Detect Disable or Modify Linux Audit System in Microsoft Sentinel
Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules. Often referred to as auditd, this is the name of the daemon used to write events to disk and is governed by the parameters set in the audit.conf configuration file. Two primary ways to configure the log generation rules are through the command line auditctl utility and the file /etc/audit/audit.rules. With root privileges, adversaries may disable the Audit system service, edit the configuration/rule files, or hook the Audit system library functions. This technique was used by the Ebury malware and the SkidMap cryptominer variant.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.012 Disable or Modify Linux Audit System
- Canonical reference
- https://attack.mitre.org/techniques/T1562/012/
KQL Detection Query
let AuditdTampering = dynamic([
"service auditd stop", "systemctl stop auditd",
"systemctl disable auditd", "service auditd disable",
"killall auditd", "kill -9", "pkill auditd",
"auditctl -e 0", "auditctl -D",
"auditctl -a never", "auditctl -a exclude"
]);
let AuditConfigFiles = dynamic([
"/etc/audit/auditd.conf", "/etc/audit/audit.rules",
"/etc/audit/rules.d/", "/etc/audisp/"
]);
union
(
Syslog
| where TimeGenerated > ago(24h)
| where SyslogMessage has_any (AuditdTampering)
| project TimeGenerated, Computer, HostName, Facility,
SeverityLevel, SyslogMessage,
DetectionType="AuditdServiceTampering"
),
(
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (AuditdTampering)
| project Timestamp, DeviceName, AccountName, FileName,
ProcessCommandLine, InitiatingProcessFileName,
InitiatingProcessCommandLine,
DetectionType="AuditdProcessTampering"
),
(
DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (AuditConfigFiles)
| where ActionType in ("FileModified", "FileDeleted", "FileCreated")
| project Timestamp, DeviceName, AccountName,
FileName, FolderPath, ActionType,
InitiatingProcessFileName, InitiatingProcessCommandLine,
DetectionType="AuditConfigModified"
)
| sort by TimeGenerated descDetects Linux audit system tampering through three vectors: (1) Process commands that stop, disable, or kill the auditd daemon or use auditctl to disable auditing (-e 0) or flush rules (-D); (2) Syslog messages indicating audit service manipulation; (3) File modifications to audit configuration files (/etc/audit/auditd.conf, /etc/audit/audit.rules, /etc/audit/rules.d/). Covers both direct service manipulation and configuration file tampering used by threats like Ebury and SkidMap.
Data Sources
Required Tables
False Positives & Tuning
- System administrators performing legitimate auditd maintenance — restarting the service after updating audit rules (systemctl restart auditd is expected, but stop/disable is not)
- Configuration management tools (Ansible, Puppet, Chef) that deploy new audit.rules files and restart the service as part of regular security hardening
- OS package updates (apt/yum update audit) that modify auditd configuration files as part of the package upgrade process
- Security teams performing auditctl -l to list rules or auditctl -s to check status (note: these are read-only operations, not -e 0 or -D)
Other platforms for T1562.012
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Stop auditd Service via systemctl
Expected signal: Syslog entry for auditd service stopping. Systemd journal entry for the unit state change. If Sysmon for Linux is installed, a process creation event for systemctl with the 'stop auditd' arguments. The audit.log will show a final DAEMON_END event before stopping.
- Test 2Disable Audit Subsystem via auditctl
Expected signal: The audit log will show an AUDIT_ENABLED record with enabled=0. A CONFIG_CHANGE event is generated immediately before auditing stops. Syslog may capture the auditctl process execution. After -e 0, NO further audit events will be generated until re-enabled.
- Test 3Flush All Audit Rules via auditctl
Expected signal: The audit log will show a CONFIG_CHANGE event with op=remove_rule for each deleted rule. A final entry shows 'audit_enabled=1 ... rules=0' confirming all rules were flushed. The auditd service remains running (systemctl status auditd shows active).
- Test 4Modify audit.rules Configuration File
Expected signal: File modification event for /etc/audit/audit.rules (Sysmon for Linux file create/modify or audit SYSCALL event for open/write on the file). Process creation events for cp, tee, and augenrules. CONFIG_CHANGE audit events when new (empty) rules are loaded.
References (7)
- https://attack.mitre.org/techniques/T1562/012/
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
- https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/
- https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.012/T1562.012.md
- https://man7.org/linux/man-pages/man8/auditctl.8.html
Unlock Pro Content
Get the full detection package for T1562.012 including response playbook, investigation guide, and atomic red team tests.