MITRE ATT&CK® Analytic

AN0361: Analytic 0361

Suspicious invocation of GUI utilities or scripts with suppressed or redirected windowing options. Defender view: detection of X11 or Wayland calls to spawn windows that do not appear on active displays, or use of nohup/screen/tmux to mask interactive shells.

Enterprise | AN0361 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN0361 highlights a Linux detection analytic for suspicious attempts to run GUI utilities or interactive sessions in ways that avoid normal user visibility, such as hidden X11/Wayland windows or shell sessions masked with nohup, screen, or tmux. For leaders, the value is not the specific command names alone; it is whether the organization can see Linux interactive activity that may bypass normal desktop visibility and operator awareness.

Executive priority

Prioritize this where Linux systems support critical operations, administrator workstations, engineering environments, or shared servers. The business question is whether SOC and incident response teams can distinguish legitimate background administration from suspicious hidden or redirected interactive activity. This matters for operational resilience, audit evidence, and IR readiness because a lack of Linux process/session telemetry can leave defenders unable to reconstruct who launched interactive tools, where display output was directed, or whether activity was intentionally concealed.

Technical view

Validate Linux coverage for process creation, parent-child process lineage, command-line arguments, user/session context, and relevant X11 or Wayland environment indicators. Detection engineering should focus on suspicious invocation patterns involving GUI utilities or scripts with suppressed or redirected windowing behavior, plus use of nohup, screen, or tmux in contexts that may mask interactive shells. Because ATT&CK does not supply a formal detection query, tactics, or related techniques for this analytic, local baselining is required to separate normal administration, automation, and remote support workflows from abnormal hidden-window or detached-session behavior.

Likely telemetry

  • Linux process creation events with full command-line arguments
  • Parent-child process relationships for shells, scripts, GUI utilities, nohup, screen, and tmux
  • User identity, login session, terminal, and remote access context
  • Environment variables and display/session indicators relevant to X11 or Wayland where available
  • Shell history or command auditing where collected and policy-appropriate

Detection direction

  • Confirm that Linux telemetry preserves complete command lines and process ancestry; truncated command lines will materially reduce analytic value.
  • Baseline legitimate use of nohup, screen, and tmux by administrators, automation, developers, and support teams before treating detached sessions as suspicious.
  • Review X11/Wayland-related process activity for windows or display targets that do not align with active user sessions or expected workflows.
  • Tune by asset role and user role; shared engineering hosts and admin jump systems may have higher legitimate detached-session usage than standard endpoints.
  • Correlate suspicious hidden or redirected GUI/session activity with authentication events, privilege changes, remote logins, and file/script execution.
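The detection direction above can be exercised against process-creation telemetry directly. The following is an added example written for this page, not code from Glexia or from the MITRE object: it scans constructed Linux process-creation records (pid, parent, user, tty, command line, captured DISPLAY) for two of the behaviours the analytic names, a detached nohup/screen/tmux start by a user outside the local baseline, and a GUI utility pointed at a display that has no logged-in session. The utility names, the baseline of users allowed to run multiplexers, the set of active displays, and every sample event are assumptions chosen for illustration; in production they would come from the organisation's documented administrative use and from session data such as loginctl or who.

```python
import os
import shlex
from dataclasses import dataclass, field

# Names are a local choice (assumption); extend them to match the host's tooling.
MULTIPLEXERS = {"nohup", "screen", "tmux"}
GUI_UTILITIES = {"xterm", "gnome-terminal", "konsole", "xclock"}


@dataclass
class ProcEvent:
    """One process-creation record as a sensor (auditd, eBPF, EDR) would emit it."""
    pid: int
    ppid: int
    user: str
    tty: str                                   # "?" means no controlling terminal
    cmdline: str
    env: dict = field(default_factory=dict)    # DISPLAY if the sensor captured it


def display_number(value: str) -> str:
    """Reduce ':0', ':0.0' or 'localhost:10.0' to the display number ('0', '0', '10')."""
    return value.rsplit(":", 1)[-1].split(".", 1)[0]


def multiplexer_finding(ev: ProcEvent, baseline: dict):
    """Flag nohup/screen/tmux started detached by a user outside the local baseline."""
    args = shlex.split(ev.cmdline)
    if not args:
        return None
    tool = os.path.basename(args[0])
    if tool not in MULTIPLEXERS:
        return None
    opts = args[1:]
    if tool == "nohup":
        detached = True                                    # nohup always drops the terminal tie
    elif tool == "screen":
        detached = any(o.startswith("-d") for o in opts)   # -d, -dm, -dmS start detached
    else:  # tmux
        detached = "-d" in opts                            # new-session -d starts unattached
    if not detached or ev.user in baseline.get("multiplexer_users", set()):
        return None
    return f"{tool} started detached by non-baselined user {ev.user} (tty={ev.tty})"


def gui_finding(ev: ProcEvent, active_displays: set):
    """Flag a GUI utility whose DISPLAY is not one of the displays with a logged-in session."""
    args = shlex.split(ev.cmdline)
    if not args or os.path.basename(args[0]) not in GUI_UTILITIES:
        return None
    display = ev.env.get("DISPLAY")
    if display is None:
        return None            # no X11 display captured (Wayland-only or missing env): out of scope here
    if display_number(display) in active_displays:
        return None
    return f"{os.path.basename(args[0])} targets DISPLAY {display}, not an active display {sorted(active_displays)}"


def scan(events, active_displays, baseline):
    """Return (pid, reason) for every event that trips a rule, in input order."""
    findings = []
    for ev in events:
        reason = multiplexer_finding(ev, baseline) or gui_finding(ev, active_displays)
        if reason:
            findings.append((ev.pid, reason))
    return findings


# Constructed sample data (assumptions): active displays would come from loginctl/who,
# the baseline from the organisation's documented administrative use of multiplexers.
ACTIVE_DISPLAYS = {"0"}
BASELINE = {"multiplexer_users": {"alice"}}
SAMPLE_EVENTS = [
    ProcEvent(4101, 4000, "alice", "pts/1", "tmux new-session -d -s build"),   # baselined admin
    ProcEvent(4102, 1, "www-data", "?", "nohup bash -i"),                      # service account, no tty
    ProcEvent(4103, 2200, "bob", "pts/3", "screen -dmS upd /bin/sh"),          # non-baselined user
    ProcEvent(4104, 3000, "carol", "pts/2", "xterm", {"DISPLAY": ":0"}),        # on the active display
    ProcEvent(4105, 1, "carol", "?", "xclock", {"DISPLAY": ":99"}),             # display with no session
    ProcEvent(4106, 4000, "alice", "pts/1", "tmux attach -t build"),           # attach, not detached
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_EVENTS, ACTIVE_DISPLAYS, BASELINE):
        print(pid, reason)
```

The multiplexer rule is deliberately coarse (it keys on the detach flags only), which is why the baseline lookup sits in front of it: as the Detection direction notes, the same command lines are routine on admin jump hosts, so tuning by user and asset role is what turns this from noise into a signal. Running the block prints findings for pids 4102, 4103 and 4105.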

Mitigation priorities

  • First, ensure Linux endpoints and servers have sufficient audit or endpoint telemetry for process execution, command-line capture, and user/session attribution.
  • Second, define acceptable administrative use of nohup, screen, tmux, remote GUI tooling, and display forwarding so detections can distinguish policy-compliant operations from suspicious concealment.
  • Third, restrict and monitor privileged interactive access on sensitive Linux systems using least privilege and accountable administrator workflows.
  • Fourth, include Linux hidden-session and detached-shell scenarios in incident response playbooks so responders know what evidence to collect before sessions terminate.
  • Fifth, use compliance and audit processes to verify that critical Linux systems generate retained evidence needed to investigate concealed interactive activity.

Analyst notes and limits

This is a detection analytic object, not a full ATT&CK technique. The supplied fields identify Linux as the platform and describe suspicious X11/Wayland window spawning or use of nohup/screen/tmux to mask interactive shells. No tactics, related techniques, groups, software, mitigations, or formal detection logic were supplied, so defensive use should be validated against local Linux administration patterns.

The official detection field is not provided, and no relationship context is supplied. This take does not assert active exploitation, attribution, impact, or coverage. Practical detection quality depends on local Linux telemetry depth, command-line retention, session metadata, and the organization’s legitimate use of detached sessions and GUI forwarding.

Official MITRE ATT&CK definition

Analytic 0361

Suspicious invocation of GUI utilities or scripts with suppressed or redirected windowing options. Defender view: detection of X11 or Wayland calls to spawn windows that do not appear on active displays, or use of nohup/screen/tmux to mask interactive shells.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: cce68ba7667c024a...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: cce68ba7667c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0361

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.