T1070.002 - Clear Linux or Mac System Logs

Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as: (Citation: Linux Logs)

  • /var/log/messages: General and system-related messages

  • /var/log/secure or /var/log/auth.log: Authentication logs

  • /var/log/utmp or /var/log/wtmp: Login records

  • /var/log/kern.log: Kernel logs

  • /var/log/cron.log: Crond logs

  • /var/log/maillog: Mail server logs

  • /var/log/httpd/: Web server access and error logs

Atomic Tests

Atomic Test #1 - rm -rf

Delete system and audit logs

Supported Platforms: macos, linux

Elevation Required (e.g. root or admin)

Dependencies: Run with sh!

Description: target files must exist
Check Prereq Commands:
if [ -d /var/audit ] ; then stat /var/audit/20220725213300.202208110700021 ; fi && stat /var/log/system.log
Get Prereq Commands:
touch /var/log/system.log
if [ -d /var/audit ] ; then touch /var/audit/20220725213300.202208110700021 ; fi
Invoke-AtomicTest T1070.002 -TestNumbers 1 -GetPreReqs

Attack Commands: Run with sh

sudo rm -rf /var/log/system.log
if [ -d /var/audit ] ; then sudo rm -rf /var/audit/20220725213300.202208110700021 ; fi
Invoke-AtomicTest T1070.002 -TestNumbers 1

Atomic Test #2 - rm -rf

Delete messages and security logs

Supported Platforms: linux

Elevation Required (e.g. root or admin)

Attack Commands: Run with sh

rm -rf /var/log/messages
rm -rf /var/log/security
Invoke-AtomicTest T1070.002 -TestNumbers 2

Atomic Test #3 - Delete log files using built-in log utility

This test deletes the main log datastore, in-flight log data, time-to-live (TTL) data, and fault and error content.

Supported Platforms: macos

Elevation Required (e.g. root or admin)

Attack Commands: Run with sh

sudo log erase --all
sudo log erase --ttl #Deletes only time-to-live log content
Invoke-AtomicTest T1070.002 -TestNumbers 3

Atomic Test #4 - Truncate system log files via truncate utility

This test truncates the system log files using the truncate utility with the -s 0 (or --size=0) parameter, which sets the file size to zero and thus empties the file content.

Supported Platforms: macos

Elevation Required (e.g. root or admin)

Dependencies: Run with sh!

Description: target files must exist
Check Prereq Commands:
stat /var/log/system.log
Get Prereq Commands:
touch /var/log/system.log
Invoke-AtomicTest T1070.002 -TestNumbers 4 -GetPreReqs

Attack Commands: Run with sh

sudo truncate -s 0 /var/log/system.log #size parameter shorthand
sudo truncate --size=0 /var/log/system.log #size parameter
Invoke-AtomicTest T1070.002 -TestNumbers 4

Atomic Test #5 - Truncate system log files via truncate utility (freebsd)

This test truncates the system log files using the truncate utility with the -s 0 (or --size=0) parameter, which sets the file size to zero and thus empties the file content.

Supported Platforms: linux

Elevation Required (e.g. root or admin)

Attack Commands: Run with sh

truncate -s 0 /var/log/messages #size parameter shorthand
truncate --size=0 /var/log/security #size parameter
Invoke-AtomicTest T1070.002 -TestNumbers 5

Atomic Test #6 - Delete log files via cat utility by appending /dev/null or /dev/zero

The first sub-test truncates the log file to zero bytes by redirecting /dev/null into it with cat; the second sub-test fills the log file with null bytes (zeroes) from /dev/zero, using dd so that the number of bytes written is bounded.

Supported Platforms: macos

Elevation Required (e.g. root or admin)

Dependencies: Run with sh!

Description: target files must exist
Check Prereq Commands:
stat /var/log/system.log
Get Prereq Commands:
touch /var/log/system.log
Invoke-AtomicTest T1070.002 -TestNumbers 6 -GetPreReqs

Attack Commands: Run with sh

sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes
sudo dd if=/dev/zero bs=1000 count=5 of=/var/log/system.log #log file filled with null bytes(zeros)
Invoke-AtomicTest T1070.002 -TestNumbers 6

Atomic Test #7 - Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd)

The first sub-test truncates the log file to zero bytes by redirecting /dev/null into it with cat; the second sub-test fills the log file with null bytes (zeroes) from /dev/zero, using dd so that the number of bytes written is bounded.

Supported Platforms: linux

Elevation Required (e.g. root or admin)

Attack Commands: Run with sh

cat /dev/null > /var/log/messages #truncating the file to zero bytes
dd if=/dev/zero bs=1000 count=5 of=/var/log/messages #log file filled with null bytes(zeros); bounded to 5000 bytes as in test #6, since an unbounded "cat /dev/zero >" would fill the disk
Invoke-AtomicTest T1070.002 -TestNumbers 7

Atomic Test #8 - System log file deletion via find utility

This test finds and deletes the system log files within the /var/log/ directory using several -exec actions (rm, shred, unlink), one per file created by the prerequisite commands.

Supported Platforms: macos

Elevation Required (e.g. root or admin)

Dependencies: Run with sh!

Description: target files must exist
Check Prereq Commands:
stat /var/log/system.log /var/log/system.log.97.gz /var/log/system.log.98.gz
Get Prereq Commands:
touch /var/log/system.log /var/log/system.log.97.gz /var/log/system.log.98.gz
Invoke-AtomicTest T1070.002 -TestNumbers 8 -GetPreReqs

Attack Commands: Run with sh

sudo find /var/log -name "system.log" -exec rm {} \; #using "rm" execution
sudo find /var/log/ -name "system.log.97.gz" -exec shred -u -z -n 3 {} \; #using "shred" execution
sudo find /var/log/ -name "system.log.98.gz" -exec unlink {} \; #using "unlink" execution
Invoke-AtomicTest T1070.002 -TestNumbers 8

Atomic Test #9 - Overwrite macOS system log via echo utility

This test overwrites the contents of the system log file with an empty string using the echo utility.

Supported Platforms: macos

Elevation Required (e.g. root or admin)

Attack Commands: Run with sh

sudo echo '' > /var/log/system.log
Invoke-AtomicTest T1070.002 -TestNumbers 9

Atomic Test #10 - Overwrite FreeBSD system log via echo utility

This test overwrites the contents of the system log file with an empty string using the echo utility.

Supported Platforms: linux

Elevation Required (e.g. root or admin)

Attack Commands: Run with sh

echo '' > /var/log/messages
Invoke-AtomicTest T1070.002 -TestNumbers 10

Atomic Test #11 - Real-time system log clearance/deletion

This test reads the system log file in real time and writes an empty string to it, thus clearing the log file without tampering with the logging process.

Supported Platforms: macos

Elevation Required (e.g. root or admin)

Attack Commands: Run with sh

sudo log -f /var/log/system.log | : > /var/log/system.log
Invoke-AtomicTest T1070.002 -TestNumbers 11

Atomic Test #14 - Delete system log files using shred utility

This test overwrites the contents of the log file with three passes of data (-n 3), finishes with a pass of zero bytes (-z), and then deletes the file (-u).

Supported Platforms: macos

Elevation Required (e.g. root or admin)

Dependencies: Run with sh!

Description: target files must exist
Check Prereq Commands:
stat /var/log/system.log
Get Prereq Commands:
touch /var/log/system.log
Invoke-AtomicTest T1070.002 -TestNumbers 14 -GetPreReqs

Attack Commands: Run with sh

sudo shred -u -z -n 3 /var/log/system.log
Invoke-AtomicTest T1070.002 -TestNumbers 14

Atomic Test #15 - Delete system log files using srm utility

This test securely deletes the system log files, individually and recursively, using the srm utility. Install srm using Homebrew with the command: brew install khell/homebrew-srm/srm (refer to khell/homebrew-srm#1 for installation notes).

Supported Platforms: macos

Elevation Required (e.g. root or admin)

Dependencies: Run with sh!

Description: target files must exist
Check Prereq Commands:
stat /var/log/system.log /var/log/
Get Prereq Commands:
mkdir -p /var/log/ && touch /var/log/system.log
Invoke-AtomicTest T1070.002 -TestNumbers 15 -GetPreReqs

Attack Commands: Run with sh

sudo srm /var/log/system.log #system log file deletion
sudo srm -r /var/log/ #recursive deletion of log files
Invoke-AtomicTest T1070.002 -TestNumbers 15

Atomic Test #16 - Delete system log files using OSAScript

This test deletes the system log file with osascript via "do shell script" (sh by default), which in turn spawns the rm utility; it requires admin privileges.

Supported Platforms: macos

Elevation Required (e.g. root or admin)

Dependencies: Run with sh!

Description: target files must exist
Check Prereq Commands:
stat /var/log/system.log
Get Prereq Commands:
touch /var/log/system.log
Invoke-AtomicTest T1070.002 -TestNumbers 16 -GetPreReqs

Attack Commands: Run with sh

osascript -e 'do shell script "rm /var/log/system.log" with administrator privileges'
Invoke-AtomicTest T1070.002 -TestNumbers 16

Atomic Test #17 - Delete system log files using Applescript

This test deletes the system log file using AppleScript, run through osascript, via the Finder application. Note: the user may be prompted to grant access to the Finder application before the command can execute successfully, as part of the TCC (Transparency, Consent, and Control) framework. Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive

Supported Platforms: macos

Elevation Required (e.g. root or admin)

Dependencies: Run with sh!

Description: target files must exist
Check Prereq Commands:
stat /var/log/system.log
Get Prereq Commands:
touch /var/log/system.log
Invoke-AtomicTest T1070.002 -TestNumbers 17 -GetPreReqs

Attack Commands: Run with sh

osascript -e 'tell application "Finder" to delete POSIX file "/var/log/system.log"'
Invoke-AtomicTest T1070.002 -TestNumbers 17

Atomic Test #18 - Delete system journal logs via rm and journalctl utilities

The first sub-test deletes the journal files in the /var/log/journal/ directory using the rm utility, and the second sub-test clears the journal by setting the retention period for log entries to zero.

Supported Platforms: linux

Elevation Required (e.g. root or admin)

Dependencies: Run with sh!

Description: target files must exist
Check Prereq Commands:
stat /var/log/journal
Get Prereq Commands:
mkdir -p /var/log/journal && touch /var/log/journal/T1070_002.journal
Invoke-AtomicTest T1070.002 -TestNumbers 18 -GetPreReqs

Attack Commands: Run with sh

sudo rm /var/log/journal/* #physically deletes the journal files, and not just their content
sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
Invoke-AtomicTest T1070.002 -TestNumbers 18

Atomic Test #19 - Overwrite Linux Mail Spool

This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.

Supported Platforms: linux

Elevation Required (e.g. root or admin)

Dependencies: Run with sh!

Description: target files must exist
Check Prereq Commands:
stat /var/spool/mail/root
Get Prereq Commands:
touch /var/spool/mail/root
Invoke-AtomicTest T1070.002 -TestNumbers 19 -GetPreReqs

Attack Commands: Run with bash

echo 0> /var/spool/mail/root
Invoke-AtomicTest T1070.002 -TestNumbers 19

Atomic Test #20 - Overwrite Linux Log

This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.

Supported Platforms: linux

Elevation Required (e.g. root or admin)

Attack Commands: Run with bash

echo 0> /var/log/secure
Invoke-AtomicTest T1070.002 -TestNumbers 20

Cleanup:

if [ "/var/log/secure" != "/var/log/secure" ] ; then rm -f /var/log/secure ; fi
Invoke-AtomicTest T1070.002 -TestNumbers 20 -Cleanup

Detection

File system monitoring may be used to detect improper deletion or modification of indicator files. Also monitor for suspicious processes interacting with log files, such as the rm, shred, unlink, srm, truncate, dd, log, osascript and journalctl invocations exercised by the tests above.
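As an added example (not part of this Atomic Red Team page or of the project's own code), the following POSIX shell script implements the file system monitoring the paragraph describes as a baseline-and-compare check: it records the inode and size of every file under a log directory, then flags files that were deleted, replaced (deleted and recreated, so the inode changed), overwritten with null bytes, or truncated, which together cover the rm/unlink/shred/srm, dd if=/dev/zero, truncate and shell-redirection techniques in the tests above. The function names, the baseline file format and the suggested baseline path are this example's own assumptions, not anything the page or project defines.

```shell
#!/bin/sh
# Added example, not part of the Atomic Red Team page or project: a baseline-and-compare
# check for the log-tampering patterns exercised by the tests above. Function names and
# the "path inode size" baseline format are this example's own assumptions.

# Inode and size via ls -i and wc -c, which behave the same on Linux, macOS and FreeBSD
# (stat's option syntax differs between GNU and BSD, so it is avoided here).
file_ino()  { ls -i "$1" | awk '{print $1}'; }
file_size() { wc -c < "$1" | tr -d ' '; }

# Prints 1 if the first 16 bytes of the file are all NUL, which is what a /dev/zero overwrite
# (dd if=/dev/zero ..., shred -z without -u) leaves behind; a text log never starts that way.
leading_nul() {
  n=$(dd if="$1" bs=16 count=1 2>/dev/null | tr -d '\000' | wc -c | tr -d ' ')
  if [ "$n" -eq 0 ]; then echo 1; else echo 0; fi
}

# record_baseline DIR OUT: writes one "path inode size" line per regular file under DIR.
# Run as root right after log rotation, e.g. record_baseline /var/log /var/lib/log-baseline.txt
# (the baseline path is an assumption; keep it somewhere a root attacker is less likely to look).
record_baseline() {
  dir=$1; out=$2
  : > "$out"
  find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
    printf '%s %s %s\n' "$f" "$(file_ino "$f")" "$(file_size "$f")" >> "$out"
  done
}

# check_logs BASELINE: prints "STATUS path" for every file that deviates from the baseline and
# returns 1 if anything was flagged, 0 otherwise, so a cron job can alert on the exit status.
check_logs() {
  found=0
  while read -r path ino size; do
    if [ ! -e "$path" ]; then
      echo "DELETED $path"; found=1; continue     # rm, unlink, srm, shred -u, Finder delete
    fi
    now_ino=$(file_ino "$path"); now_size=$(file_size "$path")
    if [ "$now_ino" != "$ino" ]; then
      echo "REPLACED $path"; found=1              # deleted and recreated under the same name
    elif [ "$now_size" -gt 0 ] && [ "$(leading_nul "$path")" -eq 1 ]; then
      echo "ZERO_FILLED $path"; found=1           # checked before size: a zero-fill may also shrink the file
    elif [ "$now_size" -lt "$size" ]; then
      echo "TRUNCATED $path"; found=1             # truncate -s 0, "> file", cat /dev/null > file, echo '' > file
    fi
  done < "$1"
  return "$found"
}
```

A log that legitimately grows keeps its inode and only gets larger, so it is never flagged; rotation replaces files and therefore requires a fresh baseline afterwards. Paths containing spaces are not supported by the whitespace-separated baseline. Because an attacker with root can edit the baseline as easily as the logs, this check complements rather than replaces forwarding logs to a remote collector, which is what keeps evidence intact when the local copies are cleared.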