Detect Disable or Modify Linux Audit System in IBM QRadar
Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux administrators use the audit system to track security-relevant information on a host. It operates at the kernel level and records events on application and system activity (process, network, file and login events) according to pre-configured rules. It is often referred to as auditd, which is the name of the userspace daemon that writes the events to disk and is governed by the parameters in /etc/audit/auditd.conf. The rules that decide which events are generated are loaded either interactively with the auditctl command-line utility or from the file /etc/audit/audit.rules; on distributions that use augenrules, that file is regenerated from the fragments in /etc/audit/rules.d/. With root privileges, adversaries may stop or disable the audit service, edit the configuration or rule files, suppress or flush rules with auditctl, or hook the audit library functions. This technique was used by the Ebury malware and the SkidMap cryptominer variant.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1562 Impair Defenses
- Sub-technique: T1562.012 Disable or Modify Linux Audit System
- Canonical reference: https://attack.mitre.org/techniques/T1562/012/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
sourceip,
username,
QIDNAME(qid) AS event_name,
LOGSOURCENAME(logsourceid) AS log_source,
"Command" AS command_line,
CASE
WHEN "Command" ILIKE '%systemctl%stop%auditd%' OR "Command" ILIKE '%service%auditd%stop%' OR "Command" ILIKE '%killall%auditd%' OR "Command" ILIKE '%pkill%auditd%' THEN 'ServiceStop'
WHEN "Command" ILIKE '%systemctl%disable%auditd%' OR "Command" ILIKE '%service%auditd%disable%' THEN 'ServiceDisable'
WHEN "Command" ILIKE '%auditctl%-e 0%' THEN 'AuditingDisabled'
WHEN "Command" ILIKE '%auditctl%-D%' THEN 'RulesFlushed'
WHEN "Command" ILIKE '%auditctl%-a never%' OR "Command" ILIKE '%auditctl%-a exclude%' THEN 'RuleSuppression'
WHEN "Command" ILIKE '%/etc/audit/%' THEN 'ConfigModified'
ELSE 'Unknown'
END AS tampering_type
FROM events
WHERE
starttime > NOW() - 86400000
AND (
(devicetype IN (11, 352, 2))
AND (
"Command" ILIKE '%systemctl%stop%auditd%'
OR "Command" ILIKE '%systemctl%disable%auditd%'
OR "Command" ILIKE '%service%auditd%stop%'
OR "Command" ILIKE '%service%auditd%disable%'
OR "Command" ILIKE '%killall%auditd%'
OR "Command" ILIKE '%pkill%auditd%'
OR "Command" ILIKE '%auditctl%-e 0%'
OR "Command" ILIKE '%auditctl%-D%'
OR "Command" ILIKE '%auditctl%-a never%'
OR "Command" ILIKE '%auditctl%-a exclude%'
OR "Command" ILIKE '%/etc/audit/audit.rules%'
OR "Command" ILIKE '%/etc/audit/auditd.conf%'
)
)
ORDER BY starttime DESC

QRadar AQL query detecting Linux auditd tampering via service stop/disable commands, auditctl rule suppression or flushing, or direct modification of the audit configuration files. Maps to MITRE T1562.012 Defense Evasion. Two things to confirm before deploying it. First, "Command" is not a normalized QRadar field: a custom event property named Command that extracts the executed command line must exist (and should be indexed) for the Linux log sources in scope, otherwise the query returns nothing. Second, the log source type filter should test the devicetype event field (the field that carries the log source type ID) against IDs verified in your deployment; the query assumes 11 = Linux OS, 352 = Universal DSM, 2 = Syslog, which you can check with LOGSOURCETYPENAME(devicetype) on the hosts you expect to match. Note also that ILIKE is case-insensitive, so the '%auditctl%-D%' pattern also matches auditctl -d (deleting a single rule), and that the path patterns cover only /etc/audit/audit.rules and /etc/audit/auditd.conf, not the rules.d fragments.
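To check the query's pattern logic offline, before a custom property and log sources exist, the following added Python example (not part of the original page and not QRadar code) re-implements the WHERE clause and the CASE expression over constructed command lines. It converts each AQL ILIKE pattern into a case-insensitive regular expression with the same semantics, applies the WHERE filter first as QRadar does and then the ordered CASE labels, and includes several tampering variants that the current patterns miss. The sample commands are constructed, not captured telemetry.

```python
import re
from functools import lru_cache

# The ILIKE patterns from the query's WHERE clause and CASE expression, copied
# verbatim so this classifier labels a command exactly as QRadar would.
WHERE_PATTERNS = [
    "%systemctl%stop%auditd%", "%systemctl%disable%auditd%",
    "%service%auditd%stop%", "%service%auditd%disable%",
    "%killall%auditd%", "%pkill%auditd%",
    "%auditctl%-e 0%", "%auditctl%-D%",
    "%auditctl%-a never%", "%auditctl%-a exclude%",
    "%/etc/audit/audit.rules%", "%/etc/audit/auditd.conf%",
]
CASE_RULES = [  # evaluated in order; the first matching branch wins, as in SQL
    ("ServiceStop", ["%systemctl%stop%auditd%", "%service%auditd%stop%",
                     "%killall%auditd%", "%pkill%auditd%"]),
    ("ServiceDisable", ["%systemctl%disable%auditd%", "%service%auditd%disable%"]),
    ("AuditingDisabled", ["%auditctl%-e 0%"]),
    ("RulesFlushed", ["%auditctl%-D%"]),
    ("RuleSuppression", ["%auditctl%-a never%", "%auditctl%-a exclude%"]),
    ("ConfigModified", ["%/etc/audit/%"]),
]


@lru_cache(maxsize=None)
def ilike_to_regex(pattern: str) -> re.Pattern:
    """Translate an AQL ILIKE pattern into a regex with the same semantics:
    '%' matches any run of characters, '_' exactly one character, everything
    else is literal, and the comparison is case-insensitive."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def ilike(value: str, pattern: str) -> bool:
    return ilike_to_regex(pattern).match(value) is not None


def classify(command: str):
    """Return the tampering_type the query would assign to a command line,
    or None when the WHERE clause would not select the event at all."""
    if not any(ilike(command, p) for p in WHERE_PATTERNS):
        return None
    for label, patterns in CASE_RULES:
        if any(ilike(command, p) for p in patterns):
            return label
    return "Unknown"  # the CASE's ELSE branch; unreachable with these patterns


# Constructed sample command lines (not captured telemetry). The last four are
# tampering variants the query's patterns do not select.
SAMPLE_COMMANDS = [
    "systemctl stop auditd",
    "service auditd stop",
    "systemctl disable --now auditd",
    "auditctl -e 0",
    "auditctl -D",
    "auditctl -a exclude,always -F msgtype=SYSCALL",
    "sed -i 's/^-w/#-w/' /etc/audit/audit.rules",
    "less /etc/audit/auditd.conf",           # read-only access, still flagged
    "auditctl -d never,task",                # ILIKE is case-insensitive: '-d' hits '-D'
    "auditctl -e0",                          # no space between flag and value
    "systemctl mask auditd",
    "vim /etc/audit/rules.d/99-local.rules",
    "kill -9 $(pidof auditd)",
]


def scan(commands):
    """Label every command; returns (command, tampering_type or None) tuples."""
    return [(cmd, classify(cmd)) for cmd in commands]


if __name__ == "__main__":
    for cmd, label in scan(SAMPLE_COMMANDS):
        print(f"{label or '(not selected)':18} {cmd}")
```

Running it shows the labels the CASE expression produces and, for the last four commands, None: `auditctl -e0`, `systemctl mask auditd`, an edit under /etc/audit/rules.d/ and a raw kill of the daemon all evade the WHERE clause. If you add patterns such as '%auditctl%-e0%', '%systemctl%mask%auditd%' and '%/etc/audit/rules.d/%' to the query, add them to both lists here and the classifier stays a faithful offline model.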
Data Sources
- Linux host telemetry forwarded to QRadar under the Linux OS, Universal DSM or generic syslog log source types, carrying the executed command line: shell history or auditd EXECVE/PROCTITLE records shipped over syslog, or Sysmon for Linux process-creation events
Required Tables
- events (the query reads the events table; the "Command" custom event property must be defined for the log sources in scope)
False Positives & Tuning
- Authorized system administrators performing auditd maintenance or reconfiguration during change windows
- Automated compliance tools flushing and reloading audit rules as part of scheduled policy enforcement
- Linux OS patching pipelines that restart auditd as part of kernel or auditd package upgrades
- Read-only commands that merely name a configuration path (cat, less or grep on /etc/audit/audit.rules) match the path patterns; corroborate a ConfigModified hit with a file-write or CONFIG_CHANGE event before escalating, and conversely add patterns for edits under /etc/audit/rules.d/, for auditctl -e0 written without a space, and for systemctl mask auditd, none of which the query selects
Testing Methodology
Validate this detection against the four Atomic Red Team tests for T1562.012 (the executable commands and cleanup steps are in the atomic-red-team repository listed under References). Each test below describes the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Stop auditd Service via systemctl
Expected signal: a syslog entry for the auditd service stopping and a systemd journal entry for the unit state change. If Sysmon for Linux is installed, a process-creation event for systemctl with the 'stop auditd' arguments. audit.log records a final DAEMON_END event before the daemon exits. Caveat: on RHEL-family systems the auditd unit sets RefuseManualStop=yes, so systemctl stop auditd is rejected and both the test and a real attacker have to use service auditd stop instead; the query's '%service%auditd%stop%' pattern covers that form.
- Test 2: Disable Audit Subsystem via auditctl
Expected signal: a CONFIG_CHANGE record carrying audit_enabled=0 old=1 together with the caller's auid and session. This is the last record the kernel emits: after -e 0 no further audit events are generated until auditing is re-enabled, even though the auditd process itself keeps running. Syslog may capture the auditctl process execution.
- Test 3: Flush All Audit Rules via auditctl
Expected signal: one CONFIG_CHANGE record with op=remove_rule for each deleted rule, all from the same auid within a second or two. auditctl -l afterwards prints 'No rules'. The auditd service remains running (systemctl status auditd shows active), so no service-stop telemetry is expected from this test.
- Test 4: Modify audit.rules Configuration File
Expected signal: a file modification event for /etc/audit/audit.rules (Sysmon for Linux file create/modify, or an audit SYSCALL record with its PATH record naming the file when the file is watched). Process-creation events for cp, tee and augenrules. CONFIG_CHANGE records when the new (empty) rule set is loaded. On systems that use augenrules, /etc/audit/audit.rules is regenerated from /etc/audit/rules.d/*.rules, so a tamper that edits a rules.d fragment instead produces the same signals on a different path that the query's patterns do not match.
References (7)
- https://attack.mitre.org/techniques/T1562/012/
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
- https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/
- https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.012/T1562.012.md
- https://man7.org/linux/man-pages/man8/auditctl.8.html