MITRE ATT&CK® Analytic

AN0468: Analytic 0468

Detects adversary clearing shell history using `history -c` or deleting/altering ~/.zsh_history or ~/.bash_history. Focus on sessions with missing or wiped history.

Domain: Enterprise. ID: AN0468. Type: Analytic. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because cleared or missing shell history on macOS can remove useful incident evidence and slow response decisions. For leaders, the key value is not just detecting a command; it is confirming whether endpoint logging can preserve enough activity context when a user or process attempts to wipe local command history.

Executive priority

Prioritize this as an incident-readiness and audit-evidence control for macOS environments. Security leaders should ask whether SOC and IR teams can still reconstruct user activity when shell history is missing, altered, or wiped, and whether endpoint telemetry is retained outside the user-controlled history files.

Technical view

For macOS, validate detection logic for sessions where shell history is cleared with `history -c` or where `~/.zsh_history` or `~/.bash_history` is deleted or altered. Because no ATT&CK detection text or relationship context is supplied, teams should treat this as a focused analytic around shell-history integrity rather than a complete behavior chain.

Likely telemetry

  • macOS endpoint process execution telemetry for shell commands
  • File deletion or modification events for `~/.zsh_history` and `~/.bash_history`
  • User session context tying shell activity to an account and host
  • Endpoint logs retained outside local shell history files

Detection direction

  • Confirm that macOS endpoints generate and forward process and file activity needed to observe history clearing or history-file tampering.
  • Tune for context: legitimate troubleshooting, privacy cleanup, or administrative maintenance may resemble this behavior.
  • Alert quality should improve when missing or wiped history is correlated with suspicious session context, but no relationship context is supplied for this object.
  • Validate that telemetry survives local file deletion or alteration; relying only on shell history creates a major blind spot.
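The detection direction above can be exercised against endpoint events. The following is an added example, not Glexia's or MITRE's code, and it assumes a constructed, hypothetical event schema: "process" events carry the command line of a shell command as captured by the endpoint agent, "file" events carry an action and a path, and both carry host, user and session so each finding keeps its session context. It covers the page's indicators (`history -c`, deletion or alteration of `~/.zsh_history` and `~/.bash_history`) and generalizes "alteration" to truncation, whether by a redirect on the command line or by a file event that leaves the history file empty. One caveat it encodes: `history -c` is a shell builtin and does not fork a process, so fork/exec telemetry alone will never show it; it is only visible where the agent records shell command lines.

```python
"""Flag macOS shell sessions that clear or tamper with shell history.

Added example (not Glexia's or MITRE's code). The event schema and the
sample events below are constructed for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

HISTORY_FILES = (".zsh_history", ".bash_history")

# `history -c` at the start of a command line or after a separator (; & |).
# This only matches if the agent captures shell command lines: `history` is a
# builtin and produces no process-execution event of its own.
CLEAR_CMD = re.compile(r"(^|[;&|]\s*)history\s+-c\b")
# rm of a history file within one command (no separator between rm and the path).
RM_CMD = re.compile(r"\brm\b[^;&|]*\.(zsh|bash)_history\b")
# Truncation by redirect: "> ~/.zsh_history" or ": > ~/.bash_history".
TRUNC_CMD = re.compile(r"(^|[;&|]\s*)(:\s*)?>\s*\S*\.(zsh|bash)_history\b")

SessionKey = Tuple[str, str, str]  # (host, user, session)

# Constructed sample telemetry; not real log data.
SAMPLE_EVENTS: List[dict] = [
    {"ts": "2024-05-01T09:00:01Z", "type": "process", "host": "mac-01", "user": "alice",
     "session": "ttys001", "cmdline": "ls -la /tmp"},
    {"ts": "2024-05-01T09:00:02Z", "type": "process", "host": "mac-01", "user": "alice",
     "session": "ttys001", "cmdline": "history -c"},
    {"ts": "2024-05-01T09:00:03Z", "type": "file", "host": "mac-01", "user": "alice",
     "session": "ttys001", "action": "unlink", "path": "/Users/alice/.zsh_history"},
    # Normal shell exit appending to history: a modify that leaves a non-empty file.
    {"ts": "2024-05-01T09:05:00Z", "type": "file", "host": "mac-01", "user": "bob",
     "session": "ttys002", "action": "modify", "path": "/Users/bob/.zsh_history",
     "size_after": 4096},
    # Reading history is not tampering.
    {"ts": "2024-05-01T10:00:00Z", "type": "process", "host": "mac-02", "user": "carol",
     "session": "ttys003", "cmdline": "cat ~/.bash_history | grep ssh"},
    {"ts": "2024-05-01T10:00:05Z", "type": "process", "host": "mac-02", "user": "carol",
     "session": "ttys003", "cmdline": "cd /tmp && > ~/.bash_history"},
]


def classify_event(ev: dict) -> Optional[str]:
    """Return a finding label for one event, or None if it is not of interest."""
    if ev["type"] == "process":
        cmd = ev["cmdline"]
        if CLEAR_CMD.search(cmd):
            return "history_clear_command"
        if RM_CMD.search(cmd) or TRUNC_CMD.search(cmd):
            return "history_file_command"
        return None
    if ev["type"] == "file" and ev["path"].endswith(HISTORY_FILES):
        action = ev["action"]
        if action in ("unlink", "rename"):
            return "history_file_deleted"
        if action == "truncate" or (action == "modify" and ev.get("size_after") == 0):
            return "history_file_emptied"
    return None


def detect(events: List[dict]) -> Dict[SessionKey, List[Tuple[str, str]]]:
    """Group findings by (host, user, session) so an alert carries session context."""
    findings: Dict[SessionKey, List[Tuple[str, str]]] = defaultdict(list)
    for ev in events:
        label = classify_event(ev)
        if label:
            findings[(ev["host"], ev["user"], ev["session"])].append((ev["ts"], label))
    return dict(findings)


def sessions_to_review(events: List[dict]) -> List[Tuple[SessionKey, List[str]]]:
    """Sorted triage list: each flagged session with the ordered finding labels."""
    return sorted((key, [label for _, label in hits]) for key, hits in detect(events).items())


if __name__ == "__main__":
    for key, labels in sessions_to_review(SAMPLE_EVENTS):
        print(key, labels)
```

Run against the constructed events, the two sessions that cleared or truncated history are flagged, while bob's ordinary history append and carol's read of her own history are not. Tuning per the list above belongs in the caller: compare flagged sessions against a baseline of accounts and hosts where administrators routinely clean up history, and treat the file-event path as the one that survives when command-line capture is absent.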

Mitigation priorities

  • Preserve endpoint activity logs centrally so incident responders are not dependent on user-controlled shell history files.
  • Restrict unnecessary administrative access where practical to reduce opportunities to alter local evidence.
  • Document macOS logging and retention coverage as compliance and IR-readiness evidence.
  • Test incident response playbooks for cases where shell history is unavailable or incomplete.

Analyst notes and limits

This object is a detection analytic, not a full ATT&CK technique description. Its supplied scope is limited to macOS and shell-history clearing or tampering. There are no supplied tactics, relationships, groups, software, mitigations, or official detection details beyond the description.

The source provides no relationship context and no official detection implementation. Local environment baselines are required to distinguish suspicious history wiping from legitimate administrative or user activity. This take does not assert active exploitation, attribution, impact, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Analytic 0468

Detects adversary clearing shell history using `history -c` or deleting/altering ~/.zsh_history or ~/.bash_history. Focus on sessions with missing or wiped history.

The same entry can be viewed on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 40d9ed82d2510bad...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 40d9ed82d251…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0468

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.