This rule detects the deletion of existing Auditd rules

SigmaHQ / sigma

Main Sigma Rule Repository

Other

8.4k stars 2.21k forks source link

Closed mlakri closed 1 week ago

mlakri commented 1 week ago

This is a rule that detects in the Auditd logs themselves the deletion of existing rules, which can be considered as a defense evasion attempt.

type=EXECVE msg=audit(1731504735.671:71132): argc=2 a0="auditctl" a1="-D"

If your PR adds new rules, please consider following and applying these conventions

nasbench commented 1 week ago

This rule is already in #5079 so i'll handle both of them there.