AN0325: Analytic 0325
Creation or modification of `systemd` service units or cron jobs using deceptive naming and untrusted command paths, often followed by lateral network activity or privilege escalation.
Analyst context for executives and security teams
This analytic is about suspicious Linux persistence or scheduled execution: new or changed systemd service units or cron jobs that use deceptive names and untrusted command paths, especially when followed by lateral network activity or privilege escalation. For leaders, the practical issue is whether Linux servers have enough change visibility to distinguish approved administration from potentially malicious persistence that could support a broader incident.
Executive priority
Prioritize this where Linux systems support critical applications, privileged administration, or regulated workloads. The decision that matters is whether SOC and incident response teams can prove when a service or cron change occurred, which account made it, what executable path it references, and whether related network or privilege activity followed. That evidence supports resilience, audit, and faster incident scoping, but the object itself supplies no specific detection rule and no ATT&CK technique mapping.
Technical view
Validate monitoring for Linux creation and modification of systemd unit files and cron jobs. Review whether detections account for deceptive naming, execution from untrusted or unusual paths, and temporal correlation with lateral network activity or privilege escalation. Because no official detection logic or relationships are supplied, teams should tune locally against known-good administration patterns, approved service locations, sanctioned automation, and expected privileged maintenance activity.
Likely telemetry
- Linux file creation and modification events for systemd unit locations (system units under /etc/systemd/system and /usr/lib/systemd/system, per-user units under ~/.config/systemd/user)
- Cron job creation and modification records for both system locations (/etc/crontab, /etc/cron.d, the /etc/cron.hourly, daily, weekly and monthly directories) and per-user crontabs under /var/spool/cron
- Process execution telemetry showing command paths launched by systemd or cron
- Authentication and privilege escalation logs relevant to Linux hosts
- Network connection telemetry from Linux hosts, especially lateral internal connections after service or cron changes
Detection direction
- Confirm visibility into both systemd service units and cron jobs on Linux, including file path, command path, user context, timestamp, and host identity.
- Baseline approved service names, cron entries, administrative scripts, and automation paths to reduce false positives from legitimate operations.
- Flag deceptive or lookalike service and job names only when supported by path, parent process, account, timing, or follow-on activity; naming alone can be noisy.
- Correlate suspicious service or cron changes with subsequent lateral network activity or privilege escalation as described in the analytic.
- Identify blind spots where endpoint telemetry, file integrity monitoring, or centralized Linux logging is absent or not retained long enough for incident response.
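The detection direction above, worked as code. This is an added example written for this page, not detection logic published with AN0325 or by MITRE: it runs a small triage over constructed file-change and connection events, extracts the command path from a unit file or crontab, checks it against an assumed list of approved directories, treats a lookalike unit name as supporting evidence only when a path, account or follow-on finding already exists, and correlates the change with internal connections from the same host inside a time window. The trusted directories, known unit names, sanctioned accounts, sample events and the 30-minute window are all assumptions to be replaced with local baselines.

```python
"""Triage of systemd unit / cron changes (added example; constructed data, assumed baselines)."""
import difflib
import ipaddress
import os
import re
from datetime import datetime, timedelta

# Assumed local baselines, not values from ATT&CK.
TRUSTED_CMD_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/",
                    "/usr/local/bin/", "/usr/local/sbin/", "/opt/")
KNOWN_UNITS = {"systemd-resolved", "systemd-timesyncd", "sshd", "cron", "rsyslog", "dbus"}
ADMIN_ACCOUNTS = {"root", "ansible"}                     # allowed to change system locations
SYSTEM_LOCATIONS = ("/etc/systemd/", "/usr/lib/systemd/", "/lib/systemd/", "/etc/crontab", "/etc/cron.")
SYSTEM_CRON_PATHS = ("/etc/crontab", "/etc/cron.d/")    # crontab lines here carry a user column


def exec_path(cmd):
    """First token of a command, minus the systemd ExecStart prefix characters (-, @, +, !, :)."""
    return cmd.strip().split()[0].lstrip("-@+!:")


def untrusted_path(path):
    """Outside the approved directories; a relative command (resolved via PATH) also fails here."""
    return not path.startswith(TRUSTED_CMD_DIRS)


def lookalike(name):
    """Known unit name that `name` imitates, or None for exact matches and unrelated names."""
    if name in KNOWN_UNITS:
        return None
    hit = difflib.get_close_matches(name, KNOWN_UNITS, n=1, cutoff=0.85)
    return hit[0] if hit else None


def commands_from_unit(text):
    """All ExecStart*/ExecStop command strings in a unit file body."""
    return [m.group(1) for m in
            re.finditer(r"^Exec(?:Start|StartPre|StartPost|Stop)\s*=\s*(.+)$", text, re.M)]


def commands_from_crontab(path, text):
    """Command strings from crontab lines; system-style files have a user column after the schedule."""
    cmds = []
    skip = 6 if path.startswith(SYSTEM_CRON_PATHS) else 5
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue                                     # blank, comment or VAR=value line
        n = skip - 4 if fields[0].startswith("@") else skip  # @reboot etc. is a single schedule field
        if len(fields) > n:
            cmds.append(" ".join(fields[n:]))
    return cmds


def triage(changes, net_events, window=timedelta(minutes=30)):
    """Score each change; a lookalike name alone never produces a finding, it only adds to one."""
    findings = []
    for ch in changes:
        is_unit = ch["path"].endswith((".service", ".timer"))
        cmds = (commands_from_unit(ch["content"]) if is_unit
                else commands_from_crontab(ch["path"], ch["content"]))
        reasons = []
        bad = [exec_path(c) for c in cmds if untrusted_path(exec_path(c))]
        if bad:
            reasons.append("untrusted command path: " + ", ".join(bad))
        if ch["path"].startswith(SYSTEM_LOCATIONS) and ch["login_user"] not in ADMIN_ACCOUNTS:
            reasons.append(f"system location changed by unsanctioned account {ch['login_user']!r}")
        lateral = [n for n in net_events if n["host"] == ch["host"]
                   and ch["ts"] <= n["ts"] <= ch["ts"] + window
                   and ipaddress.ip_address(n["dst"]).is_private]
        if lateral:
            reasons.append(f"{len(lateral)} internal connection(s) within {window} of the change")
        if not reasons:
            continue                                     # no path, account or follow-on support
        if is_unit:
            name = os.path.basename(ch["path"]).rsplit(".", 1)[0]
            target = lookalike(name)
            if target:
                reasons.append(f"unit name {name!r} resembles {target!r}")
        findings.append({"host": ch["host"], "path": ch["path"],
                         "severity": len(reasons), "reasons": reasons})
    return findings


T0 = datetime(2024, 5, 1, 10, 0)   # constructed timestamps
CHANGES = [                        # constructed file-change events (login_user = originating account)
    {"ts": T0, "host": "web-07", "login_user": "deploy",
     "path": "/etc/systemd/system/systemd-resolve.service",
     "content": "[Unit]\nDescription=Network Name Resolution\n[Service]\n"
                "ExecStart=/tmp/.x/resolve --daemon\n[Install]\nWantedBy=multi-user.target\n"},
    {"ts": T0 + timedelta(hours=1), "host": "db-02", "login_user": "ansible",
     "path": "/etc/cron.d/backup-nightly",
     "content": "MAILTO=root\n0 2 * * * root /usr/local/sbin/backup.sh --full\n"},
    {"ts": T0 + timedelta(hours=2), "host": "web-07", "login_user": "www-data",
     "path": "/var/spool/cron/crontabs/www-data",
     "content": "*/5 * * * * /dev/shm/.c/agent -q\n"},
]
NET = [                            # constructed connection events
    {"ts": T0 + timedelta(minutes=12), "host": "web-07", "dst": "10.0.5.20", "dport": 445},
    {"ts": T0 + timedelta(minutes=20), "host": "web-07", "dst": "93.184.216.34", "dport": 443},
    {"ts": T0 + timedelta(hours=3), "host": "web-07", "dst": "10.0.5.21", "dport": 22},
]

if __name__ == "__main__":
    for f in triage(CHANGES, NET):
        print(f["host"], f["path"], f["severity"], *f["reasons"], sep="\n  ")
```

On the constructed input this yields two findings: the lookalike unit on web-07 scores on all four dimensions (path under /tmp, unsanctioned account, an internal SMB connection twelve minutes later, and a name one character away from systemd-resolved), while the www-data crontab scores on the /dev/shm path only, since its connection falls outside the window. The ansible-managed cron.d entry produces nothing. Feeding real auditd or FIM events into the same shape (timestamp, host, originating account, path, content) is the only change needed to run it against live telemetry.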
Mitigation priorities
- Establish approved locations and ownership for systemd units, cron jobs, and scripts executed by them.
- Restrict write access to service and cron configuration paths to authorized administrators and managed automation.
- Use change control or configuration management to maintain expected Linux service and scheduled task state.
- Review privileges for accounts able to create services, edit cron jobs, or place executables in trusted paths.
- Ensure incident response playbooks include triage of recent systemd and cron changes, referenced command paths, related authentication events, and follow-on network activity.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, AN0325, for Linux. It describes creation or modification of systemd service units or cron jobs using deceptive naming and untrusted command paths, often followed by lateral network activity or privilege escalation. No official detection query, tactic, technique relationship, or mitigation relationship was supplied, so this page focuses on defensive validation and telemetry requirements rather than a specific rule implementation.
Tactics are not specified, official detection is not provided, and no relationship context is supplied. Any assessment of exposure, active exploitation, actor behavior, or detection coverage requires local Linux asset inventory, logging configuration, baseline administration patterns, and incident evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f018f54b2867… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0325 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.