T1685.006 - Clear Linux or Mac System Logs
Sub-technique
Tactics:
Defense Impairment
Defense Impairment
Platforms:
Linux macOS
Linux macOS
Detection:
Not specified
Not specified
Description:
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the `/var/log/` directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
* `/var/log/messages:`: General and system-related messages
* `/var/log/secure or /var/log/auth.log`: Authentication logs
* `/var/log/utmp or /var/log/wtmp`: Login records
* `/var/log/kern.log`: Kernel logs
* `/var/log/cron.log`: Crond logs
* `/var/log/maillog`: Mail server logs
* `/var/log/httpd/`: Web server access and error logs
* `/var/log/messages:`: General and system-related messages
* `/var/log/secure or /var/log/auth.log`: Authentication logs
* `/var/log/utmp or /var/log/wtmp`: Login records
* `/var/log/kern.log`: Kernel logs
* `/var/log/cron.log`: Crond logs
* `/var/log/maillog`: Mail server logs
* `/var/log/httpd/`: Web server access and error logs
Used by Actors (4)
Malware (4)
Metadata
| MITRE ID: | T1685.006 |
| STIX ID: | attack-pattern--5e29d64d-2b14-... |
| Platforms: | Linux, macOS |
| Created: | 28/04/2026 16:00 |
| Updated: | 01/05/2026 16:00 |