MITRE ATT&CK Technique
Description
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the <code>/var/log/</code> directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs) * <code>/var/log/messages:</code>: General and system-related messages * <code>/var/log/secure</code> or <code>/var/log/auth.log</code>: Authentication logs * <code>/var/log/utmp</code> or <code>/var/log/wtmp</code>: Login records * <code>/var/log/kern.log</code>: Kernel logs * <code>/var/log/cron.log</code>: Crond logs * <code>/var/log/maillog</code>: Mail server logs * <code>/var/log/httpd/</code>: Web server access and error logs
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-01-28T17:11:54.034Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may clear system logs to hide evidence of an '
'intrusion. macOS and Linux both keep track of system or '
'user-initiated actions via system logs. The majority of '
'native system logging is stored under the '
'<code>/var/log/</code> directory. Subfolders in this '
'directory categorize logs by their related functions, such '
'as:(Citation: Linux Logs)\n'
'\n'
'* <code>/var/log/messages:</code>: General and system-related '
'messages\n'
'* <code>/var/log/secure</code> or '
'<code>/var/log/auth.log</code>: Authentication logs\n'
'* <code>/var/log/utmp</code> or <code>/var/log/wtmp</code>: '
'Login records\n'
'* <code>/var/log/kern.log</code>: Kernel logs\n'
'* <code>/var/log/cron.log</code>: Crond logs\n'
'* <code>/var/log/maillog</code>: Mail server logs\n'
'* <code>/var/log/httpd/</code>: Web server access and error '
'logs\n',
'external_references': [{'external_id': 'T1070.002',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1070/002'},
{'description': 'Marcel. (2018, April 19). 12 '
'Critical Linux Log Files You Must be '
'Monitoring. Retrieved March 29, '
'2020.',
'source_name': 'Linux Logs',
'url': 'https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/'}],
'id': 'attack-pattern--2bce5b30-7014-4a5d-ade7-12913fe6ac36',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-10-24T17:48:34.441Z',
'name': 'Clear Linux or Mac System Logs',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS'],
'x_mitre_version': '1.0'}