Generated docs from job=generate-docs branch=master [ci skip]

2023-03-22 22:32:09 +00:00
parent 517271c38f
commit a1aaef3294
13 changed files with 781 additions and 15 deletions
@@ -71,8 +71,20 @@ defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
 defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
-defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,2,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
-defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,3,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,2,Delete log files using built-in log utility,653d39cd-bae7-499a-898c-9fb96b8b5cd1,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,3,Truncate system log files via truncate utility,6290f8a8-8ee9-4661-b9cf-390031bf6973,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,4,Delete log files via cat utility by appending /dev/null or /dev/zero,c23bdb88-928d-493e-b46d-df2906a50941,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,5,System log file deletion via find utility,bc8eeb4a-cc3e-45ec-aa6e-41e973da2558,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,6,Overwrite macOS system log via echo utility,0208ea60-98f1-4e8c-8052-930dce8f742c,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,7,Real-time system log clearance/deletion,848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,8,Delete system log files via unlink utility,03013b4b-01db-437d-909b-1fdaa5010ee8,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,9,Delete system log files using shred utility,86f0e4d5-3ca7-45fb-829d-4eda32b232bb,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,10,Delete system log files using srm utility,b0768a5e-0f32-4e75-ae5b-d036edcf96b6,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,11,Delete system log files using OSAScript,810a465f-cd4f-47bc-b43e-d2de3b033ecc,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,12,Delete system log files using Applescript,e62f8694-cbc7-468f-862c-b10cd07e1757,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,13,Delete system journal logs via rm and journalctl utilities,ca50dd85-81ff-48ca-92e1-61f119cb1dcf,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,14,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,15,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
 defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,1,CheckIfInstallable method call,ffd9c807-d402-47d2-879d-f915cf2a3a94,powershell
 defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,2,InstallHelper method call,d43a5bde-ae28-4c55-a850-3f4c80573503,powershell
 defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,3,InstallUtil class constructor method call,9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93,powershell
@@ -22,8 +22,9 @@ defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Cachi
 defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
 defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
-defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,2,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
-defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,3,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,13,Delete system journal logs via rm and journalctl utilities,ca50dd85-81ff-48ca-92e1-61f119cb1dcf,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,14,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,15,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
@@ -16,6 +16,17 @@ defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Cachi
 defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
 defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,2,Delete log files using built-in log utility,653d39cd-bae7-499a-898c-9fb96b8b5cd1,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,3,Truncate system log files via truncate utility,6290f8a8-8ee9-4661-b9cf-390031bf6973,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,4,Delete log files via cat utility by appending /dev/null or /dev/zero,c23bdb88-928d-493e-b46d-df2906a50941,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,5,System log file deletion via find utility,bc8eeb4a-cc3e-45ec-aa6e-41e973da2558,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,6,Overwrite macOS system log via echo utility,0208ea60-98f1-4e8c-8052-930dce8f742c,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,7,Real-time system log clearance/deletion,848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,8,Delete system log files via unlink utility,03013b4b-01db-437d-909b-1fdaa5010ee8,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,9,Delete system log files using shred utility,86f0e4d5-3ca7-45fb-829d-4eda32b232bb,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,10,Delete system log files using srm utility,b0768a5e-0f32-4e75-ae5b-d036edcf96b6,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,11,Delete system log files using OSAScript,810a465f-cd4f-47bc-b43e-d2de3b033ecc,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,12,Delete system log files using Applescript,e62f8694-cbc7-468f-862c-b10cd07e1757,sh
 defense-evasion,T1553.001,Subvert Trust Controls: Gatekeeper Bypass,1,Gatekeeper Bypass,fb3d46c6-9480-4803-8d7d-ce676e1f1a9b,sh
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
@@ -108,8 +108,20 @@
  - Atomic Test #4: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
 - [T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
  - Atomic Test #1: rm -rf [macos, linux]
-  - Atomic Test #2: Overwrite Linux Mail Spool [linux]
-  - Atomic Test #3: Overwrite Linux Log [linux]
+  - Atomic Test #2: Delete log files using built-in log utility [macos]
+  - Atomic Test #3: Truncate system log files via truncate utility [macos]
+  - Atomic Test #4: Delete log files via cat utility by appending /dev/null or /dev/zero [macos]
+  - Atomic Test #5: System log file deletion via find utility [macos]
+  - Atomic Test #6: Overwrite macOS system log via echo utility [macos]
+  - Atomic Test #7: Real-time system log clearance/deletion [macos]
+  - Atomic Test #8: Delete system log files via unlink utility [macos]
+  - Atomic Test #9: Delete system log files using shred utility [macos]
+  - Atomic Test #10: Delete system log files using srm utility [macos]
+  - Atomic Test #11: Delete system log files using OSAScript [macos]
+  - Atomic Test #12: Delete system log files using Applescript [macos]
+  - Atomic Test #13: Delete system journal logs via rm and journalctl utilities [linux]
+  - Atomic Test #14: Overwrite Linux Mail Spool [linux]
+  - Atomic Test #15: Overwrite Linux Log [linux]
 - [T1218.004 Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md)
  - Atomic Test #1: CheckIfInstallable method call [windows]
  - Atomic Test #2: InstallHelper method call [windows]
@@ -36,8 +36,9 @@
  - Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
 - [T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
  - Atomic Test #1: rm -rf [macos, linux]
-  - Atomic Test #2: Overwrite Linux Mail Spool [linux]
-  - Atomic Test #3: Overwrite Linux Log [linux]
+  - Atomic Test #13: Delete system journal logs via rm and journalctl utilities [linux]
+  - Atomic Test #14: Overwrite Linux Mail Spool [linux]
+  - Atomic Test #15: Overwrite Linux Log [linux]
 - T1089 Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070.003 Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md)
  - Atomic Test #1: Clear Bash history (rm) [linux, macos]
@@ -32,6 +32,17 @@
  - Atomic Test #3: Detect Virtualization Environment (MacOS) [macos]
 - [T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
  - Atomic Test #1: rm -rf [macos, linux]
+  - Atomic Test #2: Delete log files using built-in log utility [macos]
+  - Atomic Test #3: Truncate system log files via truncate utility [macos]
+  - Atomic Test #4: Delete log files via cat utility by appending /dev/null or /dev/zero [macos]
+  - Atomic Test #5: System log file deletion via find utility [macos]
+  - Atomic Test #6: Overwrite macOS system log via echo utility [macos]
+  - Atomic Test #7: Real-time system log clearance/deletion [macos]
+  - Atomic Test #8: Delete system log files via unlink utility [macos]
+  - Atomic Test #9: Delete system log files using shred utility [macos]
+  - Atomic Test #10: Delete system log files using srm utility [macos]
+  - Atomic Test #11: Delete system log files using OSAScript [macos]
+  - Atomic Test #12: Delete system log files using Applescript [macos]
 - T1089 Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1553.001 Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md)
  - Atomic Test #1: Gatekeeper Bypass [macos]
@@ -4292,6 +4292,179 @@ defense-evasion:
          sudo rm -rf /private/var/audit/*
        name: sh
        elevation_required: true
+    - name: Delete log files using built-in log utility
+      auto_generated_guid: 653d39cd-bae7-499a-898c-9fb96b8b5cd1
+      description: 'This test deletes main log datastore, inflight log data, time-to-live
+        data(TTL), fault and error content
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: |
+          sudo log erase --all
+          sudo log erase --ttl #Deletes only time-to-live log content
+          sudo log erase --predicate 'subsystem == "com.apple.appstore"' #Deletes all logs related to the App Store, useful for clearing specific entries of the system log
+        name: sh
+        elevation_required: true
+    - name: Truncate system log files via truncate utility
+      auto_generated_guid: 6290f8a8-8ee9-4661-b9cf-390031bf6973
+      description: 'This test truncates the system log files using the truncate utility
+        with (-s 0 or --size=0) parameter which sets file size to zero, thus emptying
+        the file content
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: "sudo truncate -s 0 /var/log/system.log #size parameter shorthand\nsudo
+          truncate --size=0 /var/log/system.log #size parameter \n"
+        name: sh
+        elevation_required: true
+    - name: Delete log files via cat utility by appending /dev/null or /dev/zero
+      auto_generated_guid: c23bdb88-928d-493e-b46d-df2906a50941
+      description: 'The first sub-test truncates the log file to zero bytes via /dev/null
+        and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero,
+        using cat utility
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: |
+          sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes
+          sudo cat /dev/zero > /var/lol/system.log #log file filled with null bytes(zeros)
+        name: sh
+        elevation_required: true
+    - name: System log file deletion via find utility
+      auto_generated_guid: bc8eeb4a-cc3e-45ec-aa6e-41e973da2558
+      description: 'This test finds and deletes the system log files within /var/log/
+        directory using various executions(rm, shred, unlink)
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: |
+          sudo find /var/log -name 'system.log.*' -exec rm {} \; #using "rm" execution
+          sudo find /var/log/ -name "system.log.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
+          sudo find /var/log/ -name "system.log.*" -exec unlink {} \; #using "unlink" execution
+        name: sh
+        elevation_required: true
+    - name: Overwrite macOS system log via echo utility
+      auto_generated_guid: '0208ea60-98f1-4e8c-8052-930dce8f742c'
+      description: 'This test overwrites the contents of system log file with an empty
+        string using echo utility
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: 'sudo echo '''' > /var/log/system.log
+
+          '
+        name: sh
+        elevation_required: true
+    - name: Real-time system log clearance/deletion
+      auto_generated_guid: 848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c
+      description: 'This test reads real-time system log file and writes empty string
+        to it, thus clearing the log file without tampering with the logging process
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: 'sudo log -f /var/log/system.log | : > /var/log/system.log
+
+          '
+        name: sh
+        elevation_required: true
+    - name: Delete system log files via unlink utility
+      auto_generated_guid: 03013b4b-01db-437d-909b-1fdaa5010ee8
+      description: 'This test deletes the system log file using unlink utility
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: 'sudo unlink /var/log/system.log
+
+          '
+        name: sh
+        elevation_required: true
+    - name: Delete system log files using shred utility
+      auto_generated_guid: 86f0e4d5-3ca7-45fb-829d-4eda32b232bb
+      description: 'This test overwrites the contents of the log file with zero bytes(-z)
+        using three passes(-n 3) of data, and then delete the file(-u) securely
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: 'sudo shred -u -z -n 3 /var/log/system.log
+
+          '
+        name: sh
+        elevation_required: true
+    - name: Delete system log files using srm utility
+      auto_generated_guid: b0768a5e-0f32-4e75-ae5b-d036edcf96b6
+      description: |
+        This test securely deletes the system log files individually and recursively using the srm utility.
+        Install srm using Homebrew with the command: brew install khell/homebrew-srm/srm
+        Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
+      supported_platforms:
+      - macos
+      executor:
+        command: |
+          sudo srm /var/log/system.log #system log file deletion
+          sudo srm -r /var/log/ #recursive deletion of log files
+        name: sh
+        elevation_required: true
+    - name: Delete system log files using OSAScript
+      auto_generated_guid: 810a465f-cd4f-47bc-b43e-d2de3b033ecc
+      description: 'This test deletes the system log file using osascript via "do
+        shell script"(sh/bash by default) which in-turn spawns rm utility, requires
+        admin privileges
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: 'osascript -e ''do shell script "rm /var/log/system.log" with administrator
+          privileges''
+
+          '
+        name: sh
+        elevation_required: true
+    - name: Delete system log files using Applescript
+      auto_generated_guid: e62f8694-cbc7-468f-862c-b10cd07e1757
+      description: |
+        This test deletes the system log file using applescript using osascript via Finder application
+        Note: The user may be prompted to grant access to the Finder application before the command can be executed successfully as part of TCC(Transparency, Consent, and Control) Framework.
+        Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
+      supported_platforms:
+      - macos
+      executor:
+        command: 'osascript -e ''tell application "Finder" to delete POSIX file "/var/log/system.log"''
+
+          '
+        name: sh
+        elevation_required: true
+    - name: Delete system journal logs via rm and journalctl utilities
+      auto_generated_guid: ca50dd85-81ff-48ca-92e1-61f119cb1dcf
+      description: 'The first sub-test deletes the journal files using rm utility
+        in the "/var/log/journal/" directory and the second sub-test clears the journal
+        by modifiying time period of logs that should be retained to zero.
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: |
+          sudo rm /var/log/journal/* #physically deletes the journal files, and not just their content
+          sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
+        name: sh
+        elevation_required: true
    - name: Overwrite Linux Mail Spool
      auto_generated_guid: 1602ff76-ed7f-4c94-b550-2f727b4782d4
      description: 'This test overwrites the Linux mail spool of a specified user.
@@ -3022,6 +3022,21 @@ defense-evasion:
          sudo rm -rf /private/var/audit/*
        name: sh
        elevation_required: true
+    - name: Delete system journal logs via rm and journalctl utilities
+      auto_generated_guid: ca50dd85-81ff-48ca-92e1-61f119cb1dcf
+      description: 'The first sub-test deletes the journal files using rm utility
+        in the "/var/log/journal/" directory and the second sub-test clears the journal
+        by modifiying time period of logs that should be retained to zero.
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: |
+          sudo rm /var/log/journal/* #physically deletes the journal files, and not just their content
+          sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
+        name: sh
+        elevation_required: true
    - name: Overwrite Linux Mail Spool
      auto_generated_guid: 1602ff76-ed7f-4c94-b550-2f727b4782d4
      description: 'This test overwrites the Linux mail spool of a specified user.
@@ -2745,6 +2745,164 @@ defense-evasion:
          sudo rm -rf /private/var/audit/*
        name: sh
        elevation_required: true
+    - name: Delete log files using built-in log utility
+      auto_generated_guid: 653d39cd-bae7-499a-898c-9fb96b8b5cd1
+      description: 'This test deletes main log datastore, inflight log data, time-to-live
+        data(TTL), fault and error content
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: |
+          sudo log erase --all
+          sudo log erase --ttl #Deletes only time-to-live log content
+          sudo log erase --predicate 'subsystem == "com.apple.appstore"' #Deletes all logs related to the App Store, useful for clearing specific entries of the system log
+        name: sh
+        elevation_required: true
+    - name: Truncate system log files via truncate utility
+      auto_generated_guid: 6290f8a8-8ee9-4661-b9cf-390031bf6973
+      description: 'This test truncates the system log files using the truncate utility
+        with (-s 0 or --size=0) parameter which sets file size to zero, thus emptying
+        the file content
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: "sudo truncate -s 0 /var/log/system.log #size parameter shorthand\nsudo
+          truncate --size=0 /var/log/system.log #size parameter \n"
+        name: sh
+        elevation_required: true
+    - name: Delete log files via cat utility by appending /dev/null or /dev/zero
+      auto_generated_guid: c23bdb88-928d-493e-b46d-df2906a50941
+      description: 'The first sub-test truncates the log file to zero bytes via /dev/null
+        and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero,
+        using cat utility
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: |
+          sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes
+          sudo cat /dev/zero > /var/lol/system.log #log file filled with null bytes(zeros)
+        name: sh
+        elevation_required: true
+    - name: System log file deletion via find utility
+      auto_generated_guid: bc8eeb4a-cc3e-45ec-aa6e-41e973da2558
+      description: 'This test finds and deletes the system log files within /var/log/
+        directory using various executions(rm, shred, unlink)
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: |
+          sudo find /var/log -name 'system.log.*' -exec rm {} \; #using "rm" execution
+          sudo find /var/log/ -name "system.log.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
+          sudo find /var/log/ -name "system.log.*" -exec unlink {} \; #using "unlink" execution
+        name: sh
+        elevation_required: true
+    - name: Overwrite macOS system log via echo utility
+      auto_generated_guid: '0208ea60-98f1-4e8c-8052-930dce8f742c'
+      description: 'This test overwrites the contents of system log file with an empty
+        string using echo utility
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: 'sudo echo '''' > /var/log/system.log
+
+          '
+        name: sh
+        elevation_required: true
+    - name: Real-time system log clearance/deletion
+      auto_generated_guid: 848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c
+      description: 'This test reads real-time system log file and writes empty string
+        to it, thus clearing the log file without tampering with the logging process
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: 'sudo log -f /var/log/system.log | : > /var/log/system.log
+
+          '
+        name: sh
+        elevation_required: true
+    - name: Delete system log files via unlink utility
+      auto_generated_guid: 03013b4b-01db-437d-909b-1fdaa5010ee8
+      description: 'This test deletes the system log file using unlink utility
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: 'sudo unlink /var/log/system.log
+
+          '
+        name: sh
+        elevation_required: true
+    - name: Delete system log files using shred utility
+      auto_generated_guid: 86f0e4d5-3ca7-45fb-829d-4eda32b232bb
+      description: 'This test overwrites the contents of the log file with zero bytes(-z)
+        using three passes(-n 3) of data, and then delete the file(-u) securely
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: 'sudo shred -u -z -n 3 /var/log/system.log
+
+          '
+        name: sh
+        elevation_required: true
+    - name: Delete system log files using srm utility
+      auto_generated_guid: b0768a5e-0f32-4e75-ae5b-d036edcf96b6
+      description: |
+        This test securely deletes the system log files individually and recursively using the srm utility.
+        Install srm using Homebrew with the command: brew install khell/homebrew-srm/srm
+        Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
+      supported_platforms:
+      - macos
+      executor:
+        command: |
+          sudo srm /var/log/system.log #system log file deletion
+          sudo srm -r /var/log/ #recursive deletion of log files
+        name: sh
+        elevation_required: true
+    - name: Delete system log files using OSAScript
+      auto_generated_guid: 810a465f-cd4f-47bc-b43e-d2de3b033ecc
+      description: 'This test deletes the system log file using osascript via "do
+        shell script"(sh/bash by default) which in-turn spawns rm utility, requires
+        admin privileges
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: 'osascript -e ''do shell script "rm /var/log/system.log" with administrator
+          privileges''
+
+          '
+        name: sh
+        elevation_required: true
+    - name: Delete system log files using Applescript
+      auto_generated_guid: e62f8694-cbc7-468f-862c-b10cd07e1757
+      description: |
+        This test deletes the system log file using applescript using osascript via Finder application
+        Note: The user may be prompted to grant access to the Finder application before the command can be executed successfully as part of TCC(Transparency, Consent, and Control) Framework.
+        Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
+      supported_platforms:
+      - macos
+      executor:
+        command: 'osascript -e ''tell application "Finder" to delete POSIX file "/var/log/system.log"''
+
+          '
+        name: sh
+        elevation_required: true
  T1218.004:
    technique:
      x_mitre_platforms:
@@ -15,9 +15,33 @@

 - [Atomic Test #1 - rm -rf](#atomic-test-1---rm--rf)

- [Atomic Test #2 - Overwrite Linux Mail Spool](#atomic-test-2---overwrite-linux-mail-spool)
+- [Atomic Test #2 - Delete log files using built-in log utility](#atomic-test-2---delete-log-files-using-built-in-log-utility)

- [Atomic Test #3 - Overwrite Linux Log](#atomic-test-3---overwrite-linux-log)
+- [Atomic Test #3 - Truncate system log files via truncate utility](#atomic-test-3---truncate-system-log-files-via-truncate-utility)
+
+- [Atomic Test #4 - Delete log files via cat utility by appending /dev/null or /dev/zero](#atomic-test-4---delete-log-files-via-cat-utility-by-appending-devnull-or-devzero)
+
+- [Atomic Test #5 - System log file deletion via find utility](#atomic-test-5---system-log-file-deletion-via-find-utility)
+
+- [Atomic Test #6 - Overwrite macOS system log via echo utility](#atomic-test-6---overwrite-macos-system-log-via-echo-utility)
+
+- [Atomic Test #7 - Real-time system log clearance/deletion](#atomic-test-7---real-time-system-log-clearancedeletion)
+
+- [Atomic Test #8 - Delete system log files via unlink utility](#atomic-test-8---delete-system-log-files-via-unlink-utility)
+
+- [Atomic Test #9 - Delete system log files using shred utility](#atomic-test-9---delete-system-log-files-using-shred-utility)
+
+- [Atomic Test #10 - Delete system log files using srm utility](#atomic-test-10---delete-system-log-files-using-srm-utility)
+
+- [Atomic Test #11 - Delete system log files using OSAScript](#atomic-test-11---delete-system-log-files-using-osascript)
+
+- [Atomic Test #12 - Delete system log files using Applescript](#atomic-test-12---delete-system-log-files-using-applescript)
+
+- [Atomic Test #13 - Delete system journal logs via rm and journalctl utilities](#atomic-test-13---delete-system-journal-logs-via-rm-and-journalctl-utilities)
+
+- [Atomic Test #14 - Overwrite Linux Mail Spool](#atomic-test-14---overwrite-linux-mail-spool)
+
+- [Atomic Test #15 - Overwrite Linux Log](#atomic-test-15---overwrite-linux-log)


 <br/>
@@ -51,7 +75,355 @@ sudo rm -rf /private/var/audit/*
 <br/>
 <br/>

-## Atomic Test #2 - Overwrite Linux Mail Spool
+## Atomic Test #2 - Delete log files using built-in log utility
+This test deletes main log datastore, inflight log data, time-to-live data(TTL), fault and error content
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 653d39cd-bae7-499a-898c-9fb96b8b5cd1
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo log erase --all
+sudo log erase --ttl #Deletes only time-to-live log content
+sudo log erase --predicate 'subsystem == "com.apple.appstore"' #Deletes all logs related to the App Store, useful for clearing specific entries of the system log
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Truncate system log files via truncate utility
+This test truncates the system log files using the truncate utility with (-s 0 or --size=0) parameter which sets file size to zero, thus emptying the file content
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 6290f8a8-8ee9-4661-b9cf-390031bf6973
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo truncate -s 0 /var/log/system.log #size parameter shorthand
+sudo truncate --size=0 /var/log/system.log #size parameter
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Delete log files via cat utility by appending /dev/null or /dev/zero
+The first sub-test truncates the log file to zero bytes via /dev/null and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero, using cat utility
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** c23bdb88-928d-493e-b46d-df2906a50941
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes
+sudo cat /dev/zero > /var/lol/system.log #log file filled with null bytes(zeros)
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - System log file deletion via find utility
+This test finds and deletes the system log files within /var/log/ directory using various executions(rm, shred, unlink)
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** bc8eeb4a-cc3e-45ec-aa6e-41e973da2558
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo find /var/log -name 'system.log.*' -exec rm {} \; #using "rm" execution
+sudo find /var/log/ -name "system.log.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
+sudo find /var/log/ -name "system.log.*" -exec unlink {} \; #using "unlink" execution
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - Overwrite macOS system log via echo utility
+This test overwrites the contents of system log file with an empty string using echo utility
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 0208ea60-98f1-4e8c-8052-930dce8f742c
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo echo '' > /var/log/system.log
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #7 - Real-time system log clearance/deletion
+This test reads real-time system log file and writes empty string to it, thus clearing the log file without tampering with the logging process
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo log -f /var/log/system.log | : > /var/log/system.log
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #8 - Delete system log files via unlink utility
+This test deletes the system log file using unlink utility
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 03013b4b-01db-437d-909b-1fdaa5010ee8
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo unlink /var/log/system.log
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #9 - Delete system log files using shred utility
+This test overwrites the contents of the log file with zero bytes(-z) using three passes(-n 3) of data, and then delete the file(-u) securely
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 86f0e4d5-3ca7-45fb-829d-4eda32b232bb
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo shred -u -z -n 3 /var/log/system.log
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #10 - Delete system log files using srm utility
+This test securely deletes the system log files individually and recursively using the srm utility.
+Install srm using Homebrew with the command: brew install khell/homebrew-srm/srm
+Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** b0768a5e-0f32-4e75-ae5b-d036edcf96b6
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo srm /var/log/system.log #system log file deletion
+sudo srm -r /var/log/ #recursive deletion of log files
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #11 - Delete system log files using OSAScript
+This test deletes the system log file using osascript via "do shell script"(sh/bash by default) which in-turn spawns rm utility, requires admin privileges
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 810a465f-cd4f-47bc-b43e-d2de3b033ecc
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+osascript -e 'do shell script "rm /var/log/system.log" with administrator privileges'
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #12 - Delete system log files using Applescript
+This test deletes the system log file using applescript using osascript via Finder application
+Note: The user may be prompted to grant access to the Finder application before the command can be executed successfully as part of TCC(Transparency, Consent, and Control) Framework.
+Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** e62f8694-cbc7-468f-862c-b10cd07e1757
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+osascript -e 'tell application "Finder" to delete POSIX file "/var/log/system.log"'
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #13 - Delete system journal logs via rm and journalctl utilities
+The first sub-test deletes the journal files using rm utility in the "/var/log/journal/" directory and the second sub-test clears the journal by modifiying time period of logs that should be retained to zero.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** ca50dd85-81ff-48ca-92e1-61f119cb1dcf
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo rm /var/log/journal/* #physically deletes the journal files, and not just their content
+sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #14 - Overwrite Linux Mail Spool
 This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.

 **Supported Platforms:** Linux
@@ -84,7 +456,7 @@ echo 0> /var/spool/mail/#{username}
 <br/>
 <br/>

-## Atomic Test #3 - Overwrite Linux Log
+## Atomic Test #15 - Overwrite Linux Log
 This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.

 **Supported Platforms:** Linux