AN0163: Analytic 0163
Detect unauthorized manipulation of log files, database entries, or system configuration files through auditd and syslog. Correlate shell commands that alter HISTFILE or data-related processes with abnormal file access patterns.
Analyst context for executives and security teams
This analytic matters because manipulation of Linux logs, database entries, shell history, or configuration files can weaken an organization’s ability to understand what happened during an incident. For executives and security leaders, the decision value is not just whether an alert exists, but whether Linux audit and syslog evidence is collected with enough integrity and context to support incident response, compliance evidence, and operational recovery decisions.
Executive priority
Prioritize this as an evidence-integrity and incident-readiness control for Linux environments. Leaders should ask whether critical Linux systems generate auditd and syslog records, whether those records are protected from local tampering, and whether SOC teams can correlate suspicious command activity with abnormal file access. This supports business continuity by preserving trustworthy evidence when investigating outages, intrusions, or unauthorized administrative activity.
Technical view
AN0163 is a Linux-focused detection analytic for unauthorized manipulation of log files, database entries, or system configuration files using auditd and syslog. SOC and detection engineering teams should validate correlation between shell commands that alter HISTFILE or related shell history behavior, data-related processes, and unusual access or modification patterns against sensitive files. Because no ATT&CK tactic, technique relationship, or official detection logic is supplied, teams should treat this as a detection design objective rather than a complete rule.
Likely telemetry
- Linux auditd events for file access, modification, and permission changes
- Syslog records from relevant Linux hosts
- Shell command telemetry where available, especially commands affecting HISTFILE or shell history behavior
- Process execution records for data-related processes
- File access and modification events for log files, database entries, and system configuration files
Detection direction
- Confirm auditd and syslog collection is enabled on the Linux systems where this analytic is expected to apply.
- Define the local list of sensitive log files, database-related paths, and system configuration files that should be monitored.
- Correlate shell activity involving HISTFILE changes with abnormal file access or modification patterns rather than alerting on isolated commands alone.
- Tune for authorized administrative, maintenance, backup, log rotation, and database operations to reduce false positives.
- Validate whether telemetry is forwarded off-host quickly enough to preserve evidence if local files are modified or removed.
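The detection direction above is a design objective rather than a rule, so the following is an added example of one way to implement it; it is not MITRE's or Glexia's detection logic. It assumes two constructed inputs: raw auditd records produced by `-w <path> -p wa -k <key>` watch rules, and shell-command lines from a hypothetical bash logger that forwards each command with its `auid` and `ses` over syslog (the `bash[pid]: auid= ses= cmd=` line shape is an assumption). The protected-file list, the authorized-writer allowlist and the correlation window are placeholders to be replaced with local definitions.

```python
"""Correlate shell-history tampering with writes to protected files (added example)."""
import re
from collections import defaultdict

# Detection step 2: the local list of protected paths -> auditd key. Example paths only.
WATCHLIST = {
    "/var/log/auth.log": "sensitive_logs",
    "/var/log/audit/audit.log": "sensitive_logs",
    "/etc/ssh/sshd_config": "sys_config",
    "/var/lib/mysql": "db_data",
}
# Detection step 4 (tuning): processes whose writes to watched paths are expected.
AUTHORIZED_WRITERS = {"/usr/sbin/logrotate", "/usr/sbin/rsyslogd", "/usr/sbin/auditd"}
# Shell commands that change HISTFILE or history behaviour (the analytic's trigger).
HISTORY_TAMPER = re.compile(r"(^|\s)(unset\s+HISTFILE|(export\s+)?HISTFILE=|history\s+-c|set\s+\+o\s+history)")
CORRELATION_WINDOW = 600  # seconds; assumed value, tune locally


def audit_rules(watchlist=WATCHLIST):
    """Render the watch list as auditctl watch rules (-w path -p wa -k key)."""
    return [f"-w {path} -p wa -k {key}" for path, key in sorted(watchlist.items())]


AUDIT_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit(lines):
    """Join SYSCALL and PATH records by serial; keep successful, non-authorized writes to watched keys."""
    by_serial = defaultdict(dict)
    for line in lines:
        m = AUDIT_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        rec = by_serial[serial]
        rec["ts"] = int(ts)
        if rtype == "SYSCALL":
            rec.update(fields)
        elif rtype == "PATH" and fields.get("nametype") != "PARENT":
            rec["path"] = fields.get("name")  # the file itself, not its parent directory
    writes = []
    for rec in by_serial.values():
        if rec.get("success") != "yes" or rec.get("key") not in set(WATCHLIST.values()):
            continue
        if rec.get("exe") in AUTHORIZED_WRITERS:
            continue  # expected maintenance activity: keep in the audit trail, do not alert
        writes.append({"ts": rec["ts"], "auid": rec.get("auid"), "ses": rec.get("ses"),
                       "exe": rec.get("exe"), "path": rec.get("path"), "key": rec.get("key")})
    return writes


SHELL_RE = re.compile(r'^(\d+) \S+ bash\[\d+\]: auid=(\d+) ses=(\d+) cmd="(.*)"$')


def parse_shell(lines):
    """Return only the forwarded shell commands that tamper with history settings."""
    out = []
    for line in lines:
        m = SHELL_RE.match(line.strip())
        if m and HISTORY_TAMPER.search(m.group(4)):
            out.append({"ts": int(m.group(1)), "auid": m.group(2), "ses": m.group(3), "cmd": m.group(4)})
    return out


def correlate(audit_lines, shell_lines, window=CORRELATION_WINDOW):
    """Detection step 3: alert only when tampering and a protected write share auid+ses within the window."""
    writes = parse_audit(audit_lines)
    alerts = []
    for cmd in parse_shell(shell_lines):
        for w in writes:
            if (w["auid"], w["ses"]) == (cmd["auid"], cmd["ses"]) and abs(w["ts"] - cmd["ts"]) <= window:
                alerts.append({"auid": w["auid"], "ses": w["ses"], "cmd": cmd["cmd"], "path": w["path"],
                               "exe": w["exe"], "gap_s": w["ts"] - cmd["ts"]})
    return alerts


# Constructed sample telemetry (not real host data). Fields are trimmed to what the parser uses.
AUDIT_SAMPLE = [
    'type=SYSCALL msg=audit(1700000130.512:901): syscall=257 success=yes exit=3 auid=1000 uid=0 ses=7 comm="bash" exe="/usr/bin/bash" key="sensitive_logs"',
    'type=PATH msg=audit(1700000130.512:901): item=0 name="/var/log/" nametype=PARENT',
    'type=PATH msg=audit(1700000130.512:901): item=1 name="/var/log/auth.log" nametype=NORMAL',
    'type=SYSCALL msg=audit(1700003600.001:950): syscall=257 success=yes auid=4294967295 ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" key="sensitive_logs"',
    'type=PATH msg=audit(1700003600.001:950): item=0 name="/var/log/auth.log" nametype=NORMAL',
    'type=SYSCALL msg=audit(1700000200.000:960): syscall=257 success=no auid=1001 ses=8 comm="vi" exe="/usr/bin/vi" key="sys_config"',
    'type=PATH msg=audit(1700000200.000:960): item=0 name="/etc/ssh/sshd_config" nametype=NORMAL',
    'type=SYSCALL msg=audit(1700005000.000:970): syscall=257 success=yes auid=1003 ses=10 comm="cp" exe="/usr/bin/cp" key="db_data"',
    'type=PATH msg=audit(1700005000.000:970): item=0 name="/var/lib/mysql/ibdata1" nametype=NORMAL',
]
SHELL_SAMPLE = [
    '1700000100 host1 bash[4242]: auid=1000 ses=7 cmd="unset HISTFILE"',
    '1700000105 host1 bash[4242]: auid=1000 ses=7 cmd="cat /etc/hostname"',
    '1700000190 host1 bash[5100]: auid=1001 ses=8 cmd="export HISTFILE=/dev/null"',
    '1700008000 host1 bash[6000]: auid=1002 ses=9 cmd="history -c"',
]

if __name__ == "__main__":
    print("\n".join(audit_rules()))
    for a in correlate(AUDIT_SAMPLE, SHELL_SAMPLE):
        print(f"ALERT auid={a['auid']} ses={a['ses']} cmd={a['cmd']!r} wrote {a['path']} via {a['exe']} ({a['gap_s']}s later)")
```

On the sample data only session 7 alerts: the `unset HISTFILE` command and the write to `/var/log/auth.log` share `auid` and `ses` within the window. The logrotate write is suppressed by the allowlist, the failed `vi` attempt never becomes a write, and the isolated `history -c` in session 9 and the isolated database-file copy in session 10 stay below alert on their own, which is the point of correlating rather than alerting on single commands.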
Mitigation priorities
- Establish reliable auditd and syslog forwarding for in-scope Linux systems before relying on this analytic for response evidence.
- Harden permissions and administrative access around log files, database-related files, shell history, and system configuration files.
- Protect security-relevant logs from local-only storage where possible by forwarding to centralized collection.
- Review authorized change procedures so legitimate configuration, database, and log maintenance activity is distinguishable from suspicious manipulation.
- Use incident response playbooks that preserve volatile command, process, file, and log evidence when this behavior is suspected.
Analyst notes and limits
The supplied object is a detection analytic, not a full ATT&CK technique entry. It provides a Linux platform scope and a high-level description centered on auditd, syslog, HISTFILE manipulation, data-related processes, and abnormal file access. No relationship context, tactic mapping, or official detection query is supplied, so implementation should be based on local Linux logging architecture and protected-file definitions.
This take is limited to the official STIX fields, external reference, and absence of relationships supplied for AN0163. It does not assert active exploitation, actor use, impact, or guaranteed detection coverage. The object does not provide a concrete detection rule, tactic, or related technique, so local validation is required.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 06fae3ed2b57… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0163
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.