AN0179: Analytic 0179
Behavioral chain: (1) browser/office/GUI mail client opens a URL, (2) outbound connection to untrusted domain, (3) a new file is saved in $HOME/Downloads, /tmp, or cache immediately after.
Analyst context for executives and security teams
This analytic describes a Linux user-driven download pattern: a browser, office app, or GUI mail client opens a URL, connects to an untrusted domain, and a new file appears in a user download, temporary, or cache location soon after. For leaders, the value is not that every download is malicious, but that this chain is a practical place to validate whether the organization can connect user activity, network destination risk, and endpoint file creation quickly enough to support triage and containment.
Executive priority
Prioritize this as a control-validation use case for Linux desktop or workstation environments where users access web, email, or office content. It helps answer whether SOC and incident response teams can prove what user-facing application initiated a suspicious download, where the file landed, and whether the destination was trusted. This supports incident decision-making, audit evidence for endpoint and network monitoring, and budget prioritization for telemetry gaps across endpoint, DNS/proxy, and file activity logging.
Technical view
For SOC and detection engineering teams, validate correlation across three events on Linux: a GUI application opening a URL, an outbound connection to an untrusted domain, and near-immediate file creation under $HOME/Downloads, /tmp, or browser/application cache paths. Because the official detection field is not provided and no tactic or relationship context is supplied, this should be treated as a detection-engineering pattern to test and tune rather than a complete rule. Key engineering questions include how to define 'untrusted domain,' how tight the time window should be, and whether file creation can be reliably attributed to the initiating process and user session.
Likely telemetry
- Linux process execution or application activity showing browser, office, or GUI mail client URL handling
- Network connection, DNS, proxy, or web gateway logs showing outbound connections and destination domains
- Endpoint file creation telemetry for $HOME/Downloads, /tmp, and application or browser cache directories
- User/session context linking the GUI application, network activity, and file write to the same host and account
- Domain reputation, allowlist, or trust classification data used to distinguish trusted from untrusted destinations
Detection direction
- Validate that Linux endpoint telemetry can correlate process/application activity, network destination, and file creation within a short time window.
- Tune the definition of 'untrusted domain' using local allowlists, reputation sources, and business-approved SaaS or update destinations to reduce false positives.
- Expect benign noise from normal browser downloads, email attachments, office document workflows, software updates, and cached web content; prioritize unusual domains, uncommon applications, unexpected file types, or sensitive users.
- Confirm whether file creation in cache directories is visible; many environments collect downloads but miss browser or application cache writes.
- Test whether telemetry preserves parent/child process, user, and host context well enough for incident responders to reconstruct the chain.
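The correlation the technical view and the detection-direction items describe can be prototyped before any production rule is written. The following is an added example, not part of the ATT&CK analytic or of Glexia's content: it runs the three-step chain over a handful of constructed, normalised Linux events (process, network and file records in JSON lines, with assumed field names), attributes the file write to the initiating application by matching the writer's pid or parent pid against the pid that made the connection, applies a suffix-matched local allowlist as the "untrusted domain" test, and enforces two tunable time windows. The application list, allowlist, window sizes and sample records are all assumptions to be replaced with local data.

```python
"""Prototype of the AN0179 chain: GUI app opens URL -> untrusted connection -> file write.

Added example. Inputs are constructed JSON-lines events, not real telemetry; the
field names (ts, host, user, kind, pid, ppid, comm, url, domain, path) are assumed.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Applications whose URL handling starts the chain (assumed list; extend locally).
URL_HANDLERS = {"firefox", "chromium", "chrome", "libreoffice", "soffice", "thunderbird", "evolution"}

# Business-approved destinations (assumed local allowlist). Suffix matching
# covers subdomains such as archive.ubuntu.com but not ubuntu.com.evil.net.
TRUSTED_DOMAINS = {"ubuntu.com", "corp.example", "github.com"}

# Download, temp and cache locations named by the analytic.
WATCH_DIRS = (
    re.compile(r"^/home/[^/]+/Downloads/"),
    re.compile(r"^/tmp/"),
    re.compile(r"^/home/[^/]+/\.cache/"),
)

NET_WINDOW = timedelta(seconds=60)    # connection must precede the file write by at most this
PROC_WINDOW = timedelta(seconds=300)  # URL open must precede the connection by at most this


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str          # "process", "network" or "file"
    pid: int
    ppid: int = 0
    comm: str = ""     # process name (process events)
    url: str = ""      # URL handed to the GUI application (process events)
    domain: str = ""   # destination domain from DNS/proxy/EDR (network events)
    path: str = ""     # created file (file events)


def parse_jsonl(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d = json.loads(line)
        events.append(Event(ts=datetime.fromisoformat(d["ts"]), host=d["host"], user=d["user"],
                            kind=d["kind"], pid=d["pid"], ppid=d.get("ppid", 0), comm=d.get("comm", ""),
                            url=d.get("url", ""), domain=d.get("domain", ""), path=d.get("path", "")))
    return events


def is_trusted(domain: str) -> bool:
    d = domain.lower().rstrip(".")
    return any(d == t or d.endswith("." + t) for t in TRUSTED_DOMAINS)


def in_watched_dir(path: str) -> bool:
    return any(p.match(path) for p in WATCH_DIRS)


def correlate(events: list[Event]) -> list[dict]:
    """Return one alert per file write that completes the chain on the same host."""
    events = sorted(events, key=lambda e: e.ts)
    procs = [e for e in events if e.kind == "process" and e.comm in URL_HANDLERS and e.url]
    nets = [e for e in events if e.kind == "network" and not is_trusted(e.domain)]
    alerts = []
    for f in events:
        if f.kind != "file" or not in_watched_dir(f.path):
            continue
        for n in nets:
            # Browsers often write via a helper child, so accept the writer's pid or its parent.
            if n.host != f.host or n.pid not in (f.pid, f.ppid):
                continue
            if not timedelta(0) <= f.ts - n.ts <= NET_WINDOW:
                continue
            p = next((p for p in procs if (p.host, p.pid) == (n.host, n.pid)
                      and timedelta(0) <= n.ts - p.ts <= PROC_WINDOW), None)
            if p is None:
                continue
            alerts.append({"host": f.host, "user": f.user, "app": p.comm, "url": p.url,
                           "domain": n.domain, "path": f.path,
                           "seconds_url_to_file": (f.ts - p.ts).total_seconds()})
            break
    return alerts


# Constructed sample: one true chain (firefox -> untrusted domain -> child writes to Downloads),
# one benign download from an allowlisted domain, and one stale connection outside the window.
SAMPLE_JSONL = """\
{"ts":"2025-01-10T12:00:00","host":"ws01","user":"alice","kind":"process","pid":4242,"ppid":1200,"comm":"firefox","url":"https://files.example-untrusted.net/report.pdf"}
{"ts":"2025-01-10T12:00:02","host":"ws01","user":"alice","kind":"network","pid":4242,"ppid":1200,"domain":"files.example-untrusted.net"}
{"ts":"2025-01-10T12:00:04","host":"ws01","user":"alice","kind":"file","pid":4301,"ppid":4242,"path":"/home/alice/Downloads/report.pdf"}
{"ts":"2025-01-10T12:05:00","host":"ws01","user":"alice","kind":"process","pid":5000,"ppid":1200,"comm":"chromium","url":"https://archive.ubuntu.com/pool/x.deb"}
{"ts":"2025-01-10T12:05:01","host":"ws01","user":"alice","kind":"network","pid":5000,"ppid":1200,"domain":"archive.ubuntu.com"}
{"ts":"2025-01-10T12:05:03","host":"ws01","user":"alice","kind":"file","pid":5000,"ppid":1200,"path":"/home/alice/Downloads/x.deb"}
{"ts":"2025-01-10T12:10:00","host":"ws01","user":"alice","kind":"network","pid":6000,"ppid":1200,"domain":"cdn.example-untrusted.org"}
{"ts":"2025-01-10T12:15:00","host":"ws01","user":"alice","kind":"file","pid":6000,"ppid":1200,"path":"/tmp/payload.bin"}
"""


def run_sample() -> list[dict]:
    return correlate(parse_jsonl(SAMPLE_JSONL))


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

Only the firefox chain fires: the chromium download is suppressed by the allowlist, and the /tmp write has neither a URL-handling process event nor a connection inside the 60-second window. The pid/ppid match is the weak point the technical view warns about; where the EDR exposes a full process tree, match on the tree rather than one generation, and treat a chain that only resolves through cache paths as lower confidence until cache-write visibility has been confirmed.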
Mitigation priorities
- First, ensure Linux endpoints that use browsers, office tools, or GUI mail clients have sufficient endpoint, network, and file activity logging enabled.
- Maintain domain allowlists and trust classifications so detections can distinguish routine business destinations from destinations needing review.
- Apply least-privilege and endpoint hardening practices so downloaded files have limited ability to execute or modify sensitive locations.
- Use web, DNS, or proxy controls where available to restrict or inspect access to untrusted domains.
- Document this analytic as a SOC validation scenario so incident responders can consistently answer who initiated the download, from where, what file was saved, and whether follow-up containment is required.
Analyst notes and limits
This object is a detection analytic, not a technique, and no ATT&CK tactic, official detection text, or relationship context was supplied. The useful defensive takeaway is the behavioral chain itself and the telemetry correlation it requires on Linux systems.
The supplied data does not include detection logic, thresholds, related techniques, mitigations, data components, threat groups, malware, or evidence of active exploitation. Local environment evidence is required to define trusted versus untrusted domains, tune timing windows, and assess actual monitoring coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | af0a3d00cbae… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0179 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.