Commit
detect vacuuming of journald as clearing syslog
Signed-off-by: wieso-itzi <85185077+wieso-itzi@users.noreply.github.com>
wieso-itzi committed Oct 14, 2024
1 parent f33530e commit 7445688
Showing 1 changed file with 2 additions and 1 deletion.
Expand Up @@ -6,7 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
author: Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2022-09-15
modified: 2024-10-14
tags:
- attack.defense-evasion
- attack.t1070.002
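Review bot: the `modified` date is bumped but the `author` line directly above it is not, and the `references` list gains nothing for the new behaviour. Since this commit adds a detection pattern rather than a cosmetic fix, appending the contributor to `author:` and adding a reference that documents journal vacuuming (for example the journalctl man page, which describes `--vacuum-size=`, `--vacuum-time=` and `--vacuum-files=`) would let a reviewer of the rule see where the new pattern comes from.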
Expand All @@ -27,6 +27,7 @@ detection:
- 'mv /var/log/syslog'
- ' >/var/log/syslog'
- ' > /var/log/syslog'
- 'journalctl --vacuum'
condition: selection
falsepositives:
- Log rotation.
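Review bot: the new `'journalctl --vacuum'` contains-pattern only fires when `--vacuum` is the first token after `journalctl`, so a command such as `journalctl --rotate --vacuum-time=1s` (a common way to drop all current journal data) is missed, while the existing syslog patterns are not tied to argument order. A more robust shape would be a second selection on `'--vacuum-'` combined with `'journalctl'` in the condition, which still covers all three real forms (`--vacuum-size=`, `--vacuum-time=`, `--vacuum-files=`). Also, the `falsepositives` block still lists only "Log rotation."; journal vacuuming is routinely run by administrators and cron jobs to reclaim disk space, so adding an entry like "Journal space management by administrators or scheduled jobs" would keep the rule's metadata honest about the added pattern.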

0 comments on commit 7445688