AN0014: Analytic 0014
Execution of renamed common utilities (e.g., `bash`, `nc`, `python`, `sh`) from atypical directories or with names intended to deceive defenders or EDRs.
Analyst context for executives and security teams
This analytic matters because renamed Linux utilities can make ordinary administrative tools look benign, unfamiliar, or harder to recognize during an investigation. For leaders, the value is not in the specific tool names, but in validating whether the organization can see when common interpreters or networking utilities run from unusual locations or under deceptive names.
Executive priority
Prioritize this as a Linux visibility and response-readiness question: can SOC and IR teams prove where key utilities executed from, what name they used, who launched them, and what parent process started them? The business decision value is strongest for environments where Linux systems support critical services, regulated workloads, or operational continuity, because weak process telemetry can slow incident scoping and audit evidence collection.
Technical view
The supplied ATT&CK object describes execution of renamed common utilities such as bash, nc, python, and sh from atypical directories or with names intended to deceive defenders or EDRs. Because no official detection logic or tactic mapping is provided, teams should treat this as a validation pattern: identify Linux process executions where the executable basename, path, or invocation context is inconsistent with approved utility locations and normal administrative behavior. Review parent-child process chains, user context, command line, working directory, and file metadata to distinguish authorized admin activity from suspicious masquerading.
Likely telemetry
- Linux process execution events from EDR, auditd, or equivalent host monitoring
- Executable path, process name, command line, working directory, and parent process details
- User, session, privilege, and host context for the process execution
- File creation or modification events for renamed binaries in non-standard directories
- File hash, permissions, ownership, and timestamp metadata for executed utilities
Detection direction
- Validate that Linux process telemetry includes full executable path and command line, not only process name.
- Baseline expected locations and names for common utilities such as bash, sh, python, and nc in the local environment.
- Look for executions of these utilities from temporary, user-writable, application, or otherwise atypical directories, while tuning for legitimate packaging, development, and administrative workflows.
- Correlate suspicious renamed utility execution with parent process, user privilege, remote session, and recent file-write activity to reduce false positives.
- Check whether current detections depend on process names alone; that is a blind spot when utilities are renamed.
Mitigation priorities
- Harden Linux endpoint logging first so investigations can recover executable path, command line, user, and parent process context.
- Limit write and execute permissions in directories where ordinary users or applications should not stage renamed utilities.
- Use least privilege and administrative access controls to reduce who can place or execute binaries in sensitive locations.
- Establish approved software and utility execution expectations for servers with critical business roles.
- Feed validated suspicious patterns into managed detection, SOC triage playbooks, and incident response evidence checklists.
Analyst notes and limits
This is a detection analytic object, not a technique object, and the supplied fields do not include tactics, relationships, or official detection logic. The strongest defensible interpretation is a Linux-focused masquerading-style detection validation for renamed common utilities executing from unusual paths.
No relationship context, tactic mapping, procedure examples, or official detection implementation was supplied. This take cannot assess prevalence, attacker attribution, impact, or existing detection coverage. Local Linux build standards, administrator workflows, and telemetry quality are required to determine what is truly atypical.
Analytic 0014
Execution of renamed common utilities (e.g., `bash`, `nc`, `python`, `sh`) from atypical directories or with names intended to deceive defenders or EDRs.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 15d6c5199a78… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0014Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.