AN0335: Analytic 0335
Password changes or account deletions via 'passwd', 'userdel', or 'chage' preceded by interactive shell or remote command execution from non-privileged accounts.
Analyst context for executives and security teams
This analytic is relevant because Linux account changes can directly affect access continuity and incident response: password changes or account deletions using `passwd`, `userdel`, or `chage` may be legitimate administration, but they become higher-risk when they follow an interactive shell or remote command execution from a non-privileged account. For leaders, the value is confirming whether the organization can distinguish approved Linux account maintenance from suspicious account manipulation that could disrupt operations or complicate containment.
Executive priority
Prioritize this as a Linux identity and operational resilience validation item. Security leaders should ask whether non-privileged users can initiate paths that lead to password changes or account deletion, whether those actions are logged with enough context to support an investigation, and whether SOC or IR teams can quickly determine if the activity was approved administration. This can also support audit evidence around privileged access governance and account lifecycle controls.
Technical view
For SOC, detection engineering, and IR teams, validate visibility into Linux process execution where `passwd`, `userdel`, or `chage` are launched after an interactive shell or remote command execution associated with a non-privileged account. Because no official detection logic is supplied, teams should treat AN0335 as an analytic concept: correlate command execution, user context, session type, parent process lineage, and account-management events. Tactics are not specified in the supplied object, so local triage should avoid assuming intent and should focus on whether the actor, session, and resulting account change were authorized.
Likely telemetry
- Linux process execution telemetry including command name, arguments where available, parent process, timestamp, user ID, and effective user ID
- Authentication and session records showing interactive shell activity, remote logons, or remote command execution
- Account management logs or audit records for password changes, account deletion, or password aging changes involving `passwd`, `userdel`, or `chage`
- Privilege context such as non-privileged versus elevated execution state, where collected
- Host audit logs that can link session origin, user identity, and subsequent account-modification commands
Detection direction
- Build or validate correlation between a non-privileged account’s interactive shell or remote command execution and later execution of `passwd`, `userdel`, or `chage`.
- Tune for legitimate administrative workflows, automation, and approved helpdesk or system administration activity to reduce false positives.
- Confirm whether telemetry captures effective user context; without it, commands run through elevation mechanisms may be difficult to interpret.
- Review blind spots where Linux hosts lack process command logging, session attribution, or account-management audit records.
- Use the analytic as a triage trigger rather than a standalone conclusion, since the supplied ATT&CK object provides no official detection logic and no relationship context.
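One way to implement the session-to-command correlation described above, as an added Python example that is not detection logic supplied by the ATT&CK object or by Glexia; the event schema, the uid threshold of 1000, the 600-second lookback window and the sample events are all assumptions, and the `elevated` flag carries the effective-user caveat from the list:

```python
from dataclasses import dataclass
from typing import Optional

ACCOUNT_CMDS = {"passwd", "userdel", "chage"}
INTERACTIVE_SHELLS = {"bash", "sh", "zsh"}
REMOTE_PARENTS = {"sshd"}       # remote command execution arrives under sshd
NONPRIV_UID_MIN = 1000          # assumed: regular users start at uid 1000
WINDOW_SECONDS = 600            # assumed lookback from session origin to account change

@dataclass
class ProcEvent:
    ts: int             # epoch seconds
    session: str        # login session id (auditd 'ses' style; constructed values below)
    uid: int            # real (login) uid
    euid: int           # effective uid after any elevation (sudo, setuid)
    comm: str           # command name
    parent: str         # parent command name
    tty: Optional[str]  # tty when the process is interactive, else None

def is_shell_or_remote(e: ProcEvent) -> bool:
    """Interactive shell (has a tty) or a process spawned by a remote daemon."""
    return (e.comm in INTERACTIVE_SHELLS and e.tty is not None) or e.parent in REMOTE_PARENTS

def correlate(events, window=WINDOW_SECONDS):
    """Flag passwd/userdel/chage preceded in-session by a non-privileged shell or remote exec."""
    by_session = {}
    for e in sorted(events, key=lambda x: x.ts):
        by_session.setdefault(e.session, []).append(e)
    hits = []
    for ses, evs in by_session.items():
        for e in evs:
            if e.comm not in ACCOUNT_CMDS:
                continue
            origin = [p for p in evs if 0 <= e.ts - p.ts <= window
                      and p.uid >= NONPRIV_UID_MIN and is_shell_or_remote(p)]
            if origin:
                # 'elevated': real uid is unprivileged but the command ran as root (euid caveat)
                hits.append({"session": ses, "command": e.comm, "uid": e.uid,
                             "origin": origin[0].comm, "ts": e.ts,
                             "elevated": e.uid >= NONPRIV_UID_MIN and e.euid == 0})
    return hits

# Constructed sample telemetry, not data from any real host.
SAMPLE = [
    ProcEvent(100, "ses-1", 1001, 1001, "bash", "sshd", "pts/0"),   # remote interactive login
    ProcEvent(160, "ses-1", 1001, 0, "passwd", "sudo", "pts/0"),    # account change via sudo
    ProcEvent(200, "ses-2", 0, 0, "chage", "cron", None),           # root automation, no shell
    ProcEvent(400, "ses-4", 1003, 1003, "bash", "login", "tty1"),
    ProcEvent(1500, "ses-4", 1003, 0, "userdel", "sudo", "tty1"),   # outside the lookback window
]
```

Running `correlate(SAMPLE)` flags only the `ses-1` `passwd` run; the root cron job and the out-of-window `userdel` are left for ordinary tuning rather than alerting.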
Mitigation priorities
- Enforce least privilege for Linux account-management functions and limit who can change passwords, delete accounts, or modify password aging settings.
- Require approved administrative paths and change records for account lifecycle actions on Linux systems.
- Ensure logging is enabled for process execution, authentication/session activity, and account-management changes on in-scope Linux hosts.
- Regularly review non-privileged accounts that can reach administrative functions through shell or remote execution paths.
- Test incident response procedures for quickly validating whether a Linux account change was authorized and whether business-critical access was affected.
Analyst notes and limits
AN0335 is a detection analytic in the enterprise ATT&CK domain for Linux. The supplied object describes suspicious sequencing around `passwd`, `userdel`, or `chage`, but provides no official detection body, no tactics, and no relationships. The strongest defensive use is as a coverage validation prompt for Linux identity, host telemetry, and SOC correlation logic.
This take is limited to the supplied STIX fields and external reference. It does not establish adversary attribution, active exploitation, impact, or guaranteed detection. Local baselines, administrative procedures, and telemetry availability are required to determine whether matching activity is suspicious.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9bacab703d93… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0335
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.