Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Syslog Clearing or Removal Via System Utilities

Detects specific commands commonly used to remove or empty the syslog. Which is a technique often used by attacker as a method to hide their tracks

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTICCreated Fri Oct 15Updated Wed Oct 153fcc9b35-39e4-44c0-a2ad-9e82b6902b31linux
Log Source
LinuxProcess Creation
ProductLinux← raw: linux
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic10 selectors
detection:
    selection_file:
        CommandLine|contains: '/var/log/syslog'
    selection_command_rm:
        # Examples:
        #   rm -f /var/log/syslog
        Image|endswith: '/rm'
        CommandLine|contains:
            - ' -r '
            - ' -f '
            - ' -rf '
            - '/var/log/syslog' # We use this to avoid re-writing a separate selection
    selection_command_unlink:
        # Examples:
        #   unlink /var/log/syslog
        Image|endswith: '/unlink'
    selection_command_mv:
        # Examples:
        #   mv /var/log/syslog
        Image|endswith: '/mv'
    selection_command_truncate:
        # Examples:
        #   truncate --size 0 /var/log/syslog
        Image|endswith: '/truncate'
        CommandLine|contains|all:
            - '0 '
            - '/var/log/syslog' # We use this to avoid re-writing a separate selection
        CommandLine|contains:
            - '-s '
            - '-c '
            - '--size'
    selection_command_ln:
        # Examples:
        #   ln -sfn /dev/null /var/log/syslog
        Image|endswith: '/ln'
        CommandLine|contains|all:
            - '/dev/null '
            - '/var/log/syslog' # We use this to avoid re-writing a separate selection
        CommandLine|contains:
            - '-sf '
            - '-sfn '
            - '-sfT '
    selection_command_cp:
        # Examples:
        #   cp /dev/null /var/log/syslog
        Image|endswith: '/cp'
        CommandLine|contains: '/dev/null'
    selection_command_shred:
        # Examples:
        #   shred -u /var/log/syslog
        Image|endswith: '/shred'
        CommandLine|contains: '-u '
    selection_unique_other:
        CommandLine|contains:
            - ' > /var/log/syslog'
            - ' >/var/log/syslog'
            - ' >| /var/log/syslog'  # redirection empties w spacing, noclobber
            - ': > /var/log/syslog'
            - ':> /var/log/syslog'
            - ':>/var/log/syslog'
            - '>|/var/log/syslog'
    selection_unique_journalctl:
        CommandLine|contains:
            - 'journalctl --vacuum'
            - 'journalctl --rotate' # archives current journal files and creates new empty ones
    condition: (selection_file and 1 of selection_command_*) or 1 of selection_unique_*
False Positives

Log rotation.

Maintenance.

References
1
Resolving title…
github.com
2
Resolving title…
virustotal.com
MITRE ATT&CK
Rule Metadata
Rule ID
3fcc9b35-39e4-44c0-a2ad-9e82b6902b31
Status
test
Level
high
Type
Detection
Created
Fri Oct 15
Modified
Wed Oct 15
Author
Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
Path
rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml
Raw Tags
attack.defense-evasionattack.t1070.002
View on GitHub