Techniques
Sample rules
Audit Rules Deleted Via Auditctl
- source: sigma
- technicques:
- t1562
- t1562.012
Description
Detects the execution of ‘auditctl’ with the ‘-D’ command line parameter, which deletes all configured audit rules and watches on Linux systems. This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities. Removal of audit rules can significantly impair detection of malicious activities on the affected system.
Detection logic
condition: selection
selection:
CommandLine|re: -D
Image|endswith: /auditctl