LoFP / log rotation

Sample rules

Syslog Clearing or Removal Via System Utilities

Description

Detects specific commands commonly used to remove or empty the syslog, a technique often used by attackers to hide their tracks.

Detection logic

condition: (selection_file and 1 of selection_command_*) or 1 of selection_unique_*
selection_command_cp:
  CommandLine|contains: /dev/null
  Image|endswith: /cp
selection_command_ln:
  CommandLine|contains:
  - '-sf '
  - '-sfn '
  - '-sfT '
  CommandLine|contains|all:
  - '/dev/null '
  - /var/log/syslog
  Image|endswith: /ln
selection_command_mv:
  Image|endswith: /mv
selection_command_rm:
  CommandLine|contains:
  - ' -r '
  - ' -f '
  - ' -rf '
  - /var/log/syslog
  Image|endswith: /rm
selection_command_shred:
  CommandLine|contains: '-u '
  Image|endswith: /shred
selection_command_truncate:
  CommandLine|contains:
  - '-s '
  - '-c '
  - --size
  CommandLine|contains|all:
  - '0 '
  - /var/log/syslog
  Image|endswith: /truncate
selection_command_unlink:
  Image|endswith: /unlink
selection_file:
  CommandLine|contains: /var/log/syslog
selection_unique_journalctl:
  CommandLine|contains:
  - journalctl --vacuum
  - journalctl --rotate
selection_unique_other:
  CommandLine|contains:
  - ' > /var/log/syslog'
  - ' >/var/log/syslog'
  - ' >| /var/log/syslog'
  - ': > /var/log/syslog'
  - :> /var/log/syslog
  - :>/var/log/syslog
  - '>|/var/log/syslog'

Commands to Clear or Remove the Syslog - Builtin

Description

Detects specific commands commonly used to remove or empty the syslog

Detection logic

condition: selection and not falsepositives
falsepositives:
- /syslog.
selection:
- rm /var/log/syslog
- rm -r /var/log/syslog
- rm -f /var/log/syslog
- rm -rf /var/log/syslog
- mv /var/log/syslog
- ' >/var/log/syslog'
- ' > /var/log/syslog'
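To see how the two rules above behave on the log-rotation activity this page is filed under, here is an added Python example that re-implements their selection and condition logic with plain substring matching (Sigma's `contains`, `contains|all` and `endswith` modifiers on string fields) and runs it over a few constructed process-creation events. It is not code from the LoFP page or the Sigma project; the event records are constructed for the demo, and the bare keyword list in the second rule, which Sigma would match against every event field, is simplified here to a match on CommandLine.

```python
"""Evaluate the two syslog-clearing Sigma rules over constructed events.

Added example, not part of the LoFP page or the Sigma project. The rule
logic below is a hand translation of the selections shown on the page.
"""

from typing import Dict, List, Tuple

Event = Dict[str, str]

SYSLOG = "/var/log/syslog"


def contains_any(value: str, needles: List[str]) -> bool:
    """Sigma `contains` with a list: true if any needle is a substring."""
    return any(n in value for n in needles)


def contains_all(value: str, needles: List[str]) -> bool:
    """Sigma `contains|all`: true only if every needle is a substring."""
    return all(n in value for n in needles)


def rule_system_utilities(ev: Event) -> bool:
    """'Syslog Clearing or Removal Via System Utilities'.

    condition: (selection_file and 1 of selection_command_*) or 1 of selection_unique_*
    """
    cmd, img = ev.get("CommandLine", ""), ev.get("Image", "")
    selection_file = SYSLOG in cmd

    selection_command = [
        "/dev/null" in cmd and img.endswith("/cp"),
        contains_any(cmd, ["-sf ", "-sfn ", "-sfT "])
        and contains_all(cmd, ["/dev/null ", SYSLOG])
        and img.endswith("/ln"),
        img.endswith("/mv"),
        contains_any(cmd, [" -r ", " -f ", " -rf ", SYSLOG]) and img.endswith("/rm"),
        "-u " in cmd and img.endswith("/shred"),
        contains_any(cmd, ["-s ", "-c ", "--size"])
        and contains_all(cmd, ["0 ", SYSLOG])
        and img.endswith("/truncate"),
        img.endswith("/unlink"),
    ]

    selection_unique = [
        contains_any(cmd, ["journalctl --vacuum", "journalctl --rotate"]),
        contains_any(cmd, [
            " > /var/log/syslog", " >/var/log/syslog", " >| /var/log/syslog",
            ": > /var/log/syslog", ":> /var/log/syslog", ":>/var/log/syslog",
            ">|/var/log/syslog",
        ]),
    ]

    return (selection_file and any(selection_command)) or any(selection_unique)


def rule_builtin(ev: Event) -> bool:
    """'Commands to Clear or Remove the Syslog - Builtin'.

    condition: selection and not falsepositives
    The `/syslog.` keyword excludes rotated file names such as syslog.1.
    (Simplification: keywords are matched on CommandLine only.)
    """
    cmd = ev.get("CommandLine", "")
    selection = contains_any(cmd, [
        "rm /var/log/syslog", "rm -r /var/log/syslog", "rm -f /var/log/syslog",
        "rm -rf /var/log/syslog", "mv /var/log/syslog",
        " >/var/log/syslog", " > /var/log/syslog",
    ])
    falsepositives = "/syslog." in cmd
    return selection and not falsepositives


# Constructed sample events (not real telemetry).
EVENTS: List[Event] = [
    # Rotation of the syslog file, the false positive this page is about.
    {"Image": "/usr/bin/mv", "CommandLine": "mv /var/log/syslog /var/log/syslog.1"},
    # Emptying the file through a shell redirection (one of the rule's own patterns).
    {"Image": "/usr/bin/bash", "CommandLine": "bash -c ': > /var/log/syslog'"},
    # Rotation of an unrelated log; neither rule should fire.
    {"Image": "/usr/bin/mv", "CommandLine": "mv /var/log/auth.log /var/log/auth.log.1"},
]


def evaluate(events: List[Event]) -> List[Tuple[str, bool, bool]]:
    """Return (CommandLine, system_utilities_hit, builtin_hit) per event."""
    return [(ev["CommandLine"], rule_system_utilities(ev), rule_builtin(ev))
            for ev in events]


if __name__ == "__main__":
    for cmd, hit_utils, hit_builtin in evaluate(EVENTS):
        print(f"{hit_utils!s:5} {hit_builtin!s:5}  {cmd}")
```

Running it shows the difference between the two rules on rotation: the first rule fires on `mv /var/log/syslog /var/log/syslog.1` because `selection_file` plus `selection_command_mv` is enough, while the second rule's `/syslog.` exclusion suppresses that same command and only keeps the redirection case. Tuning the first rule for a logrotate-heavy fleet typically means adding a comparable exclusion on the rotated-name suffix or on the parent process.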