Sample rules
Commands to Clear or Remove the Syslog
- source: sigma
- techniques:
  - t1070
  - t1070.002
Description
Detects specific commands commonly used to remove or empty the syslog, which attackers often use to hide their tracks.
Detection logic
    condition: selection
    selection:
        CommandLine|contains:
            - rm /var/log/syslog
            - rm -r /var/log/syslog
            - rm -f /var/log/syslog
            - rm -rf /var/log/syslog
            - unlink /var/log/syslog
            - unlink -r /var/log/syslog
            - unlink -f /var/log/syslog
            - unlink -rf /var/log/syslog
            - mv /var/log/syslog
            - ' >/var/log/syslog'
            - ' > /var/log/syslog'
Commands to Clear or Remove the Syslog - Builtin
- source: sigma
- techniques:
  - t1565
  - t1565.001
Description
Detects specific commands commonly used to remove or empty the syslog.
Detection logic
    condition: selection and not falsepositives
    falsepositives:
        - /syslog.
    selection:
        - rm /var/log/syslog
        - rm -r /var/log/syslog
        - rm -f /var/log/syslog
        - rm -rf /var/log/syslog
        - mv /var/log/syslog
        - ' >/var/log/syslog'
        - ' > /var/log/syslog'
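As an added illustration that is not part of the rule set above, the following Python evaluates both rules' logic against a few constructed process events. It shows the difference between the first rule's field-bound `CommandLine|contains` match, the second rule's field-less keyword match, and the `/syslog.` filter that suppresses rotated-log housekeeping. The field names `Image`/`CommandLine`, the sample events and the case-insensitive substring matching (the Sigma default) are assumptions of this example.

```python
"""Evaluate the two syslog-clearing Sigma rules above against sample process events."""
from typing import Dict, List, Tuple

# Selection strings transcribed from the two rules. In YAML, ' >/var/log/syslog'
# is a quoted scalar, so those two pattern values begin with a space.
FIELDED_SELECTION = [
    "rm /var/log/syslog", "rm -r /var/log/syslog", "rm -f /var/log/syslog",
    "rm -rf /var/log/syslog", "unlink /var/log/syslog", "unlink -r /var/log/syslog",
    "unlink -f /var/log/syslog", "unlink -rf /var/log/syslog", "mv /var/log/syslog",
    " >/var/log/syslog", " > /var/log/syslog",
]
KEYWORD_SELECTION = [
    "rm /var/log/syslog", "rm -r /var/log/syslog", "rm -f /var/log/syslog",
    "rm -rf /var/log/syslog", "mv /var/log/syslog",
    " >/var/log/syslog", " > /var/log/syslog",
]
FALSEPOSITIVES = ["/syslog."]  # rotated files such as /var/log/syslog.1


def contains_any(text: str, patterns: List[str]) -> bool:
    # Sigma string matching is case-insensitive by default; |contains is a substring test.
    lowered = text.lower()
    return any(p.lower() in lowered for p in patterns)


def rule_commandline(event: Dict[str, str]) -> bool:
    # First rule: the selection is bound to the CommandLine field only.
    return contains_any(event.get("CommandLine", ""), FIELDED_SELECTION)


def rule_builtin(event: Dict[str, str]) -> bool:
    # Second rule: a field-less list is a keyword search over every field value,
    # and the falsepositives filter then suppresses rotated-log operations.
    haystack = " ".join(event.values())
    return contains_any(haystack, KEYWORD_SELECTION) and not contains_any(haystack, FALSEPOSITIVES)


def evaluate(events: List[Dict[str, str]]) -> List[Tuple[str, bool, bool]]:
    return [(e["CommandLine"], rule_commandline(e), rule_builtin(e)) for e in events]


# Constructed sample process events (assumed field names), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/rm", "CommandLine": "rm -rf /var/log/syslog"},
    {"Image": "/usr/bin/rm", "CommandLine": "rm -f /var/log/syslog.1"},  # log rotation
    {"Image": "/bin/sh", "CommandLine": "sh -c 'cat /dev/null > /var/log/syslog'"},
    {"Image": "/usr/bin/unlink", "CommandLine": "unlink /var/log/syslog"},
    {"Image": "/usr/bin/tail", "CommandLine": "tail -f /var/log/syslog"},
]

if __name__ == "__main__":
    for cmd, r1, r2 in evaluate(SAMPLE_EVENTS):
        print(f"{cmd!r:55} CommandLine-rule={r1} Builtin-rule={r2}")
```

The rotated-log event fires only the first rule, and the `unlink` event is missed by the second rule's shorter keyword list, which is the coverage gap a rule author would want to know about.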