The hypothesis is that an adversary is attempting to clear or remove syslog logs to erase evidence of their activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential log tampering and detect early-stage compromises.
Detection Rule
title: Syslog Clearing or Removal Via System Utilities
id: 3fcc9b35-39e4-44c0-a2ad-9e82b6902b31
status: test
description: |
    Detects specific commands commonly used to remove or empty the syslog, a technique often used by attackers to hide their tracks.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
    - https://www.virustotal.com/gui/file/54d60fd58d7fa3475fa123985bfc1594df26da25c1f5fbc7dfdba15876dd8ac5/behavior
author: Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2025-10-15
tags:
    - attack.defense-evasion
    - attack.t1070.002
logsource:
    product: linux
    category: process_creation
detection:
    selection_file:
        CommandLine|contains: '/var/log/syslog'
    selection_command_rm:
        # Examples:
        #   rm -f /var/log/syslog
        Image|endswith: '/rm'
        CommandLine|contains:
            - ' -r '
            - ' -f '
            - ' -rf '
            - '/var/log/syslog' # We use this to avoid re-writing a separate selection
    selection_command_unlink:
        # Examples:
        #   unlink /var/log/syslog
        Image|endswith: '/unlink'
    selection_command_mv:
        # Examples:
        #   mv /var/log/syslog
        Image|endswith: '/mv'
    selection_command_truncate:
        # Examples:
        #   truncate --size 0 /var/log/syslog
        Image|endswith: '/truncate'
        CommandLine|contains|all:
            - '0 '
            - '/var/log/syslog' # We use this to avoid re-writing a separate selection
        CommandLine|contains:
            - '-s '
            - '-c '
            - '--size'
    selection_command_ln:
        # Examples:
        #   ln -sfn /dev/null /var/log/syslog
        Image|endswith: '/ln'
        CommandLine|contains|all:
            - '/dev/null '
            - '/var/log/syslog' # We use this to avoid re-writing a separate selection
        CommandLine|contains:
            - '-sf '
            - '-sfn '
            - '-sfT '
    selection_command_cp:
        # Examples:
        #   cp /dev/null /var/log/syslog
        Image|endswith: '/cp'
        CommandLine|contains: '/dev/null'
    selection_command_shred:
        # Examples:
        #   shred -u /var/log/syslog
        Image|endswith: '/shred'
        CommandLine|contains: '-u '
    selection_unique_other:
        CommandLine|contains:
            - ' > /var/log/syslog'
            - ' >/var/log/syslog'
            - ' >| /var/log/syslog' # redirection empties with spacing, noclobber
            - ': > /var/log/syslog'
            - ':> /var/log/syslog'
            - ':>/var/log/syslog'
            - '>|/var/log/syslog'
    selection_unique_journalctl:
        CommandLine|contains:
            - 'journalctl --vacuum'
            - 'journalctl --rotate' # archives current journal files and creates new empty ones
    condition: (selection_file and 1 of selection_command_*) or 1 of selection_unique_*
falsepositives:
    - Log rotation.
    - Maintenance.
level: high
imProcessCreate
| where (TargetProcessCommandLine contains "/var/log/syslog"
        and ((TargetProcessName endswith "/rm" and (TargetProcessCommandLine contains " -r " or TargetProcessCommandLine contains " -f " or TargetProcessCommandLine contains " -rf " or TargetProcessCommandLine contains "/var/log/syslog"))
            or TargetProcessName endswith "/unlink"
            or TargetProcessName endswith "/mv"
            or (TargetProcessName endswith "/truncate" and (TargetProcessCommandLine contains "0 " and TargetProcessCommandLine contains "/var/log/syslog") and (TargetProcessCommandLine contains "-s " or TargetProcessCommandLine contains "-c " or TargetProcessCommandLine contains "--size"))
            or (TargetProcessName endswith "/ln" and (TargetProcessCommandLine contains "/dev/null " and TargetProcessCommandLine contains "/var/log/syslog") and (TargetProcessCommandLine contains "-sf " or TargetProcessCommandLine contains "-sfn " or TargetProcessCommandLine contains "-sfT "))
            or (TargetProcessName endswith "/cp" and TargetProcessCommandLine contains "/dev/null")
            or (TargetProcessName endswith "/shred" and TargetProcessCommandLine contains "-u ")))
    or ((TargetProcessCommandLine contains " > /var/log/syslog" or TargetProcessCommandLine contains " >/var/log/syslog" or TargetProcessCommandLine contains " >| /var/log/syslog" or TargetProcessCommandLine contains ": > /var/log/syslog" or TargetProcessCommandLine contains ":> /var/log/syslog" or TargetProcessCommandLine contains ":>/var/log/syslog" or TargetProcessCommandLine contains ">|/var/log/syslog")
        or (TargetProcessCommandLine contains "journalctl --vacuum" or TargetProcessCommandLine contains "journalctl --rotate"))
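To see what the condition above actually fires on, here is a Python port of the rule's logic run over constructed process-creation events (an added example, not part of the Sigma rule or of Sentinel; the field names mirror the imProcessCreate columns used in the KQL, and the sample events are made up for the demonstration).

```python
from dataclasses import dataclass

SYSLOG = "/var/log/syslog"


@dataclass
class ProcEvent:
    # Field names follow the imProcessCreate columns used in the KQL query.
    TargetProcessName: str
    TargetProcessCommandLine: str


def _any(s: str, needles) -> bool:
    return any(n in s for n in needles)


def _all(s: str, needles) -> bool:
    return all(n in s for n in needles)


def matches_syslog_clearing(ev: ProcEvent) -> bool:
    """Port of the Sigma condition:
    (selection_file and 1 of selection_command_*) or 1 of selection_unique_*"""
    img, cmd = ev.TargetProcessName, ev.TargetProcessCommandLine
    selection_file = SYSLOG in cmd
    commands = [
        img.endswith("/rm") and _any(cmd, [" -r ", " -f ", " -rf ", SYSLOG]),
        img.endswith("/unlink"),
        img.endswith("/mv"),
        img.endswith("/truncate") and _all(cmd, ["0 ", SYSLOG]) and _any(cmd, ["-s ", "-c ", "--size"]),
        img.endswith("/ln") and _all(cmd, ["/dev/null ", SYSLOG]) and _any(cmd, ["-sf ", "-sfn ", "-sfT "]),
        img.endswith("/cp") and "/dev/null" in cmd,
        img.endswith("/shred") and "-u " in cmd,
    ]
    unique = _any(cmd, [" > /var/log/syslog", " >/var/log/syslog", " >| /var/log/syslog",
                        ": > /var/log/syslog", ":> /var/log/syslog", ":>/var/log/syslog",
                        ">|/var/log/syslog", "journalctl --vacuum", "journalctl --rotate"])
    return (selection_file and any(commands)) or unique


# Constructed sample events (not real telemetry); the last three are tuning cases.
SAMPLE_EVENTS = [
    ProcEvent("/usr/bin/rm", "rm -f /var/log/syslog"),
    ProcEvent("/usr/bin/truncate", "truncate --size 0 /var/log/syslog"),
    ProcEvent("/usr/bin/ln", "ln -sfn /dev/null /var/log/syslog"),
    ProcEvent("/usr/bin/bash", "bash -c ': > /var/log/syslog'"),
    ProcEvent("/usr/bin/journalctl", "journalctl --vacuum-time=2d"),
    ProcEvent("/usr/bin/rm", "rm -f /var/log/syslog.1.gz"),      # rotated file: still fires (substring match)
    ProcEvent("/usr/bin/cat", "cat /var/log/syslog"),             # read-only access: does not fire
    ProcEvent("/usr/bin/truncate", "truncate -s 0 /tmp/app.log"),  # other file: does not fire
]


def hunt(events):
    """Return the command lines of events that match the rule."""
    return [ev.TargetProcessCommandLine for ev in events if matches_syslog_clearing(ev)]
```

The `rm -f /var/log/syslog.1.gz` case shows why log rotation is listed under falsepositives: every selection is a substring match, so rotated copies of syslog trigger the rule as well, and that is the noise a logrotate or cron based exclusion has to take out.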
Scenario: Scheduled Log Rotation or Cleanup Task
Description: A legitimate scheduled task (e.g., via logrotate on Linux or Event Viewer cleanup on Windows) is configured to clear or rotate logs as part of routine maintenance.
Filter/Exclusion: Check for command-line arguments or log rotation configurations (e.g., logrotate config files, crontab entries with logrotate or rm with specific log file paths).
Scenario: System Log Purge via truncate or dd for Disk Space Management
Description: An admin uses truncate -s 0 /var/log/syslog or dd if=/dev/zero of=/var/log/syslog to free up disk space by zeroing out the syslog file.
Filter/Exclusion: Filter commands that include /var/log/syslog or /var/log/messages and check for presence of truncate, dd, or rm with specific file paths used for log rotation.
Scenario: Log Clearing via syslog-ng or rsyslog Configuration
Description: A system administrator modifies the rsyslog or syslog-ng configuration to clear logs periodically, such as by setting *.*;authpriv.none;cron.none;local0.none;local1.none;local2.none;local3.none;local4.none;local5.none;local6.none;local7.none to discard logs.
Filter/Exclusion: Filter for configuration changes in /etc/rsyslog.conf or /etc/syslog-ng/syslog-ng.conf that include log discard directives.
Scenario: Log File Truncation for Compliance or Testing Purposes
Description: A test environment or compliance task requires clearing logs to reset the system state, such as using truncate or `echo