AN0532: Analytic 0532
Repeated or automated access to user document directories or clipboard using shell scripts or utilities like xclip/pbpaste. Detectable via auditd syscall logs or osquery file events.
Analyst context for executives and security teams
This analytic is about spotting repeated or automated access to Linux user document directories or clipboard contents, especially when driven by shell scripts or clipboard utilities such as xclip or pbpaste. For leaders, the practical value is validating whether the organization can see suspicious collection-like behavior around user data stores before it becomes an incident-response guessing game.
Executive priority
Prioritize this as a visibility and readiness check for Linux environments that store business documents, administrator work products, developer material, or other sensitive user data. The decision question is whether SOC and incident-response teams have enough endpoint telemetry to distinguish normal user activity from scripted, repeated access to documents or clipboard data. This can support control prioritization, audit evidence for monitoring coverage, and faster incident scoping when user data access is in question.
Technical view
For Linux systems, validate collection and alerting around repeated file access to user document directories and clipboard access patterns involving shell scripts or utilities such as xclip or pbpaste. The supplied ATT&CK object identifies auditd syscall logs and osquery file events as relevant evidence sources. Because no ATT&CK tactic, technique relationship, or official detection logic is supplied, teams should treat this as a detection design prompt rather than a complete rule. Tune around local baselines for legitimate shell automation, desktop clipboard workflows, backup/indexing tools, and developer scripts.
Likely telemetry
- Linux auditd syscall logs showing file access activity in user document directories
- osquery file events for user document paths
- Process execution telemetry for shell scripts and clipboard utilities such as xclip or pbpaste
- Command-line context where available for utilities accessing clipboard or user document locations
- User, host, timestamp, and parent-process context to separate interactive use from automated access
Detection direction
- Confirm whether auditd and/or osquery coverage exists on relevant Linux endpoints and whether it includes user document directory access events.
- Look for repeated or automated access patterns rather than one-off file opens, since the analytic description emphasizes repetition or automation.
- Correlate file-access events with process execution for shell scripts and clipboard utilities to reduce ambiguity.
- Establish local baselines for legitimate document indexing, backup jobs, developer tooling, and normal clipboard use to manage false positives.
- Review blind spots where Linux desktop endpoints, engineering workstations, or servers with user home directories are not enrolled in endpoint logging.
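One way to implement the "repeated access under one parent process" direction above, as an added example that is not part of the original analytic or of Glexia's page: it joins auditd SYSCALL and PATH records by serial, drops documented automation, and alerts when one parent process drives reads of several distinct document files inside a short window. The watch-rule key "user_docs", the rsync allow-list entry and the log lines are all constructed assumptions.

```python
import re
# Constructed sample auditd records (not a real capture): a read watch on ~/Documents keyed "user_docs" yields a SYSCALL plus a PATH record per access, joined by serial.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.10:101): syscall=257 success=yes uid=1000 pid=4201 ppid=4200 comm="cat" exe="/usr/bin/cat" key="user_docs"
type=PATH msg=audit(1700000000.10:101): item=0 name="/home/alice/Documents/q1-budget.xlsx"
type=SYSCALL msg=audit(1700000000.20:102): syscall=257 success=yes uid=1000 pid=4202 ppid=4200 comm="cat" exe="/usr/bin/cat" key="user_docs"
type=PATH msg=audit(1700000000.20:102): item=0 name="/home/alice/Documents/contracts.pdf"
type=SYSCALL msg=audit(1700000000.30:103): syscall=257 success=yes uid=1000 pid=4203 ppid=4200 comm="xclip" exe="/usr/bin/xclip" key="user_docs"
type=PATH msg=audit(1700000000.30:103): item=0 name="/home/alice/Documents/board-notes.odt"
type=SYSCALL msg=audit(1700000500.00:104): syscall=257 success=yes uid=1000 pid=5100 ppid=3000 comm="soffice.bin" exe="/usr/lib/libreoffice/program/soffice.bin" key="user_docs"
type=PATH msg=audit(1700000500.00:104): item=0 name="/home/alice/Documents/board-notes.odt"
type=SYSCALL msg=audit(1700000600.00:105): syscall=257 success=yes uid=1000 pid=6001 ppid=6000 comm="rsync" exe="/usr/bin/rsync" key="user_docs"
type=PATH msg=audit(1700000600.00:105): item=0 name="/home/alice/Documents/q1-budget.xlsx"
type=SYSCALL msg=audit(1700000600.01:106): syscall=257 success=yes uid=1000 pid=6001 ppid=6000 comm="rsync" exe="/usr/bin/rsync" key="user_docs"
type=PATH msg=audit(1700000600.01:106): item=0 name="/home/alice/Documents/contracts.pdf"
type=SYSCALL msg=audit(1700000600.02:107): syscall=257 success=yes uid=1000 pid=6001 ppid=6000 comm="rsync" exe="/usr/bin/rsync" key="user_docs"
type=PATH msg=audit(1700000600.02:107): item=0 name="/home/alice/Documents/board-notes.odt"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
APPROVED_EXE = {"/usr/bin/rsync"}  # assumed local baseline: the documented backup job
CLIPBOARD_TOOLS = {"xclip", "xsel", "pbpaste", "pbcopy", "wl-paste"}

def parse_events(log_text):
    """Merge SYSCALL and PATH records sharing an audit serial into one event per file read."""
    events = {}
    for line in log_text.splitlines():
        fields = {k: v.strip('"') for k, v in KV.findall(line)}
        serial = fields["msg"]  # looks like audit(<epoch>:<serial>):
        ev = events.setdefault(serial, {"ts": float(serial[6:serial.index(":")])})
        ev.update(fields)
    return [e for e in events.values() if "name" in e and e.get("key") == "user_docs"]

def find_automated_access(events, min_files=3, window=60.0):
    """Alert once per (uid, ppid) whose children read >= min_files distinct paths within window seconds."""
    by_parent = {}
    for e in events:
        if e["exe"] not in APPROVED_EXE:  # tune: skip documented backup/indexing automation
            by_parent.setdefault((e["uid"], e["ppid"]), []).append(e)
    alerts = []
    for (uid, ppid), evs in by_parent.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            if len({e["name"] for e in burst}) >= min_files:
                alerts.append({"uid": uid, "ppid": ppid, "files": sorted({e["name"] for e in burst}),
                               "clipboard_tools": sorted({e["comm"] for e in burst} & CLIPBOARD_TOOLS)})
                break  # one alert per parent process; interactive single reads never reach min_files
    return alerts
```

On the sample, only the parent process that drove cat/cat/xclip reads of three files within 0.2 s is reported; the single interactive open and the allow-listed rsync pass are not, and `window`/`min_files` are the two knobs to fit the local baseline.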
Mitigation priorities
- First, inventory Linux systems where sensitive user documents or clipboard workflows are business-relevant.
- Ensure endpoint logging policy captures the auditd syscall or osquery file-event evidence needed for this analytic.
- Limit unnecessary script access to sensitive user directories through least privilege and file permission hygiene where operationally feasible.
- Document approved automation, backup, and indexing processes so SOC teams can tune detections without suppressing meaningful anomalies.
- Use incident-response playbooks to define how analysts should scope user, host, process, and file-access evidence when this behavior is observed.
Analyst notes and limits
This object is a detection analytic, not a full ATT&CK technique entry. Its strongest operational value is as a coverage validation item: can the organization observe scripted or repeated access to Linux user documents and clipboard data, and can analysts separate expected automation from suspicious behavior?
The supplied ATT&CK fields do not include a tactic, related techniques, relationships, or official detection logic. No claims can be made about active exploitation, adversary attribution, impact, or coverage beyond Linux and the telemetry named in the official description. Local environment baselines are required before operational alerting decisions can be made.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f651e0ac3135… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.