Detect Disable or Modify Linux Audit System in Google Chronicle
Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules. Often referred to as auditd, this is the name of the daemon used to write events to disk and is governed by the parameters set in the audit.conf configuration file. Two primary ways to configure the log generation rules are through the command line auditctl utility and the file /etc/audit/audit.rules. With root privileges, adversaries may disable the Audit system service, edit the configuration/rule files, or hook the Audit system library functions. This technique was used by the Ebury malware and the SkidMap cryptominer variant.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.012 Disable or Modify Linux Audit System
- Canonical reference
- https://attack.mitre.org/techniques/T1562/012/
YARA-L Detection Query
rule auditd_tampering_t1562_012 {
meta:
author = "Argus Detection Engineering"
description = "Detects disabling or modification of the Linux Audit system (auditd) to evade detection. Covers service stop/disable, process kill, auditctl suppression, and config file tampering. Associated with Ebury malware and SkidMap cryptominer."
mitre_attack_tactic = "Defense Evasion"
mitre_attack_technique = "T1562.012"
mitre_attack_url = "https://attack.mitre.org/techniques/T1562/012/"
severity = "HIGH"
priority = "HIGH"
events:
(
$e.metadata.event_type = "PROCESS_LAUNCH"
and (
(
$e.target.process.command_line = /systemctl\s+(stop|disable)\s+auditd/
) or
(
$e.target.process.command_line = /service\s+auditd\s+(stop|disable)/
) or
(
$e.target.process.command_line = /(killall|pkill)\s+auditd/
) or
(
$e.target.process.file.full_path = /\/bin\/auditctl|\/sbin\/auditctl|\/usr\/sbin\/auditctl/
and $e.target.process.command_line = /(-e\s+0|-D\b|-a\s+(never|exclude))/
)
)
) or
(
$e.metadata.event_type = "FILE_MODIFICATION"
and (
$e.target.file.full_path = /\/etc\/audit\/(auditd\.conf|audit\.rules)$/
or $e.target.file.full_path = /\/etc\/audit\/rules\.d\//
or $e.target.file.full_path = /\/etc\/audisp\//
)
)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting Linux Audit system tampering including auditd service stop/disable, process termination (killall/pkill), auditctl-based suppression of audit logging, and modification of audit configuration files under /etc/audit/ and /etc/audisp/.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate system administrators stopping auditd for emergency disk space recovery or performance troubleshooting
- Configuration management automation (SaltStack, Puppet) applying audit policy updates that temporarily flush rules with auditctl -D before reloading
- Cloud VM initialization scripts that configure auditd on first boot, including stopping and reconfiguring the service
Other platforms for T1562.012
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Stop auditd Service via systemctl
Expected signal: Syslog entry for auditd service stopping. Systemd journal entry for the unit state change. If Sysmon for Linux is installed, a process creation event for systemctl with the 'stop auditd' arguments. The audit.log will show a final DAEMON_END event before stopping.
- Test 2Disable Audit Subsystem via auditctl
Expected signal: The audit log will show an AUDIT_ENABLED record with enabled=0. A CONFIG_CHANGE event is generated immediately before auditing stops. Syslog may capture the auditctl process execution. After -e 0, NO further audit events will be generated until re-enabled.
- Test 3Flush All Audit Rules via auditctl
Expected signal: The audit log will show a CONFIG_CHANGE event with op=remove_rule for each deleted rule. A final entry shows 'audit_enabled=1 ... rules=0' confirming all rules were flushed. The auditd service remains running (systemctl status auditd shows active).
- Test 4Modify audit.rules Configuration File
Expected signal: File modification event for /etc/audit/audit.rules (Sysmon for Linux file create/modify or audit SYSCALL event for open/write on the file). Process creation events for cp, tee, and augenrules. CONFIG_CHANGE audit events when new (empty) rules are loaded.
References (7)
- https://attack.mitre.org/techniques/T1562/012/
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
- https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/
- https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.012/T1562.012.md
- https://man7.org/linux/man-pages/man8/auditctl.8.html
Unlock Pro Content
Get the full detection package for T1562.012 including response playbook, investigation guide, and atomic red team tests.