From 346ff26809121faa445c102a5b4ffd58eae76bee Mon Sep 17 00:00:00 2001
From: Max Altgelt
Date: Tue, 21 Sep 2021 14:22:17 +0200
Subject: [PATCH] feat: Add rule for syslog removal

---
 rules/linux/lnx_clear_syslog.yml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/linux/lnx_clear_syslog.yml

diff --git a/rules/linux/lnx_clear_syslog.yml b/rules/linux/lnx_clear_syslog.yml
new file mode 100644
index 000000000..4ca3a5a26
--- /dev/null
+++ b/rules/linux/lnx_clear_syslog.yml
@@ -0,0 +1,27 @@
+title: Clearing syslog
+id: e09eb557-96d2-4de9-ba2d-30f712a5afd3
+status: experimental
+description: Detects removal of the syslog
+author: Max Altgelt
+date: 2021/09/10
+references:
+    - https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474
+logsource:
+    product: linux
+detection:
+    selection:
+        - 'rm /var/log/syslog'
+        - 'rm -r /var/log/syslog'
+        - 'rm -f /var/log/syslog'
+        - 'rm -rf /var/log/syslog'
+        - 'mv /var/log/syslog'
+        - ' >/var/log/syslog'
+        - ' > /var/log/syslog'
+    falsepositives:
+        - '/syslog.'
+    condition: selection and not falsepositives
+falsepositives:
+    - Log rotation
+level: high
+tags:
+    - attack.persistence
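Review bot: The `tags` entry `attack.persistence` misclassifies the behaviour; deleting or truncating /var/log/syslog is indicator removal on the host, so the rule should carry `attack.defense_evasion` and `attack.t1070.002` instead. The `falsepositives` filter `'/syslog.'` is a bare keyword, so it suppresses any event whose text contains that substring anywhere, including a single command that touches both the live file and a rotated copy; it should be narrowed to the rotation tooling (for example the logrotate process or its parent) rather than a path prefix. The `logsource` gives only `product: linux` with no `category` or `service`, so a backend cannot tell which event stream or field the keyword list applies to, and plain keywords such as `'rm /var/log/syslog'` depend on the backend's exact-vs-substring semantics; a `category: process_creation` logsource with `CommandLine|contains` selectors would make both the source and the match explicit. The `description` could also state what evidence the rule relies on, e.g. `description: Detects commands that delete, move or truncate /var/log/syslog`.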