https://detection.fyi/tags/attack.t1685.004/ Recent content in attack.t1685.004 on Detection.FYI Hugo -- gohugo.io Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/linux/process_creation/proc_creation_lnx_auditctl_clear_rules/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/linux/process_creation/proc_creation_lnx_auditctl_clear_rules/ Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems. This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities. Removal of audit rules can significantly impair detection of malicious activities on the affected system.