
Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall (eca5e022-d368-4043-98e5-9736fb01f72f)

Detects use of the syslog syscall with action code 5 (SYSLOG_ACTION_CLEAR), which clears the kernel ring buffer (the dmesg log); the related action codes 4 (SYSLOG_ACTION_READ_CLEAR) and 6 (SYSLOG_ACTION_CONSOLE_OFF) read-and-clear the buffer and disable console logging respectively. Attackers can use this to hide traces after exploitation or privilege escalation. A common technique is running `dmesg -c`, which triggers this syscall internally.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall (eca5e022-d368-4043-98e5-9736fb01f72f) | Sigma-Rules | Clear Linux or Mac System Logs - T1685.006 (5e29d64d-2b14-4f92-875e-4c9c498e213c) | Attack Pattern | 1 |
| Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) | Attack Pattern | Clear Linux or Mac System Logs - T1685.006 (5e29d64d-2b14-4f92-875e-4c9c498e213c) | Attack Pattern | 2 |