Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall

Rule Info

Name
Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
Author
Milad Cheraghi
Description
Detects use of the `syslog` syscall with action code 5 (SYSLOG_ACTION_CLEAR), which clears the kernel ring buffer (dmesg logs); the related action codes 4 (SYSLOG_ACTION_READ_CLEAR) and 6 (SYSLOG_ACTION_CONSOLE_OFF) are also covered. Attackers can use this to hide traces after exploitation or privilege escalation. A common technique is running `dmesg -c`, which triggers this syscall internally.
Date
2025-05-27 00:00:00
Modified
2025-06-05 00:00:00
Id
eca5e022-d368-4043-98e5-9736fb01f72f
Tags
attack.defense-evasion attack.t1070.002
Type
Community Rule
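
As an added illustration (not part of the rule or of the Sigma project's code), the following Python snippet applies the rule's logic to auditd SYSCALL records: it matches the `syslog` syscall either by name (as `ausearch -i` prints it) or by its raw number, assumed here to be 103 for x86_64, and flags the action codes 4, 5 and 6 named in the description. The sample records are constructed, not real captures.

```python
import re
from typing import Dict, List, Optional

# Action codes of the syslog(2) interface that remove or silence kernel log output.
SYSLOG_ACTIONS = {
    4: "SYSLOG_ACTION_READ_CLEAR",
    5: "SYSLOG_ACTION_CLEAR",
    6: "SYSLOG_ACTION_CONSOLE_OFF",
}

# Raw auditd records carry the syscall number; `ausearch -i` shows the name.
# 103 is __NR_syslog on x86_64 (assumption: extend this set for other arches).
SYSLOG_SYSCALL_IDS = {"syslog", "103"}

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line: str) -> Dict[str, str]:
    """Split an auditd key=value record into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}


def classify_syslog_call(line: str) -> Optional[Dict[str, str]]:
    """Return a finding if the record is a syslog() call with a clear/off action."""
    rec = parse_audit_record(line)
    if rec.get("type") != "SYSCALL" or rec.get("syscall") not in SYSLOG_SYSCALL_IDS:
        return None
    try:
        action = int(rec.get("a0", ""), 16)  # auditd stores arguments as hex
    except ValueError:
        return None
    if action not in SYSLOG_ACTIONS:
        return None
    return {"action": SYSLOG_ACTIONS[action], "pid": rec.get("pid", "?"),
            "uid": rec.get("uid", "?"), "comm": rec.get("comm", "?"),
            "exe": rec.get("exe", "?")}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the classifier over a batch of audit lines and keep the hits."""
    return [f for f in (classify_syslog_call(l) for l in lines) if f]


# Constructed sample records: a `dmesg -c`, a plain read (a0=3), a console-off
# call shown in interpreted form, and an unrelated execve.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1748300000.123:4521): arch=c000003e syscall=103 success=yes exit=0 a0=5 a1=0 a2=0 a3=0 pid=1234 uid=0 comm="dmesg" exe="/usr/bin/dmesg" key="kernel_log_tamper"',
    'type=SYSCALL msg=audit(1748300001.456:4522): arch=c000003e syscall=103 success=yes exit=2048 a0=3 a1=7f00 a2=800 a3=0 pid=1240 uid=1000 comm="dmesg" exe="/usr/bin/dmesg"',
    'type=SYSCALL msg=audit(05/27/2025 10:00:02.789:4523) : arch=x86_64 syscall=syslog success=yes exit=0 a0=0x6 a1=0x0 a2=0x0 a3=0x0 pid=1300 uid=root comm=quietkmsg exe=/tmp/quietkmsg',
    'type=SYSCALL msg=audit(1748300003.000:4524): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55e0 a2=55f0 a3=0 pid=1301 uid=1000 comm="bash" exe="/usr/bin/bash"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```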

Rule History

Author
phantinuss
Title
Merge PR #5467 from @phantinuss - use syscall names instead of ids
Date
2025-06-05

Author
Milad Cheraghi
Title
Merge PR #5438 from @CheraghiMilad - new: clean dmesg logs
Date
2025-05-31