
DET0062 Detection Strategy for Disable or Modify Linux Audit System

Item             Value
ID               DET0062
Version          1.0
Created          21 October 2025
Last Modified    21 October 2025

Technique Detected: T1562.012 (Disable or Modify Linux Audit System)

Analytics

Linux

AN0171

Disabling or modifying the Linux Audit system through process termination (auditd killed), service management (systemctl stop auditd), or tampering with rule/configuration files (/etc/audit/audit.rules, audit.conf). Defender view: suspicious execution of auditctl/systemctl commands, file modifications to audit rules, or sudden absence of audit logs correlated with privileged execution.

Log Sources

Data Component                  Name              Channel
Command Execution (DC0064)      auditd:EXECVE     Execution of auditctl, systemctl stop auditd, or kill -9 auditd
Process Modification (DC0020)   auditd:SYSCALL    kill syscalls targeting the auditd process
File Modification (DC0061)      auditd:FILE       Modification or deletion of /etc/audit/audit.rules or /etc/audit/audit.conf
Service Metadata (DC0041)       linux:syslog      auditd service stopped or disabled
Mutable Elements

Field              Description
ServiceWhitelist   Exclude legitimate administrative service stops during system maintenance.
FilePathScope      Specify monitored paths (/etc/audit/audit.rules, audit.conf) to avoid false positives from unrelated file writes.
TimeWindow         Correlate suspicious commands, file modifications, and audit log gaps in short succession.
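The following is an added worked example, not code from the MITRE ATT&CK page or from the auditd project. It turns the AN0171 behaviours and the three mutable elements above into a small detector that runs over constructed auditd-style key=value records: auditctl execution, systemctl stop/disable of auditd (suppressed inside a ServiceWhitelist maintenance window), kill(2) aimed at the auditd PID, create/delete of files under FilePathScope, and a gap in the record stream, with findings that land inside TimeWindow of one another marked as correlated. The sample records, the auditd PID (742), the gap threshold, and the inclusion of /etc/audit/auditd.conf (the file auditd actually reads; the page names audit.conf) are assumptions made for the example.

```python
"""Added example detector for DET0062 / AN0171 over constructed auditd records."""
import os
import re
from dataclasses import dataclass, field

# Raw auditd records are "key=value" pairs; values may be "quoted" or bare.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG = re.compile(r'audit\((\d+\.\d+):(\d+)\)')  # msg=audit(<epoch>:<serial>)

# Constructed sample records (NOT real logs). One record per event for brevity;
# real auditd emits several records (SYSCALL, EXECVE, PATH, ...) per serial.
SAMPLE_EVENTS = [
    'type=EXECVE msg=audit(1729500000.100:101): argc=3 a0="auditctl" a1="-e" a2="0"',
    'type=EXECVE msg=audit(1729500005.200:102): argc=3 a0="systemctl" a1="stop" a2="auditd"',
    'type=SYSCALL msg=audit(1729500010.300:103): arch=c000003e syscall=62 success=yes exit=0 '
    'a0=2e6 a1=9 uid=0 comm="kill" exe="/usr/bin/kill"',
    'type=PATH msg=audit(1729500015.400:104): item=1 name="/etc/audit/audit.rules" nametype=CREATE',
    'type=EXECVE msg=audit(1729580000.000:201): argc=3 a0="systemctl" a1="restart" a2="sshd"',
    'type=PATH msg=audit(1729580010.000:202): item=1 name="/etc/motd" nametype=CREATE',
]


@dataclass
class DetectorConfig:
    """The page's mutable elements, with assumed defaults for this example."""
    # ServiceWhitelist: (start, end) epoch windows in which stopping auditd is expected maintenance.
    service_whitelist_windows: list = field(default_factory=list)
    # FilePathScope: prefixes of audit configuration paths to watch.
    file_path_scope: tuple = ("/etc/audit/audit.rules", "/etc/audit/audit.conf",
                              "/etc/audit/auditd.conf", "/etc/audit/rules.d/")
    time_window: float = 60.0          # TimeWindow: seconds within which findings correlate
    log_gap_threshold: float = 3600.0  # assumption: silence longer than this is a "log gap"
    auditd_pid: int = 742              # assumption: in practice read from /run/auditd.pid


def parse_record(line: str) -> dict:
    """Parse one raw record into a dict; adds float 'ts' and int 'serial'."""
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _MSG.search(line)
    rec["ts"], rec["serial"] = float(m.group(1)), int(m.group(2))
    return rec


def in_maintenance(ts: float, cfg: DetectorConfig) -> bool:
    return any(start <= ts <= end for start, end in cfg.service_whitelist_windows)


def classify(rec: dict, cfg: DetectorConfig):
    """Map a single record to a finding category, or None if benign."""
    t = rec.get("type")
    if t == "EXECVE":
        keys = sorted((k for k in rec if re.fullmatch(r"a\d+", k)), key=lambda k: int(k[1:]))
        argv = [rec[k] for k in keys]
        prog = os.path.basename(argv[0]) if argv else ""
        if prog == "auditctl":
            return "auditctl_execution"
        if (len(argv) >= 3 and prog == "systemctl"
                and argv[1] in ("stop", "disable", "mask", "kill") and argv[2] == "auditd"):
            return None if in_maintenance(rec["ts"], cfg) else "auditd_service_stop"
    elif t == "SYSCALL" and rec.get("arch") == "c000003e" and rec.get("syscall") == "62":
        # syscall 62 is kill(2) on x86_64; a0 = target pid, a1 = signal (both hex in audit logs)
        pid, sig = int(rec.get("a0", "0"), 16), int(rec.get("a1", "0"), 16)
        if pid == cfg.auditd_pid and sig in (9, 15):  # SIGKILL / SIGTERM
            return "kill_auditd"
    elif t == "PATH" and rec.get("nametype") in ("CREATE", "DELETE"):
        # Editors usually save via rename, so a rewritten rules file shows up as CREATE.
        if any(rec.get("name", "").startswith(p) for p in cfg.file_path_scope):
            return "audit_config_modified"
    return None


def detect(lines, cfg: DetectorConfig) -> list:
    """Return findings (dicts) in time order, each marked 'correlated' when another
    distinct category occurs within cfg.time_window of it."""
    recs = sorted((parse_record(ln) for ln in lines), key=lambda r: r["ts"])
    findings, prev_ts = [], None
    for rec in recs:
        if prev_ts is not None and rec["ts"] - prev_ts > cfg.log_gap_threshold:
            findings.append({"ts": rec["ts"], "serial": rec["serial"], "category": "audit_log_gap",
                             "detail": f"{rec['ts'] - prev_ts:.0f}s without audit records"})
        prev_ts = rec["ts"]
        cat = classify(rec, cfg)
        if cat:
            findings.append({"ts": rec["ts"], "serial": rec["serial"], "category": cat,
                             "detail": f"uid={rec.get('uid', '?')} type={rec['type']}"})
    for f in findings:
        near = {g["category"] for g in findings if abs(g["ts"] - f["ts"]) <= cfg.time_window}
        f["correlated"] = len(near) >= 2
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, DetectorConfig()):
        print(f"{f['ts']:.0f} #{f['serial']} {f['category']:<22} correlated={f['correlated']} {f['detail']}")
```

The gap check is deliberately crude: an idle host also produces silence, so the threshold belongs in the mutable set alongside TimeWindow, and in production the Service Metadata channel (syslog "Stopped auditd") is the better signal for an intentional stop than the absence of records.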