medium advisory

Linux Log Clearing Attempts via Common Utilities

Adversaries attempt to clear Linux system logs using utilities like rm, rmdir, shred, and unlink to conceal malicious activity and evade detection.

Attackers often remove or modify system logs to hide their actions and hinder forensic investigations. This activity involves the use of common Linux utilities to delete or overwrite log files, making it difficult to trace the attacker’s entry point, lateral movement, and actions performed on the system. Log clearing is a common post-exploitation technique used by a wide range of threat actors across various campaigns. This brief focuses on detecting the usage of common utilities like rm

Detection coverage (3 rules)

Detect Log Clearing via rm Utility

medium

Detects log clearing attempts using the 'rm' command targeting common log directories.

Sigma rule. Tactics: defense-evasion. Techniques: T1070.002. Sources: process_creation, linux.

Detect Log Clearing via shred Utility

medium

Detects log clearing attempts using the 'shred' command to overwrite log files.

Sigma rule. Tactics: defense-evasion. Techniques: T1070.002. Sources: process_creation, linux.

Detect Log Clearing via unlink Utility

medium

Detects log clearing attempts using the 'unlink' command to remove log files.

Sigma rule. Tactics: defense-evasion. Techniques: T1070.002. Sources: process_creation, linux.

Detection queries are kept inside the platform.
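The platform's own queries are not on this page, so the following is an added illustration, not the vendor's rules: a small Python matcher that applies the three detection ideas above (rm, shred and unlink aimed at log files) to Linux process_creation events. Field names follow the Sigma process_creation convention (Image, CommandLine, CurrentDirectory, ParentImage), the list of log paths is an assumption, and the sample events are constructed. It goes one step beyond a plain command-line substring match by resolving relative arguments against CurrentDirectory, so `cd /var/log && unlink lastlog` is still caught.

```python
"""Flag log-clearing attempts (ATT&CK T1070.002) in Linux process_creation events.

Added example, not the platform's detection content. Event field names follow
the Sigma process_creation convention; log paths and sample events are assumed
or constructed for the demonstration.
"""
import os
import shlex
from typing import Dict, List, Optional

# Assumed set of log locations the rules care about (not taken from the page).
LOG_DIRS = ("/var/log/",)
LOG_FILES = (
    "/var/log/wtmp", "/var/log/btmp", "/var/log/lastlog",
    "/var/log/auth.log", "/var/log/secure", "/var/log/syslog",
    "/var/log/messages", "/var/log/audit/audit.log",
)

# Executable basename -> rule name, mirroring the three entries on the page.
RULES = {
    "rm": "Detect Log Clearing via rm Utility",
    "shred": "Detect Log Clearing via shred Utility",
    "unlink": "Detect Log Clearing via unlink Utility",
}


def _resolve(arg: str, cwd: str) -> str:
    """Make an argument absolute using the process's CurrentDirectory."""
    path = arg if os.path.isabs(arg) else os.path.join(cwd or "/", arg)
    return os.path.normpath(path)


def _targets_logs(path: str) -> bool:
    """True when an absolute path is a known log file, a log directory, or inside one.

    A shell wildcard such as /var/log/* survives normpath unchanged, so the
    prefix test still matches it.
    """
    if path in LOG_FILES:
        return True
    return any(path.startswith(d) or path + "/" == d for d in LOG_DIRS)


def match_event(event: Dict[str, str]) -> Optional[str]:
    """Return the name of the rule this event matches, or None."""
    rule = RULES.get(os.path.basename(event.get("Image", "")))
    if rule is None:
        return None  # not one of the utilities we watch
    cmdline = event.get("CommandLine", "")
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in telemetry; fall back to whitespace split
        argv = cmdline.split()
    cwd = event.get("CurrentDirectory", "/")
    # argv[0] is the program itself; dash-prefixed tokens are options, the rest are paths.
    for arg in argv[1:]:
        if arg.startswith("-"):
            continue
        if _targets_logs(_resolve(arg, cwd)):
            return rule
    return None


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every event through match_event and collect the hits."""
    hits = []
    for event in events:
        rule = match_event(event)
        if rule:
            hits.append({"rule": rule, "technique": "T1070.002",
                         "command": event.get("CommandLine", "")})
    return hits


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": "/usr/bin/rm", "CommandLine": "rm -rf /var/log/auth.log /var/log/secure",
     "CurrentDirectory": "/root", "ParentImage": "/bin/bash"},
    {"Image": "/usr/bin/shred", "CommandLine": "shred -zu -n 3 /var/log/wtmp",
     "CurrentDirectory": "/root", "ParentImage": "/bin/bash"},
    {"Image": "/usr/bin/unlink", "CommandLine": "unlink lastlog",          # relative path
     "CurrentDirectory": "/var/log", "ParentImage": "/bin/sh"},
    {"Image": "/usr/bin/rm", "CommandLine": "rm -f /tmp/build.lock",       # benign delete
     "CurrentDirectory": "/home/dev", "ParentImage": "/bin/bash"},
    {"Image": "/usr/bin/cat", "CommandLine": "cat /var/log/syslog",        # reads, not clears
     "CurrentDirectory": "/root", "ParentImage": "/bin/bash"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{hit['technique']}] {hit['rule']}: {hit['command']}")
```

Run as a script and the first three sample events are reported, the benign rm and the read-only cat are not. When adapting this to real telemetry, keep in mind that process_creation only shows what was passed on the command line: a shell that expands `/var/log/*` hands the utility the expanded file list, which this matcher still catches, but deletions performed by a program through the unlink syscall directly never appear as an rm, shred or unlink process and need file-activity or audit-log sources instead.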