AN1556: Analytic 1556
Detection of bash/zsh history suppression via HISTFILE/HISTCONTROL manipulation and absence of ~/.bash_history updates. Observing environment variable changes tied to terminal processes is a strong indicator.
Analyst context for executives and security teams
This analytic matters because shell history is often one of the fastest ways responders reconstruct what happened on a macOS endpoint. Suppression of bash or zsh history through HISTFILE/HISTCONTROL manipulation, especially when paired with missing updates to ~/.bash_history, can reduce investigative visibility and slow containment decisions.
Executive priority
Treat this as a visibility and incident-readiness control point rather than a standalone proof of compromise. Leaders should ask whether macOS endpoint logging can show terminal process context, environment-variable changes, and shell history file activity well enough to support investigations, audit evidence, and recovery decisions when user-level command history is missing or altered.
Technical view
For SOC, detection engineering, and IR teams, validate whether macOS telemetry can observe environment variable changes associated with terminal or shell processes and correlate them with the absence of expected ~/.bash_history updates. Because no ATT&CK tactic or relationship context is supplied, this analytic should be used as supporting evidence of possible history suppression, not as a complete behavioral chain. Tune around legitimate administrative or developer workflows that may intentionally alter shell history behavior.
Likely telemetry
- macOS endpoint process telemetry for terminal and shell processes
- Environment variable change or process environment telemetry involving HISTFILE and HISTCONTROL
- File activity telemetry for ~/.bash_history, including expected update patterns or absence of updates
- User session context tying terminal activity to local accounts
- Endpoint detection and response or host logging data that preserves parent/child process context
Detection direction
- Validate that terminal-launched bash or zsh sessions expose enough process and environment context to identify HISTFILE or HISTCONTROL manipulation.
- Correlate environment-variable changes with shell history file behavior rather than alerting only on a single variable value.
- Baseline legitimate macOS administrator, developer, and automation workflows that may suppress or redirect history to reduce false positives.
- Investigate cases where interactive shell activity is present but ~/.bash_history is not updated as expected.
- Document blind spots where endpoint tools do not capture process environment details or file write activity for user shell history files.
Mitigation priorities
- Prioritize endpoint logging and EDR configuration that retains macOS shell process context and relevant file activity.
- Ensure incident response procedures do not rely solely on shell history and include alternate evidence sources such as process telemetry and session context.
- Review administrative standards for shell configuration so intentional history suppression is documented and distinguishable from suspicious activity.
- Use this analytic as part of broader macOS detection coverage, not as an isolated control or guaranteed compromise indicator.
Analyst notes and limits
The supplied object is a detection analytic for macOS focused on bash/zsh history suppression through HISTFILE/HISTCONTROL manipulation and missing ~/.bash_history updates. No ATT&CK tactics, related techniques, aliases, labels, or relationship context were supplied, and the official detection field is not provided. Local baselining is required to determine what constitutes abnormal shell history behavior.
This take is limited to the official STIX fields, external reference, and the absence of relationship context provided. It does not establish attacker intent, active exploitation, attribution, impact, or complete detection coverage. zsh-specific history file behavior is not detailed in the supplied fields, so recommendations stay anchored to the provided ~/.bash_history and environment-variable indicators.
Analytic 1556
Detection of bash/zsh history suppression via HISTFILE/HISTCONTROL manipulation and absence of ~/.bash_history updates. Observing environment variable changes tied to terminal processes is a strong indicator.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 52e83eb2fa18… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1556Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.