Audit Rules Deleted Via Auditctl
Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems. This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities. Removal of audit rules can significantly impair detection of malicious activities on the affected system.
Sigma rule (View on GitHub)
1title: Audit Rules Deleted Via Auditctl
2id: bed26dea-4525-47f4-b24a-76e30e44ffb0
3status: experimental
4description: |
5 Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems.
6 This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.
7 Removal of audit rules can significantly impair detection of malicious activities on the affected system.
8references:
9 - https://www.atomicredteam.io/atomic-red-team/atomics/T1562.012
10 - https://linux.die.net/man/8/auditct
11author: Mohamed LAKRI
12date: 2025-10-17
13tags:
14 - attack.defense-evasion
15 - attack.t1562.012
16logsource:
17 product: linux
18 category: process_creation
19detection:
20 selection:
21 Image|endswith: '/auditctl'
22 CommandLine|re: '-D'
23 condition: selection
24falsepositives:
25 - An administrator troubleshooting. Investigate all attempts.
26level: high
References
Related rules
- Kaspersky Endpoint Security Stopped Via CommandLine - Linux
- GitHub Repository Archive Status Changed
- WFP Filter Added via Registry
- APT27 - Emissary Panda Activity
- AWS Console GetSigninToken Potential Abuse