Commands to Clear or Remove the Syslog - Builtin
Detects specific commands commonly used to remove or empty the syslog
Sigma rule

title: Commands to Clear or Remove the Syslog - Builtin
id: e09eb557-96d2-4de9-ba2d-30f712a5afd3
status: test
description: Detects specific commands commonly used to remove or empty the syslog
references:
    - https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474
author: Max Altgelt (Nextron Systems)
date: 2021-09-10
modified: 2022-11-26
tags:
    - attack.impact
    - attack.t1565.001
logsource:
    product: linux
detection:
    selection:
        - 'rm /var/log/syslog'
        - 'rm -r /var/log/syslog'
        - 'rm -f /var/log/syslog'
        - 'rm -rf /var/log/syslog'
        - 'mv /var/log/syslog'
        - ' >/var/log/syslog'
        - ' > /var/log/syslog'
    falsepositives:
        - '/syslog.'
    condition: selection and not falsepositives
falsepositives:
    - Log rotation
level: high
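The rule above is a keyword-only selection with a filter. As an added example (not part of the Sigma rule or the Sigma project), the following Python evaluates the same `selection and not falsepositives` logic over constructed command lines; it assumes each keyword is matched as a case-insensitive substring, which is how keyword lists are commonly rendered, though exact behaviour depends on the Sigma backend and log source.

```python
# Added example: evaluator for this rule's keyword logic over constructed
# command lines. Assumption: keywords match as case-insensitive substrings
# (backend-dependent in real Sigma deployments).

SELECTION = [
    "rm /var/log/syslog",
    "rm -r /var/log/syslog",
    "rm -f /var/log/syslog",
    "rm -rf /var/log/syslog",
    "mv /var/log/syslog",
    " >/var/log/syslog",
    " > /var/log/syslog",
]

# The rule's 'falsepositives' sub-selection: lines referencing a rotated
# file such as /var/log/syslog.1 are filtered out (the "Log rotation" FP).
FALSEPOSITIVES = ["/syslog."]


def keyword_hit(line: str, keywords: list[str]) -> bool:
    """True if any keyword occurs in the line as a case-insensitive substring."""
    lowered = line.lower()
    return any(k.lower() in lowered for k in keywords)


def rule_matches(line: str) -> bool:
    """Implements: condition: selection and not falsepositives."""
    return keyword_hit(line, SELECTION) and not keyword_hit(line, FALSEPOSITIVES)


# Constructed sample command lines (not real telemetry).
SAMPLE_LINES = [
    "rm -rf /var/log/syslog",            # alert: log removed
    "cat /dev/null > /var/log/syslog",   # alert: log emptied via redirection
    "rm /var/log/syslog.1",              # no alert: rotated file is filtered
    "grep sshd /var/log/syslog",         # no alert: read-only access
    "mv /var/log/syslog /tmp/old.log",   # alert: log moved away
]


def evaluate(lines: list[str]) -> list[str]:
    """Return the lines that would raise this rule."""
    return [line for line in lines if rule_matches(line)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_LINES):
        print("ALERT:", hit)
```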
Related rules
- Azure DNS Zone Modified or Deleted
- Azure Device or Configuration Modified or Deleted
- Cisco Denial of Service
- History File Deletion
- Potential Suspicious Change To Sensitive/Critical Files