MITRE ATT&CK® Analytic

AN0046: Analytic 0046

Detects adversary attempts to monopolize control of compromised systems by issuing service stop commands, unloading vulnerable modules, or forcefully killing competing processes. Defenders should monitor audit logs and syslog for administrative utilities (systemctl, service, kill) being invoked outside of normal change management.

Enterprise | AN0046 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic focuses on a Linux post-compromise behavior where an adversary tries to keep control of a system by stopping services, unloading modules, or killing processes that may interfere with their activity. For leaders, the value is not just detecting individual commands such as systemctl, service, or kill; it is validating whether administrative activity on critical Linux systems is governed by change management and visible enough for the SOC to distinguish approved maintenance from suspicious disruption.

Executive priority

Prioritize this where Linux systems support business-critical services, security tooling, or operational platforms. The key business question is whether the organization can prove that service stops, module unloading, and process termination are authorized, logged, reviewed, and rapidly investigated when they occur outside expected maintenance windows. This supports incident response readiness, operational resilience, and audit evidence around administrative control use.

Technical view

For SOC, detection engineering, and IR teams, validate visibility into Linux audit logs and syslog for administrative utilities referenced by the analytic: systemctl, service, and kill. Focus on invocations occurring outside normal change management, especially on sensitive servers or where the acting user, parent process, time window, or target process/service does not match expected administration patterns. Because no ATT&CK tactic or formal detection logic is supplied, implementation should be environment-specific and based on known-good administrative baselines.

Likely telemetry

  • Linux audit logs showing command execution and user context
  • Syslog entries related to service management or process termination
  • Process creation telemetry for systemctl, service, and kill where available
  • Change management records or maintenance-window data for correlation
  • Host identity, user identity, parent process, and target service/process context

Detection direction

  • Baseline legitimate service management and process termination activity on Linux systems before alerting broadly.
  • Correlate command execution with approved change windows to reduce false positives from routine administration.
  • Prioritize events involving critical services, security agents, monitoring components, or unexpected target processes where local policy identifies them as important.
  • Review parent process, user account, host role, and timing to distinguish scripted maintenance from anomalous hands-on activity.
  • Account for blind spots where audit logs, syslog, or process execution telemetry are not collected, not centralized, or lack command-line detail.
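The detection direction above can be exercised end to end on real auditd output. The following is an added example written for this page, not code from MITRE or Glexia: it parses auditd EXECVE/SYSCALL records, joins them on the audit serial, classifies invocations of systemctl, service and kill (and, as an extension covering the "unloading modules" part of the analytic, rmmod and modprobe -r), and scores each hit against an assumed maintenance window, an assumed admin login-UID allow-list, and an assumed list of protected services. The policy constants and the sample audit lines are constructed placeholders; replace them with local baselines and change-management data.

```python
import re
from datetime import datetime, timezone

# Assumed local policy (placeholders, not from the analytic): an approved
# maintenance window in UTC hours, login UIDs allowed to administer services,
# and services/agents whose stopping always merits review.
MAINTENANCE_WINDOW_UTC = (2, 4)          # 02:00 <= hour < 04:00
ADMIN_AUIDS = {"1000"}
PROTECTED_SERVICES = {"auditd", "rsyslog", "osqueryd", "falcon-sensor"}

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r'audit\((\d+)\.\d+:(\d+)\)')


def parse_record(line):
    """Split one auditd line into (record type, timestamp, serial, fields)."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = MSG_RE.search(line)
    ts = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
    return fields["type"], ts, int(m.group(2)), fields


def correlate(lines):
    """Join EXECVE (argv) and SYSCALL (who/parent) records on the audit serial."""
    events = {}
    for line in lines:
        rtype, ts, serial, rec = parse_record(line)
        ev = events.setdefault(serial, {"serial": serial, "ts": ts, "argv": []})
        if rtype == "EXECVE":
            ev["argv"] = [rec[f"a{i}"] for i in range(int(rec["argc"]))]
        elif rtype == "SYSCALL":
            ev.update(auid=rec.get("auid"), uid=rec.get("uid"),
                      ppid=rec.get("ppid"), exe=rec.get("exe"))
    return list(events.values())


def classify(argv):
    """Map argv to (action, target) for service stops, module unloads and kills."""
    if not argv:
        return None
    tool = argv[0].rsplit("/", 1)[-1]
    if tool == "systemctl" and len(argv) >= 3 and argv[1] in {"stop", "kill", "mask", "disable"}:
        return "service_stop", argv[2].removesuffix(".service")
    if tool == "service" and len(argv) >= 3 and argv[2] == "stop":
        return "service_stop", argv[1]
    if tool == "rmmod" and len(argv) >= 2:
        return "module_unload", argv[1]
    if tool == "modprobe" and "-r" in argv[1:]:
        return "module_unload", argv[-1]
    if tool in {"kill", "pkill", "killall"}:
        targets = [a for a in argv[1:] if not a.startswith("-")]
        return "process_kill", targets[-1] if targets else "?"
    return None


def assess(ev):
    """Score one correlated event; returns None if it is not AN0046-relevant."""
    hit = classify(ev["argv"])
    if hit is None:
        return None
    action, target = hit
    reasons = []
    lo, hi = MAINTENANCE_WINDOW_UTC
    if not (lo <= ev["ts"].hour < hi):
        reasons.append("outside maintenance window")
    if target in PROTECTED_SERVICES:
        reasons.append("protected service or agent targeted")
    if ev.get("auid") not in ADMIN_AUIDS:
        reasons.append("login uid not in admin allow-list")
    severity = "high" if len(reasons) >= 2 else "medium" if reasons else "info"
    return {"serial": ev["serial"], "time": ev["ts"].isoformat(), "action": action,
            "target": target, "auid": ev.get("auid"), "ppid": ev.get("ppid"),
            "severity": severity, "reasons": reasons}


def detect(lines):
    """Run the whole pipeline over raw audit lines; highest severity first."""
    findings = [a for a in (assess(ev) for ev in correlate(lines)) if a]
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["serial"]))


# Constructed sample audit records (not real telemetry). Serial 101 is an
# in-window nginx stop by an admin login; 102 stops auditd out of hours from a
# non-admin login; 103 is an out-of-hours kill -9 by the admin login.
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1700017200.101:101): arch=c000003e syscall=59 success=yes exit=0 ppid=3310 pid=3322 auid=1000 uid=0 euid=0 comm="systemctl" exe="/usr/bin/systemctl" key="admin_cmds"',
    'type=EXECVE msg=audit(1700017200.101:101): argc=3 a0="systemctl" a1="stop" a2="nginx.service"',
    'type=SYSCALL msg=audit(1700058600.412:102): arch=c000003e syscall=59 success=yes exit=0 ppid=5150 pid=5161 auid=1003 uid=0 euid=0 comm="systemctl" exe="/usr/bin/systemctl" key="admin_cmds"',
    'type=EXECVE msg=audit(1700058600.412:102): argc=3 a0="systemctl" a1="stop" a2="auditd"',
    'type=SYSCALL msg=audit(1700058660.077:103): arch=c000003e syscall=59 success=yes exit=0 ppid=3310 pid=3340 auid=1000 uid=0 euid=0 comm="kill" exe="/usr/bin/kill" key="admin_cmds"',
    'type=EXECVE msg=audit(1700058660.077:103): argc=3 a0="kill" a1="-9" a2="4242"',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_AUDIT_LINES):
        print(f["severity"].upper(), f["time"], f["action"], f["target"], f["reasons"])
```

The join on the audit serial matters: the EXECVE record carries the command line, but the SYSCALL record carries the login UID (auid) and parent PID needed to tell scripted maintenance from hands-on activity. Severity here is a simple count of policy mismatches; in production the change-window check would be a lookup against ticketing or maintenance-window data rather than a fixed hour range.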

Mitigation priorities

  • Ensure Linux administrative actions are governed by change management and documented maintenance windows.
  • Centralize and retain audit logs and syslog from Linux systems that support critical operations.
  • Limit privileged administrative access to users and processes with a defined operational need.
  • Review whether monitoring and security services have appropriate resilience and alerting when stopped or disrupted.
  • Use incident response playbooks that treat unexpected service stops, module unloading, or process killing as events requiring host-context review rather than isolated command alerts.

Analyst notes and limits

The supplied object is a detection analytic for Linux with no tactic specified, no relationships supplied, and no separate official detection logic beyond the description. The strongest use is as a validation prompt: confirm that Linux administrative utility use is observable, baselined, and correlated with change management.

This take is limited to the official fields provided. It does not assert active exploitation, adversary attribution, impact, or guaranteed detection coverage. Local baselines, host criticality, logging configuration, and change-management data are required to determine alert thresholds and response priority.

Official MITRE ATT&CK definition

Analytic 0046

Detects adversary attempts to monopolize control of compromised systems by issuing service stop commands, unloading vulnerable modules, or forcefully killing competing processes. Defenders should monitor audit logs and syslog for administrative utilities (systemctl, service, kill) being invoked outside of normal change management.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: df2f65ac707ee2a3...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  df2f65ac707e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0046 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.