Detection: MacOS Log Removal

Updated Date: 2026-04-15 ID: a7f2e891-3c4d-4a1b-9e6f-2b8d0c5a1f3e Author: Raven Tait, Splunk Type: TTP Product: Splunk Enterprise Security

Description

Detects the deletion or modification of logs on MacOS systems by identifying execution of the rm command with command-line arguments referencing system.log or audit-related paths. Adversaries may remove or alter log files to cover their tracks and hinder detection and forensic analysis. This behavior commonly occurs during post-exploitation cleanup.

Search

 1
 2| tstats `security_content_summariesonly`
 3  count min(_time) as firstTime
 4        max(_time) as lastTime
 5
 6from datamodel=Endpoint.Processes where
 7
 8Processes.process = "*system.log*"
 9AND
10(
11    (Processes.process = "*rm *")
12    OR
13    (
14        Processes.process = "*audit*"
15        Processes.process = "* -s *"
16    )
17)
18
19by Processes.dest Processes.original_file_name Processes.parent_process_id
20   Processes.process Processes.process_exec Processes.process_guid
21   Processes.process_hash Processes.process_id
22   Processes.process_current_directory Processes.process_name
23   Processes.process_path Processes.user
24   Processes.user_id Processes.vendor_product
25
26
27| `drop_dm_object_name(Processes)`
28
29| `security_content_ctime(firstTime)`
30
31| `security_content_ctime(lastTime)`
32
33| `macos_log_removal_filter`

Data Source

Name	Platform	Sourcetype	Source
Osquery Results	Other	`'osquery:results'`	`'osquery'`

Macros Used

Name	Value
security_content_ctime	`convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)`
macos_log_removal_filter	`search *`

macos_log_removal_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1070	Indicator Removal	Defense Evasion

Exploitation

DE.CM

CIS 10

APT5

Lazarus Group

Mustang Panda

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Notable	Yes
Rule Title	`%name%`
Rule Description	`%description%`
Notable Event Fields	user, dest
Creates Risk Event	True

This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

Implementation

This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery. Also the TA-OSquery must be deployed across your indexers and universal forwarders in order to have the osquery data populate the data models.

Known False Positives

Legitimate log rotation or administrative cleanup of system or audit logs.

Associated Analytic Story

MacOS Post-Exploitation

Risk Based Analytics (RBA)

Risk Message:

Log removal or modification on $dest$ by $user$

Risk Object	Risk Object Type	Risk Score	Threat Objects
user	user	55	process
dest	system	55	process

References

https://osquery.readthedocs.io/en/stable/deployment/process-auditing/

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`osquery`	`osquery:results`
Integration	✅ Passing	Dataset	`osquery`	`osquery:results`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 2