MITRE ATT&CK® Analytic

AN0114: Analytic 0114

Detects removal of persistence artifacts such as crontab entries, systemd service units, and malicious user accounts through commands like `crontab -r`, `rm /etc/systemd/system/*.service`, or `userdel`.

Domain: Enterprise | Object: AN0114 (Analytic) | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN0114 is a Linux-focused detection analytic for spotting removal of persistence artifacts such as crontab entries, systemd service units, and user accounts. Its practical value is in incident response and SOC assurance: cleanup activity can be legitimate administration, but it can also remove evidence, disable persistence, or signal a shift in attacker behavior. Leaders should treat this as a validation point for whether Linux administrative changes are logged well enough to support investigations and recovery decisions.

Executive priority

Prioritize this analytic where Linux systems support critical services, regulated workloads, or incident-response evidence requirements. The business question is not only “can we detect persistence,” but also “can we prove when persistence was removed, by whom, and from which host?” That evidence supports containment decisions, audit narratives, root-cause analysis, and confidence that recovery actions did not erase important forensic context.

Technical view

For SOC and IR teams, validate visibility into Linux commands and file/account changes related to crontab removal, systemd service unit deletion, and user account deletion. Because ATT&CK provides no official detection logic for this analytic and no tactic mapping in the supplied object, teams should implement it as behavior validation rather than a fixed rule. Tune for administrative baselines: package uninstallers, configuration management, system hardening, and authorized user lifecycle operations may produce similar events.

Likely telemetry

  • Linux process execution telemetry for administrative commands that remove scheduled tasks, service units, or users
  • Shell command-line logging where available
  • File deletion or modification events under systemd service paths such as /etc/systemd/system/
  • Crontab modification/removal audit records
  • Linux user account lifecycle logs, including account deletion

Detection direction

  • Confirm that Linux endpoints actually collect command-line and process execution data with sufficient user, parent process, host, and timestamp context.
  • Correlate artifact removal with recent persistence findings, incident timelines, or unauthorized access indicators rather than treating every deletion as malicious.
  • Create allowlists or suppression logic for approved automation, system maintenance, decommissioning, and identity lifecycle workflows.
  • Watch for blind spots on servers without audit logging, ephemeral workloads, minimal Linux images, or hosts where command-line collection is disabled.
  • Preserve context when alerting: removed artifact type, path or account name, initiating user, parent process, source session, and whether the host is under active investigation.
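As an added illustration of the telemetry and detection direction above (example code written for this page, not Glexia's or MITRE's detection logic), the following Python script classifies process-execution records for the three artifact-removal patterns named in the analytic, suppresses hits whose parent process is on an approved-automation allowlist, and preserves the alert context the list calls for (artifact type, path or account, initiating user, parent process, host, timestamp). The JSON field names, the sample events, and the allowlist contents are assumptions made for the example.

```python
import fnmatch
import json
import shlex

# Constructed process-execution records, one JSON object per line. The field
# names (ts, host, user, parent, cmdline) are an assumed schema for this
# example, not the format of any particular EDR, auditd, or SIEM product.
SAMPLE_EVENTS = """\
{"ts": "2024-05-01T10:02:11Z", "host": "web01", "user": "root", "parent": "bash", "cmdline": "crontab -r -u deploy"}
{"ts": "2024-05-01T10:02:40Z", "host": "web01", "user": "root", "parent": "bash", "cmdline": "rm -f /etc/systemd/system/app-agent.service"}
{"ts": "2024-05-01T10:03:05Z", "host": "web01", "user": "root", "parent": "sshd", "cmdline": "userdel -r svc_tmp"}
{"ts": "2024-05-01T10:15:00Z", "host": "db02", "user": "root", "parent": "ansible-playbook", "cmdline": "userdel olduser"}
{"ts": "2024-05-01T10:20:00Z", "host": "db02", "user": "alice", "parent": "bash", "cmdline": "crontab -l"}
{"ts": "2024-05-01T10:21:00Z", "host": "db02", "user": "alice", "parent": "bash", "cmdline": "rm /tmp/scratch.txt"}
"""

# Paths where unit files commonly live; removing a whole directory counts too.
SYSTEMD_UNIT_GLOBS = (
    "/etc/systemd/system/*.service",
    "/etc/systemd/system/*.timer",
    "/usr/lib/systemd/system/*.service",
    "/lib/systemd/system/*.service",
    "/home/*/.config/systemd/user/*.service",
)
SYSTEMD_UNIT_DIRS = ("/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system")

# Assumed allowlist of parent processes that represent approved automation.
# A parent name alone is a weak signal, so treat it as a suppression hint to be
# tuned against local baselines, not as proof that the removal was authorized.
APPROVED_PARENTS = {"ansible-playbook", "puppet", "chef-client", "dpkg", "rpm", "apt-get"}


def _is_unit_path(arg):
    return any(fnmatch.fnmatch(arg, g) for g in SYSTEMD_UNIT_GLOBS) or arg.rstrip("/") in SYSTEMD_UNIT_DIRS


def classify(argv):
    """Return (artifact_type, target) if argv removes a persistence artifact, else None.

    target is None for `crontab -r` without -u, meaning the caller's own crontab.
    """
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]  # tolerate absolute paths such as /usr/bin/crontab
    if prog == "crontab" and "-r" in argv[1:]:
        target = None
        if "-u" in argv:
            i = argv.index("-u")
            if i + 1 < len(argv):
                target = argv[i + 1]
        return ("crontab", target)
    if prog == "rm":
        hits = [a for a in argv[1:] if not a.startswith("-") and _is_unit_path(a)]
        if hits:
            return ("systemd_unit", ",".join(hits))
    if prog == "userdel":
        names = [a for a in argv[1:] if not a.startswith("-")]
        if names:
            return ("user_account", names[-1])
    return None


def detect(lines, approved_parents=APPROVED_PARENTS):
    """Scan JSON-lines events; return (alerts, suppressed) with full context preserved."""
    alerts, suppressed = [], []
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        try:
            argv = shlex.split(ev["cmdline"])
        except ValueError:  # unbalanced quotes in a captured command line
            argv = ev["cmdline"].split()
        hit = classify(argv)
        if hit is None:
            continue
        artifact, target = hit
        alert = {
            "ts": ev["ts"],
            "host": ev["host"],
            "user": ev["user"],
            "parent": ev["parent"],
            "artifact": artifact,
            "target": target or ev["user"],  # own crontab: the executing user is the target
            "cmdline": ev["cmdline"],
        }
        (suppressed if ev["parent"] in approved_parents else alerts).append(alert)
    return alerts, suppressed


if __name__ == "__main__":
    found, skipped = detect(SAMPLE_EVENTS)
    for a in found:
        print(json.dumps(a))
    print(f"{len(skipped)} hit(s) suppressed by the approved-parent allowlist")
```

Run against the constructed events, the script raises three alerts on web01 (crontab removal for deploy, deletion of a unit file, deletion of svc_tmp), suppresses the userdel launched under ansible-playbook on db02, and ignores `crontab -l` and an unrelated `rm`. Production use would extend the patterns (combined short flags such as `-ru`, user-level cron directories, `systemctl disable`) and correlate the alert with the host's investigation status before paging anyone.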

Mitigation priorities

  • Establish approved change paths for Linux scheduled tasks, systemd services, and local account management.
  • Enable and retain Linux audit, process, and account-management logs long enough to support incident response and compliance evidence needs.
  • Restrict privileged administrative actions to authorized users and managed automation, with accountability for service and local account changes.
  • Use configuration management or file integrity monitoring to identify unexpected removal of service units or scheduled-task artifacts.
  • During incident response, preserve forensic evidence before cleanup or remediation where operationally feasible.

Analyst notes and limits

This object is a detection analytic, not a technique, and the supplied ATT&CK data includes Linux as the only platform. No relationship context was supplied, so this take does not infer related techniques, malware, groups, or campaigns. The analytic is most useful as a control-validation prompt for Linux persistence cleanup and evidence retention.

Official detection logic, tactics, relationships, aliases, and labels were not provided. Local baselines are required to separate authorized administration from suspicious removal activity. This summary does not claim active exploitation, attribution, or existing detection coverage.

Official MITRE ATT&CK definition

Analytic 0114

Detects removal of persistence artifacts such as crontab entries, systemd service units, and malicious user accounts through commands like `crontab -r`, `rm /etc/systemd/system/*.service`, or `userdel`.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: e8d8bb2d9cca6bdc...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | e8d8bb2d9cca…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0114 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.