Mask System Power Settings Via Systemctl
Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep. Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted. This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.
Sigma rule
title: Mask System Power Settings Via Systemctl
id: c172b7b5-f3a1-4af2-90b7-822c63df86cb
status: experimental
description: |
    Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep.
    Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted.
    This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.
author: Milad Cheraghi, Nasreddine Bencherchali
date: 2025-10-17
references:
    - https://www.man7.org/linux/man-pages/man1/systemctl.1.html
    - https://linux-audit.com/systemd/faq/what-is-the-difference-between-systemctl-disable-and-systemctl-mask/
tags:
    - attack.persistence
    - attack.impact
    - attack.t1653
logsource:
    category: process_creation
    product: linux
detection:
    selection_systemctl:
        Image|endswith: '/systemctl'
        CommandLine|contains: ' mask'
    selection_power_options:
        CommandLine|contains:
            - 'suspend.target'
            - 'hibernate.target'
            - 'hybrid-sleep.target'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
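To show how the two selections and the `all of selection_*` condition combine, here is an added example (not part of the Sigma rule or the Sigma project) that evaluates the rule's logic over a handful of constructed process_creation events; the events and the sample paths are assumptions made for the demonstration.

```python
# Added example: a minimal evaluator for this rule's detection logic, run over
# constructed process_creation events (field names Image and CommandLine as used
# by the rule). Sigma string modifiers are case-insensitive by default, so every
# comparison lower-cases both sides.
from typing import Dict, List

# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": "/usr/bin/systemctl",
     "CommandLine": "systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target"},
    {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl mask nginx.service"},
    {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl unmask suspend.target"},
    {"Image": "/bin/bash", "CommandLine": "bash -c 'systemctl mask suspend.target'"},
    {"Image": "/USR/BIN/SYSTEMCTL", "CommandLine": "SYSTEMCTL MASK HIBERNATE.TARGET"},
]

# Values from selection_power_options (CommandLine|contains list, implicit OR).
POWER_TARGETS = ("suspend.target", "hibernate.target", "hybrid-sleep.target")


def _lc(event: Dict[str, str], field: str) -> str:
    return event.get(field, "").lower()


def selection_systemctl(event: Dict[str, str]) -> bool:
    # Image|endswith: '/systemctl' AND CommandLine|contains: ' mask'
    # The leading space in ' mask' is why "systemctl unmask ..." does not match.
    return _lc(event, "Image").endswith("/systemctl") and " mask" in _lc(event, "CommandLine")


def selection_power_options(event: Dict[str, str]) -> bool:
    cmd = _lc(event, "CommandLine")
    return any(target in cmd for target in POWER_TARGETS)


def rule_matches(event: Dict[str, str]) -> bool:
    # condition: all of selection_* -> both selections must hold.
    return selection_systemctl(event) and selection_power_options(event)


def matching_indices(events: List[Dict[str, str]] = SAMPLE_EVENTS) -> List[int]:
    return [i for i, event in enumerate(events) if rule_matches(event)]


if __name__ == "__main__":
    for i in matching_indices():
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Event 3 is not matched because its Image is the shell, not systemctl; the rule would fire on the child systemctl process only if the sensor records that process's own process_creation event.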