AN0041: Analytic 0041
Detects script or user activity copying files to a central temp or /mnt directory followed by archive/compression utilities.
Analyst context for executives and security teams
This analytic is relevant because copying many files into a shared temporary or /mnt location and then compressing them can be a sign that data is being staged for later movement or collection. For leaders, the value is not that this single pattern proves compromise, but that it highlights whether Linux file activity and archive utility usage are visible enough for the SOC to investigate suspicious staging behavior before it becomes a larger incident.
Executive priority
Prioritize this as a visibility and response-readiness check for Linux environments that host sensitive data, operational tooling, or shared storage. Security leaders should ask whether teams can prove they collect Linux process and file activity, identify unusual staging into temp or /mnt paths, and triage compression activity quickly enough to support incident decisions, audit evidence, and business continuity needs.
Technical view
For SOC and detection engineering teams, validate whether telemetry can correlate two behaviors on Linux: file copies into central temporary or /mnt directories, followed by archive or compression utility execution. Because no official detection logic is provided, teams should define local baselines for normal administrative, backup, deployment, and data processing workflows before treating this as high confidence. The analytic should be tuned around path context, user context, process lineage, file volume, timing, and whether the compression activity is expected for that host role.
Likely telemetry
- Linux process execution telemetry showing copy commands and archive/compression utilities
- Command-line arguments for file copy and compression activity
- File creation or modification events in temporary directories and /mnt paths
- User, service account, and host identity associated with the activity
- Timestamps sufficient to correlate copying followed by compression
Detection direction
- Confirm that Linux endpoint or audit telemetry captures both process execution and relevant file activity; process-only visibility may miss the staging portion.
- Correlate copy activity into central temp or /mnt locations with subsequent archive/compression utility execution within a meaningful time window.
- Tune for expected backup jobs, package builds, deployments, log rotation, application batch processing, and administrator maintenance to reduce false positives.
- Increase priority when the activity involves unusual users, uncommon hosts, sensitive directories, large file counts, abnormal working hours, or previously unseen command patterns.
- Document blind spots where /mnt usage is common, where file events are not collected, or where command-line arguments are truncated or unavailable.
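The correlation described in the points above, as an added example that is not part of the original analytic: a small Python correlator run over constructed process-execution events (timestamp, host, user, argv). It flags a copy utility whose destination is under a temp or /mnt path when the same user on the same host runs an archive utility touching a staging path within a time window, and it skips accounts on an assumed local allowlist of expected backup workflows (the window length, tool lists, account names and events are all constructed assumptions).

```python
from datetime import datetime, timedelta

STAGING_DIRS = ("/tmp/", "/var/tmp/", "/mnt/")
COPY_TOOLS = {"cp", "rsync", "mv", "scp"}
ARCHIVE_TOOLS = {"tar", "zip", "gzip", "bzip2", "xz", "zstd", "7z"}
WINDOW = timedelta(minutes=10)          # assumed local tuning value
EXPECTED_ACCOUNTS = {"backup"}          # assumed allowlist of approved workflows

# Constructed sample events, not real telemetry: (ts, host, user, argv)
SAMPLE_EVENTS = [
    ("2024-05-01T02:00:10", "srv01", "backup", ["rsync", "-a", "/srv/db/", "/mnt/backup/db/"]),
    ("2024-05-01T02:01:00", "srv01", "backup", ["tar", "-czf", "/mnt/backup/db.tgz", "/mnt/backup/db/"]),
    ("2024-05-01T09:00:00", "srv02", "deploy", ["cp", "app.jar", "/mnt/deploy/"]),
    ("2024-05-01T09:03:00", "srv02", "deploy", ["gzip", "/var/log/app.log"]),
    ("2024-05-01T14:22:05", "srv01", "jsmith", ["cp", "-r", "/home/shared/finance/", "/tmp/.cache/"]),
    ("2024-05-01T14:25:40", "srv01", "jsmith", ["tar", "-cf", "/tmp/.cache/f.tar", "/tmp/.cache/"]),
]

def is_staging_copy(argv):
    """Copy utility whose destination (last argument) is under a staging directory."""
    return argv[0] in COPY_TOOLS and len(argv) >= 3 and argv[-1].startswith(STAGING_DIRS)

def is_staging_archive(argv):
    """Archive utility that reads from or writes to a staging directory."""
    return argv[0] in ARCHIVE_TOOLS and any(a.startswith(STAGING_DIRS) for a in argv[1:])

def correlate(events, window=WINDOW, expected=EXPECTED_ACCOUNTS):
    """Return (host, user, copy_ts, archive_ts) for each staging copy followed,
    by the same user on the same host within `window`, by a staging archive run."""
    parsed = sorted((datetime.fromisoformat(ts), h, u, argv) for ts, h, u, argv in events)
    alerts = []
    for i, (ts, host, user, argv) in enumerate(parsed):
        if not is_staging_copy(argv) or user in expected:
            continue
        for ts2, host2, user2, argv2 in parsed[i + 1:]:
            if ts2 - ts > window:
                break                       # events are time-ordered; stop at the window edge
            if host2 == host and user2 == user and is_staging_archive(argv2):
                alerts.append((host, user, ts.isoformat(), ts2.isoformat()))
                break
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("copy-then-compress staging:", alert)
```

The deploy account's copy is not flagged because its later gzip run touches no staging path, and the backup account is skipped by the allowlist; in production the allowlist should be replaced by process lineage and host-role checks rather than user names alone.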
Mitigation priorities
- Establish least-privilege access to sensitive Linux file paths so users and services cannot unnecessarily stage broad data sets.
- Harden and monitor temporary and mounted storage locations that are commonly used for transient file aggregation.
- Maintain approved administrative and backup workflows so detection teams can distinguish expected compression from suspicious staging.
- Ensure Linux logging, endpoint telemetry, and retention are sufficient to support investigation of copy-and-compress sequences.
- Prepare IR playbooks for validating staged archives, identifying source files, preserving evidence, and determining whether additional containment is required.
Analyst notes and limits
This object is a MITRE ATT&CK detection analytic, not a technique. It specifies Linux as the platform and describes a behavior pattern: copying files to a central temp or /mnt directory followed by archive/compression utilities. No tactics, relationships, or official detection logic were supplied, so this analysis focuses on defensive validation rather than mapping to a broader ATT&CK chain.
The supplied ATT&CK fields do not include detection pseudocode, data source mappings, related techniques, adversary use, or mitigation references. Local environment knowledge is required to determine which temp or /mnt activity is normal, which compression tools are expected, and what alert severity is appropriate.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | fcfc1ee43886… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0041
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.