Clear Linux or Mac System Logs - T1070.002
(ATT&CK® Technique)
Definition
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:
D3FEND Inferred Relationships
The D3FEND knowledge graph for this technique, given below as the Mermaid source of the relationship diagram:
graph LR;
T1070002["Clear Linux or Mac System Logs"] --> |modifies| OperatingSystemLogFile["Operating System Log File"];
FileEviction["File Eviction"] --> |deletes| OperatingSystemLogFile;
FileEviction -.-> |may-evict| T1070002;
FileEncryption["File Encryption"] --> |encrypts| OperatingSystemLogFile;
FileEncryption -.-> |may-harden| T1070002;
DecoyFile["Decoy File"] --> |spoofs| OperatingSystemLogFile;
DecoyFile -.-> |may-deceive| T1070002;
FileIntegrityMonitoring["File Integrity Monitoring"] --> |analyzes| OperatingSystemLogFile;
FileIntegrityMonitoring -.-> |may-detect| T1070002;
ContentModification["Content Modification"] --> |modifies| OperatingSystemLogFile;
ContentModification -.-> |may-isolate| T1070002;
ContentQuarantine["Content Quarantine"] --> |quarantines| OperatingSystemLogFile;
ContentQuarantine -.-> |may-isolate| T1070002;
RemoteFileAccessMediation["Remote File Access Mediation"] --> |isolates| OperatingSystemLogFile;
RemoteFileAccessMediation -.-> |may-isolate| T1070002;
ContentFiltering["Content Filtering"] --> |filters| OperatingSystemLogFile;
ContentFiltering -.-> |may-isolate| T1070002;
SystemFileAnalysis["System File Analysis"] --> |analyzes| OperatingSystemLogFile;
SystemFileAnalysis -.-> |may-detect| T1070002;
FileAnalysis["File Analysis"] --> |analyzes| OperatingSystemLogFile;
FileAnalysis -.-> |may-detect| T1070002;
LocalFilePermissions["Local File Permissions"] --> |restricts| OperatingSystemLogFile;
LocalFilePermissions -.-> |may-isolate| T1070002;
RestoreFile["Restore File"] --> |restores| OperatingSystemLogFile;
RestoreFile -.-> |may-restore| T1070002;
class T1070002 OffensiveTechniqueNode;
class OperatingSystemLogFile ArtifactNode;
class FileEviction,FileEncryption,DecoyFile,FileIntegrityMonitoring,ContentModification,ContentQuarantine,RemoteFileAccessMediation,ContentFiltering,SystemFileAnalysis,FileAnalysis,LocalFilePermissions,RestoreFile DefensiveTechniqueNode;
click T1070002 href "../../../offensive-technique/attack/T1070.002/";
click OperatingSystemLogFile href "../../../dao/artifact/d3f:OperatingSystemLogFile";
click FileEviction href "../../../technique/d3f:FileEviction";
click FileEncryption href "../../../technique/d3f:FileEncryption";
click DecoyFile href "../../../technique/d3f:DecoyFile";
click FileIntegrityMonitoring href "../../../technique/d3f:FileIntegrityMonitoring";
click ContentModification href "../../../technique/d3f:ContentModification";
click ContentQuarantine href "../../../technique/d3f:ContentQuarantine";
click RemoteFileAccessMediation href "../../../technique/d3f:RemoteFileAccessMediation";
click ContentFiltering href "../../../technique/d3f:ContentFiltering";
click SystemFileAnalysis href "../../../technique/d3f:SystemFileAnalysis";
click FileAnalysis href "../../../technique/d3f:FileAnalysis";
click LocalFilePermissions href "../../../technique/d3f:LocalFilePermissions";
click RestoreFile href "../../../technique/d3f:RestoreFile";
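As an added illustration of the File Integrity Monitoring "may-detect" relationship above and of the /var/log storage described in the definition (example code, not D3FEND's or ATT&CK's own), the check below snapshots inode and size of every file under a log directory and reports files that were deleted, replaced or shrank between two snapshots. The directory path, the snapshot format and the sample values are assumptions constructed for the example.

```python
# Added illustration of the File Integrity Monitoring -> may-detect link above;
# not D3FEND/ATT&CK code. Compares two snapshots of a log directory and flags
# files that were deleted, replaced (new inode) or shrank (truncated/cleared).
import os
from typing import Dict, List, NamedTuple

class LogFileState(NamedTuple):
    inode: int
    size: int

Snapshot = Dict[str, LogFileState]

def snapshot_log_dir(log_dir: str = "/var/log") -> Snapshot:
    """Record inode and size of every regular file below log_dir."""
    snap: Snapshot = {}
    for root, _dirs, files in os.walk(log_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # file vanished between listing and stat
            snap[path] = LogFileState(st.st_ino, st.st_size)
    return snap

def compare_snapshots(baseline: Snapshot, current: Snapshot) -> List[str]:
    """One finding per file that was deleted, replaced (new inode) or shrank.
    Healthy logs only grow between rotations; scheduled rotation also produces
    these signals, so correlate findings with the rotation schedule and the
    presence of the rotated copy (e.g. syslog.1) before treating them as clearing."""
    findings = []
    for path, before in sorted(baseline.items()):
        after = current.get(path)
        if after is None:
            findings.append(f"DELETED  {path}")
        elif after.inode != before.inode:
            findings.append(f"REPLACED {path} (inode {before.inode} -> {after.inode})")
        elif after.size < before.size:
            findings.append(f"SHRUNK   {path} ({before.size} -> {after.size} bytes)")
    return findings

# Constructed sample snapshots (not real system data) so the check runs offline.
BASELINE = {"/var/log/auth.log": LogFileState(1001, 48213),
            "/var/log/syslog": LogFileState(1002, 910044),
            "/var/log/wtmp": LogFileState(1003, 38400),
            "/var/log/kern.log": LogFileState(1004, 12000)}
CURRENT = {"/var/log/auth.log": LogFileState(1001, 0),       # truncated in place
           "/var/log/syslog": LogFileState(1002, 912500),    # grew: normal
           "/var/log/wtmp": LogFileState(2003, 38400)}       # new inode; kern.log gone
```

On a live host, call `snapshot_log_dir()` at two points in time (for example from a periodic job that persists the baseline) and pass the two results to `compare_snapshots`.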