Description
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
/var/log/messages:: General and system-related messages
/var/log/secure or /var/log/auth.log: Authentication logs
/var/log/utmp or /var/log/wtmp: Login records
/var/log/kern.log: Kernel logs
/var/log/cron.log: Crond logs
/var/log/maillog: Mail server logs
* /var/log/httpd/: Web server access and error logs
Platforms
Mitigations (3)
Restrict File and Directory PermissionsM1022
Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.
Remote Data StorageM1029
Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.
Encrypt Sensitive InformationM1041
Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
Threat Groups (4)
| ID | Group | Context |
|---|---|---|
| G1045 | Salt Typhoon | [Salt Typhoon](https://attack.mitre.org/groups/G1045) has cleared logs including .bash_history, auth.log, lastlog, wtmp, and btmp.(Citation: Cisco Sal... |
| G0106 | Rocke | [Rocke](https://attack.mitre.org/groups/G0106) has cleared log files within the /var/log/ folder.(Citation: Anomali Rocke March 2019) |
| G1041 | Sea Turtle | [Sea Turtle](https://attack.mitre.org/groups/G1041) has overwritten Linux system logs and unsets the Bash history file (effectively removing logging) ... |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has removed system logs from <code>/var/log/syslog</code>.(Citation: Aqua TeamTNT August 2020) |
Associated Software (4)
| ID | Name | Type | Context |
|---|---|---|---|
| S1164 | UPSTYLE | Malware | [UPSTYLE](https://attack.mitre.org/software/S1164) clears error logs after reading embedded commands for execution.(Citation: Volexity UPSTYLE 2024) |
| S0279 | Proton | Malware | [Proton](https://attack.mitre.org/software/S0279) removes logs from <code>/var/logs</code> and <code>/Library/logs</code>.(Citation: objsee mac malwar... |
| S1016 | MacMa | Malware | [MacMa](https://attack.mitre.org/software/S1016) can clear possible malware traces such as application logs.(Citation: ESET DazzleSpy Jan 2022) |
| S1206 | JumbledPath | Malware | [JumbledPath](https://attack.mitre.org/software/S1206) can clear logs on all devices used along its connection path to compromised network infrastruct... |
References
Frequently Asked Questions
What is T1685.006 (Clear Linux or Mac System Logs)?
T1685.006 is a MITRE ATT&CK technique named 'Clear Linux or Mac System Logs'. It belongs to the Defense Impairment tactic(s). Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored...
How can T1685.006 be detected?
Detection of T1685.006 (Clear Linux or Mac System Logs) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1685.006?
There are 3 documented mitigations for T1685.006. Key mitigations include: Restrict File and Directory Permissions, Remote Data Storage, Encrypt Sensitive Information.
Which threat groups use T1685.006?
Known threat groups using T1685.006 include: Salt Typhoon, Rocke, Sea Turtle, TeamTNT.