Attempt to Disable Auditd Service

  1[metadata]
  2creation_date = "2024/08/28"
  3integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5min_stack_version = "8.13.0"
  6min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
  7updated_date = "2025/01/24"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Adversaries may attempt to disable the Auditd service to evade detection. Auditd is a Linux service that
 13provides system auditing and logging. Disabling the Auditd service can prevent the system from logging important
 14security events, which can be used to detect malicious activity.
 15"""
 16from = "now-9m"
 17index = ["logs-endpoint.events.process*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
 18language = "eql"
 19license = "Elastic License v2"
 20name = "Attempt to Disable Auditd Service"
 21risk_score = 21
 22rule_id = "6a058ed6-4e9f-49f3-8f8e-f32165ae7ebf"
 23setup = """## Setup
 24
 25This rule requires data coming in from Elastic Defend.
 26
 27### Elastic Defend Integration Setup
 28Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 29
 30#### Prerequisite Requirements:
 31- Fleet is required for Elastic Defend.
 32- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 33
 34#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
 35- Go to the Kibana home page and click "Add integrations".
 36- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 37- Click "Add Elastic Defend".
 38- Configure the integration name and optionally add a description.
 39- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
 40- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 41- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 42- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 43For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
 44- Click "Save and Continue".
 45- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 46For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 47"""
 48severity = "low"
 49tags = [
 50    "Domain: Endpoint",
 51    "OS: Linux",
 52    "Use Case: Threat Detection",
 53    "Tactic: Defense Evasion",
 54    "Data Source: Elastic Defend",
 55    "Data Source: Elastic Endgame",
 56    "Data Source: Crowdstrike",
 57    "Data Source: SentinelOne",
 58    "Resources: Investigation Guide",
 59]
 60timestamp_override = "event.ingested"
 61type = "eql"
 62query = '''
 63process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and (
 64  (process.name == "service" and process.args == "stop") or
 65  (process.name == "chkconfig" and process.args == "off") or
 66  (process.name == "systemctl" and process.args in ("disable", "stop", "kill"))
 67) and
 68process.args in ("auditd", "auditd.service") and 
 69not process.parent.name == "auditd.prerm"
 70'''
 71note = """## Triage and analysis
 72
 73> **Disclaimer**:
 74> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 75
 76### Investigating Attempt to Disable Auditd Service
 77
 78Auditd is a critical Linux service responsible for system auditing and logging, capturing security-relevant events. Adversaries may target this service to evade detection by disabling it, thus preventing the logging of their activities. The detection rule identifies suspicious processes attempting to stop or disable Auditd, such as using commands like `service stop` or `systemctl disable`, signaling potential defense evasion tactics.
 79
 80### Possible investigation steps
 81
 82- Review the process details to identify the user account associated with the suspicious command execution, focusing on the process fields such as process.name and process.args.
 83- Check the system logs for any preceding or subsequent suspicious activities around the time of the alert, particularly looking for other defense evasion tactics or unauthorized access attempts.
 84- Investigate the command history of the user identified to determine if there are any other unauthorized or suspicious commands executed.
 85- Verify the current status of the Auditd service on the affected host to ensure it is running and properly configured.
 86- Correlate the alert with any other security events or alerts from the same host or user to identify potential patterns or broader attack campaigns.
 87
 88### False positive analysis
 89
 90- System administrators may intentionally stop or disable the Auditd service during maintenance or troubleshooting. To handle this, create exceptions for known maintenance windows or specific administrator accounts.
 91- Automated scripts or configuration management tools might stop or disable Auditd as part of routine system updates or deployments. Identify these scripts and whitelist their activities to prevent false alerts.
 92- Some Linux distributions or custom setups might have alternative methods for managing services that could trigger this rule. Review and adjust the detection criteria to align with the specific service management practices of your environment.
 93- In environments where Auditd is not used or is replaced by another logging service, the rule might trigger unnecessarily. Consider disabling the rule or adjusting its scope in such cases.
 94
 95### Response and remediation
 96
 97- Immediately isolate the affected system from the network to prevent further malicious activity and potential lateral movement by the adversary.
 98- Terminate any suspicious processes identified in the alert that are attempting to disable the Auditd service to stop the adversary's actions.
 99- Re-enable and restart the Auditd service on the affected system to ensure that auditing and logging are resumed, capturing any further suspicious activities.
100- Conduct a thorough review of the system logs and audit records to identify any unauthorized changes or additional indicators of compromise that may have occurred prior to the alert.
101- Apply any necessary security patches or updates to the affected system to address vulnerabilities that may have been exploited by the adversary.
102- Escalate the incident to the security operations team for further investigation and to determine if additional systems may be affected.
103- Implement enhanced monitoring and alerting for similar activities across the network to detect and respond to future attempts to disable critical security services."""
104
105[[rule.threat]]
106framework = "MITRE ATT&CK"
107
108[[rule.threat.technique]]
109id = "T1562"
110name = "Impair Defenses"
111reference = "https://attack.mitre.org/techniques/T1562/"
112
113[[rule.threat.technique.subtechnique]]
114id = "T1562.001"
115name = "Disable or Modify Tools"
116reference = "https://attack.mitre.org/techniques/T1562/001/"
117
118[rule.threat.tactic]
119id = "TA0005"
120name = "Defense Evasion"
121reference = "https://attack.mitre.org/tactics/TA0005/"