T1685.006SubTechniquedefense-impairment

T1685.006Clear Linux or Mac System Logs

Sub-technique of T1685

Platforms: Linux · macOS

ATT&CK version: v19.1

What it is

Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the `/var/log/` directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs) * `/var/log/messages:`: General and system-related messages * `/var/log/secure or /var/log/auth.log`: Authentication logs * `/var/log/utmp or /var/log/wtmp`: Login records * `/var/log/kern.log`: Kernel logs * `/var/log/cron.log`: Crond logs * `/var/log/maillog`: Mail server logs * `/var/log/httpd/`: Web server access and error logs

ATT&CK tactics· 1

Defense Impairment

References

  1. https://attack.mitre.org/techniques/T1685/006
  2. https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.
T1685.006: Clear Linux or Mac System Logs | SQUR Knowledge Base