Attempt to Disable Syslog Service

Adversaries may attempt to disable the syslog service to disrupt event logging and evade detection by security controls.


# Rule metadata used by the detection-rules tooling; none of these keys affect the query itself.
[metadata]
creation_date = "2020/04/27"
# Integration the rule is bundled with / expects data from.
integration = ["endpoint"]
maturity = "production"
# min_stack_comments documents why min_stack_version is set where it is
# (presumably the fields named here did not exist before that version — confirm against the schema).
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/28"

 9[rule]
10author = ["Elastic"]
11description = """
12Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade
13detection by security controls.
14"""
15from = "now-9m"
16index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Attempt to Disable Syslog Service"
20risk_score = 47
21rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194"
22severity = "medium"
23tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
24timestamp_override = "event.ingested"
25type = "eql"
26
27query = '''
28process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
29 ( (process.name == "service" and process.args == "stop") or
30   (process.name == "chkconfig" and process.args == "off") or
31   (process.name == "systemctl" and process.args in ("disable", "stop", "kill"))
32 ) and process.args in ("syslog", "rsyslog", "syslog-ng")
33'''
34
35
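# MITRE ATT&CK mapping for this rule. Blank lines normalised to one between tables
# (the original had none before the technique table and three before the tactic table).
# All sub-tables below belong to this single [[rule.threat]] element and must stay
# between this header and any subsequent [[rule.threat]].
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"

[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"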
