T1070.002
Indicator Removal on Host: Clear Linux or Mac System Logs
Description from ATT&CK
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the <code>/var/log/</code> directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
- <code>/var/log/messages:</code>: General and system-related messages
- <code>/var/log/secure</code> or <code>/var/log/auth.log</code>: Authentication logs
- <code>/var/log/utmp</code> or <code>/var/log/wtmp</code>: Login records
- <code>/var/log/kern.log</code>: Kernel logs
- <code>/var/log/cron.log</code>: Crond logs
- <code>/var/log/maillog</code>: Mail server logs
- <code>/var/log/httpd/</code>: Web server access and error logs
https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/
Atomic Tests
Atomic Test #1 - rm -rf
Delete system and audit logs
Supported Platforms: macos,linux
auto_generated_guid: 989cc1b1-3642-4260-a809-54f9dd559683
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
3
sudo rm -rf /private/var/log/system.log*
sudo rm -rf /private/var/audit/*
Atomic Test #2 - Overwrite Linux Mail Spool
This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
Supported Platforms: linux
auto_generated_guid: 1602ff76-ed7f-4c94-b550-2f727b4782d4
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
username | Username of mail spool | String | root |
Attack Commands: Run with bash!
1
2
echo 0> /var/spool/mail/#{username}
Atomic Test #3 - Overwrite Linux Log
This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
Supported Platforms: linux
auto_generated_guid: d304b2dc-90b4-4465-a650-16ddd503f7b5
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
log_path | Path of specified log | Path | /var/log/secure |
Attack Commands: Run with bash!
1
2
echo 0> #{log_path}