system.log.*' -exec rm {} \; #using "rm" execution
sudo find /var/log/ -name "system.log.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
sudo find /var/log/ -name "system.log.*" -exec unlink {} \; #using "unlink" execution
Atomic Test #6 - Overwrite macOS system log via echo utility
This test overwrites the contents of system log file with an empty string using echo utility
Supported Platforms: macos
auto_generated_guid: 0208ea60-98f1-4e8c-8052-930dce8f742c
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
sudo echo '' > /var/log/system.log
Atomic Test #7 - Real-time system log clearance/deletion
This test reads real-time system log file and writes empty string to it, thus clearing the log file without tampering with the logging process
Supported Platforms: macos
auto_generated_guid: 848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
sudo log -f /var/log/system.log | : > /var/log/system.log
Atomic Test #8 - Delete system log files via unlink utility
This test deletes the system log file using unlink utility
Supported Platforms: macos
auto_generated_guid: 03013b4b-01db-437d-909b-1fdaa5010ee8
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
sudo unlink /var/log/system.log
Atomic Test #9 - Delete system log files using shred utility
This test overwrites the contents of the log file with zero bytes(-z) using three passes(-n 3) of data, and then delete the file(-u) securely
Supported Platforms: macos
auto_generated_guid: 86f0e4d5-3ca7-45fb-829d-4eda32b232bb
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
sudo shred -u -z -n 3 /var/log/system.log
Atomic Test #10 - Delete system log files using srm utility
This test securely deletes the system log files individually and recursively using the srm utility. Install srm using Homebrew with the command: brew install khell/homebrew-srm/srm Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
Supported Platforms: macos
auto_generated_guid: b0768a5e-0f32-4e75-ae5b-d036edcf96b6
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
3
sudo srm /var/log/system.log #system log file deletion
sudo srm -r /var/log/ #recursive deletion of log files
Atomic Test #11 - Delete system log files using OSAScript
This test deletes the system log file using osascript via "do shell script"(sh/bash by default) which in-turn spawns rm utility, requires admin privileges
Supported Platforms: macos
auto_generated_guid: 810a465f-cd4f-47bc-b43e-d2de3b033ecc
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
osascript -e 'do shell script "rm /var/log/system.log" with administrator privileges'
Atomic Test #12 - Delete system log files using Applescript
This test deletes the system log file using applescript using osascript via Finder application Note: The user may be prompted to grant access to the Finder application before the command can be executed successfully as part of TCC(Transparency, Consent, and Control) Framework. Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
Supported Platforms: macos
auto_generated_guid: e62f8694-cbc7-468f-862c-b10cd07e1757
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
osascript -e 'tell application "Finder" to delete POSIX file "/var/log/system.log"'
Atomic Test #13 - Delete system journal logs via rm and journalctl utilities
The first sub-test deletes the journal files using rm utility in the "/var/log/journal/" directory and the second sub-test clears the journal by modifiying time period of logs that should be retained to zero.
Supported Platforms: linux
auto_generated_guid: ca50dd85-81ff-48ca-92e1-61f119cb1dcf
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
3
sudo rm /var/log/journal/* #physically deletes the journal files, and not just their content
sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
Atomic Test #14 - Overwrite Linux Mail Spool
This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
Supported Platforms: linux
auto_generated_guid: 1602ff76-ed7f-4c94-b550-2f727b4782d4
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
username | Username of mail spool | string | root |
Attack Commands: Run with bash!
1
2
echo 0> /var/spool/mail/#{username}
Atomic Test #15 - Overwrite Linux Log
This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
Supported Platforms: linux
auto_generated_guid: d304b2dc-90b4-4465-a650-16ddd503f7b5
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
log_path | Path of specified log | path | /var/log/secure |
Attack Commands: Run with bash!
1
2
echo 0> #{log_path}