MITRE ATT&CK® Analytic

AN0134: Analytic 0134

Detects deletion or overwriting of logs/configs that store SSH or proxy activity, such as /var/log/auth.log or custom .bash_history clearing tied to SSH sessions or firewall rule changes.

Enterprise | AN0134 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because deletion or overwriting of Linux SSH, proxy, shell history, or related firewall activity records can remove the evidence needed to understand remote access and administrative changes during an incident. For executives and security leaders, the practical issue is not just log tampering; it is whether the organization can still reconstruct who connected, what changed, and whether business-critical systems remain trustworthy after a suspected intrusion.

Executive priority

Prioritize this as an incident readiness and audit-evidence question for Linux environments: are authentication, proxy, shell history, and configuration-change records protected well enough to support containment and investigation? The ATT&CK object does not specify a tactic or relationship context, so the value is in validating resilience of logging pipelines, retention, and tamper visibility rather than assuming a specific threat actor or campaign.

Technical view

For SOC, detection engineering, and IR teams, validate monitoring for deletion, truncation, overwriting, or suspicious clearing of Linux log and configuration artifacts associated with SSH and proxy activity, including examples named by MITRE such as /var/log/auth.log and custom .bash_history clearing tied to SSH sessions or firewall rule changes. Because no official detection logic is provided, teams should translate this into local file-integrity, audit, endpoint, and log-pipeline checks and test whether events remain visible when local files are modified or removed.

Likely telemetry

  • Linux file creation, deletion, rename, truncation, and permission-change events for authentication, proxy, shell history, and firewall-related files
  • Audit or endpoint telemetry showing processes and users modifying /var/log/auth.log, shell history files, or relevant configuration/log paths
  • SSH session records and authentication logs collected before local deletion or overwrite occurs
  • Proxy activity logs and related configuration-change records where applicable
  • Firewall rule change telemetry on Linux systems where those changes are logged or audited

Detection direction

  • Confirm whether Linux log and configuration files named or implied by the analytic are monitored for deletion, overwrite, truncation, and unexpected modification.
  • Tune for administrative maintenance noise, such as legitimate log rotation or approved configuration management, while preserving alerts for unusual timing, users, processes, or correlation with SSH sessions and firewall changes.
  • Test blind spots where shell history is disabled, redirected, customized, or cleared outside standard paths.
  • Validate that centralized logging receives relevant SSH, proxy, and firewall-change events before an attacker or administrator can modify local files.
  • Because no ATT&CK detection logic or relationships are supplied, avoid overfitting to a single path; build detections around evidence loss affecting SSH/proxy activity records and local Linux auditability.
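Detection logic of the kind the bullets above describe, as an added Python example that is not part of the Glexia or MITRE page: it scans constructed auditd-style records for deletion, rename, truncation or O_TRUNC overwrite of SSH-related evidence files, exempts scheduled logrotate runs, and still alerts when the same binary is launched from a login session. The sshd and firewall config paths, the ssh-evidence audit key and the logrotate allowlist rule are assumptions.

```python
import re

# Constructed sample records in a simplified auditd style: one line per event, with the PATH
# record's name= folded into the SYSCALL line. Real auditd emits SYSCALL and PATH separately,
# sharing the msg=audit(ts:serial) id; the collector must join them before applying this.
# Assumed audit rule that would tag these events: -w /var/log/auth.log -p wa -k ssh-evidence
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1700000000.101:501): syscall=unlinkat success=yes comm="rm" exe="/usr/bin/rm" auid=1001 uid=0 ses=7 name="/var/log/auth.log" key="ssh-evidence"
type=SYSCALL msg=audit(1700000000.202:502): syscall=ftruncate success=yes comm="logrotate" exe="/usr/sbin/logrotate" auid=4294967295 uid=0 ses=4294967295 name="/var/log/auth.log" key="ssh-evidence"
type=SYSCALL msg=audit(1700000000.303:503): syscall=openat success=yes a2=241 comm="bash" exe="/usr/bin/bash" auid=1001 uid=1001 ses=7 name="/home/alice/.bash_history" key="ssh-evidence"
type=SYSCALL msg=audit(1700000000.404:504): syscall=openat success=yes a2=441 comm="rsyslogd" exe="/usr/sbin/rsyslogd" auid=4294967295 uid=0 ses=4294967295 name="/var/log/auth.log" key="ssh-evidence"
type=SYSCALL msg=audit(1700000000.505:505): syscall=rename success=yes comm="mv" exe="/usr/bin/mv" auid=1002 uid=0 ses=9 name="/etc/ssh/sshd_config" key="ssh-evidence"
"""

# Paths named by the analytic (auth.log, .bash_history) plus sshd and firewall config as assumptions.
WATCHED = (re.compile(r"^/var/log/(auth\.log|secure)\b"), re.compile(r"/\.bash_history$"),
           re.compile(r"^/etc/ssh/"), re.compile(r"^/etc/(iptables|nftables)"))
DESTRUCTIVE = {"unlink", "unlinkat", "truncate", "ftruncate", "rename", "renameat", "renameat2"}
O_TRUNC = 0x200            # open(2) flag: shell `> file` sets it, `>> file` (O_APPEND) does not
AUID_UNSET = "4294967295"  # auid when no login session is attached (cron, systemd timers)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL = re.compile(r"audit\(\d+\.\d+:(\d+)\)")

def parse_record(line):
    """Turn one key=value audit line into a dict, stripping quotes from string fields."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def is_destructive(ev):
    """True for syscalls that remove, rename or empty a file, including open(2) with O_TRUNC."""
    sc = ev.get("syscall")
    if sc in ("open", "openat"):  # flags sit in a1 for open, a2 for openat (hex, no 0x prefix)
        return bool(int(ev.get("a1" if sc == "open" else "a2", "0"), 16) & O_TRUNC)
    return sc in DESTRUCTIVE

def classify(ev):
    """Return an alert dict for a destructive operation on a watched path, else None."""
    path = ev.get("name", "")
    if not any(p.search(path) for p in WATCHED) or not is_destructive(ev):
        return None
    # Scheduled rotation runs with no login session; the same binary started from an
    # interactive SSH session (auid set) is not exempt and still raises an alert.
    if ev.get("exe") == "/usr/sbin/logrotate" and ev.get("auid") == AUID_UNSET:
        return None
    return {"serial": SERIAL.search(ev.get("msg", "")).group(1), "path": path,
            "syscall": ev.get("syscall"), "comm": ev.get("comm"), "auid": ev.get("auid"),
            "succeeded": ev.get("success") == "yes",  # failed attempts are still worth seeing
            "severity": "high" if path.startswith("/var/log/") else "medium"}

def scan(text):
    return [a for a in (classify(parse_record(l)) for l in text.splitlines() if l.strip()) if a]
```

Against the sample, the rm, bash `>` and mv events produce alerts while the cron-driven logrotate truncation and rsyslogd's append-mode open do not.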

Mitigation priorities

  • Centralize and retain Linux authentication, proxy, and firewall-change logs so investigations do not depend only on mutable local files.
  • Apply least privilege and administrative control around log directories, shell history handling, and configuration files relevant to SSH, proxy, and firewall activity.
  • Use file-integrity or audit controls for high-value log and configuration paths, with documented exceptions for log rotation and approved maintenance.
  • Review incident response playbooks to ensure suspected log deletion triggers preservation steps and alternate evidence collection.
  • Maintain compliance evidence showing log retention, integrity controls, and monitoring coverage for Linux systems in scope.

Analyst notes and limits

This is a detection analytic object for Linux with a narrow official description and no supplied tactic, detection logic, or relationship context. The strongest use is as a coverage-validation prompt for SOC and IR readiness around Linux evidence tampering affecting SSH, proxy, shell history, and firewall-change records.

The supplied ATT&CK fields do not include official detection pseudocode, data sources, tactics, mitigations, procedures, or relationships. Any production detection, severity, and response workflow must be based on local Linux logging architecture, approved administrative behavior, retention requirements, and system criticality.

Official MITRE ATT&CK definition

Analytic 0134

Detects deletion or overwriting of logs/configs that store SSH or proxy activity, such as /var/log/auth.log or custom .bash_history clearing tied to SSH sessions or firewall rule changes.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: -
Modified: -
Raw hash: 875a187cd2ed1bf9...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1     -                1.0             -         Current bundle  875a187cd2ed…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0134 (external source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.