MITRE ATT&CK® Analytic

AN0467: Analytic 0467

Detects adversary behavior clearing command history via `history -c`, deletion or modification of ~/.bash_history, or manipulation of the HISTFILE environment variable post-login.

Enterprise | AN0467 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic matters because Linux shell history is often one of the first evidence sources responders use to reconstruct what happened after an interactive login. Attempts to clear command history, alter the user history file, or manipulate the history file setting can reduce incident visibility and slow containment decisions. For leaders, the practical question is not only whether this behavior can be detected, but whether Linux endpoint and audit telemetry is retained well enough to prove what actions occurred before the history was changed.

Executive priority

Treat this as an incident-readiness and evidence-preservation control point for Linux environments. It supports business continuity by helping SOC and IR teams identify possible anti-forensics behavior after login and preserve investigative context. Priority should be higher for Linux systems that host critical services, privileged administration paths, regulated workloads, or production infrastructure where loss of command evidence would affect auditability and response confidence.

Technical view

AN0467 is a Linux-focused detection analytic for behavior involving clearing shell command history via `history -c`, deletion or modification of `~/.bash_history`, or manipulation of the `HISTFILE` environment variable after login. Because ATT&CK provides no official detection logic and no relationship context here, teams should validate coverage against their own Linux telemetry sources rather than assume a specific rule exists. SOC and detection engineering should focus on post-login user activity, file modification/deletion events for shell history artifacts, and process or session evidence that can show history-clearing behavior in context.

Likely telemetry

  • Linux process execution telemetry for interactive shell sessions and commands
  • File creation, modification, truncation, or deletion events involving user shell history files such as `~/.bash_history`
  • Environment variable or shell session telemetry where `HISTFILE` changes can be observed
  • Authentication and login/session records to place the activity after user login
  • Endpoint audit logs or EDR sensor data from Linux systems

Detection direction

  • Validate whether Linux endpoints generate and forward process, file, and session telemetry before local artifacts can be altered or deleted.
  • Correlate history-clearing or history-file modification behavior with recent logins, privileged sessions, administrative activity, and other suspicious post-login actions.
  • Tune carefully for legitimate administrator workflows, maintenance scripts, user privacy practices, or shell configuration changes that may generate benign history-file events.
  • Do not rely on shell history alone for investigations; confirm independent telemetry such as process execution, audit, and centralized logs.
  • Because no ATT&CK detection logic is supplied, document local assumptions, data source dependencies, and tested conditions for any implementation of this analytic.
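To make the correlation described in the technical view and the detection direction concrete, here is an added example (not code from the page, MITRE or Glexia) that scans constructed login, command and file events, flags history-file truncation or deletion and history-related shell commands, and rates hits that fall inside a window after the same user's login. It assumes a normalized event schema (`ts`, `type`, `user`, plus `path`/`op` or `cmdline`) and a one-hour window; `history -c`, `unset HISTFILE` and `HISTFILE=` assignments are shell builtins that never reach execve-based process telemetry, so the `cmd` events only exist where shell history forwarding or session recording is in place.

```python
"""Correlate shell-history tampering with recent logins (constructed data)."""
from datetime import datetime, timedelta

# Constructed sample telemetry; not taken from the page or any real host.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "type": "login", "user": "deploy", "src": "10.0.0.5"},
    {"ts": "2024-05-01T09:00:40", "type": "cmd", "user": "deploy",
     "cmdline": "export HISTFILE=/dev/null"},
    {"ts": "2024-05-01T09:01:10", "type": "file", "user": "deploy",
     "path": "/home/deploy/.bash_history", "op": "truncate"},
    {"ts": "2024-05-01T13:30:00", "type": "file", "user": "backup",
     "path": "/home/backup/.bash_history", "op": "write"},     # routine append
    {"ts": "2024-05-01T15:00:00", "type": "cmd", "user": "ops", "cmdline": "history -c"},
]

HISTORY_FILE_OPS = {"truncate", "unlink", "rename"}   # plain writes are normal shell exit behavior
HISTORY_CMD_MARKERS = ("history -c", "HISTFILE=", "unset HISTFILE", "HISTFILESIZE=0")
WINDOW = timedelta(hours=1)   # assumed post-login correlation window


def _is_history_file(path):
    return path.rsplit("/", 1)[-1] in {".bash_history", ".zsh_history"}


def detect_history_tampering(events, window=WINDOW):
    """Return alerts for history tampering; severity is raised when it follows a login."""
    logins = {}   # user -> most recent login time seen so far (events processed in order)
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):   # ISO-8601 strings sort chronologically
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "login":
            logins[e["user"]] = ts
            continue
        if e["type"] == "file":
            hit = _is_history_file(e["path"]) and e["op"] in HISTORY_FILE_OPS
            detail = f'{e["op"]} {e["path"]}'
        elif e["type"] == "cmd":
            hit = any(m in e["cmdline"] for m in HISTORY_CMD_MARKERS)
            detail = e["cmdline"]
        else:
            continue
        if not hit:
            continue
        last = logins.get(e["user"])
        post_login = last is not None and ts - last <= window
        alerts.append({"user": e["user"], "ts": e["ts"], "detail": detail,
                       "post_login": post_login,
                       "severity": "high" if post_login else "medium"})
    return alerts
```

Hits without a matching login in the window are still emitted at lower severity so a missed or unforwarded login record does not silently suppress the finding.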

Mitigation priorities

  • Prioritize centralized collection and retention of Linux authentication, process, and file activity logs so evidence survives local history changes.
  • Limit and monitor privileged interactive access on critical Linux systems, especially where command accountability is required.
  • Establish baseline expectations for legitimate shell history management by administrators to reduce false positives and improve triage.
  • Use incident response procedures that preserve volatile and endpoint evidence quickly when history tampering is suspected.
  • Include Linux evidence-preservation controls in compliance and audit readiness reviews where administrator activity tracking is required.

Analyst notes and limits

This object is a detection analytic, not a technique description. The supplied fields identify Linux platform scope and the behavior categories the analytic is intended to detect, but provide no tactic, no official detection query, and no ATT&CK relationships. The strongest use is as a validation prompt for Linux logging, SOC triage playbooks, and IR evidence preservation.

Assessment is limited to the supplied ATT&CK analytic fields and the single external reference. No active exploitation, actor attribution, business impact, specific data source component, or guaranteed detection coverage is stated by the source. Local shell configurations, logging agents, audit policies, and retention practices will determine whether this behavior is observable.

Official MITRE ATT&CK definition

Analytic 0467

Detects adversary behavior clearing command history via `history -c`, deletion or modification of ~/.bash_history, or manipulation of the HISTFILE environment variable post-login.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 0c8acbf181d0fac8...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 0c8acbf181d0…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0467 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.