ATT&CK Technique

Clear Linux or Mac System Logs

T1685.006 · defense-impairment

Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:
  • /var/log/messages: General and system-related messages
  • /var/log/secure or /var/log/auth.log: Authentication logs
  • /var/log/utmp or /var/log/wtmp: Login records
  • /var/log/kern.log: Kernel logs
  • /var/log/cron.log: Crond logs
  • /var/log/maillog: Mail server logs
  • /var/log/httpd/: Web server access and error logs

Platforms: Linux, macOS

Atomic Tests (20)

Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
Delete system and audit logs
  Executor: sh · Elevation required · Platforms: macOS, Linux · Tag: rm -rf
    sudo rm -rf #{syslog_path}
    if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi

Delete messages and security logs
  Executor: sh · Elevation required · Platforms: Linux · Tag: rm -rf
    rm -rf /var/log/messages
    rm -rf /var/log/security

Delete log files using built-in log utility
  Executor: sh · Elevation required · Platforms: macOS
  This test deletes the main log datastore, in-flight log data, time-to-live (TTL) data, and fault and error content.
    sudo log erase --all
    sudo log erase --ttl #Deletes only time-to-live log content

Truncate system log files via truncate utility
  Executor: sh · Elevation required · Platforms: macOS
  This test truncates the system log files using the truncate utility with the -s 0 parameter, which sets the file size to zero and thereby empties the file content.
    sudo truncate -s 0 #{system_log_path} #size parameter shorthand

Truncate system log files via truncate utility (freebsd)
  Executor: sh · Elevation required · Platforms: Linux
  This test truncates the system log files using the truncate utility with the -s 0 or --size=0 parameter, which sets the file size to zero and thereby empties the file content.
    truncate -s 0 /var/log/messages #size parameter shorthand
    truncate --size=0 /var/log/security #size parameter

Delete log files via cat utility by appending /dev/null or /dev/zero
  Executor: sh · Elevation required · Platforms: macOS
  The first sub-test truncates the log file to zero bytes via /dev/null using the cat utility, and the second sub-test fills the log file with null bytes (zeroes) via /dev/zero using the dd utility.
    sudo cat /dev/null > #{system_log_path} #truncating the file to zero bytes
    sudo dd if=/dev/zero bs=1000 count=5 of=#{system_log_path} #log file filled with null bytes(zeros)

Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd)
  Executor: sh · Elevation required · Platforms: Linux
  The first sub-test truncates the log file to zero bytes via /dev/null, and the second sub-test fills the log file with null bytes (zeroes) via /dev/zero, both using the cat utility.
    cat /dev/null > /var/log/messages #truncating the file to zero bytes
    cat /dev/zero > /var/log/messages #log file filled with null bytes(zeros)

System log file deletion via find utility
  Executor: sh · Elevation required · Platforms: macOS
  This test finds and deletes the system log files within the /var/log/ directory using various -exec actions (rm, shred, unlink).
    sudo find /var/log -name '#{system_log_name1}*' -exec rm {} \; #using "rm" execution
    sudo find /var/log -name "#{system_log_name2}*" -exec shred -u -z -n 3 {} \; #using "shred" execution
    sudo find /var/log -name "#{system_log_name3}*" -exec unlink {} \; #using "unlink" execution

Overwrite macOS system log via echo utility
  Executor: sh · Elevation required · Platforms: macOS
  This test overwrites the contents of the system log file with an empty string using the echo utility.
    sudo echo '' > #{system_log_path}

Overwrite FreeBSD system log via echo utility
  Executor: sh · Elevation required · Platforms: Linux
  This test overwrites the contents of the system log file with an empty string using the echo utility.
    echo '' > /var/log/messages

Real-time system log clearance/deletion
  Executor: sh · Elevation required · Platforms: macOS
  This test reads the real-time system log file and writes an empty string to it, thus clearing the log file without tampering with the logging process.
    sudo log -f /var/log/system.log | : > /var/log/system.log

Delete system log files via unlink utility
  Executor: sh · Elevation required · Platforms: macOS
  This test deletes the system log file using the unlink utility.
    sudo unlink #{system_log_path}

Delete system log files via unlink utility (freebsd)
  Executor: sh · Elevation required · Platforms: Linux
  This test deletes the messages log file using the unlink utility.
    unlink /var/log/messages

Delete system log files using shred utility
  Executor: sh · Elevation required · Platforms: macOS
  This test overwrites the contents of the log file with zero bytes (-z) using three passes (-n 3) of data, and then deletes the file (-u).
    sudo shred -u -z -n 3 #{system_log_path}

Delete system log files using srm utility
  Executor: sh · Elevation required · Platforms: macOS
  This test securely deletes the system log files individually and recursively using the srm utility. Install srm using Homebrew with the command: brew install khell/homebrew-srm/srm (see https://github.com/khell/homebrew-srm/issues/1 for installation notes).
    sudo srm #{system_log_path} #system log file deletion
    sudo srm -r #{system_log_folder} #recursive deletion of log files

Delete system log files using OSAScript
  Executor: sh · Elevation required · Platforms: macOS
  This test deletes the system log file using osascript via "do shell script" (sh/bash by default), which in turn spawns the rm utility; requires admin privileges.
    osascript -e 'do shell script "rm #{system_log_path}" with administrator privileges'

Delete system log files using Applescript
  Executor: sh · Elevation required · Platforms: macOS
  This test deletes the system log file using AppleScript, run through osascript, via the Finder application. Note: the user may be prompted to grant access to the Finder application before the command can be executed successfully, as part of the TCC (Transparency, Consent, and Control) framework. Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
    osascript -e 'tell application "Finder" to delete POSIX file "#{system_log_path}"'

Delete system journal logs via rm and journalctl utilities
  Executor: sh · Elevation required · Platforms: Linux
  The first sub-test deletes the journal files in the "/var/log/journal/" directory using the rm utility, and the second sub-test clears the journal by setting the retention period for logs to zero.
    sudo rm #{journal_folder}/* #physically deletes the journal files, and not just their content
    sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place

Overwrite Linux Mail Spool
  Executor: bash · Elevation required · Platforms: Linux
  This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
    echo 0> /var/spool/mail/#{username}

Overwrite Linux Log
  Executor: bash · Elevation required · Platforms: Linux
  This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
    echo 0> #{log_path}
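The tests above are only useful if something fires when they run. The following is an added example (not part of this page, and not Atomic Red Team's or MITRE's code) of the process-execution side of that detection: it classifies command lines against the tool-and-path patterns the tests use (rm/unlink/shred/srm/truncate against a log path, find -exec with one of those tools, journalctl --vacuum-*, macOS log erase, dd from /dev/zero into a log). The event records and the LOG_PATHS list are constructed for the example; the field names are an assumption and will differ per telemetry source.

```python
import os
import shlex

# Log locations taken from the list on this page, plus the mail spool used by
# the "Overwrite Linux Mail Spool" test; extend per host (assumption).
LOG_PATHS = ("/var/log/", "/var/audit/", "/var/spool/mail/", "/var/mail/")
DESTRUCTIVE_TOOLS = {"rm", "unlink", "shred", "srm", "truncate"}

# Constructed sample process-execution events (shape loosely modelled on
# auditd EXECVE / EDR process_creation records); not real captured telemetry.
SAMPLE_EVENTS = [
    {"pid": 4101, "user": "root",  "cmdline": "rm -rf /var/log/messages"},
    {"pid": 4102, "user": "root",  "cmdline": "sudo truncate -s 0 /var/log/auth.log"},
    {"pid": 4103, "user": "root",  "cmdline": "shred -u -z -n 3 /var/log/secure"},
    {"pid": 4104, "user": "root",  "cmdline": "journalctl --vacuum-time=0"},
    {"pid": 4105, "user": "root",  "cmdline": "log erase --all"},
    {"pid": 4106, "user": "root",  "cmdline": "find /var/log -name 'system.log*' -exec unlink {} \\;"},
    {"pid": 4107, "user": "root",  "cmdline": "dd if=/dev/zero bs=1000 count=5 of=/var/log/system.log"},
    {"pid": 4108, "user": "root",  "cmdline": "cat /dev/null"},               # the "> /var/log/x" was done by the shell
    {"pid": 4109, "user": "root",  "cmdline": "logrotate /etc/logrotate.conf"},   # benign rotation
    {"pid": 4110, "user": "alice", "cmdline": "rm -rf /home/alice/tmp"},         # benign, not a log path
]


def _argv(cmdline):
    """Tokenise a command line and drop a leading sudo/doas wrapper."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes: fall back to a plain split
        argv = cmdline.split()
    while argv and argv[0] in ("sudo", "doas"):
        argv = argv[1:]
    return argv


def _touches_log(arg):
    """True if arg is a monitored log location or lies beneath one."""
    return any(arg == p.rstrip("/") or arg.startswith(p) for p in LOG_PATHS)


def classify(cmdline):
    """Return the name of the matching rule, or None if the command looks benign."""
    argv = _argv(cmdline)
    if not argv:
        return None
    tool, args = os.path.basename(argv[0]), argv[1:]
    if tool in DESTRUCTIVE_TOOLS and any(_touches_log(a) for a in args):
        return "log_file_destruction"
    if tool == "find" and any(_touches_log(a) for a in args) and "-exec" in args:
        i = args.index("-exec")
        if i + 1 < len(args) and os.path.basename(args[i + 1]) in DESTRUCTIVE_TOOLS:
            return "find_exec_log_destruction"
    if tool == "journalctl" and any(a.startswith("--vacuum-") for a in args):
        return "journal_vacuum"
    if tool == "log" and args[:1] == ["erase"]:
        return "macos_log_erase"
    if tool == "dd" and any(a.startswith("of=") and _touches_log(a[3:]) for a in args):
        return "log_zero_fill"
    return None


def detect(events):
    """Run classify() over event records; return one alert per matching event."""
    alerts = []
    for ev in events:
        rule = classify(ev["cmdline"])
        if rule:
            alerts.append({"pid": ev["pid"], "user": ev["user"], "rule": rule, "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'pid={a["pid"]} user={a["user"]} rule={a["rule"]}: {a["cmdline"]}')
```

Note the deliberate miss on pid 4108: the echo, cat and `:` variants of the tests truncate the file through a shell redirection, so the executed process (`cat /dev/null`) carries no log path in its argv and command-line matching cannot see it. Those variants need file-level telemetry, for example an auditd watch on /var/log with write/attribute permissions, which is also what the file-integrity guidance under M1022 relies on.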

Mitigations

3
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1022 Restrict File and Directory Permissions

Restricting file and directory permissions involves setting access controls at the file system level to limit which users, groups, or processes can read, write, or execute files. By configuring permissions appropriately, organizations can reduce the attack surface for adversaries seeking to access sensitive data, plant malicious code, or tamper with system files.

Enforce Least Privilege Permissions
  • Remove unnecessary write permissions on sensitive files and directories.
  • Use file ownership and groups to control access for specific roles. Example (Windows): right-click the shared folder, open Properties, select the Security tab, and adjust the NTFS ACL permissions.
Harden File Shares
  • Disable anonymous access to shared folders.
  • Enforce NTFS permissions for shared folders on Windows.
  • Example: set permissions to restrict write access to critical files, such as system executables (e.g., /bin or /sbin on Linux). Use tools like chown and chmod to assign file ownership and limit access. On Linux, apply: `chmod 750 /etc/sensitive.conf` and `chown root:admin /etc/sensitive.conf`.
File Integrity Monitoring (FIM)
  • Use tools like Tripwire, Wazuh, or OSSEC to monitor changes to critical file permissions.
Audit File System Access
  • Enable auditing to track permission changes or unauthorized access attempts.
  • Use auditd (Linux) or Event Viewer (Windows) to log activities.
Restrict Startup Directories
  • Configure permissions to prevent unauthorized writes to directories like C:\ProgramData\Microsoft\Windows\Start Menu. Example: restrict write access to critical directories like /etc/, /usr/local/, and Windows directories such as C:\Windows\System32.
  • On Windows, use icacls to modify permissions: `icacls "C:\Windows\System32" /inheritance:r /grant:r SYSTEM:(OI)(CI)F`.
  • On Linux, monitor permissions using tools like lsattr or auditd.
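The file-integrity and permission points above come together in a simple host check. The following is an added example (not part of this page, and not code from MITRE or any FIM product) that audits a /var/log-style directory for the states the tests earlier on this page leave behind (a deleted log, a file truncated to zero bytes, a file overwritten with NUL bytes) and for the world-writable permission that M1022 tells you to remove. The EXPECTED_LOGS list is an assumption drawn from the log list at the top of the page; the directory it runs on is constructed in a temporary folder so the example is self-contained.

```python
import os
import stat
import tempfile
from pathlib import Path

# Files this example expects to exist, taken from the log list on this page;
# the real set is distro-specific, so treat it as an illustrative assumption.
EXPECTED_LOGS = ("messages", "auth.log", "secure", "wtmp", "kern.log")


def _is_zero_filled(path, sample=4096):
    """True if the first `sample` bytes are all NUL (dd/cat from /dev/zero)."""
    with open(path, "rb") as fh:
        chunk = fh.read(sample)
    return len(chunk) > 0 and chunk.count(0) == len(chunk)


def audit_log_dir(log_dir, expected=EXPECTED_LOGS):
    """Return sorted (finding, filename) pairs for a /var/log-style directory.

    Findings: "missing" (expected file deleted), "empty" (truncated to zero
    bytes), "zero_filled" (content replaced by NUL bytes) and
    "world_writable" (any local user could clear or append to the file).
    """
    log_dir = Path(log_dir)
    findings = []
    present = {p.name for p in log_dir.iterdir() if p.is_file()}
    findings.extend(("missing", name) for name in expected if name not in present)
    for p in sorted(log_dir.iterdir()):
        if not p.is_file():
            continue
        st = p.stat()
        if st.st_size == 0:
            findings.append(("empty", p.name))
        elif _is_zero_filled(p):
            findings.append(("zero_filled", p.name))
        if stat.S_IMODE(st.st_mode) & stat.S_IWOTH:
            findings.append(("world_writable", p.name))
    return sorted(findings)


def build_demo_dir():
    """Create a constructed /var/log look-alike showing each tampering state."""
    d = Path(tempfile.mkdtemp(prefix="varlog-demo-"))
    # constructed sample content, not real log data
    (d / "messages").write_bytes(b"Jan  1 00:00:01 host systemd[1]: Started sshd.\n")  # untouched
    (d / "auth.log").write_bytes(b"")                 # truncate -s 0 / '> file' style
    (d / "secure").write_bytes(b"\x00" * 5000)        # dd if=/dev/zero style
    (d / "kern.log").write_bytes(b"kernel: boot ok\n")
    os.chmod(d / "kern.log", 0o666)                   # the permission M1022 says to remove
    # "wtmp" is deliberately not created, mirroring rm/unlink of a log file
    return d


if __name__ == "__main__":
    for finding, name in audit_log_dir(build_demo_dir()):
        print(f"{finding:15} {name}")
```

Run it against the real directory with `audit_log_dir("/var/log")` and a per-distro expected list. A scheduled run of this kind catches a clearing after the fact; pairing it with an auditd watch on /var/log gives you the real-time event as well.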
M1029 Remote Data Storage

Remote Data Storage focuses on moving critical data, such as security logs and sensitive files, to secure, off-host locations to minimize unauthorized access, tampering, or destruction by adversaries. By leveraging remote storage solutions, organizations enhance the protection of forensic evidence, sensitive information, and monitoring data.

Centralized Log Management
  • Configure endpoints to forward security logs to a centralized log collector or SIEM.
  • Use tools like Splunk, Graylog, or Security Onion to aggregate and store logs.
  • Example command (Linux): `sudo tail -F /var/log/audit/audit.log | nc <remote-log-server> 514`
Remote File Storage Solutions
  • Utilize cloud storage solutions like AWS S3, Google Cloud Storage, or Azure Blob Storage for sensitive data.
  • Ensure proper encryption at rest and access control policies (IAM roles, ACLs).
Intrusion Detection Log Forwarding
  • Forward logs from IDS/IPS systems (e.g., Zeek/Suricata) to a remote security information system.
  • Example for Suricata log forwarding: `outputs: - type: syslog, protocol: tls, address: <remote-syslog-server>`
Immutable Backup Configurations
  • Enable immutable storage settings for backups to prevent adversaries from modifying or deleting data.
  • Example: AWS S3 Object Lock.
Data Encryption
  • Ensure encryption for sensitive data using AES-256 at rest and TLS 1.2+ for data in transit. Tools: OpenSSL, BitLocker, LUKS for Linux.
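The reason remote storage defeats this technique is that a copy of each record leaves the host before anyone can truncate the local file. The following is an added example (not from this page, MITRE, or any syslog product) of that exchange with both sides in one process: a forwarder wraps constructed auth-log lines in RFC 5424 messages with RFC 6587 octet-counting framing, and a stand-in collector on localhost receives and unframes them. Real deployments put TLS 1.2+ on this connection, as the page says; the in-process collector, the sample lines and the hostname/app-name values are constructed for the example.

```python
import socket
import threading
from datetime import datetime, timezone

# Constructed sample lines, as they might appear in /var/log/auth.log (not real data).
SAMPLE_LINES = [
    "sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 50212 ssh2",
    "sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/usr/bin/rm -rf /var/log/messages",
    "sshd[2211]: pam_unix(sshd:session): session closed for user alice",
]


def syslog_frame(msg, hostname="host1", app="auth-forwarder", facility=4, severity=6):
    """Build one RFC 5424 message and wrap it in RFC 6587 octet-counting framing."""
    pri = facility * 8 + severity              # facility 4 = auth, severity 6 = info -> <38>
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    body = f"<{pri}>1 {ts} {hostname} {app} - - - {msg}".encode()
    return str(len(body)).encode() + b" " + body   # "<len> <message>"


def parse_frames(data):
    """Split an octet-counted byte stream back into individual message strings."""
    msgs = []
    while data:
        length, _, rest = data.partition(b" ")
        n = int(length)
        msgs.append(rest[:n].decode())
        data = rest[n:]
    return msgs


class Collector:
    """In-process stand-in for a remote syslog collector (plain TCP; real ones use TLS)."""

    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))       # ephemeral port so the example never collides
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.received = []
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        conn, _ = self.sock.accept()
        with conn:
            buf = b""
            while chunk := conn.recv(4096):    # read until the forwarder closes
                buf += chunk
        self.sock.close()
        self.received = parse_frames(buf)

    def wait(self):
        self.thread.join(timeout=5)
        return self.received


def forward(lines, port, host="127.0.0.1"):
    """Ship each line to the collector; closing the socket ends the stream."""
    with socket.create_connection((host, port)) as s:
        for line in lines:
            s.sendall(syslog_frame(line))


def demo():
    """Forward the sample lines to a local collector and return what it stored."""
    c = Collector()
    forward(SAMPLE_LINES, c.port)
    return c.wait()


if __name__ == "__main__":
    for m in demo():
        print(m)
```

Octet-counting framing is used here rather than newline delimiting so that a message containing a newline cannot be split or truncated in transit; common collectors such as rsyslog accept it on their TCP input. Once the copy is on the collector, a `truncate -s 0` or `rm` on the host only removes the local file, which is the property M1029 relies on.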
M1041 Encrypt Sensitive Information

Protect sensitive information at rest, in transit, and during processing by using strong encryption algorithms. Encryption ensures the confidentiality and integrity of data, preventing unauthorized access or tampering.

Encrypt Data at Rest
  • Use Case: Use full-disk encryption or file-level encryption to secure sensitive data stored on devices.
  • Implementation: Implement BitLocker for Windows systems or FileVault for macOS devices to encrypt hard drives.
Encrypt Data in Transit
  • Use Case: Use secure communication protocols (e.g., TLS, HTTPS) to encrypt sensitive data as it travels over networks.
  • Implementation: Enable HTTPS for all web applications and configure mail servers to enforce STARTTLS for email encryption.
Encrypt Backups
  • Use Case: Ensure that backup data is encrypted both during storage and transfer to prevent unauthorized access.
  • Implementation: Encrypt cloud backups using AES-256 before uploading them to Amazon S3 or Google Cloud.
Encrypt Application Secrets
  • Use Case: Store sensitive credentials, API keys, and configuration files in encrypted vaults.
  • Implementation: Use HashiCorp Vault or AWS Secrets Manager to manage and encrypt secrets.
Database Encryption
  • Use Case: Enable Transparent Data Encryption (TDE) or column-level encryption in database management systems.
  • Implementation: Use MySQL’s built-in encryption features to encrypt sensitive database fields such as social security numbers.

Detection Coverage

Coverage: 1/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
  • Behavioral / log (Sigma): 4
  • Analytics (MITRE CAR): none
  • Runtime / container (Falco): none
  • File / malware (YARA): none
  • Network (Suricata/Snort): none
  • Vuln scan (Nuclei): none
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin