MITRE ATT&CK® Analytic

AN0116: Analytic 0116

Detects adversary removal of persistence implants (e.g., rc.local entries or crontab injections) via CLI (`rm`, `sed`, `crontab -r`) and deletion of startup or management scripts.

Enterprise · AN0116 · Analytic · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because removal of persistence artifacts on ESXi can be part of an intruder cleaning up after maintaining access, changing tooling, or attempting to reduce forensic evidence. For leaders, the practical question is whether the organization can see administrative command-line activity and script deletion on virtualization infrastructure, not just whether endpoint tools cover user workstations.

Executive priority

Prioritize this as a resilience and incident-readiness validation for ESXi environments. If virtualization hosts are in scope for critical workloads, security teams should be able to prove they collect enough host and administrative activity to investigate suspicious removal of startup scripts, management scripts, rc.local entries, or crontab entries. This supports incident response decisions, audit evidence, and control prioritization around privileged administration of core infrastructure.

Technical view

AN0116 is an ESXi-focused detection analytic for identifying possible removal of persistence implants through command-line activity such as rm, sed, and crontab -r, as well as deletion of startup or management scripts. Because no ATT&CK tactic, detection logic, or relationship context is supplied, teams should treat this as a validation prompt: confirm whether ESXi shell and administrative command activity, file deletion events, and changes to startup or scheduled execution mechanisms are observable and retained for investigation.

Likely telemetry

  • ESXi shell or command-line activity involving rm, sed, or crontab -r
  • Administrative session logs for ESXi hosts
  • File deletion or modification evidence for startup scripts and management scripts
  • Changes to rc.local-style startup entries where present
  • Changes to crontab or scheduled execution configuration

Detection direction

  • Validate that ESXi administrative command execution is logged with user, host, timestamp, and command context where available.
  • Tune for suspicious deletion or editing of persistence-relevant startup and scheduled execution locations rather than alerting on every legitimate maintenance action.
  • Correlate command activity with authorized change windows and known administrator accounts to reduce false positives.
  • Investigate unexpected use of rm, sed, or crontab -r on ESXi hosts, especially when followed by deletion of startup or management scripts.
  • Account for blind spots where ESXi shell logging, remote administration logging, or file-change telemetry is not enabled or centrally retained.
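A minimal illustration of the detection direction above, added here as an example and not part of the ATT&CK object or Glexia's analysis: it scans ESXi shell.log-style lines for the `rm`, `sed` and `crontab -r` patterns the analytic names, flags edits or deletions of persistence-relevant locations, and notes (rather than suppresses) those performed by an authorized account inside an approved change window. The log line layout, the persistence paths, the account names and the sample lines are all assumptions constructed for the example.

```python
import re
from typing import Iterable, List, Optional
# Persistence-relevant ESXi locations named by the analytic; these are assumed
# common defaults and should be adjusted to the local environment.
PERSISTENCE_PATHS = ("/etc/rc.local.d/local.sh", "/etc/rc.local",
                     "/var/spool/cron/crontabs/root")
CLEANUP_CMDS = re.compile(r"^(?:rm|sed|crontab)\b")
# Assumed shell.log layout: "<ISO timestamp> shell[<pid>]: [<user>]: <command>"
LINE_RE = re.compile(r"^(\S+)\s+shell\[\d+\]:\s+\[([^\]]+)\]:\s+(.*)$")

def classify(command: str) -> Optional[str]:
    """Return why a command looks like persistence cleanup, or None if benign."""
    if not CLEANUP_CMDS.match(command):
        return None
    if re.match(r"^crontab\b.*\s-r\b", command):
        return "crontab removed"
    for path in PERSISTENCE_PATHS:
        if path in command:
            verb = "deleted" if command.startswith("rm") else "edited"
            return f"{verb} persistence location {path}"
    if command.startswith("rm") and command.endswith(".sh"):
        return "startup/management script deleted"
    return None

def scan_shell_log(lines: Iterable[str], authorized_users=frozenset(),
                   change_windows=()) -> List[tuple]:
    """Return (ts, user, command, reason) tuples for cleanup-like commands."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, command = m.group(1), m.group(2), m.group(3).strip()
        reason = classify(command)
        if reason is None:
            continue
        # ISO-8601 UTC timestamps compare correctly as plain strings; authorized
        # users acting inside an approved window are annotated, not dropped.
        if user in authorized_users and any(s <= ts <= e for s, e in change_windows):
            reason += " (within approved change window)"
        findings.append((ts, user, command, reason))
    return findings

# Constructed sample lines in the assumed layout; not taken from a real host.
SAMPLE_LOG = [
    "2024-03-01T02:10:11Z shell[2233]: [root]: ls /etc/rc.local.d",
    "2024-03-01T02:10:45Z shell[2233]: [root]: sed -i '3d' /etc/rc.local.d/local.sh",
    "2024-03-01T02:11:02Z shell[2233]: [root]: crontab -r",
    "2024-03-01T02:11:30Z shell[2233]: [root]: rm /scratch/mgmt/backup.sh",
    "2024-03-01T14:00:05Z shell[3101]: [admin]: rm /etc/rc.local.d/local.sh",
]
```

Running `scan_shell_log(SAMPLE_LOG, authorized_users={"admin"}, change_windows=[("2024-03-01T13:00:00Z", "2024-03-01T15:00:00Z")])` yields four findings: three unannotated root actions at 02:10 to 02:11 and one admin deletion marked as inside the approved window.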

Mitigation priorities

  • Restrict and monitor privileged administrative access to ESXi hosts.
  • Require change-control evidence for modification or deletion of startup, scheduled, or management scripts on virtualization infrastructure.
  • Centralize and retain ESXi host and administrative logs so incident responders can reconstruct activity.
  • Review persistence-relevant startup and scheduled execution locations during incident response and high-risk maintenance events.
  • Use least privilege and administrative accountability controls to make unauthorized cleanup activity easier to attribute and investigate.

Analyst notes and limits

This take is based only on the supplied ATT&CK analytic fields. The object identifies an ESXi detection analytic for removal of persistence implants using CLI tools and deletion of startup or management scripts. No relationships, tactic mapping, procedure examples, or official detection logic were supplied, so local telemetry design and environment-specific baselining are required.

ATT&CK did not provide detection pseudocode, data source mappings, relationships, aliases, or tactic context in the supplied object. This summary should not be read as evidence of active exploitation, specific adversary attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Analytic 0116

Detects adversary removal of persistence implants (e.g., rc.local entries or crontab injections) via CLI (`rm`, `sed`, `crontab -r`) and deletion of startup or management scripts.

The same entry is available on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 7e60054a6b6a77a0...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 7e60054a6b6a…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0116

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.