AN0227: Analytic 0227
Execution of trusted system binaries (e.g., `split`, `tee`, `bash`, `env`) used in uncommon sequences or chained behaviors to execute malicious payloads or perform actions inconsistent with normal system or script behavior.
Analyst context for executives and security teams
This analytic matters because it focuses on a common Linux defense challenge: trusted system binaries can be used in unusual chains that look legitimate at first glance. For leaders, the risk is not the presence of tools like split, tee, bash, or env by themselves, but whether the organization can distinguish normal administration and scripting from behavior that may indicate malicious payload execution or abnormal automation.
Executive priority
Prioritize this as a Linux monitoring and response-readiness question rather than a single signature. Security leaders should ask whether SOC and IR teams have enough process, command-line, and script-execution evidence to reconstruct unusual chained activity involving trusted binaries. The business value is stronger incident decision-making, better audit evidence for Linux control coverage, and reduced blind spots around legitimate tools being used in unexpected ways.
Technical view
For Linux environments, validate visibility into executions of trusted system binaries, especially when they appear in uncommon sequences or chained behaviors inconsistent with known scripts, jobs, or administrative workflows. Because ATT&CK provides no official detection logic or relationships for this analytic, teams should baseline expected use of split, tee, bash, env, and similar binaries, then tune for unusual parent-child process chains, command-line patterns, working directories, and execution contexts. Triage should focus on whether the chain aligns with approved automation, package management, administrative activity, or scheduled jobs.
Likely telemetry
- Linux process creation events with parent-child relationships
- Command-line arguments for executed binaries
- Script execution logs or shell history where centrally collected
- User, service account, and privilege context for process execution
- Working directory, file path, and executable path metadata
Detection direction
- Confirm that Linux endpoint telemetry captures process chains and command-line arguments; without these, this analytic has limited value.
- Baseline common administrative and automation patterns before alerting on trusted binaries to reduce false positives.
- Look for unusual chaining of trusted binaries rather than isolated execution of split, tee, bash, or env.
- Tune detections against known scripts, cron jobs, deployment tooling, and system maintenance workflows.
- During triage, compare the observed sequence to expected user role, host purpose, working directory, and recent file activity.
Mitigation priorities
- Improve Linux endpoint logging coverage for process execution, command lines, and parent-child relationships.
- Maintain an inventory of approved administrative scripts, scheduled jobs, and automation workflows that commonly use trusted binaries.
- Apply least-privilege controls to service accounts and administrative users that execute scripts or automation.
- Use change management to distinguish approved script changes from unexpected command chains.
- Ensure incident response playbooks include review of trusted-binary execution chains and related file activity.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Linux behavior involving trusted system binaries used in uncommon sequences or chained behaviors. No tactic, official detection logic, or relationship context was supplied, so this take emphasizes validation, baselining, and telemetry readiness rather than a specific rule or threat scenario.
This assessment is limited to the supplied STIX fields and external reference. It does not establish active exploitation, attribution, impact, or guaranteed detection coverage. Local baselines are required to determine what is uncommon or inconsistent in a specific Linux environment.
Analytic 0227
Execution of trusted system binaries (e.g., `split`, `tee`, `bash`, `env`) used in uncommon sequences or chained behaviors to execute malicious payloads or perform actions inconsistent with normal system or script behavior.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 096b51547c24… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0227Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.