Defense Impairment

T1685.004: Disable or Modify Linux Audit System Log


T1685.004 · Sub-technique · 1 platform

Description

Adversaries may disable or modify the Linux Audit system to hide malicious activity and avoid detection. Linux administrators use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel level and maintains event logs of application and system activity such as process, network, file, and login events, based on pre-configured rules.

The system is often referred to as auditd, which is the name of the user-space daemon that writes events to disk; the daemon's behaviour is governed by the parameters set in the auditd.conf configuration file (normally /etc/audit/auditd.conf). The two primary ways to configure the log-generation rules are the command line auditctl utility and the file /etc/audit/audit.rules, which contains a sequence of auditctl arguments loaded at boot time. On distributions that use augenrules, audit.rules is itself generated by merging the files under /etc/audit/rules.d/, so those files are the ones to protect and watch.(Citation: IzyKnows auditd threat detection 2022)(Citation: Red Hat Linux Disable or Mod)

With root privileges, adversaries may be able to ensure their activity is not logged by disabling the Audit system service, editing the configuration or rule files, or hooking the Audit system library functions. Using the command line, adversaries can disable the Audit system service by killing the processes associated with the auditd daemon or by using systemctl to stop the Audit service; `auditctl -e 0` likewise switches off event generation in the kernel without stopping the daemon, and `auditctl -D` deletes all loaded rules. Adversaries can also hook Audit system functions to suppress logging, or modify the rules in /etc/audit/audit.rules or the settings in auditd.conf so that malicious activity is ignored. Each of these actions leaves a trace of its own (a CONFIG_CHANGE, DAEMON_END or EXECVE record, or a write to the configuration files) unless the adversary also tampers with the already-written log, so the moment auditing stops is usually the most reliable indicator.(Citation: ESET Ebury Feb 2014)
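The paragraph above lists the ways an adversary with root can switch the Audit system off. The following Python is an added example (not code from the page or from MITRE) that shows what those actions look like in auditd's own key=value log format and flags them. The log lines are constructed to resemble real audit.log records; the PATH record assumes a watch rule such as `-w /etc/audit/ -p wa -k auditconfig` is loaded so that writes to the configuration directory produce records at all.

```python
"""Flag Linux Audit records that indicate the Audit system itself is being
disabled or reconfigured. Added example; SAMPLE_LOG is constructed, not real."""
import re
from typing import Dict, List, Optional, Tuple

# Records start with type=... and carry a msg=audit(TIMESTAMP:SERIAL): header,
# followed by space-separated key=value pairs; string values are double-quoted.
_HEADER = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Files and binaries whose modification or execution is worth flagging.
AUDIT_CONFIG_PATHS = ("/etc/audit/", "/sbin/auditctl", "/usr/sbin/auditctl")

# Constructed sample: one benign command, then the actions the text describes.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=0 comm="ls" exe="/usr/bin/ls" key="cmds"
type=EXECVE msg=audit(1700000000.100:101): argc=2 a0="ls" a1="-la"
type=EXECVE msg=audit(1700000000.200:102): argc=3 a0="/sbin/auditctl" a1="-e" a2="0"
type=CONFIG_CHANGE msg=audit(1700000000.210:103): audit_enabled=0 old=1 auid=1000 ses=4 res=1
type=EXECVE msg=audit(1700000000.300:104): argc=3 a0="systemctl" a1="stop" a2="auditd"
type=DAEMON_END msg=audit(1700000000.310:105): op=terminate auid=1000 pid=812 res=success
type=PATH msg=audit(1700000000.400:106): item=0 name="/etc/audit/rules.d" inode=1311 nametype=PARENT
type=PATH msg=audit(1700000000.400:106): item=1 name="/etc/audit/rules.d/audit.rules" inode=1399 nametype=NORMAL
type=CONFIG_CHANGE msg=audit(1700000000.500:107): auid=1000 ses=4 op=remove_rule key="cmds" list=4 res=1
"""


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit log line into a dict of fields, with quotes stripped."""
    fields: Dict[str, str] = {}
    m = _HEADER.search(line)
    if m:
        fields["serial"] = m.group("serial")
    for key, value in _KV.findall(line):
        fields[key] = value.strip('"')
    return fields


def execve_argv(fields: Dict[str, str]) -> List[str]:
    """Rebuild argv from an EXECVE record's a0..aN fields."""
    argv, i = [], 0
    while f"a{i}" in fields:
        argv.append(fields[f"a{i}"])
        i += 1
    return argv


def _flag_value(argv: List[str], flag: str) -> Optional[str]:
    """Value following a flag in argv, or None if absent."""
    try:
        return argv[argv.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def classify(fields: Dict[str, str]) -> str:
    """Return a finding label for a record, or '' if it is not of interest."""
    rtype = fields.get("type", "")
    if rtype == "CONFIG_CHANGE":
        if fields.get("audit_enabled") == "0":
            return "audit logging disabled at runtime (audit_enabled=0)"
        if fields.get("op", "").startswith("remove"):
            return "audit rule removed (op=%s key=%s)" % (fields["op"], fields.get("key", ""))
        return ""
    if rtype in ("DAEMON_END", "DAEMON_ABORT"):
        return "auditd terminated (%s)" % rtype
    if rtype == "EXECVE":
        argv = execve_argv(fields)
        if not argv:
            return ""
        prog = argv[0].rsplit("/", 1)[-1]
        # auditctl -e 2 (lock) is hardening, so only -e 0 and -D are flagged.
        if prog == "auditctl" and ("-D" in argv or _flag_value(argv, "-e") == "0"):
            return "auditctl disabling auditing or deleting rules: " + " ".join(argv)
        if prog == "systemctl" and len(argv) >= 3 and argv[1] in ("stop", "disable", "mask") and "auditd" in argv[2:]:
            return "auditd service stopped via systemctl: " + " ".join(argv)
        # Only name-based kills are visible in argv; 'kill <pid>' needs the
        # kill(2) SYSCALL record correlated with auditd's pid, not shown here.
        if prog in ("kill", "pkill", "killall") and "auditd" in argv[1:]:
            return "auditd process signalled: " + " ".join(argv)
        return ""
    if rtype == "PATH":
        name = fields.get("name", "")
        if name.startswith(AUDIT_CONFIG_PATHS) and fields.get("nametype") != "PARENT":
            return "audit configuration file touched: " + name
    return ""


def scan(log_text: str) -> List[Tuple[str, str]]:
    """Return (serial, finding) pairs for every suspicious record in the log."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            fields = parse_record(line)
            label = classify(fields)
            if label:
                findings.append((fields.get("serial", "?"), label))
    return findings


if __name__ == "__main__":
    for serial, label in scan(SAMPLE_LOG):
        print(serial, label)
```

Running the block on the constructed log reports serials 102 through 107 and ignores the benign `ls` at 101. In practice the most valuable of these is the CONFIG_CHANGE with audit_enabled=0 and the DAEMON_END, because they are written by the kernel and daemon respectively and do not depend on an EXECVE rule being loaded; if the log simply stops without either, that silence is itself the signal.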

Platforms

Linux

Mitigations (2)

User Account ManagementM1018

An adversary must already have root-level access on the local system to make full use of this technique; restrict users and accounts to the least privileges they require.

AuditM1047

Routinely check account role permissions to ensure only expected users and roles have permission to modify logging settings.

To ensure Audit rules cannot be modified at runtime, add `-e 2` (the argument form of `auditctl -e 2`) as the last line of the audit.rules file; any rule placed after it is rejected, because the configuration is already locked when it is reached. Once started, any attempt to change the configuration in this mode will be audited and denied. The configuration can only be changed by rebooting the
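The mitigation above depends on `-e 2` being the final rule that loads, and on the rule files themselves being watched so that an on-disk edit (which only takes effect at the next boot) is still recorded. The Python below is an added example, not from the page, that checks a rules file for both conditions and shows a weak and a locked configuration side by side. WEAK_RULES and HARDENED_RULES are constructed; `check_rules_d` assumes augenrules' documented behaviour of merging /etc/audit/rules.d/*.rules in filename sort order, so the lock must live in the file that sorts last.

```python
"""Validate an audit.rules file for the runtime-immutability setting.
Added example; the rule texts below are constructed for illustration."""
from typing import Dict, List

# Constructed: rules load at boot but remain changeable with auditctl.
WEAK_RULES = """\
# delete existing rules, set buffer, watch identity and audit config
-D
-b 8192
-w /etc/passwd -p wa -k identity
-w /etc/audit/ -p wa -k auditconfig
-e 1
"""

# Constructed: same rules, plus a watch on auditctl itself, locked with -e 2 last.
HARDENED_RULES = """\
-D
-b 8192
-w /etc/passwd -p wa -k identity
-w /etc/audit/ -p wa -k auditconfig
-w /sbin/auditctl -p x -k audittools
-e 2
"""

LOCK = ["-e", "2"]


def check_rules(text: str) -> List[str]:
    """Return problems found in an audit.rules body; [] means it is locked
    by a final '-e 2' and watches its own configuration directory."""
    rules = [l.strip() for l in text.splitlines()]
    rules = [r for r in rules if r and not r.startswith("#")]
    problems: List[str] = []
    if not rules:
        return ["no rules present"]
    if rules[-1].split() != LOCK:
        problems.append("last rule is %r, not '-e 2': configuration stays mutable at runtime" % rules[-1])
    # A lock that is not last silently breaks everything after it.
    for i, r in enumerate(rules[:-1]):
        if r.split() == LOCK:
            remaining = len(rules) - i - 1
            problems.append("'-e 2' at rule %d is followed by %d rule(s) that will be rejected" % (i + 1, remaining))
    if not any(r.startswith("-w /etc/audit") for r in rules):
        problems.append("no watch on /etc/audit/: on-disk edits to the rules will not be logged")
    return problems


def check_rules_d(files: Dict[str, str]) -> List[str]:
    """Check a set of rules.d fragments as augenrules would merge them:
    concatenated in filename sort order (assumption stated in the lead-in)."""
    merged = "\n".join(files[name] for name in sorted(files))
    return check_rules(merged)


if __name__ == "__main__":
    print("weak:", check_rules(WEAK_RULES))
    print("hardened:", check_rules(HARDENED_RULES))
    print("rules.d, lock first:", check_rules_d({"00-lock.rules": "-e 2",
                                                 "10-base.rules": "-w /etc/audit/ -p wa -k auditconfig"}))
```

Two caveats belong with this check. First, `-e 2` only protects the running kernel state: a root adversary can still edit the files on disk and wait for (or force) a reboot, which is why the watch on /etc/audit/ matters and why the PATH records it produces should be forwarded off-host before auditd can be stopped. Second, immutable mode also blocks legitimate rule changes, so administrators must plan a reboot for every rules update; that operational cost is the reason it is often omitted, and a check like this one makes the omission visible.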

Associated Software (1)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S0377 | Ebury | Malware | [Ebury](https://attack.mitre.org/software/S0377) disables OpenSSH, system (`systemd`), and audit logs (`/sbin/auditd`) when the backdoor is active.(Ci... |

Frequently Asked Questions

What is T1685.004 (Disable or Modify Linux Audit System Log)?

T1685.004 is a MITRE ATT&CK technique named 'Disable or Modify Linux Audit System Log'. It belongs to the Defense Impairment tactic. Adversaries may disable or modify the Linux Audit system to hide malicious activity and avoid detection; Linux administrators use the Linux Audit system to track security-relevant information on a system, so stopping or reconfiguring it removes the kernel-level record of process, network, file, and login events.

How can T1685.004 be detected?

Detection of T1685.004 (Disable or Modify Linux Audit System Log) starts with the Audit system's own records: a CONFIG_CHANGE event with audit_enabled=0 or with rules being removed, a DAEMON_END or DAEMON_ABORT event, and EXECVE records for `auditctl -e 0`, `auditctl -D`, `systemctl stop auditd` or kill commands aimed at auditd. Watch the configuration and rule files (/etc/audit/auditd.conf, /etc/audit/audit.rules and /etc/audit/rules.d/) for writes, forward audit events to a remote collector so a stopped daemon is noticed as a gap in the stream, and have the SIEM or EDR alert when a host that normally emits audit events goes silent.

What mitigations exist for T1685.004?

There are 2 documented mitigations for T1685.004. Key mitigations include: User Account Management, Audit.

Which threat groups use T1685.004?

Attribution to specific groups varies; the software documented on this page as using the technique is Ebury (S0377), which disables audit logging while its backdoor is active. Check the MITRE ATT&CK website for the latest threat intelligence.