Indicator Removal: Clear Linux or Mac System Logs

Other sub-techniques of Indicator Removal (10)

ID	Name
ATAGS-T1099.001	Clear Command History
ATAGS-T1099.002	Clear Linux or Mac System Logs
ATAGS-T1099.003	Clear Mailbox Data
ATAGS-T1099.004	Clear Network Connection History and Configurations
ATAGS-T1099.005	Clear Persistence
ATAGS-T1099.006	Clear Windows Event Logs
ATAGS-T1099.007	File Deletion
ATAGS-T1099.008	Network Share Connection Removal
ATAGS-T1099.009	Relocate Malware
ATAGS-T1099.010	Timestomp

Threat Actors may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:

ID: ATAGS-T1099.002

Sub-technique of: ATAGS-T1099

ⓘ

Tactic: Defense Evasion

ⓘ

Targeted Components: Software

ⓘ

Responsibility: Provider

Created: 18 April 2026

Last Modified: 18 April 2026

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.