AN0010: Analytic 0010
User modification of the $PATH environment variable in shell configuration files or direct runtime PATH changes, followed by execution of binaries from user-controlled directories. Defender observes file edits to ~/.bashrc, ~/.profile, or /etc/paths.d and process execution resolving to unexpected binary locations.
Analyst context for executives and security teams
This analytic matters because changes to a Linux user’s PATH can cause commands to run from unexpected, user-controlled locations. For leaders, the practical risk is not the variable itself; it is whether the organization can prove that shell startup file changes and resulting command execution are visible enough for SOC or IR teams to distinguish normal customization from suspicious command resolution.
Executive priority
Prioritize this where Linux systems support critical operations, administrator workflows, build environments, or shared infrastructure. The decision question is whether endpoint logging and response procedures can show when shell configuration files such as ~/.bashrc, ~/.profile, or /etc/paths.d are modified and whether subsequent binaries execute from unusual directories. This supports incident scoping, audit evidence, and operational resilience, but the supplied ATT&CK object does not specify a tactic, related technique, or impact outcome.
Technical view
Validate Linux visibility for two linked observations: edits to PATH-related shell configuration locations and process execution where the resolved binary path is outside expected system directories. Since official detection logic is not provided, teams should build and tune analytics around file modification events, environment/context changes where available, and process execution paths. Correlating the file edit and later execution will usually be more useful than alerting on every PATH edit alone.
Likely telemetry
- Linux file modification events for ~/.bashrc, ~/.profile, and /etc/paths.d
- Process execution telemetry including executable path and command context
- User identity, session, and host context for the modifying user
- Shell startup or environment context where collected
- Baseline of expected binary locations and approved user-controlled directories
Detection direction
- Confirm whether endpoint or audit telemetry captures both shell configuration edits and process execution paths on Linux systems.
- Tune for execution from unexpected or user-controlled directories after PATH-related changes, rather than treating all PATH customization as malicious.
- Separate common administrative, developer, or application setup activity from unusual changes on sensitive hosts or privileged accounts.
- Investigate whether logging preserves enough user, host, timestamp, and executable path detail to support incident reconstruction.
- Document blind spots where interactive shell activity, short-lived processes, or per-user configuration files are not collected.
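The correlation the technical view and the detection direction describe, as an added example that is not MITRE's or Glexia's detection logic: normalized file-write and process-execution events are replayed in time order, and an execution from a directory outside the baseline is raised only when the same user on the same host edited a PATH-related startup file inside a look-back window. The event shape, the baseline of expected directories, the window length, the extra startup files beyond the three the analytic names, and the sample events are all assumptions constructed for the example.

```python
"""Correlate PATH-related shell config edits with later execution from
unexpected directories. Added example; event shapes, baseline directories,
window length and sample telemetry are assumptions."""
from __future__ import annotations

import fnmatch
import os
from dataclasses import dataclass

# Startup / PATH configuration locations to watch. The first three are the
# ones named by the analytic; the rest are assumed extras for Linux hosts.
PATH_CONFIG_GLOBS = (
    "/home/*/.bashrc", "/home/*/.profile", "/etc/paths.d/*",
    "/root/.bashrc", "/root/.profile", "/home/*/.bash_profile",
    "/home/*/.zshrc", "/etc/profile", "/etc/profile.d/*", "/etc/environment",
)

# Baseline of directories binaries are expected to run from (assumed; a real
# deployment takes this from the local baseline, including approved
# user-controlled directories such as the /opt/app/bin entry here).
EXPECTED_BIN_DIRS = frozenset({
    "/bin", "/sbin", "/usr/bin", "/usr/sbin",
    "/usr/local/bin", "/usr/local/sbin", "/opt/app/bin",
})

# A user-directory binary carrying one of these names is likely shadowing the
# real command through PATH ordering, which deserves a higher severity.
SYSTEM_COMMAND_NAMES = frozenset({
    "ls", "cat", "sudo", "ssh", "git", "python3", "ps", "find", "grep",
})


@dataclass(frozen=True)
class Event:
    ts: int            # epoch seconds
    host: str
    user: str
    kind: str          # "file_write" or "process_exec"
    path: str          # file written, or resolved executable path
    cmdline: str = ""


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    edit: Event
    exec_: Event
    shadows_system_command: bool


def is_path_config_file(path: str) -> bool:
    return any(fnmatch.fnmatch(path, g) for g in PATH_CONFIG_GLOBS)


def is_unexpected_exe(path: str, expected=EXPECTED_BIN_DIRS) -> bool:
    return os.path.dirname(path) not in expected


def correlate(events, window_seconds=24 * 3600, expected=EXPECTED_BIN_DIRS):
    """Return one Alert per unexpected execution that was preceded, within the
    window, by a PATH-config edit from the same user on the same host."""
    recent_edits: dict[tuple[str, str], Event] = {}   # (host, user) -> edit
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.user)
        if ev.kind == "file_write" and is_path_config_file(ev.path):
            recent_edits[key] = ev
        elif ev.kind == "process_exec" and is_unexpected_exe(ev.path, expected):
            edit = recent_edits.get(key)
            if edit is not None and 0 <= ev.ts - edit.ts <= window_seconds:
                shadows = os.path.basename(ev.path) in SYSTEM_COMMAND_NAMES
                alerts.append(Alert(ev.host, ev.user, edit, ev, shadows))
    return alerts


# Constructed sample telemetry (not real logs). Only alice's "ls" should fire:
# bob never edited a startup file, carol's binary is in an approved directory,
# and alice's last execution falls outside the 24h window.
SAMPLE_EVENTS = [
    Event(1000, "build01", "alice", "file_write", "/home/alice/.bashrc"),
    Event(1060, "build01", "alice", "process_exec", "/home/alice/.local/bin/ls", "ls -la"),
    Event(1070, "build01", "alice", "process_exec", "/usr/bin/cat", "cat /etc/hostname"),
    Event(1200, "build01", "bob", "process_exec", "/home/bob/venv/bin/python3", "python3 app.py"),
    Event(1300, "build02", "carol", "file_write", "/home/carol/.profile"),
    Event(1330, "build02", "carol", "process_exec", "/opt/app/bin/app", "app --serve"),
    Event(1000 + 3 * 24 * 3600, "build01", "alice", "process_exec", "/home/alice/bin/tool", "tool"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a.host} {a.user}: edited {a.edit.path} at {a.edit.ts}, then ran "
              f"{a.exec_.path} at {a.exec_.ts}; shadows system command: {a.shadows_system_command}")
```

The look-back keyed on (host, user) is what keeps the rule from paging on every developer virtualenv: an execution from a user directory with no preceding startup-file edit by that user stays silent, which is the tuning point the detection direction calls for. The shadowing flag is the cheap extra signal worth surfacing in the alert, because a user-directory binary named like a system command is the PATH abuse pattern most worth a look.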
Mitigation priorities
- Establish approved PATH and shell configuration standards for managed Linux systems.
- Restrict write access to system-wide path configuration locations such as /etc/paths.d where appropriate.
- Use endpoint hardening and least-privilege practices to limit unauthorized modification of shell startup files on sensitive systems.
- Maintain baselines for expected executable locations on critical Linux hosts.
- Ensure IR playbooks include review of shell configuration files and unexpected binary paths during Linux host investigations.
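A baseline check of the kind the first and fourth mitigation items call for, added here as an example rather than anything from the ATT&CK object or Glexia: it walks the PATH assignments in a shell startup file in order, resolves each one against the inherited PATH, and reports entries that are relative, outside the approved set, or placed ahead of the system directories where they can shadow system commands. The approved set, the sample file and the deliberately simplified shell parsing are assumptions; a production check should instead source the file in a sandboxed non-interactive shell and inspect the resulting PATH.

```python
"""Check PATH assignments in a shell startup file against an approved
baseline. Added example; the approved set, the sample file and the
simplified parsing (plain PATH=... / export PATH=... lines only) are
assumptions, not a complete shell evaluator."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Approved PATH entries (assumed baseline). Anything else is "unapproved".
APPROVED_DIRS = ("/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin")
SYSTEM_DIRS = {"/usr/bin", "/bin", "/usr/sbin", "/sbin"}

# Matches `PATH=value` or `export PATH=value`, value optionally quoted.
ASSIGN_RE = re.compile(r'^\s*(?:export\s+)?PATH=(?P<val>"[^"]*"|\'[^\']*\'|\S+)\s*$')


@dataclass(frozen=True)
class Finding:
    line_no: int
    entry: str
    reason: str


def expand(value: str, home: str, current_path: str) -> str:
    """Expand the $HOME and $PATH references a startup file typically uses."""
    value = value.strip("\"'")
    value = value.replace("${HOME}", home).replace("$HOME", home)
    return value.replace("${PATH}", current_path).replace("$PATH", current_path)


def evaluate_path(path: str, line_no: int, skip=frozenset(), approved=APPROVED_DIRS):
    """Report problem entries in a resolved PATH; `skip` holds entries already
    reported by an earlier assignment so each problem is raised once."""
    entries = path.split(":")
    first_system = next((i for i, e in enumerate(entries) if e in SYSTEM_DIRS), None)
    findings = []
    for i, entry in enumerate(entries):
        if entry in skip:
            continue
        if entry in ("", "."):
            findings.append(Finding(line_no, entry or "<empty>",
                                    "relative entry resolves commands from the current directory"))
        elif entry not in approved:
            reason = "unapproved directory"
            if first_system is None or i < first_system:
                reason += ", ordered before system directories (can shadow system commands)"
            findings.append(Finding(line_no, entry, reason))
    return findings


def check_startup_file(text: str, home: str, initial_path: str):
    """Walk PATH assignments in file order and return (final PATH, findings)."""
    path = initial_path
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        previous = frozenset(path.split(":"))
        path = expand(m.group("val"), home, path)
        findings.extend(evaluate_path(path, n, skip=previous))
    return path, findings


# Constructed ~/.bashrc excerpt (not taken from a real host).
SAMPLE_BASHRC = """\
# user customisation
export PATH="$HOME/.local/bin:$PATH"
alias ll='ls -la'
PATH=/opt/tools/bin:$PATH:.
"""

if __name__ == "__main__":
    final, found = check_startup_file(SAMPLE_BASHRC, "/home/alice", "/usr/local/bin:/usr/bin:/bin")
    print("resolved PATH:", final)
    for f in found:
        print(f"line {f.line_no}: {f.entry}: {f.reason}")
```

Evaluating assignments in sequence matters because the second line prepends /opt/tools/bin ahead of the user directory added by the first, so the final ordering, not any single line, decides what resolves first; the trailing "." is the classic relative entry that makes a planted binary in any working directory runnable by name.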
Analyst notes and limits
The object describes a detection analytic, not a full ATT&CK technique. It is Linux-specific in the supplied fields and has no supplied tactic or relationship context. Two caveats for implementers: /etc/paths.d is the macOS path_helper convention, so on Linux the system-wide locations to watch are /etc/profile, /etc/profile.d/, /etc/environment and the distribution's system bashrc, alongside the per-user files named above; and a PATH change made at the prompt (for example, an export in an interactive session) touches no file, so for that branch of the description the only observable is the later execution from an unexpected path. The most defensible use is as a coverage validation item for Linux endpoint telemetry and PATH-related command resolution behavior.
Official detection logic is not provided, and no relationships, malware, groups, campaigns, mitigations, or tactics are supplied. Local baselines are required to determine what directories and PATH changes are normal in a given environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 15de3e661a2b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0010
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.