AN0395: Analytic 0395
Detects manual or scripted removal of logs, artifacts, or malware droppings via `rm` or PowerCLI in ESXi shell. Focus on deletions from /tmp/, /var/core/, or /scratch.
Analyst context for executives and security teams
This analytic matters because deletion of logs, crash artifacts, temporary files, or malware droppings on ESXi can remove evidence needed to understand and contain an incident. For leaders, the decision point is whether ESXi hosts are treated as monitored, evidence-bearing infrastructure—not just virtualization plumbing. If teams cannot see or reconstruct suspicious removals from /tmp/, /var/core/, or /scratch, incident response may lose critical context during a hypervisor investigation.
Executive priority
Prioritize validation of ESXi logging and response readiness where virtualization supports business-critical workloads. This is less about a single command and more about whether the organization can preserve evidence, support audit questions, and make timely incident decisions when activity occurs on ESXi hosts. Security leaders should ask whether SOC and IR teams have visibility into ESXi shell and PowerCLI activity, whether relevant filesystem locations are monitored or retained, and whether evidence preservation procedures cover hypervisor systems.
Technical view
AN0395 is an ESXi-focused detection analytic for manual or scripted removal of logs, artifacts, or malware droppings using rm or PowerCLI, with emphasis on deletions from /tmp/, /var/core/, and /scratch. SOC and detection teams should validate whether command activity and file deletion evidence from ESXi hosts is collected, normalized, retained, and searchable. Because ATT&CK provides no formal detection logic for this analytic, implementation should be locally tested against legitimate administrative cleanup activity and tuned around sensitive paths, user context, execution method, timing, and change-management context.
Likely telemetry
- ESXi shell command execution records where available
- PowerCLI activity or administrative automation logs involving ESXi hosts
- File deletion or filesystem activity for /tmp/, /var/core/, and /scratch
- ESXi host logs relevant to local shell access and administrative actions
- Change-management or maintenance records to distinguish approved cleanup from unexpected deletion
Detection direction
- Confirm that ESXi hosts generate and forward telemetry sufficient to identify rm usage or PowerCLI-driven deletion activity.
- Focus detection review on deletions from /tmp/, /var/core/, and /scratch, as specified by the analytic.
- Tune against expected administrator maintenance, scripted cleanup, and lifecycle operations to reduce false positives without suppressing unusual deletion patterns.
- Correlate deletion activity with user identity, access method, host, time window, and nearby security-relevant events when available.
- Treat absence of official ATT&CK detection logic as a requirement for local engineering, testing, and documented assumptions rather than as out-of-the-box coverage.
Mitigation priorities
- Establish ESXi evidence retention and forwarding expectations before an incident, especially for business-critical virtualization hosts.
- Restrict and review administrative access paths capable of ESXi shell or PowerCLI-based deletion activity.
- Document approved cleanup procedures for /tmp/, /var/core/, and /scratch so SOC teams can distinguish maintenance from suspicious activity.
- Include ESXi hosts in incident response evidence preservation playbooks and tabletop exercises.
- Periodically validate that telemetry remains available after upgrades, configuration changes, or operational maintenance.
Analyst notes and limits
The supplied object is a detection analytic, not a technique or campaign object. It provides a clear ESXi scope and deletion behavior but no tactic mapping, relationship context, or official detection logic. The strongest use of this object is as a coverage validation item for hypervisor monitoring, incident evidence preservation, and SOC tuning around suspicious cleanup activity.
This take is limited to the supplied ATT&CK fields. No active exploitation, adversary attribution, impact outcome, or guaranteed detection coverage is implied. Local ESXi configuration, logging capabilities, retention, administrative practices, and PowerCLI usage patterns are required to determine practical coverage and alert fidelity.
Analytic 0395
Detects manual or scripted removal of logs, artifacts, or malware droppings via `rm` or PowerCLI in ESXi shell. Focus on deletions from /tmp/, /var/core/, or /scratch.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 5b4be2c044bb… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0395Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.