AN0166: Analytic 0166
Shell-based tools (curl, wget, scp) initiate connections to external domains followed by creation of executable files on disk.
Analyst context for executives and security teams
This analytic is useful because it focuses on a common Linux pattern: command-line transfer tools such as curl, wget, or scp reach out to external domains and are followed by creation of executable files on disk. For leaders, the practical question is whether the organization can see and investigate this sequence quickly enough to distinguish legitimate software administration from suspicious file staging.
Executive priority
Prioritize this as a validation item for Linux monitoring and incident response readiness. It can support decisions about endpoint telemetry coverage, egress visibility, administrator activity baselining, and audit evidence showing that externally retrieved executables are monitored. Because ATT&CK provides no tactic, relationship context, or official detection logic for this analytic, it should be treated as a coverage test rather than a complete risk conclusion.
Technical view
SOC and detection teams should validate whether Linux hosts generate usable evidence for: shell execution of curl, wget, or scp; outbound connections to external domains; and subsequent creation of executable files. Detection engineering should focus on correlation across process, network, and file events, with tuning for expected package management, deployment automation, backups, and administrator workflows. IR teams should ensure alerts preserve command line, user, host, destination, file path, file permissions, and timing context.
Likely telemetry
- Linux process execution events with command-line arguments
- Outbound network connection or DNS telemetry showing external domains
- File creation events on Linux filesystems
- File permission or metadata changes indicating executable files
- User, host, and parent-process context for shell activity
Detection direction
- Correlate shell-based transfer tools with outbound external connections and near-term executable file creation on the same Linux host.
- Baseline legitimate administrative and automation use of curl, wget, and scp to reduce false positives.
- Validate visibility gaps for unmanaged Linux servers, ephemeral workloads, containers, and systems without endpoint logging.
- Review whether detections capture the sequence, not just individual tool execution, because the analytic’s value depends on behavior correlation.
- Because no official detection logic is supplied, test locally with approved benign scenarios and tune against normal software deployment activity.
Mitigation priorities
- Ensure Linux endpoint logging and network/DNS visibility are enabled where business-critical systems run.
- Limit and monitor direct outbound access from servers where feasible, especially to unapproved external domains.
- Use change management and allowlisting practices for expected software retrieval and executable deployment workflows.
- Harden administrative access and service accounts so shell-based downloads are attributable to known users or automation.
- Document monitoring coverage and response procedures as evidence for security governance and compliance readiness.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a technique description. Its decision value is in validating whether defenders can connect three evidence classes: shell transfer tool usage, external connectivity, and executable creation on Linux.
Official detection content, tactics, labels, aliases, and relationship context were not supplied. This take cannot infer adversary intent, prevalence, impact, attribution, or guaranteed detection coverage. Local environment baselines are required to separate normal administration from suspicious behavior.
Analytic 0166
Shell-based tools (curl, wget, scp) initiate connections to external domains followed by creation of executable files on disk.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | bc5ea4922a58… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0166Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.