Query Details

Attempt To Disable Syslog Service

Query

// Attempt to Disable Syslog Service
DeviceProcessEvents
| where ProcessCommandLine has_any ("syslog", "rsyslog", "syslog-ng", "syslog.service", "rsyslog.service", "syslog-ng.service")
| where FileName in~ ("systemctl", "service", "chkconfig", "update-rc.d")
| where (
    (FileName =~ "systemctl" and ProcessCommandLine has_any ("disable", "stop", "kill", "mask")) or
    (FileName =~ "service" and ProcessCommandLine has "stop") or
    (FileName =~ "chkconfig" and ProcessCommandLine has "off") or
    (FileName =~ "update-rc.d" and ProcessCommandLine has_any ("remove", "disable"))
)
// Exclude known log rotation or HUP signals
| where InitiatingProcessFileName !~ "rsyslog-rotate"
| where ProcessCommandLine !has "HUP"

About this query

Attempt to Disable Syslog Service

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1562.006Indicator Blockinghttps://attack.mitre.org/techniques/T1562/006/

Description

Detects attempts to disable or stop syslog services (syslog, rsyslog, syslog-ng) using common system utilities like systemctl, service, chkconfig, or update-rc.d. This activity could indicate an adversary attempting to impair defenses by preventing logging of their actions.

Risk

Defense Evasion

Author <Optional>

References

Defender XDR

Explanation

This query is designed to detect attempts to disable or stop syslog services on a system, which could be an indication of malicious activity aimed at evading detection by preventing logging. Here's a simple breakdown of what the query does:

  1. Targeted Services: It looks for commands related to syslog services, including syslog, rsyslog, and syslog-ng.

  2. Command Line Utilities: It checks if these services are being manipulated using common system utilities like systemctl, service, chkconfig, or update-rc.d.

  3. Suspicious Actions: The query specifically searches for commands that attempt to disable, stop, kill, or mask these services. For example:

    • Using systemctl with actions like "disable", "stop", "kill", or "mask".
    • Using service with the "stop" command.
    • Using chkconfig with the "off" command.
    • Using update-rc.d with "remove" or "disable".
  4. Exclusions: It excludes known benign activities such as log rotation or sending a HUP signal to avoid false positives.

Overall, the query is part of a defense strategy to identify potential attempts by an adversary to block indicators of their presence by disabling logging services, which is a technique known as "Indicator Blocking" under the MITRE ATT&CK framework.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: February 26, 2026

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

has_anyin~=~has!~!has

MITRE Techniques

Actions

GitHub