- Tactics
- defense-impairment
- Platforms
- Linux, macOS
- Reference
- attack.mitre.org/techniques/T1685.006
Description
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
/var/log/messages:: General and system-related messages/var/log/secure or /var/log/auth.log: Authentication logs/var/log/utmp or /var/log/wtmp: Login records/var/log/kern.log: Kernel logs/var/log/cron.log: Crond logs/var/log/maillog: Mail server logs/var/log/httpd/: Web server access and error logs
How GTK Cyber trains on this
GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the defense-impairment tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.
Related techniques
- T1112 — Modify Registry
- T1207 — Rogue Domain Controller
- T1222 — File and Directory Permissions Modification
- T1484 — Domain or Tenant Policy Modification
- T1553 — Subvert Trust Controls
- T1556 — Modify Authentication Process
- T1578 — Modify Cloud Compute Infrastructure
- T1599 — Network Boundary Bridging
- T1600 — Weaken Encryption
- T1601 — Modify System Image
- T1647 — Plist File Modification
- T1666 — Modify Cloud Resource Hierarchy