https://detection.fyi/tags/attack.t1685.006/ Recent content in attack.t1685.006 on Detection.FYI Hugo -- gohugo.io Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/linux/auditd/syscall/lnx_auditd_clean_disable_dmesg_logs_via_syslog/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/linux/auditd/syscall/lnx_auditd_clean_disable_dmesg_logs_via_syslog/ Detects the use of the `syslog` syscall with action code 5 (SYSLOG_ACTION_CLEAR), (4 is SYSLOG_ACTION_READ_CLEAR and 6 is SYSLOG_ACTION_CONSOLE_OFF) which clears the kernel ring buffer (dmesg logs). This can be used by attackers to hide traces after exploitation or privilege escalation. A common technique is running `dmesg -c`, which triggers this syscall internally. https://detection.fyi/sigmahq/sigma/macos/process_creation/proc_creation_macos_clear_system_logs/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/macos/process_creation/proc_creation_macos_clear_system_logs/ Detects deletion of local audit logs https://detection.fyi/sigmahq/sigma/linux/process_creation/proc_creation_lnx_clear_logs/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/linux/process_creation/proc_creation_lnx_clear_logs/ Detects logs clearing attempts on Linux systems via utilities such as 'rm', 'rmdir', 'shred', and 'unlink' targeting log files and directories. Adversaries often try to clear logs to cover their tracks after performing malicious activities. https://detection.fyi/sigmahq/sigma/linux/process_creation/proc_creation_lnx_clear_syslog/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/linux/process_creation/proc_creation_lnx_clear_syslog/ Detects specific commands commonly used to remove or empty the syslog. Which is a technique often used by attacker as a method to hide their tracks