diff --git a/Mac/Defense_Evasion/Indicator_Removal_On_Host.md b/Mac/Defense_Evasion/Indicator_Removal_On_Host.md new file mode 100644 index 00000000..3a2e917b --- /dev/null +++ b/Mac/Defense_Evasion/Indicator_Removal_On_Host.md @@ -0,0 +1,9 @@ +# Indicator Removal on Host + +MITRE ATT&CK Technique: [T1070](https://attack.mitre.org/wiki/Technique/T1070) + +### Delete System Logs + rm -rf /private/var/log/system.log* + +### Delete BSM Audit Logs + rm -rf /private/var/audit/* diff --git a/Mac/README.md b/Mac/README.md index 7d9223d1..686f830c 100644 --- a/Mac/README.md +++ b/Mac/README.md @@ -15,7 +15,7 @@ | Logon Scripts | | [Hidden Users](Defense_Evasion/Hidden_Users.md) | Private Keys | System Network Configuration Discovery | | | | | Multiband Communication | | Plist Modification | | Hidden Window | Securityd Memory | System Network Connections Discovery | | | | | Multilayer Encryption | | Rc.common | | Indicator Removal from Tools | Two-Factor Authentication Interception | System Owner/User Discovery | | | | | Remote File Copy | -| Re-opened Applications | | Indicator Removal on Host | | | | | | | Standard Application Layer Protocol | +| Re-opened Applications | | [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_On_Host) | | | | | | | Standard Application Layer Protocol | | Redundant Access | | LC_MAIN Hijacking | | | | | | | Standard Cryptographic Protocol | | Startup Items | | Launchctl | | | | | | | Standard Non-Application Layer Protocol | | Trap | | Masquerading | | | | | | | Uncommonly Used Port |
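Review bot: In the new Indicator_Removal_On_Host.md, the two command lines under "Delete System Logs" and "Delete BSM Audit Logs" are indented by a single space, which Markdown renders as ordinary paragraph text rather than code; indent them four spaces or wrap each in a fenced block (e.g. ```` ```sh ````) so they render like the other command snippets. It would also help readers on the defensive side if the page noted that the unlink events under /private/var/log/system.log* and /private/var/audit/* are themselves observable (file-deletion auditing, log-forwarding gaps), since that is the point a detection engineer reading a T1070 entry will look for.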
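Review bot: In the Mac/README.md hunk, the new link target `Defense_Evasion/Indicator_Removal_On_Host` omits the `.md` extension, unlike the neighbouring `[Hidden Users](Defense_Evasion/Hidden_Users.md)` in the same table row block; some renderers will not resolve the extensionless path, so change it to `[Indicator Removal on Host](Defense_Evasion/Indicator_Removal_On_Host.md)` for consistency with the rest of the table.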