auditd

ASLR Disabled Via Sysctl or Direct Syscall - Linux

Dec 8, 2025 · attack.privilege-escalation attack.defense-evasion attack.t1562.001 attack.t1055.009 ·

Share on:

Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including:

Use of the personality syscall with the ADDR_NO_RANDOMIZE flag (0x0040000)
Modification of the /proc/sys/kernel/randomize_va_space file
Execution of the sysctl command to set kernel.randomize_va_space=0 Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms. A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.

Audio Capture

Dec 8, 2025 · attack.collection attack.t1123 ·

Share on:

Detects attempts to record audio using the arecord and ecasound utilities.

Linux Keylogging with Pam.d

Oct 23, 2025 · attack.collection attack.credential-access attack.t1003 attack.t1056.001 ·

Share on:

Detect attempt to enable auditing of TTY input

Suspicious C2 Activities

Oct 18, 2025 · attack.command-and-control ·

Share on:

Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'. This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)