AN0537: Analytic 0537
Abnormal use of `lsblk`, `fdisk -l`, `lshw -class disk`, or `parted` by non-admin users or within non-interactive shells suggests suspicious disk enumeration activity.
Analyst context for executives and security teams
This analytic highlights suspicious Linux disk-enumeration behavior: non-admin users or non-interactive shells running tools such as `lsblk`, `fdisk -l`, `lshw -class disk`, or `parted`. For leaders, the value is not the commands themselves, which can be legitimate, but whether the organization can distinguish routine administration from unexpected discovery activity on Linux systems.
Executive priority
Prioritize this as a validation point for Linux monitoring, privileged access governance, and incident triage readiness. If SOC teams cannot see who ran disk-enumeration commands, from what parent process, and whether the session was interactive, they may miss early signs of suspicious host discovery or waste time investigating normal admin activity. This is most useful as supporting evidence in a broader investigation rather than a standalone business-impact indicator.
Technical view
Validate Linux process-execution visibility for the named utilities and capture enough context to evaluate abnormality: user privilege level, command line, parent process, shell type, TTY/session information, and whether execution came from a non-interactive context. Because no ATT&CK tactic or relationship context is supplied, tune detections around the official analytic condition rather than assuming a specific intrusion stage.
Likely telemetry
- Linux process creation events with full command line
- User identity and privilege context, including admin or sudo group membership
- Parent process and shell/session metadata
- Interactive versus non-interactive execution indicators, such as TTY/session context where available
- Host inventory or role context to distinguish servers where disk administration is expected
Detection direction
- Alert on the specified disk-enumeration commands when executed by non-admin users or from non-interactive shells.
- Baseline legitimate administrative use on Linux servers to reduce false positives from storage maintenance, troubleshooting, and inventory scripts.
- Correlate with surrounding activity, such as unusual parent processes, unexpected service accounts, remote execution context, or other discovery behavior, before escalating severity.
- Check for blind spots where Linux command-line logging is incomplete, truncated, disabled, or not forwarded from critical servers.
- Because official detection logic is not provided, treat this as a detection-design requirement rather than a ready-to-deploy rule.
Mitigation priorities
- Ensure Linux administrative privileges are limited to approved users and service accounts.
- Review where non-admin users can execute disk-inventory utilities and whether that is operationally necessary.
- Strengthen logging for Linux process execution and shell/session context before relying on this analytic for SOC coverage.
- Document approved storage-administration workflows so SOC and IR teams can separate normal operations from suspicious enumeration.
- Use findings from this analytic to improve incident response playbooks for Linux host discovery and privilege-context review.
Analyst notes and limits
The object is a detection analytic for Linux only. It identifies abnormal use of common disk-enumeration commands by non-admin users or within non-interactive shells. No ATT&CK tactic, technique relationship, group/software relationship, or official detection implementation was supplied, so interpretation should remain conservative and environment-specific.
The source provides a concise analytic description but no formal detection query, no tactic mapping, and no relationship context. Local baselines, asset roles, identity data, and Linux telemetry quality are required to determine whether observed activity is suspicious.
Analytic 0537
Abnormal use of `lsblk`, `fdisk -l`, `lshw -class disk`, or `parted` by non-admin users or within non-interactive shells suggests suspicious disk enumeration activity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | f89acdb2623f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0537Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.