DET0520: Behavioral Detection of Log File Clearing on Linux and macOS
Analyst context for executives and security teams
This detection strategy matters because clearing Linux or macOS system logs is a defense-impairment behavior that can reduce an organization’s ability to prove what happened during an incident. Even when the ATT&CK detection strategy object has no official detection text, its relationship to Clear Linux or Mac System Logs makes the business issue clear: if logs under common system logging locations are deleted, truncated, or otherwise cleared, incident responders may lose evidence needed for containment, recovery decisions, audit support, and root-cause analysis.
Executive priority
Security leaders should treat this as an evidence-preservation and incident-readiness control question: can the organization reliably detect and investigate suspicious clearing of Linux and macOS system logs before critical evidence is lost? Priority is highest for systems where authentication, administrative activity, or operational continuity depends on local logs, and where compliance or post-incident reporting requires defensible records.
Technical view
SOC and IR teams should validate behavioral monitoring for activity consistent with clearing system logs on Linux and macOS, especially logs associated with general system events and authentication records under /var/log/ as described in the related ATT&CK technique. Because the supplied detection strategy has no official detection logic, teams should base engineering work on local telemetry: file deletion or truncation events, suspicious changes to log files, process context around log modification, and correlation with administrative sessions or recent security alerts. Detection should distinguish expected log rotation or maintenance from unusual clearing activity.
Likely telemetry
- File integrity or endpoint telemetry for changes to system log files and directories such as /var/log/
- Process execution telemetry showing commands or utilities modifying, deleting, or truncating logs
- Authentication and session telemetry around the time log files are changed
- Endpoint security alerts or EDR events from Linux and macOS systems
- Centralized log forwarding status, including gaps or sudden loss of expected log sources
Detection direction
- Validate that Linux and macOS log-clearing behavior is visible even if local logs are altered; central forwarding or independent endpoint telemetry is important for resilience.
- Tune detections to account for legitimate log rotation, system maintenance, and administrative cleanup to reduce false positives.
- Correlate log-clearing signals with recent authentication events, privilege use, or other suspicious activity, since clearing logs is often meaningful as part of a broader intrusion investigation.
- Measure blind spots: hosts not enrolled in endpoint telemetry, logs not forwarded centrally, and systems where /var/log/ monitoring is incomplete.
- Document what evidence remains available if local system logs are cleared, because this directly affects incident response confidence.
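The technical view and the detection-direction items above describe a behavioral rule: flag destructive file operations under /var/log/ (and /private/var/log/ on macOS), suppress known rotation and maintenance, and correlate what remains with recent logon or privilege use. The script below is an added example written for this page, not detection content from MITRE or Glexia. It runs over constructed JSON-line telemetry whose field names (ts, host, user, session, comm, op, flags, path) are assumptions standing in for whatever your EDR or audit pipeline emits; the allowlist of maintenance process names is a tuning starting point, not a definitive list.

```python
"""Flag log-clearing activity on Linux/macOS from endpoint file and auth telemetry.

Added example for this page. The telemetry schema below is constructed and is
not any particular EDR or auditd format; map the field names to your own source.
"""
import json
from datetime import datetime, timedelta

# Directories the related technique targets. macOS /var/log is a symlink to
# /private/var/log, so both spellings are monitored.
MONITORED_PREFIXES = ("/var/log/", "/private/var/log/")

# Syscall-level operations that remove or empty a file. A write-open with O_TRUNC
# is how shell redirection or a truncate utility typically appears in telemetry.
DESTRUCTIVE_OPS = {"unlink", "unlinkat", "truncate", "ftruncate"}

# Processes expected to rotate or purge logs during normal maintenance.
# Assumption: name-based allowlisting is only a starting point; in production tie
# it to executable path or code signature and to a non-interactive parent.
MAINTENANCE_PROCS = {"logrotate", "newsyslog", "aslmanager", "systemd-journald",
                     "journalctl", "rsyslogd", "syslogd"}

# How far back to look for logon/privilege events when scoring an alert.
AUTH_WINDOW = timedelta(minutes=30)


def _ts(value):
    return datetime.fromisoformat(value)


def is_log_clearing(ev):
    """True if the event destroys or empties a file under a monitored log directory."""
    if not ev.get("path", "").startswith(MONITORED_PREFIXES):
        return False
    if ev["op"] in DESTRUCTIVE_OPS:
        return True
    return ev["op"] == "open" and "O_TRUNC" in ev.get("flags", "")


def is_expected_maintenance(ev):
    """Suppress rotation by known daemons only when they run outside a login session."""
    return ev["comm"] in MAINTENANCE_PROCS and ev.get("session") is None


def recent_auth(ev, auth_events):
    """Logon or privilege events for the same host and user shortly before the clearing."""
    t = _ts(ev["ts"])
    return [a for a in auth_events
            if a["host"] == ev["host"] and a["user"] == ev["user"]
            and timedelta(0) <= t - _ts(a["ts"]) <= AUTH_WINDOW]


def detect(file_events, auth_events):
    """Return one alert per suspicious log-clearing event, highest severity first."""
    alerts = []
    for ev in file_events:
        if not is_log_clearing(ev) or is_expected_maintenance(ev):
            continue
        context = recent_auth(ev, auth_events)
        alerts.append({
            "host": ev["host"], "user": ev["user"], "comm": ev["comm"],
            "op": ev["op"], "path": ev["path"],
            "severity": "high" if context else "medium",
            "recent_auth": [a["op"] for a in context],
        })
    alerts.sort(key=lambda a: a["severity"] != "high")  # stable: high first
    return alerts


# Constructed sample telemetry (JSON lines); not captured from a real system.
FILE_EVENTS = [json.loads(line) for line in """
{"ts":"2024-05-01T03:00:02","host":"web1","user":"root","session":null,"comm":"logrotate","op":"open","flags":"O_WRONLY|O_CREAT|O_TRUNC","path":"/var/log/syslog"}
{"ts":"2024-05-01T14:12:40","host":"web1","user":"deploy","session":"s42","comm":"bash","op":"open","flags":"O_WRONLY|O_TRUNC","path":"/var/log/auth.log"}
{"ts":"2024-05-01T14:12:41","host":"web1","user":"deploy","session":"s42","comm":"rm","op":"unlinkat","path":"/var/log/wtmp"}
{"ts":"2024-05-01T14:12:45","host":"web1","user":"deploy","session":"s42","comm":"logrotate","op":"unlink","path":"/var/log/secure"}
{"ts":"2024-05-01T14:13:00","host":"web1","user":"deploy","session":"s42","comm":"vim","op":"open","flags":"O_WRONLY|O_CREAT|O_TRUNC","path":"/home/deploy/.vimrc"}
{"ts":"2024-05-01T09:30:00","host":"mac7","user":"alice","session":"s9","comm":"rm","op":"unlink","path":"/private/var/log/install.log"}
""".strip().splitlines()]

AUTH_EVENTS = [json.loads(line) for line in """
{"ts":"2024-05-01T14:05:10","host":"web1","user":"deploy","op":"ssh_login"}
{"ts":"2024-05-01T14:12:30","host":"web1","user":"deploy","op":"sudo"}
{"ts":"2024-05-01T02:00:00","host":"mac7","user":"alice","op":"ssh_login"}
""".strip().splitlines()]

if __name__ == "__main__":
    for alert in detect(FILE_EVENTS, AUTH_EVENTS):
        print(json.dumps(alert))
```

On the sample data the scheduled logrotate truncation of /var/log/syslog is suppressed, the three clearing operations inside session s42 on web1 (including a maintenance-named process launched interactively) are rated high because an ssh logon and sudo use precede them within the window, and the macOS deletion on mac7 is rated medium because the only logon is hours earlier. The vim write outside /var/log/ is never considered. This is deliberately a single-host, in-memory rule; the resilience point in the detection-direction list means the events it consumes should come from forwarded or endpoint telemetry rather than from the local files being cleared.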
Mitigation priorities
- Prioritize centralized collection of Linux and macOS security-relevant logs so local clearing does not fully remove evidence.
- Restrict administrative access and review privileged activity on systems where local log tampering would materially affect investigations.
- Use file monitoring or endpoint controls to alert on unexpected modification, deletion, or truncation of important system and authentication logs.
- Preserve incident response evidence quickly when log-clearing behavior is suspected.
- Include this scenario in compliance and incident-readiness testing to verify that required audit evidence remains available.
Analyst notes and limits
The ATT&CK detection strategy object itself provides no official description, platforms, tactics, or detection text. The practical interpretation comes from the explicit relationship stating that DET0520 detects T1685.006, Clear Linux or Mac System Logs, which is a defense-impairment technique for Linux and macOS involving system logs commonly stored under /var/log/.
This take is limited to the supplied STIX fields, external reference, and relationship context. It does not assert any specific detection rule, product capability, adversary use, or active exploitation. Local operating system configuration, log forwarding design, endpoint visibility, and administrative practices are required to determine real coverage.
Behavioral Detection of Log File Clearing on Linux and macOS
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1685.006 | Clear Linux or Mac System Logs (sub-technique) | This object detects Clear Linux or Mac System Logs. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f4d998af0d33… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0520 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.