AN0412: Analytic 0412
Massive recursive deletions or overwrites via `rm -rf`, `shred`, `dd`, or wiper binaries. May include unlink syscalls, deletion of known config/data paths, or sequential overwrite patterns.
Analyst context for executives and security teams
AN0412 is a Linux-focused detection analytic for destructive file activity: large-scale recursive deletion or overwriting using common utilities or wiper-like binaries. For leaders, the practical issue is operational resilience: if this behavior is not quickly detected and contained, recovery may depend on backup integrity, system rebuild speed, and incident response readiness rather than prevention alone.
Executive priority
Prioritize this analytic where Linux systems support critical services, sensitive data stores, build infrastructure, or operational workloads. The business question is whether the organization can see and respond to mass deletion or overwrite activity before it becomes a continuity event. This supports decisions about endpoint telemetry investment, backup and recovery validation, privileged access control, and evidence for resilience-oriented compliance requirements.
Technical view
SOC and IR teams should validate Linux visibility for high-volume file deletion, unlink activity, recursive removal patterns, suspicious overwrite behavior, and execution of utilities or binaries associated with destructive file operations. Because ATT&CK provides no official detection logic for this analytic, teams should build local baselines for legitimate administrative cleanup, maintenance jobs, log rotation, and data lifecycle processes, then tune for unusual scale, paths, user context, timing, and host criticality.
Likely telemetry
- Linux process execution telemetry, including command-line arguments where collected
- File deletion and file modification events from endpoint or audit sources
- Linux syscall-level evidence such as unlink-related activity where available
- File integrity or EDR telemetry showing rapid changes across many files or directories
- Authentication and user/session context for the account initiating the activity
Detection direction
- Validate that Linux endpoint telemetry captures process execution and file activity at sufficient fidelity for recursive deletion and overwrite patterns.
- Alert on unusual volume, speed, or breadth of file deletion or overwriting, especially against known configuration, application, or data paths.
- Correlate destructive file activity with user privilege, interactive versus automated execution, host role, and recent authentication context.
- Tune carefully for legitimate administrative activity such as cleanup scripts, package maintenance, temporary directory purges, log rotation, and approved data retention jobs.
- Where syscall telemetry is available, evaluate unlink-related activity as a supporting signal rather than a standalone conclusion.
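The detection direction above (alert on volume and breadth of deletion, correlate with user and interactive context, baseline routine cleanup, and treat unlink activity as a supporting signal) can be prototyped as a small rules pass over endpoint events. The following is an added example, not part of the original analytic or of ATT&CK; it runs over a constructed, simplified key=value event stream whose field names (`event`, `argv`, `path`, `comm`, `tty`) are assumptions for this example and not the exact layout of auditd or any specific EDR. The sensitive path prefixes, the baseline table and the burst threshold are placeholders a team would replace with local values.

```python
# Added example (not from the page or ATT&CK): exec-pattern and unlink-burst
# detection for destructive Linux file activity over a constructed event stream.
import re
import shlex
from collections import defaultdict, deque

# Assumed locally-sensitive path prefixes; deletion here is rarely routine.
SENSITIVE_PREFIXES = ("/etc/", "/var/lib/", "/srv/", "/home/", "/boot/")
# Assumed local baseline: comm -> path prefixes where its deletions are expected.
BASELINE = {
    "logrotate": ("/var/log/",),
    "apt": ("/var/cache/apt/", "/var/lib/apt/lists/"),
    "systemd-tmpfiles": ("/tmp/", "/var/tmp/"),
}
WINDOW_SECONDS = 60    # sliding window for counting unlinks per (host, uid, comm)
BURST_THRESHOLD = 25   # unlinks in the window before an alert is raised (placeholder)

_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_event(line):
    """Parse one constructed key=value line; quoted values keep their spaces."""
    ev = {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV.findall(line)}
    ev["ts"] = int(ev["ts"])
    return ev

def classify_exec(argv):
    """Return (severity, reason) if the command line matches a mass delete/overwrite pattern."""
    args = shlex.split(argv)
    if not args:
        return None
    prog = args[0].rsplit("/", 1)[-1]
    if prog == "rm":
        flags = "".join(a.lstrip("-") for a in args[1:] if a.startswith("-") and not a.startswith("--"))
        recursive = "r" in flags or "R" in flags or "--recursive" in args
        forced = "f" in flags or "--force" in args
        targets = [a for a in args[1:] if not a.startswith("-")]
        if recursive and forced and any(t == "/" or t.startswith(SENSITIVE_PREFIXES) for t in targets):
            return ("high", "recursive forced rm against sensitive path")
    elif prog == "shred":
        return ("medium", "shred overwrite utility executed")
    elif prog == "dd":
        for a in args[1:]:
            if a.startswith("of=") and a[3:].startswith(("/dev/",) + SENSITIVE_PREFIXES):
                return ("high", "dd writing to block device or sensitive path")
    return None

def is_baselined(comm, path):
    """True when this process deleting this path is covered by the local baseline."""
    return path.startswith(BASELINE.get(comm, ()))

def detect(lines):
    """Run both rules over the event stream and return a list of finding dicts."""
    findings, alerted = [], set()
    windows = defaultdict(deque)   # (host, uid, comm) -> deque of (ts, is_sensitive)
    for line in lines:
        ev = parse_event(line)
        key = (ev["host"], ev["uid"], ev["comm"])
        base = {"host": ev["host"], "uid": ev["uid"], "comm": ev["comm"],
                "interactive": ev.get("tty", "(none)") != "(none)"}
        if ev["event"] == "exec":
            hit = classify_exec(ev.get("argv", ""))
            if hit:
                findings.append(dict(base, rule="destructive_exec", severity=hit[0],
                                     detail=hit[1], argv=ev["argv"]))
        elif ev["event"] == "unlink" and not is_baselined(ev["comm"], ev["path"]):
            q = windows[key]
            q.append((ev["ts"], ev["path"].startswith(SENSITIVE_PREFIXES)))
            while ev["ts"] - q[0][0] > WINDOW_SECONDS:
                q.popleft()
            sensitive = sum(1 for _, s in q if s)
            if len(q) >= BURST_THRESHOLD and key not in alerted:
                alerted.add(key)   # unlink bursts support, not replace, the exec rule
                findings.append(dict(base, rule="unlink_burst",
                                     severity="high" if sensitive else "medium",
                                     detail=f"{len(q)} unlinks in {WINDOW_SECONDS}s, "
                                            f"{sensitive} under sensitive paths"))
    return findings

def sample_events():
    """Constructed events: routine logrotate cleanup, an interactive rm -rf with its unlinks,
    a non-interactive dd to a block device, and a benign rm of a temp directory."""
    lines = [
        'ts=1700000000 host=web01 uid=0 comm=logrotate tty=(none) event=unlink path=/var/log/nginx/access.log.7.gz',
        'ts=1700000001 host=web01 uid=0 comm=logrotate tty=(none) event=unlink path=/var/log/syslog.7.gz',
        'ts=1700000010 host=web01 uid=0 comm=bash tty=pts/0 event=exec argv="rm -rf /var/lib/app/data"',
    ]
    lines += [f'ts={1700000011 + i // 10} host=web01 uid=0 comm=rm tty=pts/0 event=unlink '
              f'path=/var/lib/app/data/shard{i}.db' for i in range(30)]
    lines.append('ts=1700000050 host=db01 uid=1001 comm=bash tty=(none) event=exec argv="dd if=/dev/zero of=/dev/sda bs=1M"')
    lines.append('ts=1700000060 host=web01 uid=0 comm=bash tty=pts/0 event=exec argv="rm -rf /tmp/build-cache"')
    return lines

if __name__ == "__main__":
    for f in detect(sample_events()):
        print(f["rule"], f["severity"], f["host"], "interactive" if f["interactive"] else "automated", f["detail"])
```

On the sample stream the logrotate deletions are suppressed by the baseline, the `rm -rf /tmp/build-cache` produces nothing because the path is not sensitive, and three findings remain: the interactive `rm -rf` under `/var/lib/`, the unlink burst from the same session (rated high because every path in the window is sensitive), and the non-interactive `dd` to `/dev/sda`. The interactive flag and host are carried on each finding so the triage step can join them to authentication context and host role, as the correlation bullet above describes.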
Mitigation priorities
- Confirm backup coverage, restore testing, and recovery time expectations for Linux systems that store or process business-critical data.
- Restrict and monitor privileged access capable of deleting or overwriting large portions of the filesystem.
- Limit execution of unapproved binaries and scripts where operationally feasible, especially on critical Linux servers.
- Harden change-management and administrative job controls so legitimate bulk deletion activity is documented and distinguishable from suspicious behavior.
- Ensure incident response playbooks include rapid isolation, preservation of evidence, and backup integrity checks for suspected destructive file activity.
Analyst notes and limits
This object is a detection analytic, not a full ATT&CK technique entry. The supplied fields identify Linux as the platform and describe destructive deletion or overwrite behavior, but provide no tactic mapping, official detection text, mitigations, or relationships. Treat AN0412 as a prompt to validate telemetry and response readiness around destructive Linux file operations.
Assessment is limited to the supplied official STIX fields, external reference, and absence of relationships. No claims are made about active exploitation, specific adversaries, impact likelihood, or existing detection coverage. Local asset criticality, telemetry depth, administrative workflows, and backup architecture are required to determine actual risk and tuning priorities.
Analytic 0412
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ab649df467de… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0412 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.