AN0328: Analytic 0328

Links inbound network access to SSHD/SMB/NFS/Databases or custom daemons with subsequent daemon crash/restart, core dump, or spawning of shells/reverse shells from the service context, indicating remote exploitation.

EnterpriseAN0328AnalyticObject v1.0 Modified Oct 21, 2025, 15:10 UTC (UTC+00:00)

This analytic is about recognizing when a Linux-facing service may have been remotely exploited: inbound access to services such as SSHD, SMB, NFS, databases, or custom daemons is followed by a crash, restart, core dump, or shell/reverse-shell process running in that service context. For leaders, the value is not just detecting a single attack pattern; it is validating whether the organization can connect network exposure, service health, and process execution evidence quickly enough to make incident decisions before a compromised server becomes a broader business continuity issue.

Executive priority

Prioritize this as a resilience and incident-readiness check for Linux systems that expose remote services. Security leaders should ask whether SOC and IR teams can correlate inbound service access with daemon instability and suspicious child processes, and whether logging, retention, and ownership are strong enough to support containment decisions and compliance evidence. This is especially relevant where Linux servers support critical applications, file services, databases, or custom business services.

Technical view

For Linux environments, validate correlation across three evidence areas: inbound network connections to exposed daemons, service crash/restart or core dump events, and process lineage showing shells or reverse shells spawned from the daemon context. Because the ATT&CK object provides no tactic mapping and no detailed detection logic, teams should treat this as a detection design pattern rather than a ready-to-run rule. Tune around expected administrative workflows, legitimate service restarts, maintenance windows, and known automation so that alerts focus on unusual combinations of remote access plus service instability plus suspicious child processes.

Likely telemetry

Linux process creation and parent-child process lineage
Network connection logs showing inbound access to SSHD, SMB, NFS, databases, or custom daemons
Service manager logs for daemon crash, restart, or abnormal termination events
Core dump or crash reporting artifacts
Authentication and session logs where available for exposed services

Detection direction

Confirm that telemetry can link an inbound connection to the affected service and then to subsequent daemon behavior on the same host and time window.
Validate alerts for shells or reverse shells spawned from service contexts rather than from normal interactive user sessions.
Tune out expected restarts, patching activity, service supervision behavior, and administrative troubleshooting to reduce false positives.
Pay attention to custom daemons, which often have weaker logging and less mature detection content than standard services.
Because no official detection logic is supplied, require local testing with representative Linux services and logging configurations before relying on coverage claims.

Mitigation priorities

Inventory Linux systems exposing SSHD, SMB, NFS, databases, or custom daemons and identify which are business-critical.
Ensure host logging captures process lineage, service lifecycle events, crash/core dump evidence, and relevant network connection context.
Reduce unnecessary inbound exposure and enforce access controls around administrative and data services.
Establish IR procedures for triaging service crashes followed by suspicious child processes, including containment and evidence preservation.
Use vulnerability and patch management to prioritize exposed Linux services and custom daemons where remote exploitation would have high operational impact.

Analyst notes and limits

This object is a detection analytic, not a technique description. Its main decision value is the correlation pattern: remote access to a Linux service followed by crash/restart/core dump behavior or suspicious shell execution from that service context. The supplied ATT&CK fields do not provide relationships, tactics, or a formal detection query, so implementation depends heavily on local telemetry quality and service architecture.

Only the official STIX fields, external reference, and supplied description were used. No relationship context, ATT&CK tactics, or official detection text were provided. This take does not assert active exploitation, attribution, impact, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Analytic 0328

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Raw hash: 92caff4fb7c9ab5d...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Oct 21, 2025, 15:10 UTC (UTC+00:00)	Current bundle	`92caff4fb7c9…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN0328
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use