T1070.002SubTechniquedefense-evasionagent-callable

T1070.002Clear Linux or Mac System Logs

Sub-technique of T1070

Platforms: Linux · macOS

ATT&CK version: 14.1

What it is

Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the <code>/var/log/</code> directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs) * <code>/var/log/messages:</code>: General and system-related messages * <code>/var/log/secure</code> or <code>/var/log/auth.log</code>: Authentication logs * <code>/var/log/utmp</code> or <code>/var/log/wtmp</code>: Login records * <code>/var/log/kern.log</code>: Kernel logs * <code>/var/log/cron.log</code>: Crond logs * <code>/var/log/maillog</code>: Mail server logs * <code>/var/log/httpd/</code>: Web server access and error logs

ATT&CK tactics· 1

Defense Evasion

References

  1. https://attack.mitre.org/techniques/T1070/002
  2. https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.
T1070.002: Clear Linux or Mac System Logs | SQUR Knowledge Base