title: Disable or Modify Linux Audit System (T1562.012)
id: df00tech-t1562-012
status: experimental
description: "Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules. Often referred to as auditd, this is the name of the daemon used to write events to disk and is governed by the parameters set in the audit.conf configuration file. Two primary ways to configure the log generation rules are through the command line auditctl utility and the file /etc/audit/audit.rules. With root privileges, adversaries may disable the Audit system service, edit the configuration/rule files, or hook the Audit system library functions. This technique was used by the Ebury malware and the SkidMap cryptominer variant."
references:
  - https://attack.mitre.org/techniques/T1562/012/
  - https://df00tech.com/detections/T1562.012
author: df00tech
date: 2026/04/21
tags:
  - attack.t1562.012
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "System administrators performing legitimate auditd maintenance — restarting the service after updating audit rules (systemctl restart auditd is expected, but stop/disable is not)"
  - "Configuration management tools (Ansible, Puppet, Chef) that deploy new audit.rules files and restart the service as part of regular security hardening"
  - OS package updates (apt/yum update audit) that modify auditd configuration files as part of the package upgrade process
  - "Security teams performing auditctl -l to list rules or auditctl -s to check status (note: these are read-only operations, not -e 0 or -D)"
level: high