Attempt To Disable Syslog Service
Query
// Attempt to Disable Syslog Service
DeviceProcessEvents
| where ProcessCommandLine has_any ("syslog", "rsyslog", "syslog-ng", "syslog.service", "rsyslog.service", "syslog-ng.service")
| where FileName in~ ("systemctl", "service", "chkconfig", "update-rc.d")
| where (
(FileName =~ "systemctl" and ProcessCommandLine has_any ("disable", "stop", "kill", "mask")) or
(FileName =~ "service" and ProcessCommandLine has "stop") or
(FileName =~ "chkconfig" and ProcessCommandLine has "off") or
(FileName =~ "update-rc.d" and ProcessCommandLine has_any ("remove", "disable"))
)
// Exclude known log rotation or HUP signals
| where InitiatingProcessFileName !~ "rsyslog-rotate"
| where ProcessCommandLine !has "HUP"About this query
Attempt to Disable Syslog Service
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1562.006 | Indicator Blocking | https://attack.mitre.org/techniques/T1562/006/ |
Description
Detects attempts to disable or stop syslog services (syslog, rsyslog, syslog-ng) using common system utilities like systemctl, service, chkconfig, or update-rc.d. This activity could indicate an adversary attempting to impair defenses by preventing logging of their actions.
Risk
Defense Evasion
Author <Optional>
- Name: Benjamin Zulliger
- Github: https://github.com/benscha/KQLAdvancedHunting
- LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/
References
Defender XDR
Explanation
This query is designed to detect attempts to disable or stop syslog services on a system, which could be an indication of malicious activity aimed at evading detection by preventing logging. Here's a simple breakdown of what the query does:
-
Targeted Services: It looks for commands related to syslog services, including
syslog,rsyslog, andsyslog-ng. -
Command Line Utilities: It checks if these services are being manipulated using common system utilities like
systemctl,service,chkconfig, orupdate-rc.d. -
Suspicious Actions: The query specifically searches for commands that attempt to disable, stop, kill, or mask these services. For example:
- Using
systemctlwith actions like "disable", "stop", "kill", or "mask". - Using
servicewith the "stop" command. - Using
chkconfigwith the "off" command. - Using
update-rc.dwith "remove" or "disable".
- Using
-
Exclusions: It excludes known benign activities such as log rotation or sending a HUP signal to avoid false positives.
Overall, the query is part of a defense strategy to identify potential attempts by an adversary to block indicators of their presence by disabling logging services, which is a technique known as "Indicator Blocking" under the MITRE ATT&CK framework.
