Adversaries may clear Linux logs to erase evidence of their presence and obfuscate their activities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential log tampering and uncover hidden intrusion attempts.
Detection Rule
title: Clear Linux Logs
id: 80915f59-9b56-4616-9de0-fd0dea6c12fe
status: stable
description: Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
author: Ömer Günal, oscd.community
date: 2020-10-07
modified: 2022-09-15
tags:
    - attack.defense-evasion
    - attack.t1070.002
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/rm' # note: an endswith match on '/rm' does not cover /rmdir
            - '/shred'
            - '/unlink'
        CommandLine|contains:
            - '/var/log'
            - '/var/spool/mail'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
imProcessCreate
| where (TargetProcessName endswith "/rm" or TargetProcessName endswith "/shred" or TargetProcessName endswith "/unlink")
    and (TargetProcessCommandLine contains "/var/log" or TargetProcessCommandLine contains "/var/spool/mail")
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Log rotation via logrotate | System administrators use logrotate to manage and rotate log files as part of routine maintenance. | Check for the presence of /etc/logrotate.d/ or logrotate configuration files, or filter by process name logrotate. |
| Scheduled log cleanup via cron | A legitimate scheduled job (e.g., a cron job) is configured to clean up old log files to save disk space. | Filter by cron process or check for crontab entries with known cleanup tasks. |
| Log clearing by a system admin via journalctl | An admin uses journalctl --vacuum-time or --vacuum-size to clear old journal logs as part of system maintenance. | Filter by process name journalctl and check for known admin user accounts or specific command-line arguments. |
| Log clearing via truncate for log file management | An admin uses truncate to reset log file sizes (e.g., /var/log/syslog) to prevent disk space exhaustion. | Filter by command truncate and check for known admin users or system maintenance scripts. |
| Log clearing via syslog-ng or rsyslog configuration | A system uses syslog-ng or rsyslog to manage log files, which may include clearing logs as part of its configuration. | Filter by process names syslog-ng or rsyslog, or check for known log management configurations. |
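The following hunting query is an added example, not from the original page or the Sigma rule's author: it keeps the rm/shred/unlink and /var/log logic of the query above and applies the logrotate and cron exclusions from the scenarios table using the ASIM ProcessEvent parent-process and user fields (ActingProcessName, ActorUsername, DvcHostname). The service-account name and the parent allow-list are assumed placeholders to be tuned per environment.

```kusto
// Added hunting variant of the page's query, not the original page's or the rule author's code.
// Same tool + log-path logic, plus the logrotate/cron exclusions from the scenarios table.
let lookback = 7d;
imProcessCreate
| where TimeGenerated > ago(lookback)
| where TargetProcessName endswith "/rm"
     or TargetProcessName endswith "/shred"
     or TargetProcessName endswith "/unlink"
| where TargetProcessCommandLine contains "/var/log"
     or TargetProcessCommandLine contains "/var/spool/mail"
// Basename of the parent (ASIM ActingProcessName) and of the tool, so exclusions are exact matches
| extend ParentBase = extract(@"([^/]+)$", 1, ActingProcessName),
         TargetBase = extract(@"([^/]+)$", 1, TargetProcessName)
// Scenario exclusions: log rotation and scheduled cleanup spawned by cron.
// "logrotate-svc" is a placeholder account name; replace with your own allow-list.
| where not(ParentBase in ("logrotate", "cron", "crond", "anacron"))
| where not(ActorUsername in ("logrotate-svc"))
// Recursive or wildcard deletes of the log tree are the stronger tamper signal
| extend WipeScope = iff(TargetProcessCommandLine matches regex @"(\s-[a-zA-Z]*[rR]|--recursive|\*)",
                         "bulk", "targeted")
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Commands = make_set(TargetProcessCommandLine, 10)
         by DvcHostname, ActorUsername, ParentBase, TargetBase, WipeScope
| order by WipeScope asc, Events desc
```

Run it once without the two exclusion lines to confirm the allow-list only removes the maintenance jobs you expect; a deletion under /var/log spawned by cron from an unexpected user should still surface.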