diff --git a/rules/linux/auditd/lnx_auditd_disable_aslr_protection.yml b/rules/linux/auditd/lnx_auditd_disable_aslr_protection.yml index fb925de1f..58f1090e3 100644 --- a/rules/linux/auditd/lnx_auditd_disable_aslr_protection.yml +++ b/rules/linux/auditd/lnx_auditd_disable_aslr_protection.yml @@ -1,19 +1,21 @@ -title: Disable ASLR Via Personality Syscall - Linux +title: ASLR Disabled Via Sysctl or Direct Syscall - Linux id: e497a24e-9345-4a62-9803-b06d7d7cb132 status: experimental description: | - Detects the use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000), - which disables Address Space Layout Randomization (ASLR) in Linux. This is often used by attackers - exploit development, or to bypass memory protection mechanisms. - A successful use of this flag can reduce the effectiveness of ASLR and make memory corruption - attacks more reliable. + Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including: + - Use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000) + - Modification of the /proc/sys/kernel/randomize_va_space file + - Execution of the `sysctl` command to set `kernel.randomize_va_space=0` + Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms. + A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable. references: - https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/personality-syscall/README.md - https://man7.org/linux/man-pages/man2/personality.2.html - https://manual.cs50.io/2/personality + - https://linux-audit.com/linux-aslr-and-kernelrandomize_va_space-setting/ author: Milad Cheraghi date: 2025-05-26 -modified: 2025-06-05 +modified: 2025-10-18 tags: - attack.privilege-escalation - attack.defense-evasion 
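Review bot: the new description bullet "Modification of the /proc/sys/kernel/randomize_va_space file" claims coverage that no selection in this rule provides: the detection only matches the `personality` syscall and an `EXECVE` of `sysctl`, so a direct write to that procfs file (a shell redirect, a text editor, a program calling open/write) produces no match. Either drop that bullet, or add a corresponding selection backed by an audit watch on the file and name it in the title, so the description does not overstate what the rule detects. Minor: the added reference URL has the path segment "kernelrandomize_va_space" (a dot appears to be missing between "kernel" and "randomize"); worth checking that the link resolves before merging.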
@@ -23,11 +25,16 @@ logsource: product: linux service: auditd detection: - selection: + selection_syscall: type: 'SYSCALL' syscall: 'personality' a0: 40000 - condition: selection + selection_sysctl: + type: 'EXECVE' + a0: 'sysctl' + a1: '-w' + a2: 'kernel.randomize_va_space=0' # 0 = disable + condition: 1 of selection_* falsepositives: - Debugging or legitimate software testing -level: low +level: high
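Review bot: `selection_sysctl` is brittle because it pins the exact argv layout `a0: 'sysctl'`, `a1: '-w'`, `a2: 'kernel.randomize_va_space=0'`. In auditd EXECVE records a0 is argv[0] as invoked, so `/usr/sbin/sysctl` or `/sbin/sysctl` will not match an exact `'sysctl'`; `-w` is optional for sysctl (`sysctl kernel.randomize_va_space=0` works without it, as does `--write`), and the key=value pair may appear in any argument position when several settings are passed in one call. Suggest `a0|endswith: 'sysctl'` and matching the setting with a `|contains` modifier on the argument fields rather than fixing it to `a2`, and consider also catching `kernel.randomize_va_space=1`, which downgrades ASLR from full (2) to conservative randomization. Separately, the level jump from `low` to `high` sits awkwardly next to the unchanged falsepositives entry "Debugging or legitimate software testing"; if `high` is intended, the commit or rule should say why the tuning changed.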