MITRE ATT&CK® Analytic

AN1438: Analytic 1438

Detects log-clearing behavior by correlating suspicious command execution targeting log files under /var/log/, anomalous deletions or truncations of system logs, and unusual child processes (e.g., shell pipelines or redirections).

Domain: Enterprise | ID: AN1438 | Type: Analytic | Object version: 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because Linux log clearing can remove the evidence SOC and incident response teams need to reconstruct an intrusion, prove scope, and support audit or legal follow-up. For leaders, the decision value is not just whether a rule exists, but whether critical Linux systems retain command, file, and process evidence when an attacker attempts to delete or truncate logs under /var/log/.

Executive priority

Treat this as an incident-readiness and resilience validation item for Linux environments. Security leaders should ask whether high-value Linux hosts send logs off-host quickly enough, whether destructive changes to system logs generate alerts, and whether responders can still investigate if local /var/log/ contents are altered. This supports budget and control prioritization around managed detection, endpoint telemetry, centralized logging, retention, and audit evidence preservation.

Technical view

AN1438 is a Linux-focused detection analytic for log-clearing behavior. The supplied description centers on correlation across three evidence patterns: suspicious command execution targeting files under /var/log/, anomalous deletion or truncation of system logs, and unusual child processes such as shell pipelines or redirections. SOC and detection engineering teams should validate whether endpoint/process telemetry and file activity telemetry can connect the actor process, child process chain, target log path, and file operation. Because no ATT&CK tactic or formal detection logic is supplied, implementation should be locally tested against legitimate log rotation, administrative maintenance, and application cleanup activity to reduce false positives.

Likely telemetry

  • Linux process creation telemetry, including command line and parent/child process relationships
  • File deletion, truncation, rename, or modification events for paths under /var/log/
  • Shell activity involving pipelines, redirections, or child processes interacting with log files
  • Centralized syslog or log forwarding records showing gaps, drops, or sudden absence of expected host logs
  • Endpoint or audit telemetry capable of tying a user, process, timestamp, and target log file together

Detection direction

  • Correlate command execution with file operations against /var/log/ rather than alerting only on isolated commands or isolated file changes.
  • Baseline expected log rotation and administrative maintenance jobs so routine truncation or archival activity does not dominate alert queues.
  • Prioritize unusual parent/child process chains, shell redirections, and pipelines that target system logs, as highlighted by the analytic description.
  • Validate that telemetry survives local log tampering by forwarding relevant process and file events to a centralized platform quickly.
  • Review alert logic for blind spots where minimal shell environments, missing command-line capture, or incomplete file monitoring prevent correlation.
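The correlation described in the Detection direction list, as an added example (not part of the ATT&CK object or Glexia's page): constructed process-creation and file-operation events are joined on PID, destructive operations under /var/log/ are scored by whether the command line carries a shell redirection or pipeline and whether the parent chain is an interactive shell, and chains that include the locally baselined maintenance parents (logrotate, cron) are suppressed. Event fields, the baseline set and the sample data are assumptions for illustration.

```python
"""Correlate process telemetry with destructive file ops under /var/log/."""
import re
from collections import namedtuple

LOG_DIR = "/var/log/"
DESTRUCTIVE_OPS = {"unlink", "truncate", "rename"}
SHELL_OP_RE = re.compile(r"\||>>?")          # pipeline or output redirection token
BASELINE_COMMS = {"logrotate", "cron"}       # assumed local maintenance baseline; validate per host
INTERACTIVE_SHELLS = {"bash", "zsh"}

Proc = namedtuple("Proc", "pid ppid comm cmdline user")
FileOp = namedtuple("FileOp", "pid op path")

# Constructed sample telemetry (not real captures), keyed by PID.
PROCS = {
    1: Proc(1, 0, "systemd", "/sbin/init", "root"),
    200: Proc(200, 1, "cron", "/usr/sbin/cron", "root"),
    201: Proc(201, 200, "logrotate", "logrotate /etc/logrotate.conf", "root"),
    300: Proc(300, 1, "sshd", "sshd: alice", "root"),
    301: Proc(301, 300, "bash", "-bash", "alice"),
    302: Proc(302, 301, "sh", "sh -c 'cat /dev/null > /var/log/auth.log'", "alice"),
    400: Proc(400, 1, "python3", "python3 /opt/app/cleanup.py", "app"),
}
FILE_OPS = [
    FileOp(201, "rename", "/var/log/syslog"),            # routine rotation
    FileOp(302, "truncate", "/var/log/auth.log"),        # shell redirection from an ssh session
    FileOp(400, "unlink", "/var/log/app/debug.log.1"),   # application cleanup, no shell involved
    FileOp(302, "unlink", "/home/alice/tmp.txt"),        # outside /var/log/, ignored
]

def ancestry(pid, procs):
    """Command names from the acting process up to the root of the known tree."""
    chain = []
    while pid in procs:
        chain.append(procs[pid].comm)
        pid = procs[pid].ppid
    return chain

def correlate(procs, file_ops):
    """One alert per destructive op under /var/log/, scored by the number of
    independent signals; baselined maintenance chains are suppressed."""
    alerts = []
    for ev in file_ops:
        if ev.op not in DESTRUCTIVE_OPS or not ev.path.startswith(LOG_DIR):
            continue
        proc = procs.get(ev.pid)
        if proc is None:
            continue  # no process record: a telemetry blind spot worth tracking separately
        chain = ancestry(ev.pid, procs)
        if BASELINE_COMMS & set(chain):
            continue  # expected rotation or cron maintenance per the local baseline
        reasons = [f"{ev.op} on {ev.path}"]
        if SHELL_OP_RE.search(proc.cmdline) and LOG_DIR in proc.cmdline:
            reasons.append("shell redirection/pipeline targeting /var/log/")
        if INTERACTIVE_SHELLS & set(chain[1:]):
            reasons.append("spawned from shell chain " + ">".join(reversed(chain)))
        alerts.append({"pid": ev.pid, "user": proc.user, "path": ev.path,
                       "score": len(reasons), "reasons": reasons})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)
```

Feeding real auditd or EDR events into `PROCS` and `FILE_OPS` shapes turns this into a first-pass rule; the baseline set is where most local tuning against log rotation and application cleanup will land.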

Mitigation priorities

  • Ensure critical Linux logs and security telemetry are forwarded to centralized storage with appropriate retention before local alteration can erase evidence.
  • Restrict administrative access to Linux systems and review who can modify or remove system logs under /var/log/.
  • Harden and monitor logging configuration, log rotation behavior, and file permissions on high-value Linux hosts.
  • Use incident response playbooks that treat log deletion or truncation as potential evidence destruction and trigger preservation of remaining host, endpoint, and centralized telemetry.
  • Periodically test detection coverage with benign administrative simulations that validate process, child-process, and file-operation correlation without using offensive procedures.

Analyst notes and limits

The object is a detection analytic, not a technique or campaign report. Its value is strongest as a coverage validation prompt for Linux logging, endpoint telemetry, and IR evidence preservation. The relationship context is empty, so this take does not infer associated techniques, actors, software, or tactics beyond the supplied description.

Official detection logic is not provided, tactics are not specified, and no relationships are supplied. The guidance therefore remains implementation-level and conservative. Local environment details such as Linux distribution, audit configuration, EDR coverage, log rotation policy, and SIEM ingestion latency are required to determine actual detection quality.

Official MITRE ATT&CK definition

Analytic 1438

Detects log-clearing behavior by correlating suspicious command execution targeting log files under /var/log/, anomalous deletions or truncations of system logs, and unusual child processes (e.g., shell pipelines or redirections).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: fd4757590707bff6...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | fd4757590707…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1438 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.