AN1555: Analytic 1555
Detection of environment variable tampering (HISTFILE, HISTCONTROL, HISTFILESIZE) and absence of expected bash history writes. Correlation of unset or zeroed history variables with active shell sessions is indicative of adversarial evasion.
Analyst context for executives and security teams
This analytic matters because shell history is often one of the first places responders look to reconstruct what happened on a Linux system. If history-related environment variables such as HISTFILE, HISTCONTROL, or HISTFILESIZE are unset, zeroed, or otherwise tampered with during an active shell session, the organization may lose key evidence needed for incident scoping, accountability, and recovery decisions.
Executive priority
Treat this as an evidence-integrity and response-readiness control, not just a Linux logging rule. Leaders should ask whether critical Linux servers preserve command execution evidence even when local shell history is disabled or manipulated. The business value is strongest for incident response, compliance evidence, privileged access oversight, and operational resilience on systems where administrator or service access could affect production operations.
Technical view
For SOC and detection engineering teams, validate whether Linux telemetry can identify changes to bash history-related environment variables and correlate them with active interactive shell sessions. Because the official object provides no tactic mapping, no relationships, and no detailed detection logic, teams should avoid treating this as a standalone high-confidence alert. It is better used as a supporting signal for evasive behavior when paired with session, process, authentication, and command execution evidence.
Likely telemetry
- Linux process creation and parent/child process context for interactive shells
- Environment variable telemetry where available, especially HISTFILE, HISTCONTROL, and HISTFILESIZE
- Shell session activity, including TTY or interactive login context
- Authentication and privileged access logs for Linux systems
- Bash history file write activity or absence of expected history writes
Detection direction
- Confirm whether current Linux logging captures environment variable state or changes; many environments do not collect this by default.
- Correlate unset, redirected, or zero-sized history settings with active shell sessions rather than alerting on variable values alone.
- Tune for legitimate administrative workflows, automation, hardened shell profiles, or privacy settings that may intentionally reduce shell history.
- Use absence of expected bash history writes as a triage lead, but validate against process, session, and authentication telemetry before escalation.
- Prioritize coverage on high-value Linux servers, bastion hosts, administrator workstations, and systems supporting regulated or operationally critical workloads.
Mitigation priorities
- Preserve independent command and session telemetry so response does not rely solely on user-controlled bash history.
- Standardize Linux shell logging and audit expectations for privileged users and critical servers.
- Restrict and monitor privileged interactive access where business risk is highest.
- Document acceptable shell history configurations so SOC teams can distinguish approved hardening from suspicious tampering.
- Test incident response playbooks against scenarios where local shell history is incomplete or intentionally suppressed.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Linux environment variable tampering involving bash history controls. It has no supplied tactic mapping, no relationships, and no official detection implementation. Glexia would position this as a useful evasion and evidence-loss signal that should be correlated with stronger host and session telemetry.
This take is limited to the official STIX fields, the external reference, and the absence of relationship context supplied. It does not establish active exploitation, attribution, impact, or guaranteed detection coverage. Local Linux configurations and telemetry availability will determine practical usefulness.
Analytic 1555
Detection of environment variable tampering (HISTFILE, HISTCONTROL, HISTFILESIZE) and absence of expected bash history writes. Correlation of unset or zeroed history variables with active shell sessions is indicative of adversarial evasion.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 5a7c2634fc57… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1555Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.