Huseyin Can YUCEEL | 3 MIN READ

CREATED ON April 07, 2025

MITRE ATT&CK T1562.012 Impair Defenses: Disable or Modify Linux Audit System

Disable or Modify Linux Audit System is a defense evasion technique that adversaries use to tamper with the Linux auditing system to evade detection and obscure their malicious activities. Linux Audit System is a critical security component that records system events, including user activity, file modifications, process execution, and privilege escalations. Security teams rely on audit logs to detect anomalies, investigate incidents, and ensure compliance with security policies. By disabling or modifying audit rules, attackers can erase traces of their presence, making forensic analysis significantly more difficult.

In this blog post, we explain the T1562.012 Disable or Modify Linux Audit System technique of the MITRE ATT&CK® framework and explore how adversaries employ Disable or Modify Linux Audit System with real-world attack examples in detail.



What is the Linux Audit System?

The Linux Audit System is designed to provide a comprehensive framework for monitoring and logging system events in Linux operating systems. It was introduced to address the growing need for accountability and transparency in computing environments, and it captures a detailed record of the activities and interactions occurring within the operating system.

Linux Audit System functions by generating detailed logs of system calls, file accesses, process creations, network activities, and other critical events. These logs are instrumental in tracking user actions, privilege escalations, and potential security incidents. By meticulously recording these events, the Linux Audit System enables system administrators and security professionals to establish a chronological timeline of activities, facilitating the identification and investigation of suspicious or unauthorized actions within the system.

Adversary Use of Disable or Modify Linux Audit System 

The Linux Audit System, often referred to as auditd, operates at the kernel level to capture and log security-relevant information about activities in the operating system. The auditd daemon operates within the parameters set in the auditd.conf configuration file and writes events to disk accordingly. The log generation rules can be configured using either the auditctl command-line utility or the /etc/audit/audit.rules file, which contains a sequence of auditctl commands loaded during system boot.

Adversaries disable the audit system service to prevent the logging of their malicious activities. This can be accomplished by terminating processes associated with the auditd daemon using command-line tools or by employing systemctl to halt the audit service. Disabling or modifying the audit system creates a vacuum in the audit trail, allowing adversaries to operate without leaving the customary traces that would alert administrators to their presence.

In the Disable or Modify Linux Audit System technique, adversaries often target the configuration and rule files governing the Linux Audit System. This involves editing files such as /etc/audit/audit.rules or auditd.conf to manipulate the audit rules, effectively excluding specific activities from being logged. This way, adversaries can selectively disable the logging of events related to their malicious actions, rendering the Audit System blind to their activities and reducing their risk of detection.

In another method, adversaries utilize more sophisticated techniques, such as hooking into the Audit System library functions. By doing so, they can manipulate the behavior of the Audit System dynamically, either disabling the logging functionality entirely or altering the rules in real time to evade detection. This level of sophistication allows adversaries to adapt to the evolving security landscape, making it challenging for defenders to predict and preemptively counteract their malicious maneuvers.

SkidMap malware uses the following commands to terminate the auditd daemon [1].

sed -i 's/RefuseManualStop=yes/RefuseManualStop=no/g' /lib/systemd/system/auditd.service
rm -f /usr/sbin/auditd
rm -f /sbin/auditd
killall -9 auditd
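The tampering described in the three preceding sections and in the SkidMap command list leaves observable traces: the kernel audit state reported by `auditctl -s` (a terminated daemon is no longer registered and shows as pid 0; a switched-off subsystem shows as enabled 0), a rule set that has lost its `-e 2` lock or its watches on the audit configuration, or that has gained never/exclude rules, and an auditd unit file whose RefuseManualStop line has been flipped. The following POSIX shell script checks for each of these. It is an added example for this post, not code from the original article, from the SkidMap analysis or from the audit project; the function names and finding labels are my own, and every sample status output, rule set and unit fragment below is constructed rather than captured from a real host.

```shell
#!/bin/sh
# Audit-subsystem tamper check (added example; not from the original post).
# Each function takes the text it inspects as an argument, so it can be run
# offline on the constructed samples at the bottom or on live data as shown
# in the usage note. Variables are global because POSIX sh has no `local`.

# Print the value of KEY from `auditctl -s` output ("key value" per line).
audit_status_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# One finding per line for a weakened kernel audit state; silent when healthy.
audit_status_findings() {
    enabled=$(audit_status_value "$1" enabled)
    pid=$(audit_status_value "$1" pid)
    lost=$(audit_status_value "$1" lost)
    case "$enabled" in
        0) echo "AUDIT_DISABLED: kernel auditing is off (enabled=0)" ;;
        1) echo "AUDIT_NOT_LOCKED: rules are still changeable at runtime (enabled=1)" ;;
        2) ;;   # immutable until reboot: the expected hardened state
        *) echo "AUDIT_STATUS_UNPARSEABLE: enabled=${enabled:-missing}" ;;
    esac
    [ "${pid:-0}" -eq 0 ] && echo "AUDITD_NOT_RUNNING: no daemon registered with the kernel (pid=0)"
    [ "${lost:-0}" -gt 0 ] && echo "EVENTS_LOST: $lost records dropped before reaching auditd"
    return 0
}

# One finding per line for a rule set that does not protect the audit system itself.
audit_rules_findings() {
    rules=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' || true)
    printf '%s\n' "$rules" | grep -q -e '-e 2' \
        || echo "RULES_NOT_IMMUTABLE: no '-e 2' lock at the end of the rule set"
    printf '%s\n' "$rules" | grep -q -e '-w /etc/audit' \
        || echo "NO_CONFIG_WATCH: changes under /etc/audit are not recorded"
    printf '%s\n' "$rules" | grep -qE -e '-w /(usr/)?sbin/auditctl' \
        || echo "NO_AUDITCTL_WATCH: executions of auditctl are not recorded"
    # never/exclude rules are legitimate for noise reduction, but they are also
    # how selected activity is hidden, so every one of them is listed for review.
    printf '%s\n' "$rules" | grep -E -e '-a[[:space:]]+([a-z]+,)?(never|exclude)' \
        | sed 's/^/EXCLUSION_RULE_REVIEW: /'
    return 0
}

# One finding per line for a systemd unit that lets auditd be stopped by hand.
auditd_unit_findings() {
    printf '%s\n' "$1" | grep -q '^RefuseManualStop=yes' \
        || echo "UNIT_STOPPABLE: auditd.service lacks RefuseManualStop=yes"
    return 0
}

# Report a missing or non-executable daemon binary at PATH.
auditd_binary_findings() {
    [ -x "$1" ] || echo "AUDITD_BINARY_MISSING: $1 is absent or not executable"
    return 0
}

# --- constructed samples (not captured from a real host) ---
SAMPLE_STATUS_HEALTHY='enabled 2
failure 1
pid 742
lost 0
backlog 0'

SAMPLE_STATUS_TAMPERED='enabled 0
failure 1
pid 0
lost 13
backlog 0'

SAMPLE_RULES_HARDENED='## constructed hardened rule set
-D
-b 8192
-w /etc/audit/ -p wa -k audit_config
-w /sbin/auditctl -p x -k audit_tools
-w /sbin/auditd -p x -k audit_tools
-a always,exit -F arch=b64 -S execve -k exec
-e 2'

SAMPLE_RULES_WEAKENED='## constructed rule set after tampering
-D
-b 8192
-a never,exit -F arch=b64 -S execve -F uid=0
-a always,exit -F arch=b64 -S execve -k exec
-e 1'

SAMPLE_UNIT_TAMPERED='[Unit]
Description=Security Auditing Service
RefuseManualStop=no'

# Demonstration on the constructed samples.
echo "# healthy host (expect no findings):"
audit_status_findings "$SAMPLE_STATUS_HEALTHY"
audit_rules_findings "$SAMPLE_RULES_HARDENED"
echo "# tampered host:"
audit_status_findings "$SAMPLE_STATUS_TAMPERED"
audit_rules_findings "$SAMPLE_RULES_WEAKENED"
auditd_unit_findings "$SAMPLE_UNIT_TAMPERED"
```

On a live host, as root, the same functions are fed real data: `audit_status_findings "$(auditctl -s)"`, `audit_rules_findings "$(cat /etc/audit/audit.rules)"`, `auditd_unit_findings "$(systemctl cat auditd)"` and `auditd_binary_findings /usr/sbin/auditd`. Because `-e 2` makes the rules immutable until reboot, the healthy state is the one in which the checker has nothing to report and any non-empty output after boot is itself worth an alert.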


References

[1] R. Zdonczyk, "Honeypot Recon: New Variant of SkidMap Targeting Redis," Trustwave SpiderLabs. https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/
