AN0394: Analytic 0394
Detects removal of adversary artifacts via `rm`, `unlink`, or secure tools, with focus on shell sessions, temp files, and modified LaunchAgents or system directories.
Analyst context for executives and security teams
This analytic is relevant because artifact removal on macOS can erase evidence needed to understand an intrusion, scope impact, and restore confidence after an incident. The supplied ATT&CK object focuses on detecting use of deletion utilities such as `rm`, `unlink`, or secure deletion tools in shell sessions, especially around temporary files, modified LaunchAgents, and system directories.
Executive priority
Security leaders should treat this as an evidence-preservation and incident-readiness concern for macOS environments. The business question is whether the organization can still reconstruct attacker activity if files, temporary artifacts, or persistence-related LaunchAgent changes are removed. Priority should go to confirming macOS endpoint telemetry, shell activity visibility, and retention are sufficient to support managed detection, incident response, and audit evidence needs.
Technical view
For SOC and IR teams, validate whether macOS telemetry can show command execution involving deletion utilities, the user or process context that launched them, affected file paths, and timing around shell sessions. Because the object names LaunchAgents and system directories, detection engineering should pay attention to deletion or cleanup activity near those locations and temporary directories. No ATT&CK tactics, relationships, or detailed detection logic were supplied, so local baselining is required to distinguish routine administration or software maintenance from suspicious cleanup.
Likely telemetry
- macOS process execution events for `rm`, `unlink`, and secure deletion utilities
- Shell session command history or equivalent endpoint command-line telemetry where available
- File deletion or file modification events in temporary directories
- File activity involving LaunchAgents
- File activity involving system directories
Detection direction
- Confirm that macOS endpoint logging captures command-line arguments and parent-child process context for deletion utilities.
- Tune detections around sensitive paths named by the analytic focus: temporary files, LaunchAgents, and system directories.
- Baseline legitimate administrative cleanup, software updates, and maintenance scripts to reduce false positives.
- Correlate deletion activity with preceding suspicious shell activity or recent modifications to the same paths when telemetry supports it.
- Validate retention periods so evidence remains available after suspected artifact removal.
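As an added illustration, not part of the analytic or of Glexia's content, the following Python sketch applies the direction above to constructed macOS telemetry: it parses deletion command lines, keeps only targets in the sensitive locations the analytic names, suppresses a constructed baseline of maintenance parent processes, and records whether the same path was modified shortly before deletion. The event field names, the baseline set, and every sample event are assumptions made for the example.

```python
import shlex
from datetime import datetime, timedelta

# Deletion utilities named by the analytic, plus common secure-deletion tools.
DELETION_TOOLS = {"rm", "unlink", "srm", "shred"}
# Sensitive locations from the analytic: temp dirs, LaunchAgents, system directories.
SENSITIVE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Library/", "/System/", "/usr/")
# Constructed baseline of parent processes expected to clean up (tune from local data).
BASELINED_PARENTS = {"installd", "softwareupdated"}
def deleted_paths(cmdline):
    """Target paths of a deletion command, or [] if the command is not one."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in the captured command line
        return []
    if not argv or argv[0].rsplit("/", 1)[-1] not in DELETION_TOOLS:
        return []
    return [a for a in argv[1:] if not a.startswith("-")]  # drop flags such as -rf, -m

def is_sensitive(path):
    # Substring match also catches per-user ~/Library/LaunchAgents/ entries.
    return path.startswith(SENSITIVE_PREFIXES) or "/Library/LaunchAgents/" in path

def detect_artifact_removal(events, window=timedelta(minutes=30)):
    """Flag deletions of sensitive paths; note whether the path was written within `window`."""
    alerts, last_write = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "file_modify":
            last_write[ev["path"]] = ts
            continue
        for path in deleted_paths(ev["cmdline"]):
            if not is_sensitive(path) or ev["parent"] in BASELINED_PARENTS:
                continue
            prior = last_write.get(path)
            alerts.append({"user": ev["user"], "parent": ev["parent"], "path": path,
                           "recently_modified": prior is not None and ts - prior <= window})
    return alerts
# Constructed sample telemetry (not real data): one file event and three executions.
SAMPLE_EVENTS = [
    {"event": "file_modify", "ts": "2024-05-01T10:00:00", "user": "alice",
     "path": "/Users/alice/Library/LaunchAgents/com.example.update.plist"},
    {"event": "process_exec", "ts": "2024-05-01T10:12:00", "user": "alice", "parent": "bash",
     "cmdline": "rm -f /Users/alice/Library/LaunchAgents/com.example.update.plist /tmp/.stage"},
    {"event": "process_exec", "ts": "2024-05-01T10:13:00", "user": "root", "parent": "installd",
     "cmdline": "rm -rf /private/tmp/install.tmp"},  # baselined maintenance cleanup
    {"event": "process_exec", "ts": "2024-05-01T10:14:00", "user": "alice", "parent": "zsh",
     "cmdline": "srm -m /private/tmp/agent.bin"},
]
def run_sample():
    return detect_artifact_removal(SAMPLE_EVENTS)
```

Relative paths are not matched, so the telemetry source should record the working directory or resolve paths before this logic runs.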
Mitigation priorities
- Prioritize reliable macOS endpoint telemetry collection and retention before relying on this analytic operationally.
- Restrict and monitor administrative access capable of modifying LaunchAgents and system directories.
- Use change-control and file integrity expectations for sensitive macOS persistence and system locations where appropriate.
- Ensure incident response procedures account for possible artifact deletion and preserve endpoint evidence quickly.
- Review logging coverage as part of compliance readiness and incident response tabletop exercises.
Analyst notes and limits
This object is a detection analytic, not a technique description. Its value is strongest as a validation checklist for macOS artifact-removal visibility: can defenders see who deleted what, from which shell or process, and in which sensitive locations? Relationship context was not supplied, so no linked technique, tactic, software, or actor context should be inferred.
The official detection field is not provided, tactics are not specified, and no relationships were supplied. This analysis is therefore limited to the official description, platform, and external reference. Local environment data is required to define exact queries, thresholds, false-positive handling, and operational severity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 15511f955c5a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0394 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.