Logging Configuration Changes on Linux Host
Detects changes to syslog daemon configuration files
Sigma rule

```yaml
title: Logging Configuration Changes on Linux Host
id: c830f15d-6f6e-430f-8074-6f73d6807841
status: test
description: Detect changes of syslog daemons configuration files
references:
    - self experience
author: Mikhail Larin, oscd.community
date: 2019-10-25
modified: 2021-11-27
tags:
    - attack.defense-evasion
    - attack.t1562.006
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'PATH'
        name:
            - /etc/syslog.conf
            - /etc/rsyslog.conf
            - /etc/syslog-ng/syslog-ng.conf
    condition: selection
fields:
    - exe
    - comm
    - key
falsepositives:
    - Legitimate administrative activity
level: high
```
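As an added illustration (not part of the rule or of the SigmaHQ project), the Python below applies the selection above to constructed auditd records and joins each matching PATH record with its SYSCALL record, which is where the exe, comm and key fields the rule lists actually live. It assumes an auditd watch such as `-w /etc/rsyslog.conf -p wa -k syslog_conf` is configured; without a watch or syscall rule covering these files, auditd emits no PATH records for them and the rule never fires.

```python
import re
from collections import defaultdict

# The three configuration files the Sigma rule's selection lists.
WATCHED = {"/etc/syslog.conf", "/etc/rsyslog.conf", "/etc/syslog-ng/syslog-ng.conf"}

# Constructed sample records (not real telemetry). auditd emits one event as
# several records sharing the audit(<timestamp>:<serial>) identifier; the
# filename is in the PATH record, exe/comm/key in the SYSCALL record.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1574690000.101:301): arch=c000003e syscall=257 success=yes exit=3 items=2 pid=1234 auid=1000 uid=0 comm="vim" exe="/usr/bin/vim" key="syslog_conf"
type=PATH msg=audit(1574690000.101:301): item=1 name="/etc/rsyslog.conf" inode=1310 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1574690000.202:302): arch=c000003e syscall=257 success=yes exit=3 items=1 pid=1240 auid=1000 uid=0 comm="cat" exe="/usr/bin/cat" key="etc_read"
type=PATH msg=audit(1574690000.202:302): item=0 name="/etc/hostname" inode=1311 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fields(body):
    """Split a record's key=value tail; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}

def group_events(log_text):
    """Group records by audit serial so PATH and SYSCALL lines can be joined."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            events[m.group(2)].append((m.group(1), parse_fields(m.group(3))))
    return events

def detect(log_text):
    """Apply the rule: a PATH record whose name is a watched file, enriched
    with the exe/comm/key fields the rule lists, taken from the sibling SYSCALL."""
    hits = []
    for serial, records in group_events(log_text).items():
        syscall = next((f for t, f in records if t == "SYSCALL"), {})
        for rtype, fields in records:
            if rtype == "PATH" and fields.get("name") in WATCHED:
                hits.append({"serial": serial, "name": fields["name"],
                             **{k: syscall.get(k) for k in ("exe", "comm", "key")}})
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

Only the first constructed event matches; the second touches /etc/hostname, which is outside the selection, and so is correctly ignored.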
Related rules
- Auditing Configuration Changes on Linux Host
- Disable of ETW Trace - Powershell
- ETW Trace Evasion Activity
- Okta User Session Start Via An Anonymising Proxy Service
- AD Object WriteDAC Access