T1562.012 Disable or Modify Linux Audit System Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let AuditdTampering = dynamic([
  "service auditd stop", "systemctl stop auditd",
  "systemctl disable auditd", "service auditd disable",
  "killall auditd", "kill -9", "pkill auditd",
  "auditctl -e 0", "auditctl -D",
  "auditctl -a never", "auditctl -a exclude"
]);
let AuditConfigFiles = dynamic([
  "/etc/audit/auditd.conf", "/etc/audit/audit.rules",
  "/etc/audit/rules.d/", "/etc/audisp/"
]);
union
(
  Syslog
  | where TimeGenerated > ago(24h)
  | where SyslogMessage has_any (AuditdTampering)
  | project TimeGenerated, Computer, HostName, Facility,
           SeverityLevel, SyslogMessage,
           DetectionType="AuditdServiceTampering"
),
(
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where ProcessCommandLine has_any (AuditdTampering)
  | project Timestamp, DeviceName, AccountName, FileName,
           ProcessCommandLine, InitiatingProcessFileName,
           InitiatingProcessCommandLine,
           DetectionType="AuditdProcessTampering"
),
(
  DeviceFileEvents
  | where Timestamp > ago(24h)
  | where FolderPath has_any (AuditConfigFiles)
  | where ActionType in ("FileModified", "FileDeleted", "FileCreated")
  | project Timestamp, DeviceName, AccountName,
           FileName, FolderPath, ActionType,
           InitiatingProcessFileName, InitiatingProcessCommandLine,
           DetectionType="AuditConfigModified"
)
| sort by TimeGenerated desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution File: File Modification Application Log: Application Log Content

Required Tables

Syslog DeviceProcessEvents DeviceFileEvents

False Positives

System administrators performing legitimate auditd maintenance — restarting the service after updating audit rules (systemctl restart auditd is expected, but stop/disable is not)
Configuration management tools (Ansible, Puppet, Chef) that deploy new audit.rules files and restart the service as part of regular security hardening
OS package updates (apt/yum update audit) that modify auditd configuration files as part of the package upgrade process
Security teams performing auditctl -l to list rules or auditctl -s to check status (note: these are read-only operations, not -e 0 or -D)

Splunk

spl

index=linux sourcetype="linux_audit" OR sourcetype="syslog" OR sourcetype="linux_secure"
  ("auditd" AND ("stop" OR "disable" OR "killed" OR "signal"))
  OR ("auditctl" AND ("-e 0" OR "-D" OR "-a never" OR "-a exclude"))
  OR ("audit.rules" AND ("modified" OR "deleted" OR "truncated"))
| eval CommandLine=coalesce(a0." ".a1." ".a2." ".a3, msg, _raw)
| eval IsServiceStop=if(match(CommandLine, "(systemctl\s+stop\s+auditd|service\s+auditd\s+stop|killall\s+auditd|pkill\s+auditd)"), 1, 0)
| eval IsAuditDisable=if(match(CommandLine, "auditctl\s+-e\s+0"), 1, 0)
| eval IsRuleFlush=if(match(CommandLine, "auditctl\s+-D"), 1, 0)
| eval IsConfigTamper=if(match(CommandLine, "(audit\.rules|auditd\.conf)"), 1, 0)
| eval SeverityScore=IsServiceStop*3 + IsAuditDisable*3 + IsRuleFlush*2 + IsConfigTamper*2
| where SeverityScore > 0
| table _time, host, user, CommandLine, IsServiceStop, IsAuditDisable, IsRuleFlush, IsConfigTamper, SeverityScore
| sort - SeverityScore, - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Linux Audit Log Syslog

Required Sourcetypes

linux_audit syslog

False Positives

System administrators performing legitimate auditd maintenance such as rule updates followed by service restarts
Configuration management tools (Ansible, Puppet, Chef) deploying updated audit rules as part of security hardening automation
OS package updates that modify auditd configuration files during audit package upgrades
Auditd log rotation that triggers a service HUP signal (kill -HUP) for log file reopening — this is normal operation, not a stop

Elastic Security (EQL)

eql

any where
  (
    event.category == "process" and event.type == "start" and (
      process.command_line : ("*systemctl stop auditd*", "*systemctl disable auditd*",
                               "*service auditd stop*", "*service auditd disable*",
                               "*killall auditd*", "*pkill auditd*") or
      (process.name == "auditctl" and process.command_line : ("*-e 0*", "*-D*", "*-a never*", "*-a exclude*"))
    )
  ) or
  (
    event.category == "file" and
    event.type in ("change", "deletion", "creation") and
    file.path : ("/etc/audit/auditd.conf", "/etc/audit/audit.rules",
                 "/etc/audit/rules.d/*", "/etc/audisp/*")
  )

high severity high confidence

Data Sources

Linux process execution logs (Elastic Agent/Auditbeat) Linux file integrity monitoring (Elastic Agent/Auditbeat)

Required Tables

logs-* auditbeat-* filebeat-*

False Positives

System administrators legitimately stopping auditd during maintenance windows or OS upgrades
Configuration management tools (Ansible, Chef, Puppet) modifying audit rules as part of CIS benchmark hardening
Package manager upgrades (apt/yum) modifying /etc/audit/audit.rules or /etc/audit/auditd.conf during auditd package updates

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  LOGSOURCENAME(logsourceid) AS log_source,
  "Command" AS command_line,
  CASE
    WHEN "Command" ILIKE '%systemctl%stop%auditd%' OR "Command" ILIKE '%service%auditd%stop%' OR "Command" ILIKE '%killall%auditd%' OR "Command" ILIKE '%pkill%auditd%' THEN 'ServiceStop'
    WHEN "Command" ILIKE '%systemctl%disable%auditd%' OR "Command" ILIKE '%service%auditd%disable%' THEN 'ServiceDisable'
    WHEN "Command" ILIKE '%auditctl%-e 0%' THEN 'AuditingDisabled'
    WHEN "Command" ILIKE '%auditctl%-D%' THEN 'RulesFlushed'
    WHEN "Command" ILIKE '%auditctl%-a never%' OR "Command" ILIKE '%auditctl%-a exclude%' THEN 'RuleSuppression'
    WHEN "Command" ILIKE '%/etc/audit/%' THEN 'ConfigModified'
    ELSE 'Unknown'
  END AS tampering_type
FROM events
WHERE
  starttime > NOW() - 86400000
  AND (
    (LOGSOURCETYPEID(logsourceid) IN (11, 352, 2))
    AND (
      "Command" ILIKE '%systemctl%stop%auditd%'
      OR "Command" ILIKE '%systemctl%disable%auditd%'
      OR "Command" ILIKE '%service%auditd%stop%'
      OR "Command" ILIKE '%service%auditd%disable%'
      OR "Command" ILIKE '%killall%auditd%'
      OR "Command" ILIKE '%pkill%auditd%'
      OR "Command" ILIKE '%auditctl%-e 0%'
      OR "Command" ILIKE '%auditctl%-D%'
      OR "Command" ILIKE '%auditctl%-a never%'
      OR "Command" ILIKE '%auditctl%-a exclude%'
      OR "Command" ILIKE '%/etc/audit/audit.rules%'
      OR "Command" ILIKE '%/etc/audit/auditd.conf%'
    )
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Linux syslog Linux audit daemon events Universal DSM for Linux endpoints

Required Tables

events

False Positives

Authorized system administrators performing auditd maintenance or reconfiguration during change windows
Automated compliance tools flushing and reloading audit rules as part of scheduled policy enforcement
Linux OS patching pipelines that restart auditd as part of kernel or auditd package upgrades

Sumo Logic CSE

sql

(_sourceCategory=linux* OR _sourceCategory=*syslog* OR _sourceCategory=*audit*)
| where _raw matches /auditd|auditctl|audit\.rules|auditd\.conf|audisp/
| parse regex "(?P<command_line>(?:systemctl|service|auditctl|killall|pkill|kill)[^\n]{0,200})" nodrop
| parse regex "msg=audit\([^\)]+\):\s*(?P<audit_msg>.+)" nodrop
| where (
    command_line matches /systemctl\s+(stop|disable)\s+auditd/
    OR command_line matches /service\s+auditd\s+(stop|disable)/
    OR command_line matches /(killall|pkill)\s+auditd/
    OR command_line matches /auditctl\s+-e\s+0/
    OR command_line matches /auditctl\s+-D\b/
    OR command_line matches /auditctl\s+-a\s+(never|exclude)/
    OR _raw matches /\/etc\/audit\/(audit\.rules|auditd\.conf)/
  )
| eval tampering_type = if(command_line matches /systemctl\s+stop|service.*stop|killall|pkill/, "ServiceStop",
    if(command_line matches /systemctl\s+disable|service.*disable/, "ServiceDisable",
    if(command_line matches /auditctl\s+-e\s+0/, "AuditingDisabled",
    if(command_line matches /auditctl\s+-D/, "RulesFlushed",
    if(command_line matches /auditctl\s+-a\s+(never|exclude)/, "RuleSuppression",
    if(_raw matches /\/etc\/audit\//, "ConfigModified", "Unknown"))))))
| eval severity_score = if(tampering_type in ("ServiceStop", "AuditingDisabled"), 3,
    if(tampering_type in ("ServiceDisable", "RulesFlushed"), 2, 1))
| fields _messageTime, _sourceHost, _sourceCategory, command_line, tampering_type, severity_score
| sort by severity_score desc, _messageTime desc

high severity medium confidence

Data Sources

Linux syslog Linux audit daemon (auditd) Linux secure logs

Required Tables

Sumo Logic Linux log sources (_sourceCategory=linux*, syslog, audit)

False Positives

Infrastructure-as-Code pipelines (Terraform, Ansible) reconfiguring audit rules during provisioning
Security baseline scripts legitimately flushing and reloading audit rules to apply new CIS benchmark policies
Monitoring agents (Osquery, Wazuh, AIDE) that read or validate audit configuration files generating file-access events

Google Chronicle / SecOps

yaral

rule auditd_tampering_t1562_012 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects disabling or modification of the Linux Audit system (auditd) to evade detection. Covers service stop/disable, process kill, auditctl suppression, and config file tampering. Associated with Ebury malware and SkidMap cryptominer."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1562.012"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1562/012/"
    severity = "HIGH"
    priority = "HIGH"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        (
          $e.target.process.command_line = /systemctl\s+(stop|disable)\s+auditd/
        ) or
        (
          $e.target.process.command_line = /service\s+auditd\s+(stop|disable)/
        ) or
        (
          $e.target.process.command_line = /(killall|pkill)\s+auditd/
        ) or
        (
          $e.target.process.file.full_path = /\/bin\/auditctl|\/sbin\/auditctl|\/usr\/sbin\/auditctl/
          and $e.target.process.command_line = /(-e\s+0|-D\b|-a\s+(never|exclude))/
        )
      )
    ) or
    (
      $e.metadata.event_type = "FILE_MODIFICATION"
      and (
        $e.target.file.full_path = /\/etc\/audit\/(auditd\.conf|audit\.rules)$/
        or $e.target.file.full_path = /\/etc\/audit\/rules\.d\//
        or $e.target.file.full_path = /\/etc\/audisp\//
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Linux endpoint telemetry via Chronicle forwarder Google Cloud Ops Agent Linux process and file events

Required Tables

UDM events (PROCESS_LAUNCH, FILE_MODIFICATION)

False Positives

Legitimate system administrators stopping auditd for emergency disk space recovery or performance troubleshooting
Configuration management automation (SaltStack, Puppet) applying audit policy updates that temporarily flush rules with auditctl -D before reloading
Cloud VM initialization scripts that configure auditd on first boot, including stopping and reconfiguring the service

CrowdStrike LogScale (CQL)

cql

#event_simpleName = ProcessRollup2
| CommandLine = /systemctl\s+(stop|disable)\s+auditd|service\s+auditd\s+(stop|disable)|killall\s+auditd|pkill\s+auditd|auditctl\s+(-e\s+0|-D\b|-a\s+(never|exclude))/
| FileName = /systemctl|service|killall|pkill|auditctl/
| eval tampering_type = if(CommandLine = /systemctl\s+stop|service.*stop|killall|pkill/, "ServiceStop",
    if(CommandLine = /systemctl\s+disable|service.*disable/, "ServiceDisable",
    if(CommandLine = /auditctl\s+-e\s+0/, "AuditingDisabled",
    if(CommandLine = /auditctl\s+-D/, "RulesFlushed",
    if(CommandLine = /auditctl\s+-a\s+(never|exclude)/, "RuleSuppression", "Unknown")))))
| groupBy(
    [ComputerName, UserName, FileName, CommandLine, tampering_type, ParentBaseFileName],
    function=[
      count(as=EventCount),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen)
    ]
  )
| sort(LastSeen, order=desc)

// Also detect auditd config file writes via FileCreateUpdateInfo
// Run separately:
// #event_simpleName = FileCreateUpdateInfo
// | TargetFileName = /\/etc\/audit\/(auditd\.conf|audit\.rules)|(\/etc\/audit\/rules\.d\/|\/etc\/audisp\/).*\.rules/
// | groupBy([ComputerName, UserName, TargetFileName, CommandLine], function=[count(as=WriteCount), max(@timestamp, as=LastSeen)])
// | sort(LastSeen, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon sensor (Linux process execution telemetry) CrowdStrike Falcon sensor (Linux file write events)

Required Tables

ProcessRollup2 FileCreateUpdateInfo

False Positives

IT operations staff running auditctl -D followed by auditctl -R to reload a new ruleset during planned maintenance
Vulnerability scanners or CIS benchmark tools that probe auditd configuration by executing auditctl commands in read-only mode
Container orchestration platforms (Kubernetes DaemonSets, Docker) that may restart auditd on node initialization when running privileged security agents

Disable or Modify Linux Audit System

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections