Attackers may delete audit rules using ‘auditctl -D’ to evade detection and persist undetected on Linux systems by disabling audit logging. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential adversarial tampering with system monitoring capabilities.
Detection Rule
title: Audit Rules Deleted Via Auditctl
id: bed26dea-4525-47f4-b24a-76e30e44ffb0
status: experimental
description: |
    Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems.
    This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.
    Removal of audit rules can significantly impair detection of malicious activities on the affected system.
references:
    - https://www.atomicredteam.io/atomic-red-team/atomics/T1562.012
    - https://linux.die.net/man/8/auditct
author: Mohamed LAKRI
date: 2025-10-17
tags:
    - attack.defense-evasion
    - attack.t1562.012
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/auditctl'
        CommandLine|re: '-D'
    condition: selection
falsepositives:
    - An administrator troubleshooting. Investigate all attempts.
level: high
Azure Sentinel Query
imProcessCreate
| where TargetProcessName endswith "/auditctl" and TargetProcessCommandLine matches regex "-D"
Scenario: Scheduled Job to Clear Audit Rules for Maintenance
Description: A system administrator schedules a cron job to periodically clear audit rules as part of a maintenance routine.
Filter/Exclusion: Check the command line arguments for the presence of --dry-run or --test flags, or verify if the command is executed via a known maintenance script (e.g., /etc/cron.daily/audit_cleanup).
Scenario: Audit Rule Reset During System Upgrade
Description: During a system upgrade, the audit configuration is reset to a default state, which may involve running auditctl -D followed by reapplying rules.
Filter/Exclusion: Filter events where the command is executed from a known upgrade script (e.g., /usr/sbin/upgrade_auditd.sh) or check for subsequent auditctl -a commands that reapply rules.
Scenario: Admin Task to Temporarily Disable Audit Rules for Debugging
Description: An administrator temporarily disables audit rules to debug a system issue or perform a security audit.
Filter/Exclusion: Check for the presence of a --debug flag, or correlate with a known administrative task (e.g., /var/log/audit/auditd.log entries indicating a temporary audit suspension).
Scenario: Automated Script to Cleanse Audit Rules Before Patching
Description: A script runs before applying system patches to ensure that audit rules do not interfere with the patching process.
Filter/Exclusion: Filter commands that are executed from a known patching script (e.g., /opt/patching/audit_cleanup.sh) or check for a subsequent auditctl -a command to restore rules.
Scenario: System Reboot Triggering Audit Rule Reset
Description: Upon system reboot, the audit rules may be reset due to the system
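As an added example (not code from this page, nor from the Sigma project or the rule's author), the Python below applies the rule's logic to constructed process-creation events and layers the exclusion ideas from the scenarios above on top. It shows three things: that the page's regex '-D' also fires on substrings (for instance a rules file whose name contains '-DMZ'), so a tokenised check that '-D' is a standalone argument is tighter; an assumed allowlist of maintenance-script parents built from the example paths in the scenarios; and a correlation that downgrades a deletion followed by 'auditctl -a' or '-w' on the same host within an assumed 60-second window. Field names mimic the ASIM imProcessCreate columns of the Sentinel query, but all events, hosts and paths are constructed.

```python
"""Applies the page's 'auditctl -D' detection to constructed process-creation events
and layers the false-positive handling from the scenarios on top.
Added example: not code from the page, the Sigma project or the rule's author."""
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List

Event = Dict[str, object]

# Constructed sample events (not real telemetry). Field names loosely follow the ASIM
# imProcessCreate columns used by the page's KQL query; 'time' is epoch seconds.
SAMPLE_EVENTS: List[Event] = [
    {"time": 100, "host": "web01", "Image": "/sbin/auditctl", "CommandLine": "auditctl -D",
     "ParentCommandLine": "bash -i"},                                   # interactive shell
    {"time": 200, "host": "db01", "Image": "/sbin/auditctl", "CommandLine": "auditctl -D",
     "ParentCommandLine": "/bin/sh /etc/cron.daily/audit_cleanup"},     # cron scenario
    {"time": 300, "host": "app01", "Image": "/sbin/auditctl", "CommandLine": "auditctl -D",
     "ParentCommandLine": "/bin/sh /usr/sbin/upgrade_auditd.sh"},       # upgrade scenario
    {"time": 305, "host": "app01", "Image": "/sbin/auditctl",
     "CommandLine": "auditctl -a always,exit -F arch=b64 -S execve -k exec",
     "ParentCommandLine": "/bin/sh /usr/sbin/upgrade_auditd.sh"},       # rules reapplied
    {"time": 400, "host": "web02", "Image": "/usr/bin/ls", "CommandLine": "ls -D /tmp",
     "ParentCommandLine": "bash"},                                      # not auditctl
    {"time": 500, "host": "web03", "Image": "/sbin/auditctl", "CommandLine": "auditctl -l",
     "ParentCommandLine": "bash"},                                      # listing, not deleting
    {"time": 600, "host": "web04", "Image": "/sbin/auditctl",
     "CommandLine": "auditctl -R /etc/audit/rules.d/custom-DMZ.rules",
     "ParentCommandLine": "bash"},                                      # '-D' only as a substring
]

PAGE_PATTERN = re.compile(r"-D")  # the exact regex the Sigma rule and the KQL query use


def _argv(cmdline: str) -> List[str]:
    """Split a command line into arguments; an unbalanced quote yields no arguments."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return []


def is_auditctl(ev: Event) -> bool:
    return str(ev["Image"]).endswith("/auditctl")


def page_rule_hits(events: List[Event]) -> List[Event]:
    """Events the page's rule fires on: '-D' anywhere in an auditctl command line."""
    return [ev for ev in events
            if is_auditctl(ev) and PAGE_PATTERN.search(str(ev["CommandLine"]))]


def has_delete_all_flag(cmdline: str) -> bool:
    """Stricter check: '-D' must be a standalone argument, which is how auditctl parses it.
    This avoids substring hits such as a rules file named '...-DMZ.rules'."""
    return "-D" in _argv(cmdline)[1:]


# Assumed allowlist of maintenance scripts, built from the example paths in the page's
# scenarios. Matched as whole arguments of the parent command line, never as substrings.
KNOWN_MAINTENANCE_SCRIPTS = {
    "/etc/cron.daily/audit_cleanup",
    "/usr/sbin/upgrade_auditd.sh",
    "/opt/patching/audit_cleanup.sh",
}
REAPPLY_WINDOW_SECONDS = 60  # assumption: follow-up 'auditctl -a'/'-w' within this window counts as a reset


@dataclass
class Finding:
    host: str
    time: int
    verdict: str                 # "alert" = investigate now; "review" = matched an exclusion hint
    reasons: List[str] = field(default_factory=list)


def rules_reapplied_after(ev: Event, events: List[Event]) -> bool:
    """True if the same host ran 'auditctl -a' or '-w' shortly after the deletion."""
    deadline = int(ev["time"]) + REAPPLY_WINDOW_SECONDS
    for other in events:
        if other["host"] != ev["host"] or not is_auditctl(other):
            continue
        if not int(ev["time"]) < int(other["time"]) <= deadline:
            continue
        argv = _argv(str(other["CommandLine"]))[1:]
        if "-a" in argv or "-w" in argv:
            return True
    return False


def triage(events: List[Event]) -> List[Finding]:
    """Run the stricter detection, then attach the page's exclusion hints as reasons.
    Nothing is dropped: an event matching an exclusion is downgraded to 'review', not discarded."""
    findings: List[Finding] = []
    for ev in events:
        if not (is_auditctl(ev) and has_delete_all_flag(str(ev["CommandLine"]))):
            continue
        reasons: List[str] = []
        parent_args = _argv(str(ev.get("ParentCommandLine", "")))
        if any(arg in KNOWN_MAINTENANCE_SCRIPTS for arg in parent_args):
            reasons.append("parent is a known maintenance script")
        if rules_reapplied_after(ev, events):
            reasons.append("rules reapplied within %d s" % REAPPLY_WINDOW_SECONDS)
        findings.append(Finding(str(ev["host"]), int(ev["time"]),
                                "review" if reasons else "alert", reasons))
    return findings


if __name__ == "__main__":
    print("page regex hits:", [e["host"] for e in page_rule_hits(SAMPLE_EVENTS)])
    for f in triage(SAMPLE_EVENTS):
        print(f.host, f.time, f.verdict, "; ".join(f.reasons) or "-")
```

Running it shows the page's regex firing on four events (including the '-DMZ' file name) while the tokenised check keeps three, of which only the interactive-shell deletion on web01 stays at "alert". The allowlist and reapply correlation deliberately downgrade rather than suppress, in line with the rule's own "Investigate all attempts" note: a parent-path allowlist is only as trustworthy as the integrity of those scripts, so a match is a triage hint, not proof of benign intent.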