Linux Logs Clearing Attempts
Detects log-clearing attempts on Linux systems via utilities such as 'rm', 'rmdir', 'shred', and 'unlink' targeting log files and directories under /var/log and /var/spool/mail. Adversaries often delete or overwrite logs to cover their tracks after malicious activity.
Sigma rule
```yaml
title: Linux Logs Clearing Attempts
id: 80915f59-9b56-4616-9de0-fd0dea6c12fe
status: stable
description: |
    Detects logs clearing attempts on Linux systems via utilities such as 'rm', 'rmdir', 'shred', and 'unlink' targeting log files and directories.
    Adversaries often try to clear logs to cover their tracks after performing malicious activities.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
author: Ömer Günal, oscd.community
date: 2020-10-07
modified: 2026-03-18
tags:
    - attack.defense-impairment
    - attack.t1685.006
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/rm'
            - '/rmdir' # not covered by '/rm': endswith compares the whole suffix, so rmdir needs its own entry
            - '/shred'
            - '/unlink'
        CommandLine|contains:
            - '/var/log'
            - '/var/spool/mail'
    filter_main_legit_systat:
        Image|endswith: '/rm'
        CommandLine|startswith: 'rm -f /var/log/sysstat/'
    filter_main_dmesg:
        Image|endswith: '/rm'
        CommandLine|startswith: 'rm -f -- /var/log//dmesg' # the double slash before dmesg is intentional, not a typo
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate administration activities
level: medium
```
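To see how the selection and the two exclusion filters combine, here is the rule's matching logic evaluated over a handful of process-creation events. This is an added example, not code from the Sigma rule or from SigmaHQ: the `RULE` dict mirrors the YAML above, the events are constructed records (not real telemetry) using the same `Image` and `CommandLine` field names the rule uses, and the matcher assumes Sigma's default case-insensitive string comparison for the `endswith`, `startswith` and `contains` modifiers.

```python
"""Evaluate the 'Linux Logs Clearing Attempts' Sigma logic over constructed events.

Added example, not part of the Sigma rule or SigmaHQ. RULE mirrors the YAML on
this page; EVENTS are constructed process_creation records, not real telemetry.
"""

# Rule logic mirrored from the YAML above. Values listed under one field are
# OR-ed; fields inside one search identifier are AND-ed; comparisons are
# case-insensitive (Sigma default, assumed here).
RULE = {
    "selection": {
        "Image|endswith": ["/rm", "/rmdir", "/shred", "/unlink"],
        "CommandLine|contains": ["/var/log", "/var/spool/mail"],
    },
    "filter_main_legit_systat": {
        "Image|endswith": ["/rm"],
        "CommandLine|startswith": ["rm -f /var/log/sysstat/"],
    },
    "filter_main_dmesg": {
        "Image|endswith": ["/rm"],
        "CommandLine|startswith": ["rm -f -- /var/log//dmesg"],
    },
}


def _field_matches(event, spec, values):
    """True if event[field] satisfies 'field|modifier' for any listed value."""
    field, _, modifier = spec.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in values:
        value = value.lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and actual == value:
            return True
    return False


def _block_matches(event, block):
    """All field/modifier entries of one search identifier must hold."""
    return all(_field_matches(event, spec, vals) for spec, vals in block.items())


def matches(event):
    """condition: selection and not 1 of filter_main_*"""
    if not _block_matches(event, RULE["selection"]):
        return False
    filters = [b for name, b in RULE.items() if name.startswith("filter_main_")]
    return not any(_block_matches(event, f) for f in filters)


# Constructed process_creation events (field names as used by the rule).
EVENTS = [
    {"Image": "/usr/bin/rm", "CommandLine": "rm -rf /var/log/auth.log /var/log/syslog"},
    {"Image": "/usr/bin/shred", "CommandLine": "shred -u /var/log/wtmp"},
    {"Image": "/usr/bin/rmdir", "CommandLine": "rmdir /var/log/old"},
    {"Image": "/usr/bin/rm", "CommandLine": "rm -f /var/log/sysstat/sa01"},  # excluded by sysstat filter
    {"Image": "/usr/bin/rm", "CommandLine": "rm -f -- /var/log//dmesg.0"},  # excluded by dmesg filter
    {"Image": "/usr/bin/rm", "CommandLine": "rm -rf /tmp/build"},  # no log path: no match
    {"Image": "/usr/bin/cat", "CommandLine": "cat /var/log/syslog"},  # wrong binary: no match
]


def alerts(events=EVENTS):
    """Return the command lines of the events the rule would fire on."""
    return [e["CommandLine"] for e in events if matches(e)]


if __name__ == "__main__":
    for cmd in alerts():
        print("ALERT:", cmd)
```

The `rmdir` event only fires because `/rmdir` is listed explicitly: `endswith '/rm'` compares the whole suffix, so `/usr/bin/rmdir` would otherwise slip through. Both filtered events still match the selection; it is the `not 1 of filter_main_*` clause that suppresses them, which is also why loosening a filter prefix widens the blind spot.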
Related rules
- Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
- Indicator Removal on Host - Clear Mac System Logs
- Syslog Clearing or Removal Via System Utilities
- A Rule Has Been Deleted From The Windows Firewall Exception List
- AD Object WriteDAC Access