legitimate log rotation or administrative cleanup of system or audit logs.

Techniques

T1070

Sample rules

MacOS Log Removal

source: splunk
technicques:
- T1070

Description

Detects the deletion or modification of logs on MacOS systems by identifying execution of the rm command with command-line arguments referencing system.log or audit-related paths. Adversaries may remove or alter log files to cover their tracks and hinder detection and forensic analysis. This behavior commonly occurs during post-exploitation cleanup.

Detection logic


| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

from datamodel=Endpoint.Processes where

Processes.process = "*system.log*"
AND
(
    (Processes.process = "*rm *")
    OR
    (
        Processes.process = "*audit*"
        Processes.process = "* -s *"
    )
)

by Processes.dest Processes.original_file_name Processes.parent_process_id
   Processes.process Processes.process_exec Processes.process_guid
   Processes.process_hash Processes.process_id
   Processes.process_current_directory Processes.process_name
   Processes.process_path Processes.user
   Processes.user_id Processes.vendor_product


| `drop_dm_object_name(Processes)`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `macos_log_removal_filter`