Uncommon attempt to clear shell history

Cortex XSIAM Analytics Alert Reference by Alert name

Product: Cortex XSIAM
Last date published: 2026-01-04
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic: Defense Evasion (TA0005)
ATT&CK Technique: Indicator Removal (T1070)
Severity: Low

Description

An attempt to clear or manipulate shell history files was detected.

Attacker's Goals

Attackers may clear or modify shell history files to remove traces of their activities.

Investigative actions

  • Investigate the user and process that executed the command.
  • Examine other related activities on the host to understand the context of this action.

Variations

Globally uncommon attempt to clear shell history

Synopsis

ATT&CK Tactic: Defense Evasion (TA0005)
ATT&CK Technique: Indicator Removal (T1070)
Severity: Medium

Description

An attempt to clear or manipulate shell history files was detected.

Attacker's Goals

Attackers may clear or modify shell history files to remove traces of their activities.

Investigative actions

  • Investigate the user and process that executed the command.
  • Examine other related activities on the host to understand the context of this action.