AN0522: Analytic 0522
Detects clearing of unified logs, deletion of plist files tied to persistence, and manipulation of Terminal history after initial execution.
Analyst context for executives and security teams
This analytic is about macOS post-execution cleanup behavior: clearing unified logs, deleting persistence-related plist files, and manipulating Terminal history. For leaders, the significance is not the individual file or log action alone; it is that an incident may become harder to investigate if endpoint telemetry, shell history, or persistence evidence is removed after execution.
Executive priority
Prioritize this as an incident readiness and audit-evidence concern for macOS environments. Security leaders should ask whether macOS log sources, endpoint records, and persistence artifacts are retained somewhere attackers or users cannot easily erase. The business value is preserving investigation evidence, validating containment decisions, and reducing uncertainty during a suspected compromise.
Technical view
For SOC, detection engineering, and IR teams, validate whether macOS telemetry can show: unified log clearing, deletion of plist files associated with persistence, and Terminal history manipulation after execution. Because no official detection logic or ATT&CK tactic mapping is supplied, treat this as a detection validation target rather than a complete rule. Focus on whether endpoint and log pipelines preserve before-and-after evidence when local artifacts are removed.
Likely telemetry
- macOS unified log activity and evidence of log clearing
- Endpoint file deletion events involving plist files tied to persistence locations
- Shell or Terminal history file modification, truncation, or deletion events
- Endpoint process execution context around the time of cleanup activity
- Centralized endpoint or log retention records that survive local artifact deletion
Detection direction
- Confirm that macOS endpoint visibility captures file deletion and modification events for persistence-related plist files.
- Validate that clearing of unified logs is observable through central logging, EDR, or endpoint audit sources rather than relying only on local logs.
- Tune detections to consider temporal context after initial execution, as the official description frames the behavior as occurring after execution.
- Review false positives from legitimate administration, troubleshooting, privacy cleanup, or system maintenance activity.
- Because no official detection text is provided, document local assumptions, tested data sources, and known gaps before treating this as covered.
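The telemetry list and detection direction above describe what to look for but not how the three behaviors and the "after initial execution" condition turn into logic. The following is an added example, not code from Glexia, MITRE or the ATT&CK analytic: a small Python detector run over constructed endpoint events. The event schema (`process_exec`, `file_delete`, `file_modify` records with `ts`, `uid`, `path`, `argv`, `size_after`) is an assumption; map your EDR or Endpoint Security Framework fields onto it. The path patterns are real macOS locations (launchd plist directories, shell history files, the unified log store under /var/db/diagnostics and /var/db/uuidtext, and the `log erase` subcommand); the "untrusted execution" paths are a tuning assumption.

```python
"""Added example: flag macOS post-execution cleanup in endpoint telemetry.

Event schema and sample events are constructed for this example; they are
not real telemetry and not the analytic's official detection logic.
"""
import re
from datetime import datetime, timedelta

# launchd persistence plist locations (per-user and system-wide).
PERSISTENCE_PLIST = re.compile(
    r"^(?:/Users/[^/]+)?/Library/Launch(?:Agents|Daemons)/[^/]+\.plist$")
# Shell history files; ~/.zsh_sessions/ holds per-session zsh history on macOS.
SHELL_HISTORY = re.compile(
    r"/(?:\.(?:zsh|bash|sh)_history|\.zsh_sessions/[^/]+)$")
# On-disk unified log store; deleting these removes log archives directly.
UNIFIED_LOG_STORE = re.compile(r"^/(?:private/)?var/db/(?:diagnostics|uuidtext)/")
# `log erase` clears the unified log; argv is matched as a joined string.
LOG_ERASE = re.compile(r"^(?:/usr/bin/)?log\s+erase\b")
# Common in-shell history manipulation.
HISTORY_CMDS = re.compile(r"(?:history\s+-c|unset\s+HISTFILE|HISTFILE=/dev/null)")
# Assumed "initial execution" locations for temporal correlation; tune locally.
UNTRUSTED_EXEC = re.compile(r"^/(?:private/)?tmp/|^/Users/[^/]+/(?:Downloads|Desktop)/")


def _argv_str(ev):
    argv = ev.get("argv", [])
    if argv and argv[0] in ("sudo", "/usr/bin/sudo"):  # look through sudo
        argv = argv[1:]
    return " ".join(argv)


def classify(ev):
    """Return the cleanup rule an event matches, or None."""
    kind, path = ev["type"], ev.get("path", "")
    if kind == "process_exec":
        cmd = _argv_str(ev)
        if LOG_ERASE.match(cmd):
            return "unified_log_clear"
        if HISTORY_CMDS.search(cmd):
            return "shell_history_manipulation"
    elif kind == "file_delete":
        if PERSISTENCE_PLIST.match(path):
            return "persistence_plist_delete"
        if SHELL_HISTORY.search(path):
            return "shell_history_manipulation"
        if UNIFIED_LOG_STORE.match(path):
            return "unified_log_clear"
    elif kind == "file_modify":
        # Truncation to zero bytes is the usual "clear history" write pattern.
        if SHELL_HISTORY.search(path) and ev.get("size_after") == 0:
            return "shell_history_manipulation"
    return None


def detect(events, window=timedelta(hours=1)):
    """Flag cleanup events and record whether each followed an untrusted
    execution by the same uid within `window` (the analytic's
    'after initial execution' framing)."""
    last_exec = {}  # uid -> timestamp of most recent untrusted exec
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "process_exec" and UNTRUSTED_EXEC.match(ev.get("path", "")):
            last_exec[ev["uid"]] = ev["ts"]
        rule = classify(ev)
        if rule is None:
            continue
        t0 = last_exec.get(ev["uid"])
        delta = (ev["ts"] - t0).total_seconds() if t0 is not None else None
        findings.append({
            "rule": rule, "ts": ev["ts"], "uid": ev["uid"],
            "detail": ev.get("path") or _argv_str(ev),
            "after_initial_exec": delta is not None and 0 <= delta <= window.total_seconds(),
        })
    return findings


def summarize(findings):
    """Count findings per rule, only those correlated with an initial execution."""
    counts = {}
    for f in findings:
        if f["after_initial_exec"]:
            counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


T = datetime(2026, 1, 15, 10, 0, 0)
SAMPLE_EVENTS = [  # constructed sample telemetry
    {"ts": T - timedelta(hours=2), "type": "file_delete", "uid": 501,
     "path": "/Users/alice/Library/LaunchAgents/com.example.old.plist"},  # no prior exec
    {"ts": T, "type": "process_exec", "uid": 501,
     "path": "/Users/alice/Downloads/update", "argv": ["update"]},  # initial execution
    {"ts": T + timedelta(minutes=5), "type": "process_exec", "uid": 501,
     "path": "/usr/bin/log", "argv": ["sudo", "log", "erase", "--all"]},
    {"ts": T + timedelta(minutes=6), "type": "file_delete", "uid": 501,
     "path": "/private/var/db/diagnostics/Persist/0000000000000123.tracev3"},
    {"ts": T + timedelta(minutes=7), "type": "file_delete", "uid": 501,
     "path": "/Users/alice/Library/LaunchAgents/com.example.updater.plist"},
    {"ts": T + timedelta(minutes=8), "type": "file_modify", "uid": 501,
     "path": "/Users/alice/.zsh_history", "size_after": 0},
    {"ts": T + timedelta(minutes=9), "type": "process_exec", "uid": 501,
     "path": "/bin/zsh", "argv": ["zsh", "-c", "unset HISTFILE; history -c"]},
    {"ts": T + timedelta(minutes=10), "type": "file_modify", "uid": 501,
     "path": "/Users/alice/.zsh_history", "size_after": 4096},  # normal append, ignored
    {"ts": T + timedelta(minutes=11), "type": "file_delete", "uid": 0,
     "path": "/Library/LaunchDaemons/com.example.agent.plist"},  # different uid
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["ts"].time(), f["uid"], f["rule"], f["detail"], f["after_initial_exec"])
    print(summarize(detect(SAMPLE_EVENTS)))
```

Two limits are visible in the sample: the pre-execution plist deletion and the root-owned LaunchDaemons deletion are still flagged but not correlated, because the correlation key is uid and a `sudo` step changes it. In production, key on session, audit token or parent-process lineage rather than uid, and make sure the events themselves are shipped off-host before the cleanup lands, since a successful `log erase` removes the local record of the erase.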
Mitigation priorities
- Ensure macOS security telemetry is centrally collected and retained so local log or history manipulation does not remove all evidence.
- Harden access to administrative actions that can clear logs or alter persistence artifacts.
- Monitor and govern persistence-related plist locations as part of macOS endpoint security baselines.
- Include macOS artifact-preservation steps in incident response playbooks.
- Use detection validation exercises to prove whether cleanup behavior remains visible after local artifacts are deleted or modified.
Analyst notes and limits
This object is a detection analytic for macOS only. The available ATT&CK content describes the behavior but does not provide detection logic, tactics, relationships, aliases, or labels. Glexia would use it as a control-validation prompt for macOS evidence preservation and post-execution cleanup detection.
The supplied fields do not support claims about specific adversaries, active exploitation, impact, prevalence, or guaranteed detection. Local environment evidence is required to determine whether unified log clearing, plist deletion, or Terminal history manipulation is actually collected and alertable.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3ad8bfdeb1a4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0522 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.