Impair Defenses: Disable or Modify Linux Audit System

Other sub-techniques of Impair Defenses (13)

ID	Name
ATAGS-T1097.001	Triggering the clear mode
ATAGS-T1097.002	Disable or Modify Cloud Firewall
ATAGS-T1097.003	Disable or Modify Cloud Logs
ATAGS-T1097.004	Disable or Modify Linux Audit System
ATAGS-T1097.005	Disable or Modify Network Device Firewall
ATAGS-T1097.006	Disable or Modify System Firewall
ATAGS-T1097.007	Disable or Modify Tools
ATAGS-T1097.008	Disable Windows Event Logging
ATAGS-T1097.009	Downgrade Attack
ATAGS-T1097.010	Impair Command History Logging
ATAGS-T1097.011	Indicator Blocking
ATAGS-T1097.012	Safe Mode Boot
ATAGS-T1097.013	Spoof Security Alerting

Threat Actors may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules.

ID: ATAGS-T1097.004

Sub-technique of: ATAGS-T1097

ⓘ

Tactic: Defense Evasion

ⓘ

Targeted Components: Software

ⓘ

Responsibility: Provider

Created: 18 April 2026

Last Modified: 18 April 2026

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.