AN0096: Analytic 0096
Detects execution of common process enumeration utilities (e.g., ps, top, htop) or access to /proc with suspicious ancestry. Correlates command usage with interactive shell context and user role.
Analyst context for executives and security teams
This analytic matters because Linux process enumeration can be an early signal that someone is looking around a host to understand running services, users, or security tooling. For leaders, the decision value is not the commands themselves—ps, top, htop, and /proc access are common administrative activity—but whether the organization can distinguish expected operations from suspicious use based on parent process, interactive shell context, and user role.
Executive priority
Prioritize this as a Linux visibility and SOC triage validation item. It helps answer whether security teams have enough endpoint evidence to investigate suspicious hands-on-keyboard activity without over-alerting on normal administration. The business question is: can we prove who ran process-discovery commands, from what session or parent process, and whether that behavior fits the user’s role?
Technical view
For Linux systems, validate collection and correlation around execution of common process enumeration utilities such as ps, top, and htop, plus access to /proc, with attention to suspicious ancestry. Because no ATT&CK tactic or detailed detection logic is supplied, teams should avoid treating command execution alone as malicious. The practical analytic should enrich process events with parent/child process lineage, interactive shell context, account identity, privilege level, host role, and expected administrative patterns.
Likely telemetry
- Linux process execution events, including command name and command line where available
- Parent and child process lineage for shell and terminal sessions
- User/account context and role or privilege information
- Interactive shell/session indicators
- File or process access telemetry involving /proc, where collected
Detection direction
- Tune detections to focus on suspicious ancestry and unusual user context rather than the presence of ps, top, htop, or /proc access alone.
- Baseline legitimate Linux administration activity to reduce false positives from operators, monitoring tools, and troubleshooting workflows.
- Validate whether telemetry preserves parent process and interactive shell context; without this, the analytic will have limited decision value.
- Correlate command execution with user role and host purpose so alerts identify activity that is unusual for the account or system.
- Document gaps caused by the absence of official detection logic and the lack of supplied ATT&CK relationship context.
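One way to turn the enrichment described above (process ancestry, interactive shell context, user role, and a baseline of known-good operators) into triage logic, as an added example that is not part of the ATT&CK object or Glexia's analysis. The event schema, the daemon list, the role names and the baseline pairs are all assumptions to be replaced by your own EDR/auditd fields and baselines.

```python
"""Triage of Linux process events for AN0096-style process discovery.

Added example, not code from the ATT&CK object or from Glexia. The event
schema, service-daemon list, role names and baseline pairs are assumptions.
"""
import shlex

PROC_ENUM_CMDS = {"ps", "top", "htop"}
# Hypothetical: daemons that should never be an ancestor of hands-on discovery.
SERVICE_ANCESTORS = {"nginx", "apache2", "httpd", "php-fpm", "tomcat"}
ADMIN_ROLES = {"sysadmin", "sre"}
# Hypothetical baseline of (user, parent) pairs known to run ps/top legitimately.
BASELINE = {("nagios", "nrpe"), ("root", "node_exporter")}


def is_process_discovery(cmdline):
    """True for ps/top/htop, or for any argument that reads under /proc."""
    argv = shlex.split(cmdline)
    if not argv:
        return False
    if argv[0].rsplit("/", 1)[-1] in PROC_ENUM_CMDS:
        return True
    return any(a == "/proc" or a.startswith("/proc/") for a in argv[1:])


def triage(event):
    """Return a list of reasons; an empty list means expected administration."""
    if not is_process_discovery(event["cmdline"]):
        return []
    if (event["user"], event["parent"]) in BASELINE:
        return []  # baselined monitoring/operator activity, no alert
    reasons = []
    if SERVICE_ANCESTORS & set(event["ancestry"]):
        reasons.append("suspicious ancestry: spawned under a service daemon")
    if event["tty"] and event["role"] == "service":
        reasons.append("interactive shell for a service account")
    if event["role"] not in ADMIN_ROLES and event["role"] != "service":
        reasons.append(f"role {event['role']} does not normally administer hosts")
    return reasons


# Constructed sample events (not real telemetry); ancestry is parent-first.
SAMPLE_EVENTS = [
    {"cmdline": "ps aux", "user": "alice", "role": "sysadmin", "tty": "pts/0",
     "parent": "bash", "ancestry": ["bash", "sshd"]},
    {"cmdline": "ps -ef", "user": "www-data", "role": "service", "tty": "",
     "parent": "sh", "ancestry": ["sh", "php-fpm"]},
    {"cmdline": "cat /proc/1/status", "user": "bob", "role": "developer",
     "tty": "pts/1", "parent": "bash", "ancestry": ["bash", "sshd"]},
    {"cmdline": "top -bn1", "user": "nagios", "role": "service", "tty": "",
     "parent": "nrpe", "ancestry": ["nrpe"]},
    {"cmdline": "htop", "user": "www-data", "role": "service", "tty": "pts/2",
     "parent": "bash", "ancestry": ["bash", "sh", "nginx"]},
]
```

Only the second, third and fifth sample events produce reasons; the sysadmin's `ps aux` and the baselined monitoring `top -bn1` are treated as expected administration.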
Mitigation priorities
- Ensure Linux endpoint logging captures process execution, ancestry, and user/session context at sufficient fidelity for investigation.
- Apply least-privilege and role-based access practices so process-enumeration activity can be assessed against expected duties.
- Maintain asset and account context to support alert triage and compliance evidence around administrative activity.
- Use SOC tuning and incident response playbooks that distinguish benign administration from suspicious interactive discovery behavior.
- Review coverage periodically because this object provides only a high-level analytic description, not a complete detection implementation.
Analyst notes and limits
The supplied object is a detection analytic for Linux only. It describes detecting common process enumeration utilities or /proc access with suspicious ancestry, correlated with interactive shell context and user role. No tactic, relationship context, or official detection content was provided, so this take emphasizes validation of telemetry, context, and tuning rather than a specific rule.
This assessment is limited to the official STIX fields, external reference, and the absence of supplied relationships. It does not establish malicious intent, active exploitation, attribution, impact, or guaranteed detection coverage. Local environment baselines and logging capabilities are required to determine usefulness.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0a6e4e237bdf… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0096 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.