T1685.006: Clear Linux or Mac System Logs
Essential information
- MITRE technique ID: T1685.006
- Confidence: 75/100
- Revoked: No
- Published: 04/05/2026 16:32
- Modified: 04/05/2026 16:32
- Author / Source: The MITRE Corporation
Platforms
macos linux
Description
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the `/var/log/` directory. Subfolders and files in this directory categorize logs by their related functions, such as: (Citation: Linux Logs)
* `/var/log/messages`: General and system-related messages
* `/var/log/secure or /var/log/auth.log`: Authentication logs
* `/var/log/utmp or /var/log/wtmp`: Login records
* `/var/log/kern.log`: Kernel logs
* `/var/log/cron.log`: Crond logs
* `/var/log/maillog`: Mail server logs
* `/var/log/httpd/`: Web server access and error logs
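The log locations above are the obvious places to look for the traces of this technique: a file that was deleted outright or truncated to zero bytes. The POSIX shell function below is an added illustration and is not part of the MITRE record; it walks the same list of files, treats the distro-specific alternatives (`secure` vs `auth.log`, `utmp` vs `wtmp`) as a pair of which one is expected, and counts entries that are missing or empty. The directory argument, the pairing of alternatives and the sample directory in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the MITRE record): audit a log directory for the two
# simplest signs of log clearing, an expected log that is absent and one that
# is present but zero bytes. Findings go to stderr; the count goes to stdout.
#
# Usage:  . ./audit_logs.sh; audit_log_dir /var/log
# A non-zero count is a prompt to investigate, not proof of tampering:
# cron.log and maillog legitimately do not exist on many hosts.

audit_log_dir() {
    root="${1:-/var/log}"          # directory to audit, default /var/log
    count=0
    # Each spec is a space-separated set of alternatives; at least one member
    # of the set is expected to exist (assumption: secure/auth.log and
    # utmp/wtmp are distribution-dependent names for the same purpose).
    for spec in messages "secure auth.log" "utmp wtmp" kern.log cron.log maillog; do
        found=""
        for rel in $spec; do
            if [ -e "$root/$rel" ]; then
                found="$root/$rel"
            fi
        done
        if [ -z "$found" ]; then
            # No member of the set exists: deleted, or never configured here.
            printf 'MISSING  %s/{%s}\n' "$root" "$(printf '%s' "$spec" | tr ' ' ',')" >&2
            count=$((count + 1))
        elif [ ! -s "$found" ]; then
            # Exists but is empty: consistent with truncation (e.g. '> file').
            printf 'EMPTY    %s\n' "$found" >&2
            count=$((count + 1))
        fi
    done
    printf '%s\n' "$count"
}
```

Run it against a copy of `/var/log` taken by a forensic collection, or on the live host with read access to `/var/log`; compare the count against a baseline taken when the host was known-good, since an empty `kern.log` that was also empty last week is noise rather than a finding.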
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-impairment |
| mitre-attack-v19 | defense-impairment |
Marking (TLP)
Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.