From cd35bee3892a5f1629b39dcdb48d616fec54046b Mon Sep 17 00:00:00 2001
From: vahidmalekk <46035912+vahidmalekk@users.noreply.github.com>
Date: Mon, 3 Feb 2025 01:07:05 +0330
Subject: [PATCH] monitor execveat check this https://github.com/vahidmalekk/bypass-Neo23x0-auditd-config/
---
 audit.rules | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/audit.rules b/audit.rules
index dd38f51..4301b34 100644
--- a/audit.rules
+++ b/audit.rules
@@ -790,6 +790,10 @@
 ## Root command executions
 -a always,exit -F arch=b64 -F euid=0 -F auid>=1000 -F auid!=-1 -S execve -k rootcmd
+## in memory file execution
+-a always,exit -F arch=b64 -F auid>=1000 -F auid!=-1 -S execveat -k Memory-Process-creation
+-a always,exit -F arch=b64 -F auid>=1000 -F auid!=-1 -S execveat -k Memory-Process-creation
+
 ## File Deletion Events by User
 -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -k delete
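Review bot: The second `-a always,exit -F arch=b64 -F auid>=1000 -F auid!=-1 -S execveat -k Memory-Process-creation` line is a byte-for-byte duplicate of the first and should be dropped; auditctl reports an already-present rule as an error, and unless the rule file is loaded with `-i`/`-c` (not visible in this hunk) that error stops the remaining rules from loading. The key also overstates what is caught: execveat(2) is the syscall behind glibc's fexecve() and any fd-relative exec, not only memfd/fileless execution, so a neutral key in the file's lowercase style, `-k execveat`, with the comment `## execveat() - covers fd-based (memfd, fexecve) execution that -S execve misses` would be more accurate. Only arch=b64 is covered, so a 32-bit binary calling execveat stays unaudited; if the file pairs b32 rules elsewhere, add `-a always,exit -F arch=b32 -F auid>=1000 -F auid!=-1 -S execveat -k execveat`. The adjacent rootcmd context line still lists only `-S execve`, so a root-level execveat bypasses that key as well; `-S execve -S execveat` there would close the same gap this commit is addressing.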