MITRE ATT&CK Technique
Description
Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules. Often referred to as `auditd`, this is the name of the daemon used to write events to disk and is governed by the parameters set in the `audit.conf` configuration file. Two primary ways to configure the log generation rules are through the command line `auditctl` utility and the file `/etc/audit/audit.rules`, containing a sequence of `auditctl` commands loaded at boot time.(Citation: Red Hat System Auditing)(Citation: IzyKnows auditd threat detection 2022) With root privileges, adversaries may be able to ensure their activity is not logged through disabling the Audit system service, editing the configuration/rule files, or by hooking the Audit system library functions. Using the command line, adversaries can disable the Audit system service through killing processes associated with `auditd` daemon or use `systemctl` to stop the Audit service. Adversaries can also hook Audit system functions to disable logging or modify the rules contained in the `/etc/audit/audit.rules` or `audit.conf` files to ignore malicious activity.(Citation: Trustwave Honeypot SkidMap 2023)(Citation: ESET Ebury Feb 2014)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2023-05-24T19:03:03.855Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may disable or modify the Linux audit system to '
'hide malicious activity and avoid detection. Linux admins use '
'the Linux Audit system to track security-relevant information '
'on a system. The Linux Audit system operates at the '
'kernel-level and maintains event logs on application and '
'system activity such as process, network, file, and login '
'events based on pre-configured rules.\n'
'\n'
'Often referred to as `auditd`, this is the name of the daemon '
'used to write events to disk and is governed by the '
'parameters set in the `audit.conf` configuration file. Two '
'primary ways to configure the log generation rules are '
'through the command line `auditctl` utility and the file '
'`/etc/audit/audit.rules`, containing a sequence of '
'`auditctl` commands loaded at boot time.(Citation: Red Hat '
'System Auditing)(Citation: IzyKnows auditd threat detection '
'2022)\n'
'\n'
'With root privileges, adversaries may be able to ensure their '
'activity is not logged through disabling the Audit system '
'service, editing the configuration/rule files, or by hooking '
'the Audit system library functions. Using the command line, '
'adversaries can disable the Audit system service through '
'killing processes associated with `auditd` daemon or use '
'`systemctl` to stop the Audit service. Adversaries can also '
'hook Audit system functions to disable logging or modify the '
'rules contained in the `/etc/audit/audit.rules` or '
'`audit.conf` files to ignore malicious activity.(Citation: '
'Trustwave Honeypot SkidMap 2023)(Citation: ESET Ebury Feb '
'2014)',
'external_references': [{'external_id': 'T1562.012',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1562/012'},
{'description': 'IzySec. (2022, January 26). Linux '
'auditd for Threat Detection. '
'Retrieved September 29, 2023.',
'source_name': 'IzyKnows auditd threat detection '
'2022',
'url': 'https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505'},
{'description': 'Jahoda, M. et al.. (2017, March 14). '
'Red Hat Security Guide - Chapter 7 '
'- System Auditing. Retrieved '
'December 20, 2017.',
'source_name': 'Red Hat System Auditing',
'url': 'https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing'},
{'description': 'M.Léveillé, M.. (2014, February 21). '
'An In-depth Analysis of Linux/Ebury. '
'Retrieved April 19, 2019.',
'source_name': 'ESET Ebury Feb 2014',
'url': 'https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/'},
{'description': 'Radoslaw Zdonczyk. (2023, July 30). '
'Honeypot Recon: New Variant of '
'SkidMap Targeting Redis. Retrieved '
'September 29, 2023.',
'source_name': 'Trustwave Honeypot SkidMap 2023',
'url': 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/'}],
'id': 'attack-pattern--562e9b64-7239-493d-80f4-2bff900d9054',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-04-15T22:20:10.121Z',
'name': 'Disable or Modify Linux Audit System',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Tim (Wadhwa-)Brown'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux'],
'x_mitre_version': '1.0'}