Adversaries may delete or alter generated event files on a host system, including potentially captured files such as quarantined malware. This may compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to a lack of sufficient data to determine what occurred.

Detection: File system monitoring may be used to detect improper deletion or modification of indicator files. Events not stored as ordinary files (for example, Windows event log entries, which are cleared through the Event Log service rather than by deleting the .evtx file) will require different detection mechanisms, such as monitoring the command lines of the utilities used to clear them or the records the logging service itself writes when a log is cleared.
Platforms: Linux, macOS, Windows
Data Sources: File monitoring, Process command-line parameters, Process monitoring
Defense Bypassed: Anti-virus, Log analysis, Host intrusion prevention systems
Clear Windows Event Logs
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
log_name | Windows Log Name, ex System | String | System |
wevtutil cl #{log_name}
fsutil usn manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. Deleting the journal (the /D flag below; it requires administrative privileges) destroys a record that forensic tools rely on to reconstruct file creation, modification and deletion on that volume.
Supported Platforms: Windows
fsutil usn deletejournal /D C:
Delete system and audit logs
Supported Platforms: macOS, Linux
The paths below are macOS paths (/var is a symlink to /private/var on macOS); on Linux the equivalent targets are /var/log and, where auditd is installed, /var/log/audit. On macOS 10.12 and later most system messages are written to the unified log under /private/var/db/diagnostics rather than to system.log, so removing system.log alone does not remove them.
rm -rf /private/var/log/system.log*
rm -rf /private/var/audit/*
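The detection paragraph above names file system monitoring and process command-line monitoring as data sources. The Python below is an added example, not part of the original page or of the tests it lists: it runs that logic over constructed process-creation records covering the three procedures on this page (wevtutil cl, fsutil usn deletejournal, rm against the log directories) and, for the case where the evidence is not a file deletion, over constructed Windows event records, looking for the Event ID 1102 (Security) and 104 (System) "log cleared" entries that the Windows Event Log service writes on its own. The host names, user names, the Linux log paths, and the PowerShell Clear-EventLog check (the cmdlet with the same effect as wevtutil cl) are assumptions that go beyond the page's own commands.

```python
"""Detect host log tampering from process command lines and Windows event records.
Added example with constructed sample data; not taken from the original page."""
import ntpath
import posixpath
import shlex

# Directories the macOS test on the page deletes from, plus the usual Linux
# locations (/var/log, /var/log/audit); the Linux entries are an assumption.
UNIX_LOG_PREFIXES = ("/private/var/log/", "/private/var/audit/", "/var/log/", "/var/audit/")

# Windows writes its own record when a log is cleared: ID 1102 in Security
# ("The audit log was cleared") and ID 104 in System ("... log file was cleared"),
# both from provider Microsoft-Windows-Eventlog. wevtutil cl and Clear-EventLog
# both leave these behind; they are the place to look once the log is gone.
LOG_CLEARED_EVENTS = {("security", 1102), ("system", 104)}


def _tokens(cmdline, os_name):
    """Split a command line; on Windows, backslashes are path separators, not escapes."""
    try:
        return shlex.split(cmdline, posix=(os_name != "windows"))
    except ValueError:  # unbalanced quotes: degrade to a plain whitespace split
        return cmdline.split()


def _exe_name(token, os_name):
    """Lower-cased file name of the executable, without directory or surrounding quotes."""
    mod = ntpath if os_name == "windows" else posixpath
    return mod.basename(token.strip('"')).lower()


def classify_cmdline(cmdline, os_name):
    """Return a tag naming the log-tampering pattern, or None for a benign command."""
    toks = _tokens(cmdline, os_name)
    if not toks:
        return None
    exe = _exe_name(toks[0], os_name)
    args = [t.strip('"').lower() for t in toks[1:]]
    if os_name == "windows":
        if exe in ("wevtutil", "wevtutil.exe") and args and args[0] in ("cl", "clear-log"):
            return "wevtutil_clear_log"          # first test on the page
        if exe in ("fsutil", "fsutil.exe") and args[:2] == ["usn", "deletejournal"]:
            return "usn_journal_deleted"         # second test on the page
        if "clear-eventlog" in cmdline.lower():  # PowerShell cmdlet with the same effect (assumed)
            return "powershell_clear_eventlog"
        return None
    if exe in ("rm", "unlink", "shred"):
        for arg in args:
            if arg.startswith("-"):              # skip flags such as -rf
                continue
            if any(arg.startswith(p) or arg + "/" == p for p in UNIX_LOG_PREFIXES):
                return "unix_log_deleted"        # third test on the page
    return None


def scan_process_events(events):
    """Return (host, user, tag, cmdline) for every process event that matches a pattern."""
    hits = []
    for ev in events:
        tag = classify_cmdline(ev["cmdline"], ev["os"])
        if tag:
            hits.append((ev["host"], ev["user"], tag, ev["cmdline"]))
    return hits


def find_log_cleared_events(records):
    """Return (channel, event_id, user) for each Windows 'log cleared' record."""
    return [
        (r["channel"], r["event_id"], r["user"])
        for r in records
        if (r["channel"].lower(), r["event_id"]) in LOG_CLEARED_EVENTS
        and r["provider"].lower() == "microsoft-windows-eventlog"
    ]


# Constructed process-creation telemetry (hosts, users and command lines are made up).
SAMPLE_PROCESS_EVENTS = [
    {"host": "ws01", "os": "windows", "user": "CORP\\alice", "cmdline": "wevtutil cl Security"},
    {"host": "ws01", "os": "windows", "user": "CORP\\alice", "cmdline": "wevtutil qe System /c:5"},
    {"host": "ws02", "os": "windows", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": r"C:\Windows\System32\fsutil.exe usn deletejournal /D C:"},
    {"host": "ws02", "os": "windows", "user": "CORP\\bob", "cmdline": "fsutil usn queryjournal C:"},
    {"host": "ws01", "os": "windows", "user": "CORP\\alice",
     "cmdline": 'powershell -c "Clear-EventLog -LogName System"'},
    {"host": "mac01", "os": "macos", "user": "root",
     "cmdline": "rm -rf /private/var/log/system.log* /private/var/audit/"},
    {"host": "lnx01", "os": "linux", "user": "root", "cmdline": "rm -f /var/log/audit/audit.log"},
    {"host": "lnx01", "os": "linux", "user": "deploy", "cmdline": "rm -rf /tmp/build"},
]

# Constructed Windows event records, normalised the way a collector might emit them.
SAMPLE_WINDOWS_EVENTS = [
    {"channel": "Security", "event_id": 1102, "provider": "Microsoft-Windows-Eventlog", "user": "CORP\\alice"},
    {"channel": "Security", "event_id": 4624, "provider": "Microsoft-Windows-Security-Auditing", "user": "CORP\\alice"},
    {"channel": "System", "event_id": 104, "provider": "Microsoft-Windows-Eventlog", "user": "CORP\\alice"},
    {"channel": "System", "event_id": 7036, "provider": "Service Control Manager", "user": "SYSTEM"},
]

if __name__ == "__main__":
    for hit in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print("process:", hit)
    for hit in find_log_cleared_events(SAMPLE_WINDOWS_EVENTS):
        print("log cleared:", hit)
```

The two halves are complementary: the command-line rules fire at the moment the tool runs and also catch the USN journal deletion and the Unix rm, which produce no "log cleared" event; the 1102/104 rules catch event-log clearing even when the clearing process was not captured (for example, a direct API call), and they survive the clearing because the service writes them after the log is emptied. Tokenising per platform matters because shlex in POSIX mode would treat the backslashes in a Windows path as escape characters and mangle the executable name.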