SPL, Apache-2.0, from splunk/security_content

MacOS Log Removal

Detects the deletion or modification of logs on MacOS systems by identifying execution of the rm command with command-line arguments referencing system.log or audit-related paths. Adversaries may remove or alter log files to cover their tracks and hinder detection and forensic analysis. This behavior commonly occurs during post-exploitation cleanup.

Rule source: detections/endpoint/macos_log_removal.yml
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

from datamodel=Endpoint.Processes where

Processes.process = "*system.log*"
AND
(
    (Processes.process = "*rm *")
    OR
    (
        Processes.process = "*audit*"
        Processes.process = "* -s *"
    )
)

by Processes.dest Processes.original_file_name Processes.parent_process_id
   Processes.process Processes.process_exec Processes.process_guid
   Processes.process_hash Processes.process_id
   Processes.process_current_directory Processes.process_name
   Processes.process_path Processes.user
   Processes.user_id Processes.vendor_product

| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `macos_log_removal_filter`
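To make the where clause above concrete, here is an added Python emulation of the rule's matching and aggregation logic run over a few constructed Endpoint.Processes-style events. It is example code, not part of splunk/security_content; the helper names, the simplified grouping key (dest, user, process) and case-sensitive wildcard matching are assumptions of this example.

```python
import re
from typing import Dict, Iterable, List

# Wildcard patterns copied from the rule's where clause. Inside the inner
# parentheses the two conditions are adjacent, which SPL treats as AND.
SYSTEM_LOG, RM_CMD, AUDIT, DASH_S = "*system.log*", "*rm *", "*audit*", "* -s *"


def spl_like(value: str, pattern: str) -> bool:
    """Emulate a Splunk '*' wildcard comparison over the whole field value.
    Only '*' is special. Matching is case-sensitive here; that is an
    assumption of this example, not a claim about tstats semantics."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def matches_rule(process: str) -> bool:
    """The where clause: system.log AND (rm OR (audit AND -s))."""
    return spl_like(process, SYSTEM_LOG) and (
        spl_like(process, RM_CMD)
        or (spl_like(process, AUDIT) and spl_like(process, DASH_S))
    )


def evaluate(events: Iterable[Dict]) -> List[Dict]:
    """Apply the rule to process events and aggregate like the tstats 'by'
    clause: count, min(_time) as firstTime, max(_time) as lastTime. The
    grouping key is simplified to (dest, user, process); the real rule keys
    on many more Processes fields (hypothetical simplification)."""
    hits: Dict[tuple, Dict] = {}
    for ev in events:
        if not matches_rule(ev["process"]):
            continue
        key = (ev["dest"], ev["user"], ev["process"])
        row = hits.setdefault(key, {"dest": ev["dest"], "user": ev["user"],
                                    "process": ev["process"], "count": 0,
                                    "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return list(hits.values())


# Constructed sample events standing in for Endpoint.Processes rows (not real telemetry).
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dest": "mac-01", "user": "root", "process": "rm -f /var/log/system.log"},
    {"_time": 1700000060, "dest": "mac-01", "user": "root", "process": "rm -f /var/log/system.log"},
    {"_time": 1700000120, "dest": "mac-02", "user": "alice", "process": "tail -f /var/log/system.log"},
    {"_time": 1700000180, "dest": "mac-02", "user": "alice", "process": "rm -f /tmp/build.log"},
]
```

Because `*rm *` is a substring match, any command line containing "rm " together with "system.log" will surface; that tuning is what the `macos_log_removal_filter` macro is for.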