Detectionhightest

Auditing Configuration Changes on Linux Host

Detect changes in auditd configuration files

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Mikhail Larin, oscd.communityCreated Fri Oct 25Updated Sat Nov 27977ef627-4539-4875-adf4-ed8f780c4922linux

Log Source

Linuxauditd

ProductLinux← raw: linux

Serviceauditd← raw: auditd

Detection Logic

detection:
    selection:
        type: PATH
        name:
            - /etc/audit/*
            - /etc/libaudit.conf
            - /etc/audisp/*
    condition: selection

False Positives

Legitimate administrative activity

References

Resolving title…

github.com

Resolving title…

Self Experience

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Sub-techniques

T1562.006 · Indicator Blocking

Rule Metadata

Rule ID

977ef627-4539-4875-adf4-ed8f780c4922

Status

test

Level

high

Type

Detection

Created

Fri Oct 25

Modified

Sat Nov 27

Author

Mikhail Larin, oscd.community

Path

rules/linux/auditd/path/lnx_auditd_auditing_config_change.yml

Raw Tags

attack.defense-evasionattack.t1562.006

View on GitHub