Adversaries may delete or alter generated artifacts on a host system, including logs and potentially captured files such as quarantined malware. Locations and format of logs will vary, but typical organic system logs are captured as Windows events or Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1139) and /var/log/*. Actions that interfere with eventing and other notifications that can be used to detect intrusion activity may compromise the integrity of security solutions, causing events to go unreported. They may also make forensic analysis and incident response more difficult due to a lack of sufficient data to determine what occurred.
Windows event logs are a record of a computer's alerts and notifications. Microsoft defines an event as "any significant occurrence in the system or in a program that requires users to be notified or an entry added to a log." There are three system-defined sources of Events: System, Application, and Security.
Adversaries performing actions related to account management, account logon, directory service access, etc., may choose to clear the events in order to hide their activities.
The event logs can be cleared with the following utility commands:

```cmd
wevtutil cl system
wevtutil cl application
wevtutil cl security
```
Logs may also be cleared through other mechanisms, such as PowerShell.
Clear Windows Event Logs
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| log_name | Windows log name, e.g. System | String | System |

```cmd
wevtutil cl #{log_name}
```
Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume.
Supported Platforms: Windows
```cmd
fsutil usn deletejournal /D C:
```
Delete system and audit logs
Supported Platforms: macOS, Linux
```sh
rm -rf /private/var/log/system.log*
rm -rf /private/var/audit/*
```
This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
Supported Platforms: Linux
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of mail spool | String | root |

```sh
echo 0 > /var/spool/mail/#{username}
```
This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
Supported Platforms: Linux
| Name | Description | Type | Default Value |
|---|---|---|---|
| log_path | Path of specified log | Path | /var/log/secure |

```sh
echo 0 > #{log_path}
```
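Added example (not part of the original page): a baseline-and-compare check in Python for the truncation the two Linux tests above leave behind. Append-only logs and mail spools should never shrink and should keep their inode between rotations, so the check flags a size decrease, an inode change, a deleted file, and a file whose only content is the literal `0` line that `echo 0 > file` writes. Files in a temporary directory stand in for /var/log/secure, /var/spool/mail/root and /var/log/messages so that it runs offline.

```python
"""Baseline-and-compare check for truncated logs and mail spools (added example)."""
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    size: int
    inode: int


def snapshot(paths):
    """Record size and inode of every monitored file that currently exists."""
    state = {}
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        state[path] = Snapshot(st.st_size, st.st_ino)
    return state


def detect_truncation(baseline, paths):
    """Compare the current state of `paths` against `baseline`.

    Returns {path: [reasons]} for files that were deleted, replaced (new inode),
    shrank, or hold nothing but the literal "0" line that `echo 0 > file` leaves.
    """
    current = snapshot(paths)
    findings = {}
    for path, before in baseline.items():
        reasons = []
        after = current.get(path)
        if after is None:
            findings[path] = ["deleted"]
            continue
        if after.inode != before.inode:
            reasons.append("replaced (inode changed)")
        if after.size < before.size:
            reasons.append(f"shrank from {before.size} to {after.size} bytes")
        if after.size <= 2:
            with open(path, "rb") as fh:
                if fh.read().strip() == b"0":
                    reasons.append("contents are the literal '0' marker")
        if reasons:
            findings[path] = reasons
    return findings


def demo():
    """Constructed scenario: temp files stand in for /var/log/secure,
    /var/spool/mail/root and /var/log/messages."""
    with tempfile.TemporaryDirectory() as root:
        secure = os.path.join(root, "secure")
        mail = os.path.join(root, "root")
        messages = os.path.join(root, "messages")
        with open(secure, "w") as fh:
            fh.write("Jan  1 00:00:01 host sshd[100]: Accepted publickey for root\n" * 20)
        with open(mail, "w") as fh:
            fh.write("From cron@host Mon Jan  1 00:00:00 2024\nSubject: job output\n")
        with open(messages, "w") as fh:
            fh.write("Jan  1 00:00:02 host kernel: boot complete\n")
        watched = [secure, mail, messages]
        baseline = snapshot(watched)

        # Simulated effect of the two tests above on secure and the mail spool;
        # messages keeps growing as a normal log would.
        for path in (secure, mail):
            with open(path, "w") as fh:
                fh.write("0\n")
        with open(messages, "a") as fh:
            fh.write("Jan  1 00:00:03 host kernel: eth0 link up\n")

        findings = detect_truncation(baseline, watched)
        return {os.path.basename(p): reasons for p, reasons in findings.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'; '.join(reasons)}")
```

Log rotation legitimately shrinks or replaces these files, so the baseline has to be refreshed after each rotation, and since a local baseline can be overwritten by the same adversary, it belongs on a collector or another host rather than on the monitored system.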
Recommended Detection: Monitor for use of the Windows event log file path in PowerShell coupled with delete arguments.
Supported Platforms: Windows
```powershell
$eventLogId = Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'EventLog'" | Select-Object -ExpandProperty ProcessId
Stop-Process -Id $eventLogId -Force
Remove-Item C:\Windows\System32\winevt\Logs\Security.evtx
Start-Service -Name EventLog
```
Clear event logs using built-in PowerShell commands
Supported Platforms: Windows
```powershell
Clear-EventLog -LogName Application
```
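Added example (not part of the original page): Python triage of Windows event records for all of the Windows tests on this page, the wevtutil and Clear-EventLog clears, the USN journal deletion, and the .evtx file deletion. It uses two well-known Windows event IDs that are not taken from this page, Security 1102 (the audit log was cleared) and System 104 (an event log file was cleared), which the Event Log service writes when a log is cleared through its API, plus command-line patterns matched against Security 4688 process-creation records (which require command-line auditing to carry a CommandLine field). The records are plain dicts and the sample set is constructed.

```python
"""Triage Windows event records for the log-clearing actions exercised on this
page (added example). Records are plain dicts such as a collector would export;
the sample set at the bottom is constructed."""
import re

# Written by the Event Log service itself when a log is cleared through its API,
# which is the path wevtutil cl and Clear-EventLog take. These are well-known
# Windows event IDs, not values taken from this page.
CLEARED_LOG_EVENTS = {
    ("Security", 1102): "Security audit log was cleared",
    ("System", 104): "an event log file was cleared",
}

# Command lines matching the utilities shown in the tests above. Matched against
# Security 4688 (process creation) records, which requires command-line auditing.
COMMANDLINE_INDICATORS = [
    (re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I), "wevtutil clear-log"),
    (re.compile(r"\bClear-EventLog\b", re.I), "PowerShell Clear-EventLog"),
    (re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b", re.I), "USN change journal deleted"),
    (re.compile(r"\b(Remove-Item|ri|rm|del|erase)\b.*\\winevt\\Logs\\", re.I), "event log file (.evtx) deleted"),
]


def triage(events):
    """Return one finding per record that indicates log clearing."""
    findings = []
    for ev in events:
        key = (ev.get("Channel"), ev.get("EventID"))
        host = ev.get("Computer", "?")
        if key in CLEARED_LOG_EVENTS:
            findings.append({"host": host, "EventID": ev["EventID"], "reason": CLEARED_LOG_EVENTS[key]})
            continue
        if key != ("Security", 4688):
            continue
        cmd = ev.get("CommandLine", "")
        for pattern, label in COMMANDLINE_INDICATORS:
            if pattern.search(cmd):
                findings.append({"host": host, "EventID": 4688, "reason": label, "CommandLine": cmd})
                break  # one finding per process-creation record
    return findings


# Constructed sample: two cleared-log events and seven process creations, of which
# three are benign (query/list operations, a service host) and four match.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Channel": "Security", "EventID": 1102},
    {"Computer": "WS01", "Channel": "System", "EventID": 104},
    {"Computer": "WS01", "Channel": "Security", "EventID": 4688, "CommandLine": "wevtutil cl system"},
    {"Computer": "WS02", "Channel": "Security", "EventID": 4688, "CommandLine": "wevtutil qe Security /c:10"},
    {"Computer": "WS01", "Channel": "Security", "EventID": 4688,
     "CommandLine": 'powershell.exe -c "Clear-EventLog -LogName Application"'},
    {"Computer": "WS02", "Channel": "Security", "EventID": 4688, "CommandLine": "fsutil usn queryjournal C:"},
    {"Computer": "WS01", "Channel": "Security", "EventID": 4688, "CommandLine": "fsutil usn deletejournal /D C:"},
    {"Computer": "WS01", "Channel": "Security", "EventID": 4688,
     "CommandLine": r"powershell.exe Remove-Item C:\Windows\System32\winevt\Logs\Security.evtx"},
    {"Computer": "WS02", "Channel": "Security", "EventID": 4688,
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]


def demo():
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The PowerShell test that stops the Event Log service before removing Security.evtx produces no 1102 or 104 locally, because the service that would write them is not running; the 4688 for the deleting process and the subsequent service start are the records to look for, and they are only trustworthy if events are forwarded to a collector rather than read back from the host whose logs were just removed.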