AN0049: Analytic 0049
Adversary runs discovery commands such as `ps aux`, `systemctl status`, or `cat /etc/init.d/` to enumerate security software or services. Often occurs alongside privilege escalation or bash script execution.
Analyst context for executives and security teams
This analytic is about Linux activity where an adversary checks running processes or service status to identify security software or services. For leaders, the practical issue is not the commands themselves—administrators also use them—but the timing and context: this kind of discovery can help an intruder understand what defenses are present before escalating privileges, running scripts, or attempting to avoid monitoring.
Executive priority
Treat this as a coverage-validation item for Linux monitoring and incident triage. Security leaders should ask whether SOC and IR teams can see command execution and service enumeration on important Linux systems, especially servers supporting critical business operations. The priority is to distinguish normal administration from suspicious discovery by correlating these commands with unusual users, privilege changes, new shell activity, or script execution.
Technical view
On Linux, validate visibility into process and command-line execution involving examples such as `ps aux`, `systemctl status`, and attempts to inspect `/etc/init.d/`. Because ATT&CK provides no official detection logic and no tactic mapping for this analytic, detection engineering should focus on contextual correlation rather than simple command matching. Useful pivots include the executing user, parent process, interactive shell or script context, host role, recent authentication, and nearby privilege escalation indicators where available.
Likely telemetry
- Linux process creation events with command-line arguments
- Shell history or terminal session telemetry where collected
- Service manager activity, including systemctl invocations
- File or directory access telemetry for service initialization paths such as /etc/init.d/
- User, session, and authentication context for the executing account
Detection direction
- Baseline expected administrative use of process and service discovery commands on Linux servers to reduce false positives.
- Prioritize alerts when discovery commands are run by unusual users, service accounts, newly authenticated sessions, or from unexpected parent processes such as scripts or shells.
- Correlate with nearby bash script execution or privilege escalation activity, as the official description notes this behavior often occurs alongside those contexts.
- Avoid treating single uses of `ps` or `systemctl` as inherently malicious; tune for sequence, host criticality, account context, and deviation from normal operations.
- Confirm whether command-line arguments are captured; without them, coverage may miss the distinction between routine use and security-service enumeration.
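As an added example, not code from the ATT&CK object or from Glexia, the contextual correlation described above applied to constructed auditd-style process events: each discovery command is scored on the executing user against a per-host-role admin baseline, on non-interactive (scripted) shell context, and on a nearby sudo/su by the same account. The event fields, the baseline and the sample events are assumptions.

```python
"""Added example (not MITRE's or Glexia's code): score Linux process-creation
events for security-service discovery using the contextual pivots AN0049
recommends. The event fields and admin baseline are assumptions."""
import re
from datetime import datetime, timedelta

# Commands named by the analytic, plus close variants (assumption).
DISCOVERY = [
    re.compile(r"^ps\s+(aux|-ef|-e)\b"),
    re.compile(r"^systemctl\s+(status|list-units)\b"),
    re.compile(r"^(cat|ls)\s+/etc/init\.d/?"),
]
ESCALATION = re.compile(r"^(sudo|su)\b")
SCRIPT_PARENTS = {"bash", "sh", "dash"}
ADMIN_BASELINE = {"webserver": {"ops"}, "db": {"dba", "ops"}}  # constructed

def is_discovery(cmd):
    return any(p.search(cmd) for p in DISCOVERY)

def score_events(events, window=timedelta(minutes=5)):
    """Return (cmd, score, reasons) per discovery command; 0 means baseline-normal."""
    out = []
    for ev in events:
        if not is_discovery(ev["cmd"]):
            continue
        score, reasons = 0, []
        if ev["user"] not in ADMIN_BASELINE.get(ev["host_role"], set()):
            score, reasons = score + 2, reasons + ["user outside admin baseline"]
        # auditd reports tty "(none)" when a shell runs non-interactively (a script)
        if ev["parent"] in SCRIPT_PARENTS and ev["tty"] == "(none)":
            score, reasons = score + 2, reasons + ["non-interactive script parent"]
        if any(o["user"] == ev["user"] and ESCALATION.search(o["cmd"])
               and abs(o["ts"] - ev["ts"]) <= window for o in events):
            score, reasons = score + 3, reasons + ["privilege escalation within window"]
        out.append((ev["cmd"], score, reasons))
    return out

def event(minute, user, tty, cmd, parent="bash", role="webserver"):
    """Build a constructed auditd-like event (sample data, not real telemetry)."""
    return {"ts": datetime(2024, 5, 1, 23, minute), "user": user, "tty": tty,
            "cmd": cmd, "parent": parent, "host_role": role}

SAMPLE = [
    event(0, "ops", "pts0", "ps aux"),               # routine admin check
    event(14, "www-data", "(none)", "systemctl status"),
    event(15, "www-data", "(none)", "sudo -i"),
    event(16, "www-data", "(none)", "cat /etc/init.d/"),
]
```

Running `score_events(SAMPLE)` scores the ops `ps aux` at 0 and the two www-data discovery commands at 7 each, which is the sequence-and-context distinction the analytic asks for rather than a match on the command alone.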
Mitigation priorities
- Ensure Linux audit, EDR, or equivalent endpoint logging captures process execution and command-line details on important systems.
- Define and document normal administrative patterns for service and process enumeration so SOC teams can separate expected operations from suspicious discovery.
- Harden privileged access and monitor privilege escalation paths, since this discovery may appear near escalation activity.
- Review service account usage and interactive shell access on Linux hosts to limit opportunities for unauthorized discovery.
- Use this analytic as evidence in detection coverage reviews rather than as a standalone control, because no official detection logic is supplied.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a technique, and includes no relationships, no tactic mapping, and no official detection content. The strongest use is as a prompt to validate Linux command-execution visibility and contextual alerting for security software or service enumeration.
The object only supports Linux-specific conclusions and provides example commands rather than complete detection criteria. Local environment baselines, host roles, logging configuration, and administrative workflows are required to determine whether observed activity is suspicious.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9a89c135244a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0049
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.