- ID: DT014
- Created: 30th May 2024
- Updated: 14th June 2024
- Platforms: Windows, Linux, macOS
- Contributor: The ITM Team
Utilize Cold Storage for Logs
By automatically collecting log files from a system and transporting them to another system, such as a SIEM collector, the logs are typically no longer accessible to the subject, which prevents the subject from deleting them. These off-host copies can aid investigations in which a subject has deleted the local logs.
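As an added illustration of this detection (example code, not part of the ITM page), the forwarder below tails a local log, ships each new line to a hypothetical collector (here an in-memory list standing in for cold storage), and raises an event when the local file is truncated in place, replaced by a different inode, or deleted, so the deletion itself becomes a detectable signal while the shipped copies survive. The file path, the `ship` callback and the sample log entry are constructed for the demo.

```python
import os
import tempfile


class LogTailer:
    def __init__(self, path: str, ship):
        self.path, self.ship = path, ship      # ship: hypothetical transport to the collector
        self.offset, self.inode, self.events = 0, None, []

    def poll(self) -> list[str]:
        found: list[str] = []
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            st = None
        if st is None:
            if self.inode is not None:
                found.append("DELETED")        # file vanished since the last poll
            self.inode, self.offset = None, 0
        else:
            if self.inode is not None and st.st_ino != self.inode:
                found.append("REPLACED")       # new inode: rotated, or deleted and recreated
                self.offset = 0
            elif st.st_size < self.offset:
                found.append("TRUNCATED")      # shrank below the shipped offset: wiped in place
                self.offset = 0
            self.inode = st.st_ino
            with open(self.path, "rb") as fh:
                fh.seek(self.offset)
                lines = fh.read().decode("utf-8", "replace").splitlines()
                self.offset = fh.tell()
            if lines:
                self.ship(lines)               # copies now sit where the subject cannot reach them
        self.events.extend(found)
        return found


def demo() -> dict:
    # Constructed scenario: one entry is shipped, then the local log is wiped and deleted.
    cold_storage: list[str] = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")
        tailer = LogTailer(path, cold_storage.extend)
        with open(path, "w") as fh:            # constructed sample entry, not a real log
            fh.write("Jun 14 10:00:01 host sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/id\n")
        tailer.poll()
        open(path, "w").close()                # log truncated in place
        tailer.poll()
        os.remove(path)                        # log deleted outright
        tailer.poll()
    return {"events": tailer.events, "cold_storage": cold_storage}
```

Run on a schedule, the `events` list is what a SIEM rule would key on; the shipped lines are the evidence that local deletion no longer removes.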
Sections
ID | Name | Description |
---|---|---|
AF002 | Log Deletion | The subject deliberately deletes logs to eliminate records of their activity and hinder subsequent investigation. This may include host-based logs (e.g., Windows Event Logs, Linux audit logs), application logs (e.g., authentication or access records), or network-level logs (e.g., firewall or proxy logs). Deletion may be selective by targeting specific time ranges, event types, or identifiers, or more broad by wiping entire log files or directories to prevent attribution or timeline reconstruction. |
AF026 | Log Modification | The subject intentionally alters or removes log entries, either at the host, application, or network level, in a deliberate attempt to conceal or misrepresent their actions. This behavior is typically executed to frustrate forensic reconstruction during an investigation and may include deletion of individual log lines, rewriting timestamps, or manipulating source IPs or usernames. Subjects engaging in this technique may use native administrative tools (e.g., PowerShell, auditpol, journalctl), third-party log scrubbers, or direct file system access to tamper with |
AF002.001 | Clear Windows Event Logs | A subject clears Windows Event logs to conceal evidence of their activities. Windows Event Logs store various types of information, such as system errors, application events, security auditing messages, and other operational events. The logs are stored in Windows Event Logs can be cleared using the Event Viewer utility, provided the user account has administrative privileges. |
AF002.002 | Clear Linux System Logs | A subject deletes Linux system logs to obscure or eliminate evidence of an infringement. Linux log files, such as authentication attempts, sudo usage, system errors, and audit trails, serve as critical forensic artifacts during post-incident analysis. These logs are commonly stored in Deletion may occur manually via the |
AF002.003 | Clear macOS System Logs | A subject deletes macOS system logs to obscure or eliminate evidence of an infringement. macOS stores a range of log data, including authentication attempts, application launches, process crashes, system events, and security audits, within Deletion may occur manually via the |