Techniques
Sample rules
Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
- source: sigma
- techniques:
  - t1070
  - t1070.002
Description
Detects use of the syslog syscall with action code 5 (SYSLOG_ACTION_CLEAR), which clears the kernel ring buffer (dmesg logs); the related codes 4 (SYSLOG_ACTION_READ_CLEAR) and 6 (SYSLOG_ACTION_CONSOLE_OFF) are covered as well. This can be used by attackers to hide traces after exploitation or privilege escalation. A common technique is running dmesg -c, which triggers this syscall internally.
Detection logic
selection:
  type: SYSCALL
  syscall: syslog
  a0:
    - 4
    - 5
    - 6
condition: selection
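As an added illustration (not part of the Sigma rule or its source repository), the selection above applied to auditd SYSCALL records in Python. It assumes the records are name-resolved as ausearch -i prints them (syscall=syslog rather than the architecture-specific number) and that auditd writes a0 as hex without a 0x prefix; the sample records are constructed.

```python
import re
from typing import Optional

# syslog(2) action codes the rule selects on (kernel SYSLOG_ACTION_* names).
SELECTED_ACTIONS = {4: "SYSLOG_ACTION_READ_CLEAR", 5: "SYSLOG_ACTION_CLEAR",
                    6: "SYSLOG_ACTION_CONSOLE_OFF"}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (pids, timestamps, paths are made up), already
# name-resolved as ausearch -i prints them.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=syslog success=yes '
    'exit=0 a0=4 a1=0 a2=0 a3=0 pid=1234 auid=1000 uid=0 comm="dmesg" exe="/usr/bin/dmesg"',
    'type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=syslog success=yes '
    'exit=512 a0=3 a1=7ffd1c2e0000 a2=200 a3=0 pid=812 uid=0 comm="rsyslogd" exe="/usr/sbin/rsyslogd"',
    'type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=syslog success=yes '
    'exit=0 a0=5 a1=0 a2=0 a3=0 pid=1300 auid=1000 uid=0 comm="python3" exe="/usr/bin/python3"',
    'type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=openat success=yes '
    'exit=3 a0=ffffff9c a1=55d0c3a1e2f0 a2=0 a3=0 pid=1301 uid=1000 comm="cat" exe="/usr/bin/cat"',
    'type=PROCTITLE msg=audit(1700000000.101:201): proctitle=646D657367202D63',
]

def parse_record(line: str) -> dict:
    """Split one auditd record into a key/value dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def match_rule(line: str) -> Optional[dict]:
    """Apply the rule's selection to one record; return hit details or None."""
    rec = parse_record(line)
    # type: SYSCALL and syscall: syslog (assumes the name is resolved, not the number)
    if rec.get("type") != "SYSCALL" or rec.get("syscall") != "syslog":
        return None
    try:
        a0 = int(rec.get("a0", ""), 16)  # auditd prints a0..a3 as hex, no 0x prefix
    except ValueError:
        return None
    if a0 not in SELECTED_ACTIONS:  # a0: [4, 5, 6]; plain reads (2, 3) stay silent
        return None
    return {"action": SELECTED_ACTIONS[a0], "pid": rec.get("pid"),
            "uid": rec.get("uid"), "comm": rec.get("comm"), "exe": rec.get("exe")}

def scan(lines) -> list:
    """Run the selection over a sequence of records and keep the hits."""
    return [hit for hit in map(match_rule, lines) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Only the dmesg read-and-clear (a0=4) and the clear from python3 (a0=5) are reported; the rsyslogd read (a0=3), the unrelated openat, and the PROCTITLE record are ignored.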