Attempt To Disable Auditd Service

Query

# *Attempt to Disable Auditd Service*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1562.012 | Disable or Modify Linux Audit System | https://attack.mitre.org/techniques/T1562/012/ |


#### Description
Detects attempts to disable or stop the 'auditd' service on Linux systems using common service management utilities like systemctl, service, chkconfig, or update-rc.d. This activity could indicate an adversary attempting to impair defenses and avoid logging of their malicious actions.

#### Risk
Defense Evasion

#### Author
- **Name:** Benjamin Zulliger
- **Github:** https://github.com/benscha/KQLAdvancedHunting
- **LinkedIn:** https://www.linkedin.com/in/benjamin-zulliger/


## Defender XDR
```KQL
// Attempt to Disable Auditd Service
DeviceProcessEvents
| where ProcessCommandLine has_any ("auditd", "auditd.service")
| where FileName in~ ("systemctl", "service", "chkconfig", "update-rc.d")
| where (
    (FileName =~ "systemctl" and ProcessCommandLine has_any ("disable", "stop", "kill", "mask")) or
    (FileName =~ "service" and ProcessCommandLine has "stop") or
    (FileName =~ "chkconfig" and ProcessCommandLine has "off") or
    (FileName =~ "update-rc.d" and ProcessCommandLine has_any ("remove", "disable"))
)
// Exclude legitimate package scripts
| where InitiatingProcessFileName !~ "auditd.prerm"
```

Explanation

This query is designed to detect attempts to disable or stop the 'auditd' service on Linux systems. The 'auditd' service is crucial for logging and monitoring system activities, and disabling it could be a sign of malicious activity aimed at evading detection.

Here's a simple breakdown of what the query does:

1. Data Source: It looks at events related to processes (DeviceProcessEvents) on devices.
2. Targeted Commands: The query filters for command lines that mention "auditd" or "auditd.service", which are related to the audit service.
3. Service Management Tools: It checks whether one of the following tools is used to manage services:
   - systemctl
   - service
   - chkconfig
   - update-rc.d
4. Suspicious Actions: The query identifies specific actions that suggest an attempt to disable or stop the audit service:
   - For systemctl: commands like "disable", "stop", "kill", or "mask".
   - For service: the "stop" command.
   - For chkconfig: the "off" command.
   - For update-rc.d: commands like "remove" or "disable".
5. Exclusion of Legitimate Actions: It excludes any processes initiated by scripts named "auditd.prerm", which are likely legitimate package management scripts.

Overall, this query helps in identifying potential defense evasion tactics by detecting unauthorized attempts to disable critical logging services on Linux systems.
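To see how the query's filters behave on concrete rows, here is an added Python re-implementation of the same logic (not part of the original page or the author's repository) run over a handful of constructed DeviceProcessEvents rows; `kql_has` approximates KQL's term-based `has` operator so that the whole-term (not substring) matching is visible, and `ACTIONS` mirrors the per-tool verb lists from the query.

```python
import re

# Constructed sample rows shaped like the DeviceProcessEvents columns the query
# reads. Hypothetical data, not taken from any real tenant.
SAMPLE_EVENTS = [
    {"FileName": "systemctl", "ProcessCommandLine": "systemctl stop auditd.service", "InitiatingProcessFileName": "bash"},
    {"FileName": "systemctl", "ProcessCommandLine": "systemctl status auditd", "InitiatingProcessFileName": "bash"},
    {"FileName": "service", "ProcessCommandLine": "service auditd stop", "InitiatingProcessFileName": "auditd.prerm"},
    {"FileName": "chkconfig", "ProcessCommandLine": "chkconfig auditd off", "InitiatingProcessFileName": "sh"},
    {"FileName": "update-rc.d", "ProcessCommandLine": "update-rc.d -f auditd remove", "InitiatingProcessFileName": "sh"},
    {"FileName": "systemctl", "ProcessCommandLine": "systemctl mask rsyslog", "InitiatingProcessFileName": "bash"},
]

# Per-tool verbs, copied from the query's third `where` clause.
ACTIONS = {
    "systemctl": ("disable", "stop", "kill", "mask"),
    "service": ("stop",),
    "chkconfig": ("off",),
    "update-rc.d": ("remove", "disable"),
}

TERM = re.compile(r"[A-Za-z0-9_]+")


def kql_has(text, needle):
    """Approximation of KQL `has`: case-insensitive match on whole terms.
    A multi-term needle ("auditd.service") must appear as adjacent terms.
    "stop" therefore does not match "stopped", unlike a substring test."""
    toks = [t.lower() for t in TERM.findall(text)]
    want = [t.lower() for t in TERM.findall(needle)]
    n = len(want)
    return any(toks[i:i + n] == want for i in range(len(toks) - n + 1))


def is_auditd_disable_attempt(ev):
    """Apply the query's filters, in order, to one event row."""
    cmd = ev["ProcessCommandLine"]
    tool = ev["FileName"].lower()            # in~ / =~ are case-insensitive
    if not (kql_has(cmd, "auditd") or kql_has(cmd, "auditd.service")):
        return False
    if tool not in ACTIONS:
        return False
    if not any(kql_has(cmd, verb) for verb in ACTIONS[tool]):
        return False
    # Mirror the `InitiatingProcessFileName !~ "auditd.prerm"` exclusion.
    return ev["InitiatingProcessFileName"].lower() != "auditd.prerm"


def hunt(events):
    """Return the command lines the query would surface."""
    return [ev["ProcessCommandLine"] for ev in events if is_auditd_disable_attempt(ev)]
```

Running `hunt(SAMPLE_EVENTS)` surfaces three rows: the `status` call, the `rsyslog` mask and the package-hook `service auditd stop` are filtered out, each by a different clause.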

Details

Benjamin Zulliger

Released: February 26, 2026

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, FileName, ProcessCommandLine, InitiatingProcessFileName

Operators

has_any, in~, =~, has, !~