Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep.
Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted.
This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.
status: experimental
author: Milad Cheraghi, Nasreddine Bencherchali
id: c172b7b5-f3a1-4af2-90b7-822c63df86cb

Sigma YAML:

```yaml
title: Mask System Power Settings Via Systemctl
id: c172b7b5-f3a1-4af2-90b7-822c63df86cb
status: experimental
description: |
    Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep.
    Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted.
    This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.
author: Milad Cheraghi, Nasreddine Bencherchali
date: 2025-10-17
references:
    - https://www.man7.org/linux/man-pages/man1/systemctl.1.html
    - https://linux-audit.com/systemd/faq/what-is-the-difference-between-systemctl-disable-and-systemctl-mask/
tags:
    - attack.persistence
    - attack.impact
    - attack.t1653
logsource:
    category: process_creation
    product: linux
detection:
    selection_systemctl:
        Image|endswith: '/systemctl'
        CommandLine|contains: ' mask'
    selection_power_options:
        CommandLine|contains:
            - 'suspend.target'
            - 'hibernate.target'
            - 'hybrid-sleep.target'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
```
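To show how the two selections and the `all of selection_*` condition combine, here is an added Python evaluator run over constructed process_creation events. It is example code written for this page, not part of the Sigma project or of the rule authors' tooling; the field names `Image` and `CommandLine` are the rule's own, the sample events are constructed, and case-insensitive comparison follows Sigma's default string-matching semantics.

```python
# Added example (not Sigma project code): evaluate this rule's selections
# over constructed process_creation events. Field names Image and
# CommandLine come from the rule; the events below are constructed.

# Constructed sample events in the shape of a process_creation log.
SAMPLE_EVENTS = [
    {"id": 1, "Image": "/usr/bin/systemctl",
     "CommandLine": "systemctl mask suspend.target hibernate.target hybrid-sleep.target"},
    {"id": 2, "Image": "/usr/bin/systemctl",
     "CommandLine": "systemctl --runtime mask hybrid-sleep.target"},
    {"id": 3, "Image": "/usr/bin/systemctl",
     "CommandLine": "systemctl unmask suspend.target"},
    {"id": 4, "Image": "/usr/bin/grep",
     "CommandLine": "grep mask /etc/systemd/system/suspend.target"},
    {"id": 5, "Image": "/usr/bin/systemctl",
     "CommandLine": "systemctl mask sleep.target"},
]

# The CommandLine|contains list from selection_power_options.
POWER_TARGETS = ("suspend.target", "hibernate.target", "hybrid-sleep.target")


def _field(event, name):
    # Sigma string matching is case-insensitive by default, so compare
    # lower-cased values; a missing field never matches.
    return str(event.get(name, "")).lower()


def selection_systemctl(event):
    # Image|endswith: '/systemctl' AND CommandLine|contains: ' mask'
    # Two keys inside one selection are ANDed. The leading space in
    # ' mask' keeps 'unmask' from matching (event 3).
    return (_field(event, "Image").endswith("/systemctl")
            and " mask" in _field(event, "CommandLine"))


def selection_power_options(event):
    # A list under CommandLine|contains matches if any value is present (OR).
    cmd = _field(event, "CommandLine")
    return any(target in cmd for target in POWER_TARGETS)


def rule_matches(event):
    # condition: all of selection_*  -> every selection must be true.
    return selection_systemctl(event) and selection_power_options(event)


def matching_ids(events=SAMPLE_EVENTS):
    # Return the ids of the events the rule would alert on.
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    print("alerts:", matching_ids())  # expected: [1, 2]
```

Events 1 and 2 alert; event 3 does not because `unmask` never contains the space-prefixed `' mask'`; event 4 fails the `Image` check; event 5 masks `sleep.target`, which is not in the rule's target list, so it is not covered as written. Whether that target belongs in the list is a tuning decision for your environment rather than part of the published rule.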