AN0230: Analytic 0230
Adversary leverages root or sudo access to alter system banners, web content directories (e.g., /var/www/html), or login configurations (/etc/issue). File creation or overwrites may coincide with suspicious script execution or cron job activity.
Analyst context for executives and security teams
This analytic describes a Linux-focused behavior where an adversary with root or sudo-level access changes visible system or web-facing content, such as login banners, /etc/issue, or web directories like /var/www/html. For leaders, the decision value is that these changes often indicate the environment has already lost privileged control of a host, even if the visible result looks like simple defacement or banner tampering.
Executive priority
Treat this as a privileged-access integrity signal. The key business question is whether Linux servers that support public web content, internal applications, or administrative access have monitoring that can prove who changed critical files, when, and from which process or account. This matters for incident scoping, audit evidence, operational resilience, and determining whether the event is isolated misconfiguration, authorized administration, or a sign of broader compromise.
Technical view
SOC and IR teams should validate coverage for Linux file creation, overwrite, and permission-relevant changes in sensitive paths such as /var/www/html and /etc/issue, especially when paired with root or sudo activity, suspicious script execution, or cron job changes. Because ATT&CK provides no official detection logic for this analytic, teams should build local detection around file integrity monitoring, process execution context, user privilege context, and scheduled task telemetry. Triage should distinguish expected administrative content updates from unexpected changes by privileged shells, scripts, automation accounts, or cron-driven processes.
Likely telemetry
- Linux file integrity or audit events for creation, overwrite, and modification of sensitive files and web content directories
- Process execution telemetry showing the parent and child processes responsible for file changes
- Authentication and privilege escalation logs showing root or sudo use
- Cron or scheduled task activity around the time of file modification
- Web server content deployment or configuration change records, where available
Detection direction
- Baseline legitimate Linux administration and web content deployment workflows to reduce false positives from normal maintenance.
- Correlate sensitive file modifications with root/sudo use, script execution, and cron activity rather than alerting on file changes alone.
- Prioritize unexpected writes to login banner/configuration files and web content directories from interactive shells, temporary paths, or nonstandard automation accounts.
- Validate whether telemetry captures both the file path changed and the process/user responsible; path-only alerts may be insufficient for incident response.
- Check for blind spots on Linux servers without auditd, EDR, file integrity monitoring, centralized sudo logs, or cron logging.
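The correlation logic described above, as an added example that is not part of the ATT&CK object or Glexia's analysis: a small triage function over constructed, flattened audit-style write events that only alerts when a write to a sensitive path coincides with root/sudo context, a cron parent, a temporary-path executable or a script interpreter, and suppresses a constructed deployment baseline. The record format, the deployment baseline and the banner paths beyond /etc/issue and /var/www/html (/etc/motd) are assumptions.

```python
import re

# Added example. Assumed banner paths beyond the page's /etc/issue and /var/www/html: /etc/motd.
SENSITIVE_PREFIXES = ("/etc/issue", "/etc/motd", "/var/www/html/")
TEMP_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
CRON_PARENTS = {"cron", "crond"}
PRIV_PARENTS = {"sudo", "su"}
SCRIPT_INTERPRETERS = {"sh", "bash", "dash", "python3", "perl"}
# Constructed baseline of one authorized web deployment: (login account, executable, target prefix).
AUTHORIZED_DEPLOYS = {("deploy", "/usr/bin/rsync", "/var/www/html/")}

# Constructed, flattened file-write events (real auditd emits multi-line SYSCALL/PATH records):
# acct = original login account, uid = effective uid, ppid_comm = parent process name.
SAMPLE_EVENTS = [
    "ts=1 acct=deploy uid=1002 comm=rsync exe=/usr/bin/rsync ppid_comm=sshd path=/var/www/html/index.html op=write",
    "ts=2 acct=alice uid=0 comm=vim exe=/usr/bin/vim ppid_comm=sudo path=/etc/issue op=write",
    "ts=3 acct=root uid=0 comm=sh exe=/tmp/.x/update.sh ppid_comm=cron path=/var/www/html/index.html op=write",
    "ts=4 acct=bob uid=1003 comm=nano exe=/usr/bin/nano ppid_comm=bash path=/home/bob/notes.txt op=write",
]
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    return dict(FIELD_RE.findall(line))

def score_event(ev):
    """Return (severity, reasons): 'ignore', 'review' (sensitive path only) or 'alert' (path + privileged context)."""
    path = ev.get("path", "")
    prefix = next((p for p in SENSITIVE_PREFIXES if path.startswith(p)), None)
    if prefix is None or ev.get("op") not in ("write", "create"):
        return "ignore", []
    if (ev.get("acct"), ev.get("exe"), prefix) in AUTHORIZED_DEPLOYS:
        return "ignore", ["matches authorized deployment baseline"]
    reasons = []
    if ev.get("uid") == "0" or ev.get("ppid_comm") in PRIV_PARENTS:
        reasons.append("written with root/sudo privilege")
    if ev.get("ppid_comm") in CRON_PARENTS:
        reasons.append("parent process is cron")
    if ev.get("exe", "").startswith(TEMP_PREFIXES):
        reasons.append("executable runs from a temporary path")
    if ev.get("comm") in SCRIPT_INTERPRETERS:
        reasons.append("file written by a script interpreter")
    return ("alert" if reasons else "review"), reasons

def triage(lines):
    """Map each event's ts to its verdict, so path-only hits are not raised as alerts."""
    return {ev["ts"]: score_event(ev) for ev in map(parse_event, lines)}

if __name__ == "__main__":
    for ts, (severity, reasons) in triage(SAMPLE_EVENTS).items():
        print(ts, severity, "; ".join(reasons))
```

The cron-driven write from /tmp collects all four reasons, the sudo edit of /etc/issue one, and the rsync deployment none because it matches the baseline; the parent name and login account are what make the verdict possible, which is why path-only telemetry falls short.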
Mitigation priorities
- Limit root and sudo access to users and automation that require it, and review privileged access regularly.
- Protect sensitive system configuration and web content paths with least-privilege permissions and controlled deployment processes.
- Enable file integrity monitoring or equivalent audit controls for critical Linux configuration files and web directories.
- Centralize Linux authentication, sudo, process, and scheduled task logs so responders can reconstruct privileged changes.
- Document authorized banner, login configuration, and web content change procedures to support audit review and faster triage.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Linux and contains a behavior description but no official detection text, tactics, labels, aliases, or relationship context. The strongest use is as a validation prompt for privileged Linux file-change monitoring and IR scoping readiness.
No ATT&CK relationships, tactic mapping, procedures, or formal detection logic were supplied. Local environment context is required to determine which paths are business-critical, which changes are authorized, and what telemetry is actually available.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2239ff6debbf… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0230 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.