Detect Disable or Modify Linux Audit System in CrowdStrike LogScale
Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules. Often referred to as auditd, this is the name of the daemon used to write events to disk and is governed by the parameters set in the audit.conf configuration file. Two primary ways to configure the log generation rules are through the command line auditctl utility and the file /etc/audit/audit.rules. With root privileges, adversaries may disable the Audit system service, edit the configuration/rule files, or hook the Audit system library functions. This technique was used by the Ebury malware and the SkidMap cryptominer variant.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.012 Disable or Modify Linux Audit System
- Canonical reference
- https://attack.mitre.org/techniques/T1562/012/
LogScale Detection Query
#event_simpleName = ProcessRollup2
| CommandLine = /systemctl\s+(stop|disable)\s+auditd|service\s+auditd\s+(stop|disable)|killall\s+auditd|pkill\s+auditd|auditctl\s+(-e\s+0|-D\b|-a\s+(never|exclude))/
| FileName = /systemctl|service|killall|pkill|auditctl/
| eval tampering_type = if(CommandLine = /systemctl\s+stop|service.*stop|killall|pkill/, "ServiceStop",
if(CommandLine = /systemctl\s+disable|service.*disable/, "ServiceDisable",
if(CommandLine = /auditctl\s+-e\s+0/, "AuditingDisabled",
if(CommandLine = /auditctl\s+-D/, "RulesFlushed",
if(CommandLine = /auditctl\s+-a\s+(never|exclude)/, "RuleSuppression", "Unknown")))))
| groupBy(
[ComputerName, UserName, FileName, CommandLine, tampering_type, ParentBaseFileName],
function=[
count(as=EventCount),
min(@timestamp, as=FirstSeen),
max(@timestamp, as=LastSeen)
]
)
| sort(LastSeen, order=desc)
// Also detect auditd config file writes via FileCreateUpdateInfo
// Run separately:
// #event_simpleName = FileCreateUpdateInfo
// | TargetFileName = /\/etc\/audit\/(auditd\.conf|audit\.rules)|(\/etc\/audit\/rules\.d\/|\/etc\/audisp\/).*\.rules/
// | groupBy([ComputerName, UserName, TargetFileName, CommandLine], function=[count(as=WriteCount), max(@timestamp, as=LastSeen)])
// | sort(LastSeen, order=desc)CrowdStrike LogScale (Falcon) query detecting Linux auditd tampering using ProcessRollup2 events. Identifies service stop/disable commands, auditctl rule suppression flags (-e 0, -D, -a never/exclude), and process kill targeting auditd. Includes a commented companion query for file write detection against /etc/audit/ configuration paths.
Data Sources
Required Tables
False Positives & Tuning
- IT operations staff running auditctl -D followed by auditctl -R to reload a new ruleset during planned maintenance
- Vulnerability scanners or CIS benchmark tools that probe auditd configuration by executing auditctl commands in read-only mode
- Container orchestration platforms (Kubernetes DaemonSets, Docker) that may restart auditd on node initialization when running privileged security agents
Other platforms for T1562.012
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Stop auditd Service via systemctl
Expected signal: Syslog entry for auditd service stopping. Systemd journal entry for the unit state change. If Sysmon for Linux is installed, a process creation event for systemctl with the 'stop auditd' arguments. The audit.log will show a final DAEMON_END event before stopping.
- Test 2Disable Audit Subsystem via auditctl
Expected signal: The audit log will show an AUDIT_ENABLED record with enabled=0. A CONFIG_CHANGE event is generated immediately before auditing stops. Syslog may capture the auditctl process execution. After -e 0, NO further audit events will be generated until re-enabled.
- Test 3Flush All Audit Rules via auditctl
Expected signal: The audit log will show a CONFIG_CHANGE event with op=remove_rule for each deleted rule. A final entry shows 'audit_enabled=1 ... rules=0' confirming all rules were flushed. The auditd service remains running (systemctl status auditd shows active).
- Test 4Modify audit.rules Configuration File
Expected signal: File modification event for /etc/audit/audit.rules (Sysmon for Linux file create/modify or audit SYSCALL event for open/write on the file). Process creation events for cp, tee, and augenrules. CONFIG_CHANGE audit events when new (empty) rules are loaded.
References (7)
- https://attack.mitre.org/techniques/T1562/012/
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
- https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/
- https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.012/T1562.012.md
- https://man7.org/linux/man-pages/man8/auditctl.8.html
Unlock Pro Content
Get the full detection package for T1562.012 including response playbook, investigation guide, and atomic red team tests.