Detectionhighexperimental

Audit Rules Deleted Via Auditctl

Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems. This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities. Removal of audit rules can significantly impair detection of malicious activities on the affected system.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Mohamed LAKRICreated Fri Oct 17bed26dea-4525-47f4-b24a-76e30e44ffb0linux

Log Source

LinuxProcess Creation

ProductLinux← raw: linux

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|endswith: '/auditctl'
        CommandLine|re: '-D'
    condition: selection

False Positives

An administrator troubleshooting. Investigate all attempts.

References

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Sub-techniques

T1562.012 · Disable or Modify Linux Audit System

Rule Metadata

Rule ID

bed26dea-4525-47f4-b24a-76e30e44ffb0

Status

experimental

Level

high

Type

Detection

Created

Fri Oct 17

Author

Mohamed LAKRI

Path

rules/linux/process_creation/proc_creation_lnx_auditctl_clear_rules.yml

Raw Tags

attack.defense-evasionattack.t1562.012

View on GitHub