Audit Rules Deleted Via Auditctl
Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems. This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities. Removal of audit rules can significantly impair detection of malicious activities on the affected system.
Sigma rule
title: Audit Rules Deleted Via Auditctl
id: bed26dea-4525-47f4-b24a-76e30e44ffb0
status: experimental
description: |
    Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems.
    This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.
    Removal of audit rules can significantly impair detection of malicious activities on the affected system.
references:
    - https://www.atomicredteam.io/atomic-red-team/atomics/T1562.012
    - https://linux.die.net/man/8/auditct
author: Mohamed LAKRI
date: 2025-10-17
tags:
    - attack.defense-impairment
    - attack.t1562.012   # Impair Defenses: Disable or Modify Linux Audit System, matching the T1562.012 reference above
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/auditctl'
        CommandLine|re: '-D'
    condition: selection
falsepositives:
    - An administrator troubleshooting. Investigate all attempts.
level: high
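The selection above combines an `endswith` match on the image path with an unanchored regular expression on the command line. The following Python snippet is an added example, not part of the published rule or of SigmaHQ's code: it evaluates that selection over a handful of constructed process-creation events (not real telemetry) so an analyst can see exactly which command lines fire. It also evaluates a stricter variant, labelled as an assumption here and not present in the rule, that requires `-D` to be a standalone token, which shows why the unanchored `'-D'` regex can also match an unrelated path fragment such as `/opt/-Data`.

```python
import re

# Selection as published in the Sigma rule on this page.
IMAGE_SUFFIX = "/auditctl"            # Image|endswith: '/auditctl'
CMDLINE_RE = re.compile(r"-D")        # CommandLine|re: '-D' (unanchored search)

# Assumed tighter variant (NOT part of the published rule): '-D' must be
# a whole token, so '-D' embedded in a path or value does not match.
STRICT_CMDLINE_RE = re.compile(r"(^|\s)-D(\s|$)")

# Constructed sample process_creation events; field names follow the
# Sigma process_creation convention (Image, CommandLine, User).
SAMPLE_EVENTS = [
    {"Image": "/usr/sbin/auditctl", "CommandLine": "auditctl -D", "User": "root"},
    {"Image": "/usr/sbin/auditctl", "CommandLine": "auditctl -l", "User": "root"},
    {"Image": "/usr/sbin/auditctl",
     "CommandLine": "auditctl -w /etc/passwd -p wa -k identity", "User": "root"},
    {"Image": "/usr/sbin/auditctl",
     "CommandLine": "auditctl -d always,exit -F arch=b64 -S execve -k exec", "User": "root"},
    # Not auditctl at all: the Image condition must reject this one.
    {"Image": "/usr/bin/bash", "CommandLine": "bash -c 'echo -D'", "User": "user"},
    # '-D' appears inside a watched path, not as the delete-all flag.
    {"Image": "/usr/sbin/auditctl",
     "CommandLine": "auditctl -w /opt/-Data -p wa -k data", "User": "root"},
]


def matches_rule(event, strict=False):
    """Return True when the event satisfies the rule's 'selection'.

    strict=False reproduces the published rule; strict=True applies the
    assumed token-anchored regex instead.
    """
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    if not image.endswith(IMAGE_SUFFIX):
        return False
    pattern = STRICT_CMDLINE_RE if strict else CMDLINE_RE
    return pattern.search(cmdline) is not None


def evaluate(events, strict=False):
    """Return the command lines of all events that the selection matches."""
    return [e["CommandLine"] for e in events if matches_rule(e, strict=strict)]


if __name__ == "__main__":
    print("published rule :", evaluate(SAMPLE_EVENTS))
    print("strict variant :", evaluate(SAMPLE_EVENTS, strict=True))
```

Running it shows the published selection firing on both `auditctl -D` and the `/opt/-Data` watch, while the strict variant fires only on the genuine delete-all invocation; whether that precision is worth the extra regex complexity is a tuning decision for the deploying team, and the rule's own guidance still applies: every `-D` hit should be investigated.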