
detect journalctl/systemctl/systemd interactions on Linux

Open Still34 opened this issue 9 months ago • 0 comments

Prerequisites

  • [x] Put an X between the brackets on this line if you have done all of the following:
    • Checked that your rule idea isn't already filed: search

Summary

Add a new detection rule for journalctl-related interactions (e.g., enumeration via journalctl -u/--unit, rotation/clearing via journalctl --rotate/--vacuum-time/--vacuum-files, etc.) and/or systemctl-related interactions (e.g., reloading units via systemctl daemon-reload, enabling/disabling/starting/stopping units via systemctl disable/enable/start/stop).

Examples

  • 6a5bda892608df18c543036b71f46dd2ae533c85256c40dffeb23ea78c70f021
    • Journal enumeration via journalctl -xe --no-pager
    • Daemon reload via systemctl daemon-reload
    • Starting/stopping services via systemctl start

Features

  • strings

Additional context

Rule details

Namespace

  • host-interaction/service
  • anti-analysis/anti-forensic/clear-logs

References

Other rule meta information

  • ATT&CK
    • T1562.012: Disable or Modify Linux Audit System // for tampering with systemd services
    • T1562.001: Disable or Modify Tools // for tampering with systemd services
    • T1543.002: Create or Modify System Process (systemd Service)
    • T1082: System Information Discovery // for interacting with journald

Still34 · Apr 18 '25 04:04
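One way the systemctl half of this request could look as a capa rule, added here as an illustration rather than a rule from the capa-rules repository. The author entry is a placeholder, and the verb list and regexes are assumptions about how the command line is usually embedded (either as one string handed to system()/popen(), or as separate argv tokens for execve()); the journalctl --rotate/--vacuum side would be a sibling rule under anti-analysis/anti-forensic/clear-logs.

```yaml
rule:
  meta:
    name: manage systemd services via systemctl
    namespace: host-interaction/service
    authors:
      - "<your handle>"   # placeholder, fill in before submitting
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Persistence::Create or Modify System Process::Systemd Service [T1543.002]
      - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
    examples:
      # sample listed in the issue above
      - 6a5bda892608df18c543036b71f46dd2ae533c85256c40dffeb23ea78c70f021
  features:
    - and:
      - os: linux
      - or:
        # whole command line embedded as one string, e.g. passed to system() or sh -c
        - string: /systemctl\s+daemon-reload/
        - string: /systemctl\s+(enable|disable|start|stop|restart|mask|unmask)\b/
        # argv split into separate tokens, e.g. execve("/bin/systemctl", {"systemctl", "start", ...})
        # the bare verbs are common words, so they only count together with the binary name
        - and:
          - string: /(^|\/)systemctl$/
          - or:
            - string: "daemon-reload"
            - string: "enable"
            - string: "disable"
            - string: "start"
            - string: "stop"
            - string: "restart"
```

The second branch trades precision for coverage: "start"/"stop" alone would fire on many benign binaries, which is why they are gated behind the systemctl path match.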