T1070 - Indicator Removal on Host
Adversaries may delete or alter generated artifacts on a host system, including logs and potentially captured files such as quarantined malware. Locations and format of logs will vary, but typical organic system logs are captured as Windows events or Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1139) and /var/log/* .
Actions that interfere with eventing and other notifications that can be used to detect intrusion activity may compromise the integrity of security solutions, causing events to go unreported. They may also make forensic analysis and incident response more difficult due to lack of sufficient data to determine what occurred.
How to Detect
Simulating the attack
rm -rf /var/log/*
Data sources required to detect the attack
Splunk Queries to detect the attack
index=linux sourcetype=linux_audit syscall=263 | table host,auid,uid,euid,exe,key
index=linux sourcetype=linux_audit type=PATH name=*.log nametype=delete
-a always,exit -F arch=b64 -F PATH=/var/log -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete_logs
index=linux sourcetype="bash_history" rm * .log | table host, user_name, bash_command