MITRE ATT&CK® Analytic

AN0521: Analytic 0521

Detects deletion or overwriting of bash history, syslog, audit logs, and .ssh metadata following privilege elevation or suspicious process spawning.

Enterprise · AN0521 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN0521 is a Linux-focused detection analytic for signs that an actor or unauthorized user is trying to remove evidence after suspicious activity: deleting or overwriting bash history, syslog, audit logs, or .ssh metadata after privilege elevation or suspicious process spawning. For leaders, this matters because log tampering can reduce incident visibility, slow containment decisions, and weaken audit evidence after a Linux compromise or misuse event.

Executive priority

Treat this as a resilience and evidence-preservation control check for Linux environments. Security leaders should ask whether critical Linux systems generate, protect, and forward shell, authentication, syslog, and audit evidence before it can be locally altered. The priority is highest for servers that support business-critical services, privileged administration, regulated workloads, or SSH-based operational access.

Technical view

SOC and detection teams should validate whether Linux telemetry can correlate suspicious process spawning or privilege elevation with subsequent deletion or overwriting of bash history, syslog, audit logs, and .ssh metadata. Because the official analytic does not provide detection logic, teams should define local conditions carefully: which files are monitored, which users or service accounts are expected to modify them, how privilege changes are represented, and whether events are collected centrally before local tampering can remove them.

Likely telemetry

  • Linux process execution events, including parent-child process context
  • Privilege elevation evidence such as sudo, su, or equivalent authentication/audit records
  • File deletion, truncation, overwrite, or permission-change activity affecting shell history files
  • Syslog and Linux audit log file modification or deletion events
  • SSH metadata file activity under user home directories, including .ssh-related paths

Detection direction

  • Validate that the environment collects Linux file activity for bash history, syslog, audit logs, and .ssh metadata on systems where this analytic is expected to apply.
  • Correlate file tampering with preceding privilege elevation or suspicious process spawning rather than alerting on every log rotation or administrative maintenance event.
  • Account for legitimate activity such as log rotation, system maintenance, user shell configuration changes, and authorized cleanup jobs to reduce false positives.
  • Prioritize alerts where local log deletion coincides with gaps in centralized logging, privileged interactive sessions, or unexpected process ancestry.
  • Review blind spots where endpoint telemetry is absent, audit rules are incomplete, shell history is disabled by policy, or logs are only stored locally.
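The correlation described under "Likely telemetry" and "Detection direction" can be expressed as a small stateful rule: remember the last privilege elevation per originating user, then flag deletion, truncation, overwrite or permission changes on shell history, syslog, audit-log or .ssh paths that follow it within a short window, while suppressing processes that are expected to touch those files. The code below is an added illustration written for this page, not detection logic from MITRE or Glexia; the JSON-lines event schema (fields ts, type, user, method, action, path, process), the path list, the benign-process list and the 600-second window are all assumptions standing in for a local baseline, and the sample events are constructed.

```python
"""Correlate evidence-tampering file events with a preceding privilege elevation.

Added example; the event schema, path patterns and sample data are constructed
assumptions, not part of the ATT&CK analytic or the Glexia analysis.
"""
import json
import re
from dataclasses import dataclass

# Paths whose removal or rewriting is worth correlating (assumed list; extend locally).
SENSITIVE_PATTERNS = [
    re.compile(r"^/home/[^/]+/\.(bash|zsh|sh)_history$"),
    re.compile(r"^/root/\.(bash|zsh|sh)_history$"),
    re.compile(r"^/var/log/(syslog|messages|auth\.log|secure)"),
    re.compile(r"^/var/log/audit/"),
    re.compile(r"^/(home/[^/]+|root)/\.ssh/"),
]
TAMPER_ACTIONS = {"unlink", "truncate", "overwrite", "chmod"}
ELEVATION_METHODS = {"sudo", "su", "setuid"}
# Processes that legitimately rotate or rewrite these files (local baseline; assumed).
BENIGN_PROCESSES = {"logrotate", "rsyslogd", "auditd", "journald"}
WINDOW_SECONDS = 600


@dataclass
class Alert:
    user: str
    path: str
    action: str
    process: str
    elevated_at: float
    tampered_at: float


def is_sensitive(path: str) -> bool:
    return any(p.match(path) for p in SENSITIVE_PATTERNS)


def correlate(lines, window: int = WINDOW_SECONDS):
    """Return one Alert per sensitive-file tampering event that occurs within
    `window` seconds after a privilege elevation by the same originating user.

    `user` is the originating (login) identity, i.e. the auditd auid rather than
    the effective uid, so a root-owned `rm` run after `sudo -i` still ties back
    to the person who elevated.
    """
    events = sorted((json.loads(line) for line in lines), key=lambda e: e["ts"])
    last_elevation = {}  # originating user -> timestamp of most recent elevation
    alerts = []
    for ev in events:
        if ev["type"] == "elevation" and ev["method"] in ELEVATION_METHODS:
            last_elevation[ev["user"]] = ev["ts"]
            continue
        if ev["type"] != "file" or ev["action"] not in TAMPER_ACTIONS:
            continue
        if not is_sensitive(ev["path"]) or ev["process"] in BENIGN_PROCESSES:
            continue  # routine rotation/maintenance, or an uninteresting path
        t0 = last_elevation.get(ev["user"])
        if t0 is not None and 0 <= ev["ts"] - t0 <= window:
            alerts.append(Alert(ev["user"], ev["path"], ev["action"],
                                ev["process"], t0, ev["ts"]))
    return alerts


# Constructed sample stream: one elevation followed by three tampering events,
# plus a log rotation, an un-elevated deletion and an out-of-window deletion.
SAMPLE_EVENTS = [
    '{"ts": 1000, "type": "elevation", "user": "alice", "method": "sudo"}',
    '{"ts": 1030, "type": "file", "user": "alice", "action": "unlink", "path": "/home/alice/.bash_history", "process": "rm"}',
    '{"ts": 1045, "type": "file", "user": "alice", "action": "overwrite", "path": "/var/log/auth.log", "process": "bash"}',
    '{"ts": 1050, "type": "file", "user": "alice", "action": "chmod", "path": "/home/alice/.ssh/known_hosts", "process": "chmod"}',
    '{"ts": 1200, "type": "file", "user": "root", "action": "unlink", "path": "/var/log/syslog.7", "process": "logrotate"}',
    '{"ts": 1300, "type": "file", "user": "bob", "action": "unlink", "path": "/home/bob/.bash_history", "process": "rm"}',
    '{"ts": 5000, "type": "file", "user": "alice", "action": "unlink", "path": "/root/.ssh/authorized_keys", "process": "rm"}',
]


def run_demo():
    """Run the rule over the constructed stream; returns the alert list."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.user}: {a.action} {a.path} via {a.process} "
              f"{a.tampered_at - a.elevated_at:.0f}s after elevation")
```

Only the three events tied to alice's sudo fire: the logrotate deletion is on the baseline list, bob never elevated, and alice's later deletion falls outside the window. The window and the benign-process set are exactly the "local conditions" the Technical view says must be defined per environment, and the rule is only meaningful if the events reach a central collector before the local files are removed.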

Mitigation priorities

  • Forward Linux security and audit logs to centralized storage with retention controls so local deletion does not erase the primary evidence source.
  • Restrict and monitor privileged access to log locations, shell history files, and SSH metadata on critical Linux systems.
  • Implement file integrity or endpoint monitoring for sensitive log and SSH-related paths where operationally feasible.
  • Standardize administrative maintenance and log rotation practices so detection teams can distinguish expected changes from suspicious tampering.
  • Test incident response procedures for preserving Linux evidence when local logs or history files appear deleted or overwritten.

Analyst notes and limits

This object is a detection analytic, not a technique entry. It provides a concise description but no official detection logic, no tactic mapping, and no relationship context. The strongest use is as a validation prompt for Linux logging, privilege monitoring, and evidence-preservation coverage.

The supplied ATT&CK fields support only Linux scope and the described evidence classes. No active exploitation, actor attribution, specific tool behavior, impact claim, or guaranteed detection coverage is stated. Local baselines and telemetry availability are required to make this analytic actionable.

Official MITRE ATT&CK definition

Analytic 0521

Detects deletion or overwriting of bash history, syslog, audit logs, and .ssh metadata following privilege elevation or suspicious process spawning.

The same entry is available on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be used to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 6c934b56f3631871...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 6c934b56f363…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0521 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.