AN0241: Analytic 0241
Defender observes use of CLI tools (`find`, `grep`, `ls`, `dpkg`, `rpm`, `systemctl`, `ps aux`) to discover backup agents or config files (e.g., rsnapshot, duplicity, veeam). This often includes command lines that recursively search `/etc/`, `/opt/`, or `/var/` directories for keywords like `backup`, and parent-child relationships involving shell or Python scripts.
Analyst context for executives and security teams
This analytic matters because activity that searches Linux systems for backup agents or backup configuration can be an early warning that someone is mapping recovery capabilities. For executives and security leaders, the decision value is whether SOC and IR teams can see when backup-related tooling and configuration are being enumerated, especially under /etc/, /opt/, and /var/.
Executive priority
Prioritize validation where Linux systems support business-critical recovery operations. Leaders should ask whether backup infrastructure and protected workloads generate usable process command-line evidence, whether SOC playbooks treat backup discovery as a resilience concern, and whether incident responders can quickly determine if observed commands are administrative maintenance or suspicious reconnaissance.
Technical view
AN0241 is a Linux detection analytic focused on command-line use of tools such as find, grep, ls, dpkg, rpm, systemctl, and ps aux to discover backup agents or configuration files, including references such as rsnapshot, duplicity, and veeam. Detection engineering should validate visibility into full process command lines, recursive searches of /etc/, /opt/, and /var/ for backup-related keywords, and parent-child relationships involving shells or Python scripts. No ATT&CK tactic or relationship context was supplied, so teams should map this locally to their own detection strategy and incident triage model.
Likely telemetry
- Linux process creation events with full command-line arguments
- Parent-child process lineage for shells, Python scripts, and CLI utilities
- Package manager command execution involving dpkg or rpm
- Service enumeration activity involving systemctl
- Process listing activity involving ps aux
Detection direction
- Validate that Linux endpoint or host telemetry preserves full command-line arguments; truncated commands will reduce analytic value.
- Tune for combinations of recursive search utilities, backup-related keywords, and sensitive configuration paths rather than single benign commands in isolation.
- Review parent processes, especially shell or Python script parents, to separate expected administration from unusual scripted discovery.
- Baseline legitimate backup administration, software inventory, and compliance scanning to reduce false positives.
- Because no official detection logic is provided, convert the description into locally testable analytics and document coverage gaps.
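The detection direction above turned into locally testable logic, as an added example (not official ATT&CK content and not Glexia's or MITRE's code): it classifies constructed process-creation events by discovery tool, backup keyword, sensitive path, recursive search and scripted parent, and alerts only on combinations. The event schema (`pid`, `parent`, `user`, `cmd`) and the sample events are assumptions.

```python
import re
import shlex

# Constructed sample Linux process-creation events (not real telemetry): the
# full command line plus parent image, the two fields AN0241 depends on.
SAMPLE_EVENTS = [
    {"pid": 4101, "parent": "bash", "user": "root",
     "cmd": "find /etc /opt /var -iname '*backup*'"},
    {"pid": 4102, "parent": "python3", "user": "www-data",
     "cmd": "grep -ril duplicity /etc/"},
    {"pid": 4103, "parent": "cron", "user": "root", "cmd": "ls -la /home/alice"},
    {"pid": 4104, "parent": "bash", "user": "root",
     "cmd": "grep backup /home/alice/notes.txt"},
]

DISCOVERY_TOOLS = {"find", "grep", "ls", "dpkg", "rpm", "systemctl", "ps"}
BACKUP_KEYWORDS = re.compile(r"backup|rsnapshot|duplicity|veeam", re.I)
SENSITIVE_PATHS = re.compile(r"(?:^|[\s'\"=])/(?:etc|opt|var)(?:/|$|[\s'\"])")
SCRIPT_PARENTS = {"bash", "sh", "dash", "zsh", "python", "python3"}

def classify(event):
    """Return the AN0241 signals present in one process-creation event."""
    argv = shlex.split(event["cmd"])
    tool = argv[0].rsplit("/", 1)[-1] if argv else ""   # strip /usr/bin/ prefix
    if tool not in DISCOVERY_TOOLS:
        return []
    signals = [f"tool:{tool}"]
    if BACKUP_KEYWORDS.search(event["cmd"]):
        signals.append("backup-keyword")
    if SENSITIVE_PATHS.search(event["cmd"]):
        signals.append("sensitive-path")
    # find walks trees by default; grep/ls need -r/-R, possibly bundled (-ril)
    short = [a for a in argv[1:] if a.startswith("-") and not a.startswith("--")]
    if tool == "find" or "--recursive" in argv or any("r" in f.lower() for f in short):
        signals.append("recursive")
    if event["parent"] in SCRIPT_PARENTS:
        signals.append("scripted-parent")
    return signals

def detect(events):
    """Alert on combinations only: a backup keyword plus a sensitive path or a
    recursive search; a single benign command in isolation never fires."""
    alerts = []
    for ev in events:
        sig = classify(ev)
        if "backup-keyword" in sig and {"sensitive-path", "recursive"} & set(sig):
            alerts.append({"pid": ev["pid"], "user": ev["user"],
                           "parent": ev["parent"], "signals": sig})
    return alerts
```

Baseline the `scripted-parent` and `sensitive-path` signals against known backup administration and inventory jobs before raising the alert threshold or adding a user allowlist.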
Mitigation priorities
- Maintain an inventory of Linux systems running backup agents or storing backup configuration.
- Limit access to backup configuration files and agent management functions to appropriate administrative roles.
- Ensure backup-related hosts and workloads are included in endpoint logging and SOC monitoring scope.
- Create IR triage guidance for suspected backup discovery, including validation of user, parent process, command intent, and affected paths.
- Use this analytic as compliance and resilience evidence only after confirming local telemetry collection and alert review procedures.
Analyst notes and limits
The supplied object is a detection analytic, not a technique, and has no supplied relationship context. Its strongest value is as a coverage test for Linux command-line visibility around backup discovery behavior. The analytic should be reviewed with backup administrators to identify expected maintenance patterns before alerting broadly.
Official detection content is not provided, tactics are not specified, and no relationships are supplied. This take does not assert active exploitation, attribution, impact, or guaranteed detection. Local environment evidence is required to determine whether observed activity is malicious, administrative, or caused by routine inventory tooling.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4b13cff25044… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0241
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.