Clear Linux or Mac System Logs - T1070.002
(ATT&CK® Technique)
Definition
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:
D3FEND Inferred Relationships
Knowledge graph (rendered from a diagram on the original page): the technique, the artifact it acts on, and the defensive techniques that relate to it.

Clear Linux or Mac System Logs (T1070.002, /offensive-technique/attack/T1070.002/) modifies the artifact Operating System Log File (/dao/artifact/d3f:OperatingSystemLogFile).

Defensive techniques acting on the Operating System Log File artifact, with their inferred relationship to T1070.002:
- System File Analysis (/technique/d3f:SystemFileAnalysis): analyzes the artifact; may detect the technique.
- Remote File Access Mediation (/technique/d3f:RemoteFileAccessMediation): isolates the artifact; may isolate the technique.
- File Integrity Monitoring (/technique/d3f:FileIntegrityMonitoring): analyzes the artifact; may detect the technique.
- Local File Permissions (/technique/d3f:LocalFilePermissions): restricts the artifact; may isolate the technique.
- Restore File (/technique/d3f:RestoreFile): restores the artifact; may restore after the technique.
- Decoy File (/technique/d3f:DecoyFile): spoofs the artifact; may deceive the technique.
- File Eviction (/technique/d3f:FileEviction): deletes the artifact; may evict the technique.
- File Encryption (/technique/d3f:FileEncryption): encrypts the artifact; may harden against the technique.
- File Analysis (/technique/d3f:FileAnalysis): analyzes the artifact; may detect the technique.
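As an added example of the File Integrity Monitoring relationship above (this is not D3FEND's or ATT&CK's code): a baseline-and-compare check over a log directory that flags truncation, deletion and inode replacement of files, and tells rename-based log rotation apart from replacement. The directory layout and file names in demo() are constructed sample data.

```python
import os, shutil, stat, tempfile

# Added example, not D3FEND's or ATT&CK's code. Logs under /var/log are append-only
# in normal use: a file that shrinks, vanishes or gets a new inode may have been cleared.

def snapshot(log_dir):
    """Map each regular file under log_dir (recursive) to (inode, size)."""
    baseline = {}
    for root, _dirs, names in os.walk(log_dir):
        for name in names:
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: never follow a symlink left in the log dir
            if stat.S_ISREG(st.st_mode):
                baseline[os.path.relpath(path, log_dir)] = (st.st_ino, st.st_size)
    return baseline

def compare(baseline, current):
    """Sorted (path, finding) pairs for baseline files that regressed. Rotation by
    rename keeps the old inode alive (syslog -> syslog.1) and is reported as 'rotated'."""
    live_inodes = {ino for ino, _size in current.values()}
    findings = []
    for rel, (ino, size) in baseline.items():
        if rel not in current:
            findings.append((rel, "deleted"))
        elif current[rel][0] != ino:
            findings.append((rel, "rotated" if ino in live_inodes else "replaced"))
        elif current[rel][1] < size:
            findings.append((rel, "truncated"))  # emptied in place
    return sorted(findings)

def demo():
    """Constructed sample log directory exercising every finding."""
    d = tempfile.mkdtemp()
    try:
        for name, text in [("auth.log", "a\nb\n"), ("syslog", "s\n"),
                           ("wtmp", "w"), ("kern.log", "k\n")]:
            with open(os.path.join(d, name), "w") as f:
                f.write(text)
        base = snapshot(d)
        open(os.path.join(d, "auth.log"), "w").close()              # truncated
        os.remove(os.path.join(d, "syslog"))                        # deleted
        os.rename(os.path.join(d, "kern.log"), os.path.join(d, "kern.log.1"))
        open(os.path.join(d, "kern.log"), "w").close()              # rotated
        with open(os.path.join(d, "wtmp.new"), "w") as f:           # replaced
            f.write("w")
        os.replace(os.path.join(d, "wtmp.new"), os.path.join(d, "wtmp"))
        return compare(base, snapshot(d))
    finally:
        shutil.rmtree(d)
```

Against a real /var/log, take snapshot() at one time and compare() later; rotation tooling that copies and truncates in place (logrotate's copytruncate) shows up as 'truncated', so correlate findings with the rotation schedule before raising an alert.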