Title:Audit Rules Deleted Via Auditctl Status:experimental Description:Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems.
This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.
Removal of audit rules can significantly impair detection of malicious activities on the affected system.
References: -https://www.atomicredteam.io/atomic-red-team/atomics/T1562.012 -https://linux.die.net/man/8/auditct Author: Mohamed LAKRI Date: 2025-10-17 modified:None Tags:
