AN0195: Analytic 0195
Detects inbound SCP, rsync, or NFS mounts from remote systems followed by aggregation of files into known staging paths like /mnt/staging or /var/tmp.
Analyst context for executives and security teams
This analytic matters because it focuses on a practical data-staging pattern on Linux systems: remote inbound file movement using SCP, rsync, or NFS, followed by aggregation into staging locations such as /mnt/staging or /var/tmp. For security leaders, the value is not just detecting a tool name; it is validating whether the organization can see remote file collection activity before it becomes an incident-response, data-governance, or operational resilience problem.
Executive priority
Prioritize this where Linux servers hold sensitive, regulated, operational, or business-critical data. Leaders should ask whether SOC and incident response teams can prove visibility into inbound file transfer activity, mounted remote file systems, and unusual staging-directory growth. This analytic can support evidence for control assurance and incident readiness, but the supplied ATT&CK object does not provide a tactic, relationship context, or complete detection logic, so local validation is required before treating it as coverage.
Technical view
For Linux environments, validate telemetry that can show inbound SCP, rsync, or NFS mount activity from remote systems and subsequent file aggregation into paths such as /mnt/staging or /var/tmp. Detection engineering should correlate network or authentication evidence with process, mount, and filesystem activity. Because no official detection logic is provided, teams should define local baselines for legitimate administration, backup, synchronization, and shared-storage workflows to reduce false positives.
Likely telemetry
- Linux process execution telemetry for scp, rsync, mount, and related file-copy or filesystem commands
- Authentication and remote access logs associated with inbound file transfer sessions
- NFS mount activity and filesystem mount records
- Filesystem telemetry showing file creation, movement, or volume growth under staging paths such as /mnt/staging and /var/tmp
- Network connection metadata for remote systems interacting with Linux hosts over file transfer or file sharing services
Detection direction
- Confirm whether Linux endpoint, host audit, and network telemetry can connect remote inbound transfer activity to local file aggregation behavior.
- Tune detections around known administrative, backup, deployment, and synchronization jobs that legitimately use SCP, rsync, NFS, /mnt/staging, or /var/tmp.
- Look for sequencing: remote transfer or mount activity followed by concentrated file creation or collection in staging directories.
- Validate blind spots such as unmanaged Linux servers, short log retention, missing command-line capture, limited NFS visibility, and lack of filesystem event monitoring.
- Because ATT&CK provides no official detection logic for this analytic, document the local analytic implementation, data dependencies, and test results as coverage evidence.
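The sequencing described above, as an added example that is not part of the ATT&CK object or Glexia's analysis: a small Python check that walks normalized host telemetry and raises an alert when an inbound transfer process (scp, rsync, sftp-server) or an NFS mount on a host is followed, within a time window, by a burst of file creations under /mnt/staging or /var/tmp. The JSON-lines schema, the sample events, the 30-minute window, the five-file threshold and the `(user, process)` allowlist are all constructed for this example and stand in for the local baselines the text says each team must define.

```python
"""Added example: sequence check for inbound transfer or NFS mount followed by
file aggregation under staging paths. Not ATT&CK or Glexia code."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

STAGING_PATHS = ("/mnt/staging", "/var/tmp")      # paths named by the analytic
TRANSFER_PROCS = {"scp", "rsync", "sftp-server"}  # server-side transfer processes
NFS_TYPES = {"nfs", "nfs4"}
WINDOW = timedelta(minutes=30)   # how long after a trigger to look for aggregation
MIN_FILES = 5                    # staging-path file creations that count as aggregation
# Hypothetical local tuning: (user, process) pairs for approved backup/sync jobs
ALLOWLIST = {("backup", "rsync")}

# Constructed sample telemetry, one JSON object per line. The field names are this
# example's own normalized schema, not any product's log format.
SAMPLE_EVENTS = """\
{"ts": "2024-05-01T02:00:05", "host": "db01", "type": "auth", "user": "deploy", "src_ip": "203.0.113.10", "outcome": "success"}
{"ts": "2024-05-01T02:00:07", "host": "db01", "type": "process", "user": "deploy", "comm": "scp", "cmdline": "scp -t /var/tmp/collect", "src_ip": "203.0.113.10"}
{"ts": "2024-05-01T02:00:08", "host": "db01", "type": "file_create", "path": "/var/tmp/collect/customers-1.csv"}
{"ts": "2024-05-01T02:00:09", "host": "db01", "type": "file_create", "path": "/var/tmp/collect/customers-2.csv"}
{"ts": "2024-05-01T02:00:10", "host": "db01", "type": "file_create", "path": "/var/tmp/collect/customers-3.csv"}
{"ts": "2024-05-01T02:00:11", "host": "db01", "type": "file_create", "path": "/var/tmp/collect/customers-4.csv"}
{"ts": "2024-05-01T02:00:12", "host": "db01", "type": "file_create", "path": "/var/tmp/collect/customers-5.csv"}
{"ts": "2024-05-01T02:00:13", "host": "db01", "type": "file_create", "path": "/var/tmp/collect/customers-6.csv"}
{"ts": "2024-05-01T03:00:00", "host": "web02", "type": "process", "user": "backup", "comm": "rsync", "cmdline": "rsync --server -logDtpre.iLsfx . /var/tmp/backup-spool", "src_ip": "10.0.0.9"}
{"ts": "2024-05-01T03:00:01", "host": "web02", "type": "file_create", "path": "/var/tmp/backup-spool/etc.tar"}
{"ts": "2024-05-01T03:00:02", "host": "web02", "type": "file_create", "path": "/var/tmp/backup-spool/var.tar"}
{"ts": "2024-05-01T03:00:03", "host": "web02", "type": "file_create", "path": "/var/tmp/backup-spool/home.tar"}
{"ts": "2024-05-01T03:00:04", "host": "web02", "type": "file_create", "path": "/var/tmp/backup-spool/opt.tar"}
{"ts": "2024-05-01T03:00:05", "host": "web02", "type": "file_create", "path": "/var/tmp/backup-spool/srv.tar"}
{"ts": "2024-05-01T04:00:00", "host": "app03", "type": "mount", "user": "root", "fstype": "nfs4", "source": "198.51.100.5:/export/share", "target": "/mnt/staging"}
{"ts": "2024-05-01T04:00:30", "host": "app03", "type": "file_create", "path": "/mnt/staging/report.pdf"}
{"ts": "2024-05-01T04:00:31", "host": "app03", "type": "file_create", "path": "/mnt/staging/notes.txt"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry and return the events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def under_staging(path):
    """True when path is a staging directory or lies beneath one."""
    return any(path == p or path.startswith(p + "/") for p in STAGING_PATHS)


def trigger_kind(ev, allowlist):
    """Label an event as an inbound-transfer trigger, or None.
    Allowlisted (user, process) pairs are treated as approved workflows."""
    if ev["type"] == "process" and ev.get("comm") in TRANSFER_PROCS:
        if (ev.get("user"), ev["comm"]) in allowlist:
            return None
        return ev["comm"]
    if ev["type"] == "mount" and ev.get("fstype") in NFS_TYPES:
        return "nfs-mount"
    return None


def detect(events, allowlist=ALLOWLIST):
    """Alert when a trigger on a host is followed, within WINDOW, by at least
    MIN_FILES file creations under a staging path on that same host."""
    alerts = []
    by_host = defaultdict(list)
    for ev in events:                      # events are already time-ordered
        by_host[ev["host"]].append(ev)
    for host, evs in by_host.items():
        for i, trig in enumerate(evs):
            kind = trigger_kind(trig, allowlist)
            if kind is None:
                continue
            deadline = trig["ts"] + WINDOW
            staged = [e["path"] for e in evs[i + 1:]
                      if e["type"] == "file_create" and e["ts"] <= deadline
                      and under_staging(e["path"])]
            if len(staged) >= MIN_FILES:
                alerts.append({
                    "host": host,
                    "trigger": kind,
                    "user": trig.get("user"),
                    "remote": trig.get("src_ip") or trig.get("source"),
                    "file_count": len(staged),
                    "first_path": staged[0],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample data only the db01 sequence alerts: the web02 rsync job writes to /var/tmp too but is suppressed by the allowlist, and the app03 NFS mount is followed by fewer files than the threshold. Running `detect` with an empty allowlist makes web02 fire as well, which is the false-positive class the tuning guidance above is meant to remove; the threshold and window are the two knobs that need local baselines before the check is treated as coverage.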
Mitigation priorities
- Inventory Linux systems where inbound SCP, rsync, or NFS access is allowed and confirm the business need.
- Restrict inbound file transfer and NFS access to authorized users, systems, and administrative workflows.
- Apply least privilege to staging directories and monitor writable temporary or staging paths used for aggregation.
- Review retention and alerting for Linux authentication, process, mount, network, and filesystem logs so incident responders can reconstruct activity.
- Use detection validation or purple-team-style testing in a controlled manner to confirm the analytic fires on approved benign simulations without relying on assumptions.
Analyst notes and limits
This is a detection analytic object, not a technique description. The most useful defensive interpretation is coverage validation: can the organization observe inbound remote file movement and staging behavior on Linux hosts? The absence of relationships means there is no supplied ATT&CK context tying this analytic to specific techniques, groups, campaigns, or software.
The supplied object has no tactic, no official detection text, and no relationship context. Claims about attacker intent, exploitation, impact, attribution, or guaranteed detection are not supported. Local environment data is required to determine whether SCP, rsync, NFS, /mnt/staging, or /var/tmp activity is suspicious or normal.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources and updates pages.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 23d990405c4d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0195 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.