T1070.002 Sumo Logic CSE · Sumo

Detect Clear Linux or Mac System Logs in Sumo Logic CSE

Adversaries clear system logs on Linux and macOS to remove evidence of intrusion. Primary targets include /var/log/auth.log or /var/log/secure (authentication), /var/log/syslog or /var/log/messages (general), /var/log/wtmp and /var/log/btmp (login records), and web server logs (/var/log/apache2/, /var/log/nginx/). Common methods include truncating files (echo > /var/log/auth.log), deletion (rm /var/log/*.log), or overwriting with zeros. TeamTNT (crypto-mining), Rocke, Sea Turtle (DNS hijacking), Salt Typhoon (telecom espionage), UPSTYLE (Volt Typhoon PANW exploit), and MacMa (macOS) have all cleared Linux/macOS logs post-compromise.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1070 Indicator Removal
Sub-technique: T1070.002 Clear Linux or Mac System Logs
Canonical reference: https://attack.mitre.org/techniques/T1070/002/

Sumo Detection Query

Sumo Logic CSE (Sumo)

_sourceCategory=linux/auditd OR _sourceCategory=linux/secure
// Assumes the collector delivers a SYSCALL record together with its PATH record(s) in one message;
// if they arrive as separate lines, correlate them on the audit(<timestamp>:<serial>) event id first.
// Note: linux/secure records carry no syscall= field and are dropped by the syscall filter below.
| parse regex "type=SYSCALL\s.*?syscall=(?<syscall>\w+)" nodrop
| parse regex "name=\"(?<filepath>[^\"]+)\"" nodrop
| parse regex "exe=\"(?<exe>[^\"]+)\"" nodrop
| parse regex "\sauid=(?<auid>\d+)" nodrop
// anchored on whitespace: an unanchored "uid=" matches inside "auid=" first and returns the wrong value
| parse regex "\suid=(?<uid>\d+)" nodrop
// names assume interpreted records (ausearch -i); raw auditd logs carry numbers (x86_64: open=2, openat=257, truncate=76, ftruncate=77, unlink=87, unlinkat=263)
| where syscall in ("unlink", "unlinkat", "truncate", "ftruncate", "open", "openat")
| where filepath matches "/var/log/*" or filepath matches "/Library/Logs/*" or filepath matches "/private/var/log/*"
// filepath is a full path, so the non-.log targets are matched on their basename with a "*/" prefix (an exact-equality list of basenames never matches)
| where filepath matches "*.log" or filepath matches "*/syslog" or filepath matches "*/messages" or filepath matches "*/secure" or filepath matches "*/wtmp" or filepath matches "*/btmp" or filepath matches "*/lastlog"
| where !(exe matches "*logrotate*" or exe matches "*rsyslog*" or exe matches "*syslogd*" or exe matches "*newsyslog*")
// open/openat also match read-only access; restrict to O_TRUNC (flag 0x200, in a1 for open and a2 for openat) to remove that noise
| if(syscall in ("unlink", "unlinkat"), "FileDeleted", if(syscall in ("truncate", "ftruncate"), "FileTruncated", "FileOpenTrunc")) as ActionType
| fields _messageTime, _sourceHost, auid, uid, exe, filepath, ActionType, syscall
| sort by _messageTime desc

Severity: High. Confidence: Medium.

Sumo Logic query against Linux auditd and secure log sources detecting syscall-level file deletion and truncation operations targeting /var/log/, /Library/Logs/, and /private/var/log/ paths. Parses auditd SYSCALL records and filters out legitimate log rotation daemons.

Data Sources

  • Sumo Logic Installed Collector with Linux OS Source (auditd)
  • Sumo Logic Cloud Syslog Source for Linux /var/log/audit/audit.log
  • Sumo Logic Installed Collector with /var/log/secure or /var/log/auth.log source

Required Tables

  • _sourceCategory=linux/auditd
  • _sourceCategory=linux/secure

False Positives & Tuning

  • Third-party log shippers or SIEM forwarders (Splunk UF, Elastic Agent) that move and recreate log files, appearing as deletions with their own process name
  • Application deployments using Ansible, Chef, or Puppet where handlers clean up stale log files after config changes
  • Docker or Kubernetes node-level log cleanup by the container runtime's log rotation mechanism (e.g., containerd log-opt max-file settings)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Clear Linux Auth Log via Truncation

    Expected signal: auditd: SYSCALL records showing open with O_TRUNC flag on /var/log/auth.log. File modification event captured by endpoint telemetry. rsyslog may log a restart after the file is truncated if it monitors file size.

  2. Test 2: Delete /var/log Files Using rm

    Expected signal: auditd: SYSCALL records for creat/open (file creation) and unlink (file deletion). File creation and deletion events in endpoint telemetry. A file creation followed immediately by its deletion is an anomalous pattern.

  3. Test 3: Clear Login History via wtmp Manipulation

    Expected signal: auditd: SYSCALL for open with O_TRUNC on /var/log/wtmp. Any process monitoring wtmp (e.g., login daemons) may detect the size change. File modification event in endpoint telemetry for wtmp.
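Added example (not the page's rule or any Sumo Logic code): the detection logic of the query above, run in Python over constructed raw auditd lines, correlating each SYSCALL record with its PATH record by audit event id and adding the O_TRUNC flag check that the tests above expect, so that a plain read of a log file does not alert. The sample records, the x86_64 syscall-number map and the file names are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample auditd output (not from the page): 501 = `echo > /var/log/auth.log` from bash,
# 502 = `tail` reading the same file, 503 = logrotate deleting an old copy. Only 501 should alert.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=2 success=yes a0=55d0 a1=241 a2=1b6 a3=0 pid=901 auid=1000 uid=0 comm="bash" exe="/usr/bin/bash"
type=PATH msg=audit(1700000000.101:501): item=0 name="/var/log/auth.log" inode=1234 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=257 success=yes a0=ffffff9c a1=55d0 a2=0 a3=0 pid=902 auid=1000 uid=1000 comm="tail" exe="/usr/bin/tail"
type=PATH msg=audit(1700000000.202:502): item=0 name="/var/log/auth.log" inode=1234 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=87 success=yes a0=55d0 a1=0 a2=0 a3=0 pid=903 auid=4294967295 uid=0 comm="logrotate" exe="/usr/sbin/logrotate"
type=PATH msg=audit(1700000000.303:503): item=1 name="/var/log/syslog.1" inode=1235 nametype=DELETE
"""
# Raw auditd records carry x86_64 syscall numbers; map them to the names the page's rule uses.
SYSCALL_NAMES = {"2": "open", "257": "openat", "76": "truncate", "77": "ftruncate", "87": "unlink", "263": "unlinkat"}
O_TRUNC = 0x200  # from <fcntl.h>; open() flags are in a1, openat() flags are in a2
LOG_DIRS = ("/var/log/", "/private/var/log/", "/Library/Logs/")
ROTATION_DAEMONS = ("logrotate", "rsyslog", "syslogd", "newsyslog")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_ID_RE = re.compile(r"msg=audit\(([\d.]+:\d+)\)")

def parse_audit(text):
    # Group raw lines by audit event id, then by record type (SYSCALL, PATH, ...).
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = MSG_ID_RE.search(line)
        if m:
            fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
            events[m.group(1)][fields["type"]].append(fields)
    return events
def classify(event):
    # ActionType as in the page's rule, or None if the event should not alert.
    sc = event["SYSCALL"][0] if event["SYSCALL"] else {}
    name = SYSCALL_NAMES.get(sc.get("syscall"), sc.get("syscall"))
    # PATH items with nametype=PARENT are the containing directory, not the file touched.
    paths = [p["name"] for p in event["PATH"] if p.get("nametype") != "PARENT" and p["name"].startswith(LOG_DIRS)]
    if not paths or any(d in sc.get("exe", "") for d in ROTATION_DAEMONS):
        return None
    if name in ("unlink", "unlinkat"):
        return "FileDeleted"
    if name in ("truncate", "ftruncate"):
        return "FileTruncated"
    if name in ("open", "openat"):
        flags = int(sc.get("a1" if name == "open" else "a2", "0"), 16)
        return "FileOpenTrunc" if flags & O_TRUNC else None  # plain reads of a log are not tampering
    return None

def detect(text):
    # (event_id, auid, exe, ActionType) for each event the rule would alert on
    return [(eid, ev["SYSCALL"][0]["auid"], ev["SYSCALL"][0]["exe"], a)
            for eid, ev in parse_audit(text).items() if (a := classify(ev))]
```

Events that truncate through ftruncate on an already-open descriptor produce no PATH record, so this path-based logic, like the query, sees them only if the earlier open was itself captured.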

Unlock Pro Content

Get the full detection package for T1070.002 including response playbook, investigation guide, and atomic red team tests.
