atomic-red-team/atomics/T1070/T1070.md

# T1070 - Indicator Removal on Host
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070)
<blockquote>Adversaries may delete or alter generated artifacts on a host system, including logs and potentially captured files such as quarantined malware. Locations and format of logs will vary, but typical organic system logs are captured as Windows events or Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1139) and /var/log/* .

Actions that interfere with eventing and other notifications that can be used to detect intrusion activity may compromise the integrity of security solutions, causing events to go unreported. They may also make forensic analysis and incident response more difficult due to lack of sufficient data to determine what occurred.

### Clear Windows Event Logs

Windows event logs are a record of a computer's alerts and notifications. Microsoft defines an event as "any significant occurrence in the system or in a program that requires users to be notified or an entry added to a log." There are three system-defined sources of Events: System, Application, and Security.
 
Adversaries performing actions related to account management, account logon and directory service access, etc. may choose to clear the events in order to hide their activities.

The event logs can be cleared with the following utility commands:

* <code>wevtutil cl system</code>
* <code>wevtutil cl application</code>
* <code>wevtutil cl security</code>

Logs may also be cleared through other mechanisms, such as [PowerShell](https://attack.mitre.org/techniques/T1086).</blockquote>

## Atomic Tests

- [Atomic Test #1 - Clear Logs](#atomic-test-1---clear-logs)

- [Atomic Test #2 - FSUtil](#atomic-test-2---fsutil)

- [Atomic Test #3 - rm -rf](#atomic-test-3---rm--rf)

- [Atomic Test #4 - Overwrite Linux Mail Spool](#atomic-test-4---overwrite-linux-mail-spool)

- [Atomic Test #5 - Overwrite Linux Log](#atomic-test-5---overwrite-linux-log)


<br/>

## Atomic Test #1 - Clear Logs
Clear Windows Event Logs

**Supported Platforms:** Windows


#### Inputs
| Name | Description | Type | Default Value | 
|------|-------------|------|---------------|
| log_name | Windows Log Name, ex System | String | System|

#### Run it with `command_prompt`!  Elevation Required (e.g. root or admin) 
```
wevtutil cl #{log_name}
```



<br/>
<br/>

## Atomic Test #2 - FSUtil
Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume.

**Supported Platforms:** Windows


#### Run it with `command_prompt`!  Elevation Required (e.g. root or admin) 
```
fsutil usn deletejournal /D C:
```



<br/>
<br/>

## Atomic Test #3 - rm -rf
Delete system and audit logs

**Supported Platforms:** macOS, Linux


#### Run it with `sh`! 
```
rm -rf /private/var/log/system.log*
rm -rf /private/var/audit/*
```



<br/>
<br/>

## Atomic Test #4 - Overwrite Linux Mail Spool
This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.

**Supported Platforms:** Linux


#### Inputs
| Name | Description | Type | Default Value | 
|------|-------------|------|---------------|
| username | Username of mail spool | String | root|

#### Run it with `bash`! 
```
echo 0> /var/spool/mail/#{username}
```



<br/>
<br/>

## Atomic Test #5 - Overwrite Linux Log
This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.

**Supported Platforms:** Linux


#### Inputs
| Name | Description | Type | Default Value | 
|------|-------------|------|---------------|
| log_path | Path of specified log | Path | /var/log/secure|

#### Run it with `bash`! 
```
echo 0> #{log_path}
```



<br/>