MITRE ATT&CK® Analytic

AN0092: Analytic 0092

Creation of files or directories with a leading '.' in privileged directories (/etc, /var, /usr/bin). Defender view: monitoring auditd logs for file creations where name begins with '.' and correlated with unusual user/process context.

Domain: Enterprise. Object: AN0092 (Analytic), version 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because hidden Linux files or directories (names beginning with '.', which `ls` and shell globs omit by default) created in privileged locations such as /etc, /var, or /usr/bin are easy for administrators and responders to overlook. For leaders, the decision value is whether Linux audit logging and SOC workflows can distinguish legitimate hidden configuration artifacts from unusual file creation tied to suspicious users or processes in sensitive paths.

Executive priority

Prioritize validation where Linux systems support critical business services, regulated workloads, or operational continuity. The key management question is not simply whether auditd is enabled, but whether the organization can produce usable evidence of privileged-directory file creation, correlate it to user and process context, and act quickly during an investigation. This supports incident response readiness, compliance evidence, and control assurance for high-value Linux estates.

Technical view

AN0092 is a Linux detection analytic focused on creation of files or directories whose names begin with '.' in privileged directories including /etc, /var, and /usr/bin. SOC and detection teams should validate auditd coverage for file creation events in those paths and ensure events include filename, path, user, process, parent process where available, host, and timestamp. In auditd terms, a watch rule on each directory with write permission (for example `-w /etc -p wa -k <key>`) covers the directory and its subtree; each matching event yields a SYSCALL record carrying uid, auid, exe, comm and ppid, plus PATH records in which nametype=CREATE identifies the entry actually created, and a CWD record needed to resolve relative names. Because no ATT&CK tactic is specified and no relationship context is supplied, this should be treated as a behavior-level analytic that requires local baselining and correlation with unusual user or process context.

Likely telemetry

  • Linux auditd file creation events
  • File path and filename metadata for /etc, /var, and /usr/bin
  • User and privilege context associated with file creation
  • Process and parent process context where collected
  • Host identity and timestamps for investigation scoping

Detection direction

  • Confirm auditd rules or equivalent Linux telemetry capture file or directory creation in the privileged paths named by the analytic.
  • Filter for newly created names beginning with '.' while preserving enough context to review legitimate hidden files and directories.
  • Correlate alerts with unusual user, service account, process, or parent-process context rather than treating every dot-prefixed file as malicious.
  • Baseline expected administrative and package-management activity to reduce false positives; for example, shadow-utils commands such as useradd and passwd create /etc/.pwd.lock, and package installs populate dotfiles under /etc/skel.
  • Document blind spots where Linux servers do not forward auditd logs, omit process context, or do not monitor all specified directories.
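As an added example tying the technical view and the detection steps above together (this is not MITRE's or Glexia's code), the script below groups raw auditd records by event id, treats the PATH record with nametype=CREATE as the created entry, resolves relative names against the CWD record, and alerts on dot-prefixed names under /etc, /var and /usr/bin together with the user and process context the analytic asks for. The watch rules quoted in the docstring, the key name privdir_create, the baseline executables, the unusual-context heuristics and the sample audit lines are all assumptions constructed for this example.

```python
"""Added example (not MITRE or Glexia code): triage raw auditd records for AN0092.
Assumed watch rules (auditctl syntax; the key name is an assumption):
    -w /etc -p wa -k privdir_create
    -w /var -p wa -k privdir_create
    -w /usr/bin -p wa -k privdir_create
"""
import posixpath
import re
from collections import defaultdict
from pathlib import PurePosixPath

WATCHED_DIRS = ("/etc", "/var", "/usr/bin")
# Constructed local baseline: binaries expected to create dot-prefixed names
# here (shadow-utils create /etc/.pwd.lock; package tools populate /etc/skel).
BASELINE_EXE = {"/usr/sbin/useradd", "/usr/bin/dpkg", "/usr/bin/rpm"}
UNSET_AUID = "4294967295"  # auditd's unsigned -1: no login session (daemon)
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

def parse_record(line):
    """One raw audit line -> dict of key=value fields plus _ts and _id."""
    m = _MSG.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    rec["_ts"], rec["_id"] = m.group(1), m.group(2)
    return rec

def group_events(lines):
    """Group SYSCALL/CWD/PATH records that share an audit event id."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["_id"]].append(rec)
    return events

def created_paths(records):
    """Absolute paths created in one event: nametype=CREATE marks the new entry,
    relative names are resolved against the CWD record."""
    cwd = next((r["cwd"] for r in records if r["type"] == "CWD"), "/")
    for r in records:
        if r["type"] == "PATH" and r.get("nametype") == "CREATE":
            yield posixpath.normpath(posixpath.join(cwd, r["name"]))

def is_hidden_in_watched(path):
    """Final component starts with '.' and path is under a watched dir (subtrees included)."""
    p = PurePosixPath(path)
    return p.name.startswith(".") and any(PurePosixPath(d) in p.parents for d in WATCHED_DIRS)

def context_flags(sysrec):
    """Process/user context heuristics; thresholds are assumptions to tune locally."""
    flags, exe = [], sysrec.get("exe", "")
    if exe in BASELINE_EXE:
        flags.append("baseline_exe")
    if exe.startswith(("/tmp/", "/dev/shm/", "/var/tmp/")):
        flags.append("exe_in_tmp")
    if sysrec.get("auid") == UNSET_AUID:
        flags.append("no_login_session")
    return flags

def severity(flags):
    if "exe_in_tmp" in flags or "no_login_session" in flags:
        return "high"
    return "info" if "baseline_exe" in flags else "review"

def detect(lines):
    """One alert per successful creation of a hidden name under a watched directory."""
    alerts = []
    for eid, recs in group_events(lines).items():
        sysrec = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sysrec is None or sysrec.get("success") != "yes":
            continue
        for path in created_paths(recs):
            if is_hidden_in_watched(path):
                flags = context_flags(sysrec)
                alerts.append({"event_id": eid, "ts": sysrec["_ts"], "path": path,
                               "auid": sysrec.get("auid"), "uid": sysrec.get("uid"),
                               "exe": sysrec.get("exe"), "comm": sysrec.get("comm"),
                               "ppid": sysrec.get("ppid"), "flags": flags,
                               "severity": severity(flags)})
    return alerts

# Constructed sample records (not real host data), ausearch --raw style.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1712345678.101:1001): arch=c000003e syscall=257 success=yes exit=4 items=2 ppid=900 pid=901 auid=1000 uid=0 gid=0 euid=0 comm="useradd" exe="/usr/sbin/useradd" key="privdir_create"',
    'type=CWD msg=audit(1712345678.101:1001): cwd="/root"',
    'type=PATH msg=audit(1712345678.101:1001): item=0 name="/etc/" inode=2 mode=040755 nametype=PARENT',
    'type=PATH msg=audit(1712345678.101:1001): item=1 name="/etc/.pwd.lock" inode=1234 mode=0100600 nametype=CREATE',
    'type=SYSCALL msg=audit(1712345678.202:1002): arch=c000003e syscall=83 success=yes exit=0 items=2 ppid=910 pid=911 auid=1000 uid=0 gid=0 euid=0 comm="bash" exe="/usr/bin/bash" key="privdir_create"',
    'type=CWD msg=audit(1712345678.202:1002): cwd="/etc"',
    'type=PATH msg=audit(1712345678.202:1002): item=0 name="/etc" inode=2 mode=040755 nametype=PARENT',
    'type=PATH msg=audit(1712345678.202:1002): item=1 name=".cache" inode=1300 mode=040700 nametype=CREATE',
    'type=SYSCALL msg=audit(1712345678.303:1003): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1 pid=4242 auid=4294967295 uid=0 gid=0 euid=0 comm="run" exe="/tmp/.x/run" key="privdir_create"',
    'type=CWD msg=audit(1712345678.303:1003): cwd="/tmp/.x"',
    'type=PATH msg=audit(1712345678.303:1003): item=0 name="/usr/bin/" inode=5 mode=040755 nametype=PARENT',
    'type=PATH msg=audit(1712345678.303:1003): item=1 name="/usr/bin/.sshd" inode=7777 mode=0100755 nametype=CREATE',
    'type=SYSCALL msg=audit(1712345678.505:1005): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=930 pid=931 auid=1002 uid=1002 gid=1002 euid=1002 comm="touch" exe="/usr/bin/touch" key="privdir_create"',
    'type=PATH msg=audit(1712345678.505:1005): item=0 name="/etc/.evil" nametype=CREATE',
]
```

Running `detect(SAMPLE_LINES)` yields three alerts: /etc/.pwd.lock from useradd at severity info (baselined), /etc/.cache created by a root shell with a relative name at severity review, and /usr/bin/.sshd written by a binary running from /tmp with no login session at severity high; the failed touch of /etc/.evil is skipped because success=no. The baseline set and the high-severity heuristics stand in for the local baselining step: a daemon started at boot also has an unset auid, so that flag needs tuning per estate, and subtrees are included deliberately because /var/lib and /var/tmp are where dropped dot-directories tend to land.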

Mitigation priorities

  • Start by inventorying Linux systems where privileged-directory monitoring is required for business-critical or compliance-relevant workloads.
  • Enable and verify auditd or equivalent file creation telemetry for the specified privileged directories.
  • Harden access controls and administrative change processes for /etc, /var, and /usr/bin according to local policy.
  • Ensure incident response playbooks include triage of hidden files in privileged paths with user and process correlation.
  • Use periodic detection testing to confirm that the SOC receives and can investigate the expected telemetry.

Analyst notes and limits

The supplied object is a detection analytic, not a technique, and it has no supplied tactic or relationship context. The strongest use is as a validation checklist for Linux file-creation monitoring in sensitive directories. Local baselines are essential because dot-prefixed files can be legitimate on Linux systems.

Official detection content is not provided beyond the description, and no relationships, aliases, labels, or tactic mappings were supplied. This take does not infer attribution, active exploitation, impact, or coverage beyond Linux and the named privileged directories.

Official MITRE ATT&CK definition

Analytic 0092

Creation of files or directories with a leading '.' in privileged directories (/etc, /var, /usr/bin). Defender view: monitoring auditd logs for file creations where name begins with '.' and correlated with unusual user/process context.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 466d64fd15bcf56c...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 466d64fd15bc…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0092 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.