MITRE ATT&CK® Analytic

AN0887: Analytic 0887

Execution of commands that stop or kill processes associated with logging or security daemons (auditd, syslog, falco). Detect modifications to iptables or disabling SELinux/AppArmor enforcement. Correlate sudo/root context with abrupt service halts.

Enterprise | AN0887 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it focuses on Linux activity that can remove or weaken the evidence defenders rely on during an incident: logging services, security daemons, firewall rules, and enforcement controls such as SELinux or AppArmor. For leaders, the practical issue is not only detecting a single stopped service; it is knowing whether the organization can still investigate and contain an incident when core Linux visibility or protections are abruptly disabled.

Executive priority

Treat this as a resilience and incident-readiness control check for Linux environments. Security leaders should ask whether critical Linux systems generate independent evidence when auditd, syslog, Falco, iptables, SELinux, or AppArmor are changed or stopped, and whether SOC and IR teams have authority and procedures to respond quickly to loss of telemetry. This also supports compliance evidence where continuous logging, privileged activity monitoring, and control integrity are expected.

Technical view

For SOC and detection engineering teams, validate monitoring for command execution and service-control activity that stops, kills, or disables logging and security-related daemons on Linux. Correlate abrupt service halts or enforcement-mode changes with sudo or root context, and review iptables modification events alongside process and authentication context. Because the ATT&CK object does not provide a formal detection implementation or tactic mapping, teams should convert the description into local analytics based on available Linux audit, endpoint, service manager, firewall, and authentication telemetry.

Likely telemetry

  • Linux process execution events for service-control, kill, and configuration commands
  • Service status and daemon lifecycle events for auditd, syslog, Falco, and similar security/logging services
  • Privilege context and authentication records, including sudo and root activity
  • Firewall configuration change evidence, including iptables modifications
  • SELinux and AppArmor enforcement or configuration change events

Detection direction

  • Validate that service stop, kill, disable, and configuration-change events are collected before relying on this analytic.
  • Correlate privileged user context with abrupt logging or security daemon termination rather than alerting only on service state changes.
  • Tune for legitimate administrative maintenance, package upgrades, and troubleshooting activity to reduce false positives.
  • Prioritize high-value Linux servers and systems where loss of audit, syslog, Falco, firewall, SELinux, or AppArmor visibility would materially impair incident response.
  • Check for blind spots where telemetry is generated only by the same service being stopped; independent or centralized collection may be needed for reliable evidence.
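As an added illustration (not part of the ATT&CK object or of Glexia's analysis), the Python below turns the detection direction above into a small correlation check run over constructed process-execution events: it classifies commands that stop or kill the named daemons, change iptables rules, or disable SELinux/AppArmor enforcement, raises severity when the command ran as root or via sudo, and suppresses package-manager maintenance. The event field names (host, user, euid, sudo, parent, cmd) and the maintenance-parent allowlist are assumptions about a normalized endpoint or auditd feed, not any product's schema.

```python
import re
# Daemons named in the analytic, plus the usual unit names for syslog on Linux.
SECURITY_DAEMONS = {"auditd", "syslog", "rsyslog", "rsyslogd", "syslog-ng", "falco"}
# Parent processes treated as routine maintenance (tuning assumption; adjust locally).
MAINTENANCE_PARENTS = {"dpkg", "apt", "apt-get", "yum", "dnf", "rpm", "unattended-upgrade"}
_RULES = [
    ("security_daemon_stop", re.compile(r"^systemctl\s+(?:stop|disable|mask|kill)\s+(\S+)")),
    ("security_daemon_stop", re.compile(r"^service\s+(\S+)\s+(?:stop|kill)\b")),
    ("security_daemon_kill", re.compile(r"^(?:pkill|killall)\s+(?:-\S+\s+)*(\S+)")),
    ("firewall_change", re.compile(r"^(?:iptables|ip6tables)\s+(?:-[AIDFXP]|--(?:append|insert|delete|flush|policy))\b")),
    ("enforcement_disabled", re.compile(
        r"^(?:setenforce\s+0\b|aa-complain\b|aa-disable\b|systemctl\s+(?:stop|disable|mask)\s+apparmor\b)")),
]

def classify(cmd):
    """Return (category, target) when a command matches the analytic, else None."""
    for category, rx in _RULES:
        m = rx.match(cmd.strip())
        if not m:
            continue
        if category.startswith("security_daemon"):
            target = m.group(1).removesuffix(".service")
            if target not in SECURITY_DAEMONS:
                continue  # stopping an unrelated unit is outside this analytic
            return category, target
        return category, cmd.split()[0]
    return None

def evaluate(events):
    """Correlate matches with root/sudo context; suppress package-manager maintenance."""
    alerts = []
    for ev in events:
        hit = classify(ev["cmd"])
        if hit is None or ev.get("parent") in MAINTENANCE_PARENTS:
            continue
        privileged = ev.get("euid") == 0 or ev.get("sudo", False)
        alerts.append({"host": ev["host"], "user": ev["user"], "cmd": ev["cmd"], "category": hit[0],
                       "target": hit[1], "severity": "high" if privileged else "low"})
    return alerts

# Constructed sample events (not real telemetry); the field names are an assumption.
SAMPLE_EVENTS = [
    {"host": "web01", "user": "alice", "euid": 0, "sudo": True, "parent": "sudo", "cmd": "systemctl stop auditd"},
    {"host": "web01", "user": "root", "euid": 0, "parent": "dpkg", "cmd": "systemctl stop rsyslog.service"},
    {"host": "db02", "user": "bob", "euid": 1001, "parent": "bash", "cmd": "pkill -9 falco"},
    {"host": "db02", "user": "root", "euid": 0, "parent": "bash", "cmd": "setenforce 0"},
    {"host": "db02", "user": "root", "euid": 0, "parent": "bash", "cmd": "iptables -F INPUT"},
    {"host": "web01", "user": "root", "euid": 0, "parent": "bash", "cmd": "systemctl stop nginx"},
]
```

Running `evaluate(SAMPLE_EVENTS)` yields four alerts: the dpkg-driven rsyslog stop is suppressed and the nginx stop is ignored, while the unprivileged falco kill is kept at low severity for review rather than dropped.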

Mitigation priorities

  • Define which Linux logging, security daemon, firewall, and enforcement-control changes require approval, monitoring, and escalation.
  • Restrict and review sudo/root access for users and automation that can stop security services or modify enforcement controls.
  • Ensure critical logs and security events are forwarded or preserved outside the host where feasible, so local service termination does not erase investigative visibility.
  • Establish SOC runbooks for abrupt loss of Linux security telemetry, including validation, containment decision points, and incident-response handoff.
  • Use periodic control validation to confirm auditd, syslog, Falco, iptables, SELinux, and AppArmor monitoring remains functional on in-scope Linux systems.

Analyst notes and limits

The supplied object is a detection analytic for Linux and provides descriptive detection intent but no official detection logic, tactics, relationships, or associated techniques in the provided context. The strongest use is as a validation requirement for Linux telemetry integrity and privileged change monitoring rather than as a ready-to-deploy rule.

This take is limited to the supplied ATT&CK fields and external reference. No active exploitation, adversary attribution, impact outcome, specific product coverage, or guaranteed detection can be inferred. Local command paths, service names, logging architecture, administrative workflows, and approved maintenance patterns are required to operationalize and tune the analytic.

Official MITRE ATT&CK definition

Analytic 0887

Execution of commands that stop or kill processes associated with logging or security daemons (auditd, syslog, falco). Detect modifications to iptables or disabling SELinux/AppArmor enforcement. Correlate sudo/root context with abrupt service halts.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: df213cd6e386441a...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | df213cd6e386…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0887
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.