AN0356: Analytic 0356
Adversary drops renamed binaries in uncommon directories (e.g., /tmp, /dev/shm) or uses special characters in names (e.g., trailing space, Unicode RLO). Execution or cronjob registration follows shortly after file drop.
Analyst context for executives and security teams
This analytic describes a Linux-focused behavior where an adversary places renamed or oddly named binaries in uncommon writable locations such as /tmp or /dev/shm, then executes them or registers them in cron shortly afterward. For leaders, the value is not the filename itself; it is whether the organization can reliably connect file creation, suspicious naming, execution, and persistence activity in short time windows on Linux systems.
Executive priority
Prioritize this as a Linux monitoring and response-readiness validation item. It matters for operational resilience because temporary and shared-memory directories are common blind spots, and cron-based follow-on activity can turn a dropped file into recurring execution. Security leaders should ask whether Linux endpoint telemetry is collected consistently, whether SOC rules correlate file-drop and execution events, and whether incident responders can quickly determine which hosts created, executed, or scheduled the suspicious binary.
Technical view
Validate coverage for Linux file creation in uncommon directories, especially /tmp and /dev/shm, with attention to renamed binaries and filenames using unusual characters such as trailing spaces or Unicode right-to-left override. Correlate file-drop events with near-term process execution and cronjob registration. Because ATT&CK does not provide an official detection body or tactic mapping for this analytic, teams should treat it as a detection-engineering pattern to test against local Linux telemetry rather than a complete rule specification.
Likely telemetry
- Linux file creation and modification events for /tmp, /dev/shm, and other uncommon execution locations
- Process execution telemetry showing command path, parent process, user, and timestamps
- Cron configuration changes or cronjob registration events
- Filename metadata capable of preserving special characters, trailing spaces, and Unicode characters
- Host identity, user identity, and timestamp data to correlate file drop to execution or scheduling
Detection direction
- Build or validate correlation logic that links suspicious file placement to execution or cron registration shortly afterward.
- Confirm telemetry preserves exact filenames; normalization may hide trailing spaces, Unicode RLO, or other special-character tricks.
- Tune for legitimate administrative, installer, container, and application behaviors that may write or execute from temporary directories.
- Prioritize alerts where the same user, parent process, or host performs file drop and follow-on execution in a short sequence.
- Account for the source limitation: no official detection logic, data source list, or related techniques were supplied with this ATT&CK analytic.
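The correlation logic described in the list above, written out as an added example (it is not MITRE's detection content and not code from the Glexia page). The event schema, the field names, the sample events and the 300-second window are assumptions chosen for illustration; map them onto your own auditd or EDR fields before use.

```python
"""Link suspicious Linux file drops to near-term execution or cron registration.

Added example, not part of the ATT&CK analytic. The Event schema, the
300-second window and the sample events are assumptions for illustration.
"""
from __future__ import annotations
import unicodedata
from dataclasses import dataclass

# Directories the analytic calls out as uncommon execution locations.
UNCOMMON_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

# Unicode bidirectional overrides and isolates abused to disguise filenames.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}

WINDOW_SECONDS = 300  # assumption: "shortly after" means within five minutes


@dataclass
class Event:
    ts: int            # epoch seconds
    host: str
    user: str
    kind: str          # "file_create" | "exec" | "cron_write"
    path: str          # exact, un-normalised filename as logged
    content: str = ""  # cron line written, for cron_write events


def name_anomalies(path: str) -> list[str]:
    """Return the naming tricks present in the basename of `path`."""
    name = path.rsplit("/", 1)[-1]
    found = []
    if name != name.rstrip(" \t"):
        found.append("trailing-whitespace")
    if any(ch in BIDI_CONTROLS for ch in name):
        found.append("bidi-override")
    # Any other control/format character (category C*) is also suspicious.
    if any(unicodedata.category(ch).startswith("C") and ch not in BIDI_CONTROLS
           for ch in name):
        found.append("control-char")
    return found


def is_uncommon_dir(path: str) -> bool:
    return path.startswith(UNCOMMON_DIRS)


def correlate(events: list[Event], window: int = WINDOW_SECONDS) -> list[dict]:
    """For each suspicious file_create, find exec or cron_write events on the
    same host within `window` seconds that reference the dropped path."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for drop in events:
        if drop.kind != "file_create":
            continue
        reasons = name_anomalies(drop.path)
        if is_uncommon_dir(drop.path):
            reasons.append("uncommon-dir")
        if not reasons:
            continue
        for follow in events:
            if follow.host != drop.host or not (drop.ts <= follow.ts <= drop.ts + window):
                continue
            if follow.kind == "exec" and follow.path == drop.path:
                action = "exec"
            elif follow.kind == "cron_write" and drop.path in follow.content:
                action = "cron"
            else:
                continue
            alerts.append({
                "host": drop.host,
                "path": drop.path,
                "reasons": reasons,
                "action": action,
                "delta_s": follow.ts - drop.ts,
                "same_user": follow.user == drop.user,  # prioritise when True
            })
    return alerts


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    Event(1000, "web01", "www-data", "file_create", "/tmp/.x "),
    Event(1030, "web01", "www-data", "exec", "/tmp/.x "),
    Event(1100, "db01", "deploy", "file_create", "/dev/shm/update\u202ehs.pdf"),
    Event(1160, "db01", "root", "cron_write", "/etc/cron.d/update",
          content="* * * * * root /dev/shm/update\u202ehs.pdf"),
    Event(2000, "web01", "root", "file_create", "/usr/local/bin/backup"),
    Event(2010, "web01", "root", "exec", "/usr/local/bin/backup"),
    Event(3000, "web01", "www-data", "file_create", "/tmp/late"),
    Event(9000, "web01", "www-data", "exec", "/tmp/late"),  # outside the window
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The example keeps the raw path in every comparison on purpose: if the collector had stripped the trailing space from `/tmp/.x ` or dropped the U+202E character, `name_anomalies` would return nothing and the first two alerts would never fire, which is the normalization problem the list warns about. The `same_user` flag and `delta_s` give the SOC the two fields the prioritisation guidance asks for.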
Mitigation priorities
- Reduce unnecessary execution from temporary or shared-memory directories where operationally feasible.
- Harden and monitor cron configuration paths and permissions on Linux systems.
- Improve Linux endpoint logging coverage before relying on this analytic for SOC detection.
- Establish IR procedures for collecting the dropped file, process lineage, cron entries, and affected user context.
- Use findings from validation to prioritize control gaps in Linux hardening, managed detection onboarding, and compliance evidence for endpoint monitoring.
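Two of the mitigation items above (execution from temporary directories, cron path permissions) can be turned into repeatable audit checks. The following is an added example, not code from the page or from MITRE; the mount text and permission records are constructed, and on a real host you would read `/proc/self/mounts` and `os.stat()` the cron paths instead.

```python
"""Audit checks for temp-directory mount options and cron path permissions.

Added example, not from the ATT&CK analytic. The sample mounts text and the
permission records below are constructed for illustration.
"""
from __future__ import annotations
import os
import stat

TEMP_MOUNTS = ("/tmp", "/var/tmp", "/dev/shm")
WANTED_OPTS = ("noexec", "nosuid", "nodev")
CRON_PATHS = ("/etc/crontab", "/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily",
              "/etc/cron.weekly", "/etc/cron.monthly", "/var/spool/cron")


def audit_mounts(mounts_text: str) -> dict[str, list[str]]:
    """Parse /proc/self/mounts lines (device mountpoint fstype options ...)
    and list the hardening options missing on each temp directory. A temp
    directory that is not its own mount inherits the parent's options, so
    it is reported as 'not-a-mount' to prompt an fstab review."""
    seen: dict[str, list[str]] = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint, opts = fields[1], set(fields[3].split(","))
        if mountpoint in TEMP_MOUNTS:
            seen[mountpoint] = [o for o in WANTED_OPTS if o not in opts]
    return {mp: seen.get(mp, ["not-a-mount"]) for mp in TEMP_MOUNTS}


def audit_cron_perms(records: dict[str, tuple[int, int]]) -> list[str]:
    """`records` maps path -> (st_mode, st_uid). Flag cron configuration
    paths that are group- or world-writable or not owned by root (uid 0).
    Paths absent from `records` are skipped."""
    findings = []
    for path in CRON_PATHS:
        if path not in records:
            continue
        mode, uid = records[path]
        if uid != 0:
            findings.append(f"{path}: owner uid {uid}, expected 0")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path}: group/world writable ({stat.filemode(mode)})")
    return findings


def collect_cron_perms() -> dict[str, tuple[int, int]]:
    """Live collection for a real host; not used by the constructed sample."""
    out = {}
    for path in CRON_PATHS:
        try:
            st = os.stat(path)
            out[path] = (st.st_mode, st.st_uid)
        except FileNotFoundError:
            pass
    return out


# Constructed sample input: /dev/shm lacks noexec, /var/tmp is not a mount.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
"""

# Constructed sample records: cron.d is group-writable, spool owned by uid 1000.
SAMPLE_CRON = {
    "/etc/crontab": (0o100644, 0),
    "/etc/cron.d": (0o040775, 0),
    "/etc/cron.hourly": (0o040755, 0),
    "/etc/cron.daily": (0o040755, 0),
    "/etc/cron.weekly": (0o040755, 0),
    "/etc/cron.monthly": (0o040755, 0),
    "/var/spool/cron": (0o040700, 1000),
}

if __name__ == "__main__":
    print(audit_mounts(SAMPLE_MOUNTS))
    print(audit_cron_perms(SAMPLE_CRON))
```

Running the two functions on a fleet and diffing results over time also gives the "compliance evidence for endpoint monitoring" the last mitigation item asks for, without depending on any particular EDR product.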
Analyst notes and limits
This is most useful as a practical detection validation scenario: can the SOC see an unusual Linux binary appear in an uncommon directory and then connect it to execution or scheduled persistence? The absence of relationship context means no specific ATT&CK technique, campaign, software, or actor association should be inferred.
The supplied ATT&CK object is a detection analytic only. Tactics are not specified, official detection text is not provided, and no relationships were supplied. Local environment baselining is required to distinguish suspicious behavior from legitimate Linux administration or application activity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5694bf27ea31… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0356 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.