From 5802bb2df8cf955d52bb0ef73330600b8b99b347 Mon Sep 17 00:00:00 2001 From: atmathis Date: Mon, 1 Jan 2018 17:07:42 -0500 Subject: [PATCH] Mac Indicator Removal on Host * Added Mac Defense Evasion / Indicator Removal on Host and updated Matrix --- Mac/Defense_Evasion/Indicator_Removal_On_Host.md | 9 +++++++++ Mac/README.md | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 Mac/Defense_Evasion/Indicator_Removal_On_Host.md diff --git a/Mac/Defense_Evasion/Indicator_Removal_On_Host.md b/Mac/Defense_Evasion/Indicator_Removal_On_Host.md new file mode 100644 index 00000000..3a2e917b --- /dev/null +++ b/Mac/Defense_Evasion/Indicator_Removal_On_Host.md @@ -0,0 +1,9 @@ +# Indicator Removal on Host + +MITRE ATT&CK Technique: [T1070](https://attack.mitre.org/wiki/Technique/T1070) + +### Delete System Logs + rm -rf /private/var/log/system.log* + +### Delete BSM Audit Logs + rm -rf /private/var/audit/* diff --git a/Mac/README.md b/Mac/README.md index 7d9223d1..686f830c 100644 --- a/Mac/README.md +++ b/Mac/README.md @@ -15,7 +15,7 @@ | Logon Scripts | | [Hidden Users](Defense_Evasion/Hidden_Users.md) | Private Keys | System Network Configuration Discovery | | | | | Multiband Communication | | Plist Modification | | Hidden Window | Securityd Memory | System Network Connections Discovery | | | | | Multilayer Encryption | | Rc.common | | Indicator Removal from Tools | Two-Factor Authentication Interception | System Owner/User Discovery | | | | | Remote File Copy | -| Re-opened Applications | | Indicator Removal on Host | | | | | | | Standard Application Layer Protocol | +| Re-opened Applications | | [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_On_Host) | | | | | | | Standard Application Layer Protocol | | Redundant Access | | LC_MAIN Hijacking | | | | | | | Standard Cryptographic Protocol | | Startup Items | | Launchctl | | | | | | | Standard Non-Application Layer Protocol | | Trap | | Masquerading | | | | | | | Uncommonly Used Port |
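Review bot: the new Mac/Defense_Evasion/Indicator_Removal_On_Host.md documents two destructive commands with no surrounding explanation, and its heading hierarchy jumps from `#` straight to `###` with no `##` level. Each `rm -rf` line should carry at least one sentence saying what evidence it destroys (the unified system log files under /private/var/log and the BSM audit trail under /private/var/audit) and, in keeping with a technique catalogue, a short detection or mitigation note, e.g. that these files going missing or being truncated is itself a signal defenders can alert on and that forwarding logs off-host removes the value of the technique. Consider also promoting the two subsections to `##` so the file matches a normal heading ladder.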
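Review bot: the new README link target `Defense_Evasion/Indicator_Removal_On_Host` omits the `.md` extension, unlike the neighbouring `[Hidden Users](Defense_Evasion/Hidden_Users.md)` entry in the same row and the path of the file this patch creates, so the link will not resolve to the new page. Change it to `[Indicator Removal on Host](Defense_Evasion/Indicator_Removal_On_Host.md)` to match the rest of the matrix.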