# *Attempt to Disable Syslog Service*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1562.006 | Indicator Blocking | https://attack.mitre.org/techniques/T1562/006/ |


#### Description
Detects attempts to stop or disable a syslog daemon (syslog, rsyslog or syslog-ng) through the common service-management utilities systemctl, service, chkconfig and update-rc.d. Stopping the local logger is a classic impair-defenses step: once the daemon is down, subsequent activity on the host is neither recorded locally nor forwarded to a collector, so this should be treated as a high-signal event on servers where syslog is expected to run continuously.

#### Risk
Defense Evasion

#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**

#### References
- 

## Defender XDR
```KQL
// Attempt to Disable Syslog Service
// Scope: Linux process telemetry; a syslog daemon being stopped or disabled
// through a service-management utility.
DeviceProcessEvents
// 1. The command line references a syslog daemon. has_any matches whole terms
//    (split on non-alphanumeric characters), so "syslog" on its own would not
//    match "rsyslog"; both spellings are listed for that reason.
| where ProcessCommandLine has_any ("syslog", "rsyslog", "syslog-ng", "syslog.service", "rsyslog.service", "syslog-ng.service")
// 2. The process image is one of the service-management utilities (case-insensitive).
| where FileName in~ ("systemctl", "service", "chkconfig", "update-rc.d")
// 3. The verb used with that utility stops, disables, masks or kills the unit.
| where (
    (FileName =~ "systemctl" and ProcessCommandLine has_any ("disable", "stop", "kill", "mask")) or
    (FileName =~ "service" and ProcessCommandLine has "stop") or
    (FileName =~ "chkconfig" and ProcessCommandLine has "off") or
    (FileName =~ "update-rc.d" and ProcessCommandLine has_any ("remove", "disable"))
)
// 4. Exclude known benign cases: log rotation (rsyslog-rotate) and reload (HUP) signals.
| where InitiatingProcessFileName !~ "rsyslog-rotate"
| where ProcessCommandLine !has "HUP"
```

Explanation

This query detects attempts to stop or disable the syslog service on a Linux host. An adversary who takes the local logger down before acting leaves no record of what follows, so the event is worth alerting on wherever syslog is expected to run. Step by step:

1. Targeted services: it keeps command lines that reference syslog, rsyslog or syslog-ng, with or without the `.service` suffix. `has` and `has_any` match whole terms split on non-alphanumeric characters, so "syslog" does not match "rsyslog"; that is why both spellings are listed.

2. Service-management utilities: it keeps only processes whose image name is systemctl, service, chkconfig or update-rc.d. FileName is the base name, so the path the utility was invoked from does not matter.

3. Disabling actions: for each utility it requires the verb that stops or disables a unit:
   - systemctl with "disable", "stop", "kill" or "mask"
   - service with "stop"
   - chkconfig with "off"
   - update-rc.d with "remove" or "disable"

4. Exclusions: it drops events spawned by rsyslog-rotate (log rotation) and command lines containing the term HUP (a reload signal), both of which are routine on most hosts.

Two caveats before tuning. First, the query only sees the four utilities above: a signal sent straight to the daemon (kill, pkill), an edit to its configuration, or a daemon whose name is its own term (for example syslogd) is outside its scope and needs a separate rule. Second, the HUP exclusion is a term match on the whole command line, so every command line that contains that token is suppressed regardless of the verb; if you want "stop", "disable" and "mask" to remain visible in all cases, narrow the exclusion to the `systemctl kill` branch.

Overall, the query is part of a defense strategy to identify attempts by an adversary to block indicators of their presence by disabling logging services, the technique MITRE ATT&CK tracks as "Indicator Blocking" (T1562.006).
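The following Python script is added here as a worked example; it is not part of the original query or of the KQLAdvancedHunting repository. It re-implements the query's where-clauses over a handful of constructed DeviceProcessEvents rows and approximates Kusto term tokenisation (maximal alphanumeric runs, compared case-insensitively), so you can see why both "syslog" and "rsyslog" have to be listed, why a HUP reload is suppressed, and which activity (a direct `kill`, a daemon named `syslogd`) falls outside the rule. `ProcessEvent`, `hunt`, the sample rows and the tokeniser are assumptions of this example, not Defender internals.

```python
import re
from dataclasses import dataclass


# Hypothetical minimal DeviceProcessEvents row: only the columns the query reads.
@dataclass(frozen=True)
class ProcessEvent:
    file_name: str
    command_line: str
    initiating_file_name: str = "bash"


_TERM = re.compile(r"[A-Za-z0-9]+")


def _terms(text: str) -> list[str]:
    """Approximate Kusto term tokenisation: maximal alphanumeric runs, lowercased.
    Hyphen and dot split terms, so "rsyslog.service" -> ["rsyslog", "service"]."""
    return [t.lower() for t in _TERM.findall(text)]


def has(text: str, needle: str) -> bool:
    """KQL `has` (approximation): the needle's terms must appear as whole,
    adjacent terms of the text. Hence "syslog" matches neither "rsyslog" nor "syslogd"."""
    hay, want = _terms(text), _terms(needle)
    if not want:
        return False
    n = len(want)
    return any(hay[i:i + n] == want for i in range(len(hay) - n + 1))


def has_any(text: str, needles) -> bool:
    return any(has(text, n) for n in needles)


# The literals from the KQL query, unchanged.
SYSLOG_TERMS = ("syslog", "rsyslog", "syslog-ng",
                "syslog.service", "rsyslog.service", "syslog-ng.service")
SERVICE_TOOLS = ("systemctl", "service", "chkconfig", "update-rc.d")
DISABLING_VERBS = {
    "systemctl": ("disable", "stop", "kill", "mask"),
    "service": ("stop",),
    "chkconfig": ("off",),
    "update-rc.d": ("remove", "disable"),
}


def is_syslog_disable_attempt(ev: ProcessEvent) -> bool:
    """Python mirror of the query's where-clauses, applied in the same order."""
    cmd = ev.command_line
    tool = ev.file_name.lower()            # FileName in~ / =~ are case-insensitive
    if not has_any(cmd, SYSLOG_TERMS):     # 1. references a syslog daemon
        return False
    if tool not in SERVICE_TOOLS:          # 2. service-management utility
        return False
    if not has_any(cmd, DISABLING_VERBS[tool]):  # 3. stop/disable/mask/kill verb
        return False
    # 4. Exclusions: log rotation helper, or a HUP (reload) anywhere on the line.
    if ev.initiating_file_name.lower() == "rsyslog-rotate":
        return False
    if has(cmd, "HUP"):
        return False
    return True


def hunt(events: list[ProcessEvent]) -> list[str]:
    """Return the command lines the query would surface, in input order."""
    return [ev.command_line for ev in events if is_syslog_disable_attempt(ev)]


# Constructed sample rows for this example; not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("systemctl", "systemctl stop rsyslog"),
    ProcessEvent("systemctl", "systemctl disable --now syslog-ng.service"),
    ProcessEvent("service", "service syslog-ng stop"),
    ProcessEvent("chkconfig", "chkconfig rsyslog off"),
    ProcessEvent("update-rc.d", "update-rc.d rsyslog remove"),
    ProcessEvent("systemctl", "systemctl mask rsyslog"),
    # Benign reload: suppressed by the HUP exclusion.
    ProcessEvent("systemctl", "systemctl kill -s HUP rsyslog.service"),
    # Constructed to show the initiating-process exclusion on its own.
    ProcessEvent("systemctl", "systemctl kill rsyslog", "rsyslog-rotate"),
    # Not a disabling verb.
    ProcessEvent("systemctl", "systemctl status rsyslog"),
    # Coverage gaps: a direct signal, and a daemon whose name is its own term.
    ProcessEvent("kill", "kill -9 812"),
    ProcessEvent("systemctl", "systemctl stop syslogd"),
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Run it directly and the first six rows print as alerts; the reload, the rotation helper, the status check, the direct `kill` and the `syslogd` row are silent, which is exactly the boundary the caveats above describe.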

Details

Released: February 26, 2026

Tables

DeviceProcessEvents

Operators

has_any, in~, =~, has, !~, !has