CKCL Log Disabled

Rule Info

Name: CKCL Log Disabled
Author: Nasreddine Bencherchali (Nextron Systems)
Description: Detects tampering attempts to disable performance CKCL logs. These logs often contain useful information about the boot and shutdown process. Attackers might want to disable them in order to hinder a forensic investigation.
Reference: Internal Research
Date: 2024-01-24 00:00:00
Modified: None
Id: d15b413c-6a52-4fdc-9ce6-cc7e9b936bfc
Tags: attack.defense_evasion, attack.t1564.001
Type: Nextron Sigma feed only (private)

Rule History