AN0062: Analytic 0062
Adversary executes systemctl or service stop targeting high-value services (e.g., mysql, sshd), possibly followed by rm or shred against data stores. Behavioral chain: sudo/su usage + stop command + /var/log/messages or syslog entries + file access/delete.
Analyst context for executives and security teams
This analytic is about recognizing a Linux service-disruption pattern: privileged users or processes stopping important services such as database or SSH services, with possible follow-on deletion or shredding of data. For leaders, the significance is operational resilience: if critical Linux services can be stopped and data stores removed without rapid alerting, an incident can become a business outage before responders have enough evidence to act.
Executive priority
Prioritize this as a resilience and incident-readiness control check for Linux systems that host business-critical services. Executives and risk owners should ask whether the organization can prove who stopped high-value services, when it happened, whether privileged access was involved, and whether file deletion activity followed. This supports outage triage, privileged-access governance, audit evidence, and recovery decision-making, especially for systems running critical databases, remote access services, or other essential workloads.
Technical view
Validate monitoring for Linux hosts where systemctl or service stop commands target high-value services such as mysql or sshd. The supplied analytic highlights a behavioral chain: sudo or su usage, a service stop command, related /var/log/messages or syslog entries, and file access or deletion activity such as rm or shred against data stores. SOC and IR teams should correlate privileged command execution, service state changes, authentication or privilege elevation context, system logs, and file deletion evidence on the same host and within a relevant time window.
Likely telemetry
- Linux process execution telemetry for systemctl, service, sudo, su, rm, and shred
- Command-line arguments showing service stop actions and targeted service names
- Syslog and /var/log/messages entries for service stop or service state changes
- Privilege elevation and authentication logs associated with sudo or su usage
- File access, deletion, or secure deletion telemetry for sensitive data paths or data stores
Detection direction
- Confirm that Linux endpoint or log telemetry captures command-line arguments, not only process names; without arguments, service-stop intent and target service may be unclear.
- Tune detections around high-value services rather than every service restart or stop event to reduce administrative false positives.
- Correlate service stop events with recent sudo or su activity and subsequent file access, rm, or shred activity to distinguish routine administration from higher-risk behavior.
- Use syslog or /var/log/messages as corroborating evidence, but validate log retention and forwarding because local logs may be incomplete after disruptive activity.
- Establish allowlisted maintenance windows, approved administrators, and known automation accounts to support triage without suppressing unusual privileged activity.
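As an added example (not part of the analytic or of Glexia's page), the following Python correlator applies the behavioral chain above to constructed syslog-style lines: it reads sudo and su privilege-elevation records, systemd's own "Stopping/Stopped" messages as corroboration, and command lines with full arguments, then ties a stop of a high-value service to elevation before it and rm/shred against a data store after it on the same host within a time window. The `edr-agent` line format standing in for process-execution telemetry, the service, path and automation-account lists, and all log lines are assumptions for this example; known automation accounts lower severity rather than suppressing the record, as the last bullet recommends.

```python
"""Correlate the service-disruption chain (sudo/su -> stop of a high-value service ->
syslog corroboration -> rm/shred on a data store) across syslog-style lines.
The 'edr-agent' format and every log line below are constructed for this example."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

HIGH_VALUE_SERVICES = {"mysql", "mysqld", "mariadb", "postgresql", "sshd", "ssh"}  # assumed; tune locally
DATA_STORE_PATHS = ("/var/lib/mysql", "/var/lib/postgresql", "/etc/ssh")          # assumed; tune locally
KNOWN_AUTOMATION = {"backup-automation"}                                            # assumed; tune locally
WINDOW = timedelta(minutes=10)

# "<iso-timestamp> <host> <program>[pid]: <message>" (rsyslog ISO-8601 file format, assumed)
SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*\bUSER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")  # sudo's default log line
SU_RE = re.compile(r"^\(to (?P<target>\S+)\) (?P<user>\S+) on ")                          # util-linux su log line
EXEC_RE = re.compile(r"^user=(?P<user>\S+) cmd=(?P<cmd>.+)$")                             # constructed agent format
SYSTEMD_STOP_RE = re.compile(r"^Stopp(?:ed|ing) (?P<unit>[\w.-]+)\.service\b")
STOP_RE = re.compile(r"^(?:\S*/)?(?:systemctl stop (?P<svc1>[\w.-]+)|service (?P<svc2>[\w.-]+) stop)\b")
DELETE_RE = re.compile(r"^(?:\S*/)?(?:rm|shred)\b")


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str          # "elevate", "stop", "delete" or "systemd_stop"
    actor: str = ""    # user that ran the command, when the source tells us
    detail: str = ""   # service name, command line, or elevation target


def classify_command(ts, host, actor, cmd):
    """Map a full command line to stop/delete events; the binary name alone is not enough."""
    st = STOP_RE.match(cmd)
    if st:
        svc = (st["svc1"] or st["svc2"]).removesuffix(".service")
        return [Event(ts, host, "stop", actor, svc)]
    if DELETE_RE.match(cmd) and any(p in cmd for p in DATA_STORE_PATHS):
        return [Event(ts, host, "delete", actor, cmd)]
    return []


def parse_line(line):
    """Turn one syslog-style line into zero or more events."""
    m = SYSLOG_RE.match(line)
    if not m:
        return []
    ts, host, prog, msg = datetime.fromisoformat(m["ts"]), m["host"], m["prog"], m["msg"]
    if prog == "sudo" and (s := SUDO_RE.match(msg)):   # elevation and the command on one line
        return [Event(ts, host, "elevate", s["user"], f"sudo -> {s['target']}"),
                *classify_command(ts, host, s["user"], s["cmd"])]
    if prog == "su" and (s := SU_RE.match(msg)):       # later commands run as root without a sudo record
        return [Event(ts, host, "elevate", s["user"], f"su -> {s['target']}")]
    if prog == "systemd" and (s := SYSTEMD_STOP_RE.match(msg)):
        return [Event(ts, host, "systemd_stop", "", s["unit"])]
    if prog == "edr-agent" and (s := EXEC_RE.match(msg)):
        return classify_command(ts, host, s["user"], s["cmd"])
    return []


def correlate(lines):
    """Return one alert per stop of a high-value service, enriched with chain context."""
    events = [e for line in lines for e in parse_line(line)]
    alerts = []
    for stop in events:
        if stop.kind != "stop" or stop.detail not in HIGH_VALUE_SERVICES:
            continue                                     # routine stops of other services are not alerted
        host_ev = [e for e in events if e.host == stop.host]
        before = lambda e: stop.ts - WINDOW <= e.ts <= stop.ts
        after = lambda e: stop.ts <= e.ts <= stop.ts + WINDOW
        # elevation by the same user, or any elevation if the stop already ran as root (su case)
        elev = [e for e in host_ev if e.kind == "elevate" and before(e)
                and (e.actor == stop.actor or stop.actor == "root")]
        actor = elev[-1].actor if elev else stop.actor
        corroborated = any(e.kind == "systemd_stop" and e.detail == stop.detail and after(e)
                           for e in host_ev)
        deletes = [e.detail for e in host_ev if e.kind == "delete" and after(e)]
        severity = ("high" if deletes else "info" if actor in KNOWN_AUTOMATION
                    else "medium" if elev else "low")
        alerts.append({"host": stop.host, "service": stop.detail, "actor": actor,
                       "elevated": bool(elev), "corroborated": corroborated,
                       "deletes": deletes, "severity": severity})
    return alerts


# Constructed sample: a suspicious chain on db01 and a known automation stop on web02.
SAMPLE_LOG = [
    "2024-04-03T02:14:01 db01 su: (to root) alice on pts/0",
    "2024-04-03T02:14:20 db01 edr-agent: user=root cmd=/usr/bin/systemctl stop mysql",
    "2024-04-03T02:14:21 db01 systemd[1]: Stopping mysql.service - MySQL Community Server...",
    "2024-04-03T02:14:22 db01 systemd[1]: Stopped mysql.service - MySQL Community Server.",
    "2024-04-03T02:15:03 db01 edr-agent: user=root cmd=/usr/bin/shred -u /var/lib/mysql/ibdata1",
    "2024-04-03T03:00:00 web02 sudo: backup-automation : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/systemctl stop mysql",
    "2024-04-03T03:00:01 web02 systemd[1]: Stopped mysql.service - MySQL Community Server.",
    "2024-04-03T03:05:00 web02 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl stop cups",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Run as-is it prints two alerts: a high-severity one for db01 attributed to `alice` via the preceding `su`, and an info-level one for web02 where the known automation account stopped mysql with no deletion afterward; the stop of `cups` produces nothing. Note that after `su` the stop and shred are only visible because process telemetry with arguments exists; with sudo-only logging the db01 chain would collapse to a single su record plus systemd's message, which is the coverage gap the bullets above warn about.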
Mitigation priorities
- Identify Linux hosts running high-value services and ensure they are covered by centralized logging and endpoint telemetry.
- Restrict and review privileged access paths for stopping critical services, including sudo and su usage where applicable.
- Define operational baselines for legitimate service stop activity, maintenance windows, and automation accounts.
- Protect and centralize system logs so responders can still reconstruct service stop and file deletion activity during an incident.
- Review backup, recovery, and change-control readiness for systems where service disruption and data deletion would affect business continuity.
Analyst notes and limits
This object is a detection analytic, not a full ATT&CK technique entry. The official description provides a useful behavioral chain for Linux service disruption and possible data deletion, but tactics, relationships, and formal detection logic are not supplied. Treat this as a validation pattern for telemetry and correlation coverage rather than a complete detection rule.
The supplied ATT&CK fields do not include an official detection section, related techniques, adversary relationships, impact claims, or non-Linux platforms. Local asset criticality, service names, administrative practices, and log coverage are required to determine priority and tune detections.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5d08d25cffbd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0062 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.