MITRE ATT&CK - Technique Clear Linux or Mac System Logs

Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Наш канал

Indicator Removal: Clear Linux or Mac System Logs

Other sub-techniques of Indicator Removal (9)

ID	Name
.001	Clear Windows Event Logs
.002	Clear Linux or Mac System Logs
.003	Clear Command History
.004	File Deletion
.005	Network Share Connection Removal
.006	Timestomp
.007	Clear Network Connection History and Configurations
.008	Clear Mailbox Data
.009	Clear Persistence

Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs) * /var/log/messages:: General and system-related messages * /var/log/secure or /var/log/auth.log: Authentication logs * /var/log/utmp or /var/log/wtmp: Login records * /var/log/kern.log: Kernel logs * /var/log/cron.log: Crond logs * /var/log/maillog: Mail server logs * /var/log/httpd/: Web server access and error logs

ID: T1070.002

Sub-technique of: T1070

Tactic(s): Defense Evasion

Platforms: Linux, macOS

Data Sources: Command: Command Execution, File: File Deletion, File: File Modification

Version: 1.0

Created: 28 Jan 2020

Last Modified: 29 Mar 2020

Name	Description
Procedure Examples
MacMa	MacMa can clear possible malware traces such as application logs.(Citation: ESET DazzleSpy Jan 2022)
TeamTNT	TeamTNT has removed system logs from `/var/log/syslog`.(Citation: Aqua TeamTNT August 2020)
Rocke	Rocke has cleared log files within the /var/log/ folder.(Citation: Anomali Rocke March 2019)
Proton	Proton removes logs from `/var/logs` and `/Library/logs`.(Citation: objsee mac malware 2017)

Mitigation	Description
Mitigations
Remote Data Storage	Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.
Indicator Removal on Host Mitigation	Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
Restrict File and Directory Permissions	Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
Encrypt Sensitive Information	Protect sensitive information with strong encryption.

Detection

File system monitoring may be used to detect improper deletion or modification of indicator files. Also monitor for suspicious processes interacting with log files.

References

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.