title: Clear Linux or Mac System Logs (T1070.002)
id: df00tech-t1070-002
status: experimental
description: "Adversaries clear system logs on Linux and macOS to remove evidence of intrusion. Primary targets include /var/log/auth.log or /var/log/secure (authentication), /var/log/syslog or /var/log/messages (general), /var/log/wtmp, /var/log/btmp and /var/log/lastlog (login records), and web server logs (/var/log/apache2/, /var/log/nginx/); on macOS the unified log store can additionally be wiped with log erase. Common methods include truncating files in place (echo > /var/log/auth.log, truncate -s 0), deleting them (rm /var/log/*.log, shred -u), or overwriting them with zeros (dd if=/dev/zero of=...). Note that truncation through a shell redirection is performed by the shell itself and never appears in an execve command line, so detections that rely only on process arguments miss it; file-level telemetry (an auditd watch on /var/log, EDR file events) is needed to cover that case. TeamTNT (crypto-mining), Rocke, Sea Turtle (DNS hijacking), Salt Typhoon (telecom espionage), UPSTYLE (backdoor deployed in PAN-OS firewall exploitation), and MacMa (macOS) have all cleared Linux/macOS logs post-compromise."
references:
  - https://attack.mitre.org/techniques/T1070/002/
  - https://df00tech.com/detections/T1070.002
author: df00tech
date: 2026/04/17
tags:
  - attack.t1070.002
# Command-line telemetry only: a redirection typed at an interactive shell (echo > /var/log/auth.log) never reaches
# execve, so pair this with file-level auditing (e.g. auditd -w /var/log -p wa). For macOS, copy with product: macos.
logsource:
  product: linux
  category: process_creation
detection:
  selection_tool:
    Image|endswith:
      - '/rm'
      - '/shred'
      - '/truncate'
    CommandLine|contains: '/var/log/'
  selection_shell:
    CommandLine|re: '((^|[^>])>|truncate\s+-s\s*0|dd\s+if=/dev/zero\s+of=)\s*/var/log/'
  condition: 1 of selection_*
falsepositives:
  - logrotate (Linux) and newsyslog (macOS, BSD) performing scheduled rotation; both rename and compress rather than zero the live file, except logrotate's copytruncate mode, which does truncate it in place
  - System administrators manually clearing logs after legitimate troubleshooting
  - Docker and other container cleanup removing application logs under /var/log
  - Security and monitoring agents that manage their own log files in /var/log
level: high
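As an added, runnable illustration (not part of the df00tech rule or its original page), the script below applies the two command-line selections a process_creation version of this rule would use (tool names rm/shred/truncate with /var/log/ in the arguments, and a shell-pattern regex for a single >, truncate -s 0 and dd if=/dev/zero) to constructed process-creation events, then shows the coverage gap those selections leave: a truncating open() or an unlink() recorded by an auditd watch on /var/log is caught by file-level logic even when no suspicious command line exists. All events and audit records are constructed for the example. The only kernel-ABI facts it relies on are the x86_64 syscall numbers (open 2, openat 257, truncate 76, unlink 87, unlinkat 263), O_TRUNC = 0x200, and the flag positions in the SYSCALL record (a1 for open, a2 for openat).

```python
import re

TOOL_IMAGES = ("/rm", "/shred", "/truncate")
# Shell pattern: a single '>' (not the '>>' append), truncate -s 0, or dd from /dev/zero,
# targeting anything under /var/log/.
SHELL_RE = re.compile(r"((^|[^>])>|truncate\s+-s\s*0|dd\s+if=/dev/zero\s+of=)\s*/var/log/")

# Constructed process-creation events (Sigma Image / CommandLine fields); not real telemetry.
PROCESS_EVENTS = [
    {"Image": "/usr/bin/rm", "CommandLine": "rm -f /var/log/auth.log /var/log/wtmp"},
    {"Image": "/usr/bin/shred", "CommandLine": "shred -u /var/log/btmp"},
    {"Image": "/bin/sh", "CommandLine": "sh -c 'echo > /var/log/auth.log'"},
    {"Image": "/bin/bash", "CommandLine": "bash -c 'dd if=/dev/zero of=/var/log/nginx/access.log'"},
    {"Image": "/usr/bin/truncate", "CommandLine": "truncate -s 0 /var/log/syslog"},
    # Benign: rotation by name, and an append (>>) that must not match.
    {"Image": "/usr/sbin/logrotate", "CommandLine": "logrotate /etc/logrotate.conf"},
    {"Image": "/bin/sh", "CommandLine": "sh -c 'echo done >> /var/log/deploy.log'"},
    # 'echo > /var/log/auth.log' typed at an interactive bash prompt: echo is a builtin and the
    # redirection is done by the shell, so at most a bare 'echo' execve is ever observed.
    {"Image": "/usr/bin/echo", "CommandLine": "echo"},
]


def match_cmdline(event):
    """Return the name of the command-line selection an event satisfies, or None."""
    image, cmd = event["Image"], event["CommandLine"]
    if image.endswith(TOOL_IMAGES) and "/var/log/" in cmd:
        return "selection_tool"
    if SHELL_RE.search(cmd):
        return "selection_shell"
    return None


# Constructed auditd output for a watch such as '-w /var/log -p wa -k logtamper'.
# Event 501: bash truncating auth.log via redirection; 502: rm deleting wtmp; 503: benign append.
AUDIT_RECORDS = [
    'type=SYSCALL msg=audit(1713340800.101:501): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1c0a0 a2=241 a3=1b6 items=2 ppid=4101 pid=4188 auid=1000 uid=0 comm="bash" exe="/usr/bin/bash" key="logtamper"',
    'type=PATH msg=audit(1713340800.101:501): item=0 name="/var/log/" inode=1000 dev=fd:01 mode=040755 nametype=PARENT',
    'type=PATH msg=audit(1713340800.101:501): item=1 name="/var/log/auth.log" inode=1234 dev=fd:01 mode=0100640 nametype=NORMAL',
    'type=SYSCALL msg=audit(1713340801.222:502): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55d1c1b0 a2=0 a3=0 items=2 ppid=4101 pid=4190 auid=1000 uid=0 comm="rm" exe="/usr/bin/rm" key="logtamper"',
    'type=PATH msg=audit(1713340801.222:502): item=1 name="/var/log/wtmp" inode=1235 dev=fd:01 mode=0100664 nametype=DELETE',
    'type=SYSCALL msg=audit(1713340802.333:503): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1c2c0 a2=441 a3=1b6 items=2 ppid=900 pid=4201 auid=1000 uid=1000 comm="deploy.sh" exe="/usr/bin/bash" key="logtamper"',
    'type=PATH msg=audit(1713340802.333:503): item=1 name="/var/log/deploy.log" inode=1236 dev=fd:01 mode=0100644 nametype=NORMAL',
]

MSG_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
O_TRUNC = 0x200  # flag value on x86_64
SYSCALLS_X86_64 = {2: "open", 257: "openat", 76: "truncate", 87: "unlink", 263: "unlinkat"}


def parse_audit(lines):
    """Group raw records by event serial: {serial: {'SYSCALL': fields, 'PATH': [fields, ...]}}."""
    events = {}
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        ev = events.setdefault(m.group(1), {"SYSCALL": None, "PATH": []})
        if fields.get("type") == "SYSCALL":
            ev["SYSCALL"] = fields
        elif fields.get("type") == "PATH":
            ev["PATH"].append(fields)
    return events


def detect_audit(lines):
    """Flag truncating opens, truncate(), and unlinks whose target lives under /var/log/."""
    hits = []
    for serial, ev in parse_audit(lines).items():
        sc = ev["SYSCALL"]
        if not sc:
            continue
        name = SYSCALLS_X86_64.get(int(sc["syscall"]))
        # Skip the PARENT record (the directory itself); keep the file the call acted on.
        targets = [p["name"] for p in ev["PATH"]
                   if p.get("nametype") != "PARENT" and p.get("name", "").startswith("/var/log/")]
        if not name or not targets:
            continue
        reason = None
        if name in ("open", "openat"):
            # open(path, flags, ...) carries flags in a1; openat(dfd, path, flags, ...) in a2.
            flags = int(sc["a1" if name == "open" else "a2"], 16)
            if flags & O_TRUNC:
                reason = "truncate-open"
        elif name == "truncate":
            reason = "truncate"
        else:  # unlink / unlinkat
            reason = "unlink"
        if reason:
            hits.append({"serial": serial, "reason": reason, "path": targets[-1],
                         "exe": sc.get("exe"), "auid": sc.get("auid")})
    return hits


if __name__ == "__main__":
    for e in PROCESS_EVENTS:
        print(f"{match_cmdline(e) or 'no match':16} {e['CommandLine']}")
    for h in detect_audit(AUDIT_RECORDS):
        print(f"audit {h['serial']}: {h['reason']} {h['path']} by {h['exe']} (auid {h['auid']})")
```

Run as-is to see that the bare `echo` event produces no match while audit event 501 is flagged as a truncating open by bash; the `auid` field is what lets an analyst attribute a root-shell truncation back to the login account even after wtmp has been removed.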
