MITRE ATT&CK® Analytic

AN0556: Analytic 0556

Detect suspicious file creation, modification, or deletion in stored data directories (e.g., `/var/lib/mysql/`, `/var/log/`, mail spools). Identify shell commands interacting directly with structured data files instead of legitimate database utilities.

Enterprise | AN0556 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because important business data on Linux systems is often stored in predictable directories such as database storage paths, logs, and mail spools. Direct shell-level creation, modification, or deletion in those locations can indicate activity that bypasses normal application or database controls, making it relevant to data integrity, incident response scoping, and audit evidence.

Executive priority

Leaders should treat this as a control-validation question: do critical Linux data stores have enough file activity and command telemetry to prove whether changes were made through approved services or by direct shell access? The business value is strongest for systems where stored data supports operations, legal evidence, audit trails, or customer communications. Prioritize coverage for high-value Linux hosts before broad tuning, because the ATT&CK object provides no tactic mapping, relationship context, or ready-made detection logic.

Technical view

For SOC and detection teams, validate monitoring of suspicious file creation, modification, or deletion in stored data directories such as /var/lib/mysql/, /var/log/, and mail spools. Also look for shell commands interacting directly with structured data files where legitimate database or application utilities would normally be expected. Because no official detection logic is supplied, teams should build baselines around normal administrative maintenance, database operations, log rotation, backup activity, and mail handling before alerting broadly.

Likely telemetry

  • Linux file creation, modification, and deletion events for sensitive data directories
  • Process execution telemetry for shell commands and command-line arguments
  • User, privilege, and session context for processes touching stored data files
  • Host inventory and role context to identify database, logging, and mail systems
  • Change-management or maintenance-window records to distinguish authorized activity

Detection direction

  • Start with high-value Linux hosts and directories explicitly relevant to stored business data, including database paths, log directories, and mail spools.
  • Correlate file activity with the responsible process and user rather than alerting on file changes alone.
  • Tune for known benign sources such as database engines, log rotation, backup jobs, package updates, and approved maintenance scripts.
  • Review shell-driven access to structured data files as higher priority when it bypasses expected database utilities or service accounts.
  • Document blind spots where endpoint telemetry, file integrity monitoring, command-line logging, or privileged session context is missing.
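The correlation the points above call for, written out as a small triage routine: each file event in a stored-data directory is checked against the writers expected there, and anything shell-driven is raised above other unexpected writers. This is an added example, not part of the ATT&CK object or of Glexia's tooling; the event fields, the per-directory allowlist and the sample events are constructed assumptions to be replaced with the host's real telemetry and baseline.

```python
"""Correlate Linux file events in stored-data directories with the responsible
process and user. Event format, allowlist and sample data are assumptions."""
import os
from dataclasses import dataclass

# Sensitive stored-data roots mapped to the processes expected to write there
# (assumed baseline; tune to the host's actual database, logging and mail stack).
EXPECTED_WRITERS = {
    "/var/lib/mysql/": {"mysqld", "mariadbd", "mysqldump"},
    "/var/log/": {"rsyslogd", "systemd-journald", "logrotate"},
    "/var/spool/mail/": {"postfix", "dovecot", "local"},
    "/var/mail/": {"postfix", "dovecot", "local"},
}
SHELLS = {"bash", "sh", "dash", "zsh"}

@dataclass
class FileEvent:
    op: str       # create | modify | delete
    path: str     # absolute path as reported by the file monitor
    exe: str      # basename of the acting process
    parent: str   # basename of its parent process
    user: str

def classify(ev):
    """Return (severity, reason) for one event, or None when it is expected."""
    path = os.path.normpath(ev.path)  # collapse "..", so prefix checks hold
    root = next((r for r in EXPECTED_WRITERS if path.startswith(r)), None)
    if root is None or ev.exe in EXPECTED_WRITERS[root]:
        return None
    if ev.exe in SHELLS or ev.parent in SHELLS:
        return ("high", f"shell-driven {ev.op} of {path} by {ev.user} ({ev.parent}>{ev.exe})")
    return ("medium", f"unexpected writer {ev.exe} {ev.op} {path} as {ev.user}")

def review(events):
    """Apply classify() to a batch and keep only the findings, in input order."""
    return [hit for hit in (classify(ev) for ev in events) if hit]

SAMPLE_EVENTS = [  # constructed sample telemetry
    FileEvent("modify", "/var/lib/mysql/shop/orders.ibd", "mysqld", "systemd", "mysql"),
    FileEvent("delete", "/var/log/auth.log", "rm", "bash", "root"),
    FileEvent("modify", "/var/lib/mysql/shop/orders.ibd", "dd", "bash", "root"),
    FileEvent("create", "/var/log/syslog.1", "logrotate", "cron", "root"),
    FileEvent("modify", "/var/spool/mail/alice", "python3", "cron", "backup"),
    FileEvent("modify", "/home/alice/notes.txt", "vim", "bash", "alice"),
]

if __name__ == "__main__":
    for sev, reason in review(SAMPLE_EVENTS):
        print(sev.upper(), reason)
```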

Mitigation priorities

  • Define ownership and expected access patterns for critical Linux stored-data directories.
  • Restrict direct shell access to sensitive data paths to approved administrators, service accounts, and maintenance processes.
  • Use least privilege and change-control practices for database, logging, and mail storage locations.
  • Ensure file integrity monitoring or equivalent endpoint logging is enabled where business impact justifies it.
  • Retain sufficient telemetry to support incident response reconstruction and compliance evidence.

Analyst notes and limits

AN0556 is a detection analytic, not a technique object. The supplied ATT&CK fields identify Linux as the platform and describe suspicious file activity in stored data directories plus direct shell interaction with structured data files. No tactics, related techniques, adversary relationships, or official detection implementation are provided, so local environment context is essential for prioritization and tuning.

This take is based only on the supplied STIX fields, external reference, and absence of relationship context. It should not be read as evidence of active exploitation, attribution, impact, or guaranteed detection coverage. Specific queries, thresholds, and control requirements must be derived from local Linux logging, application architecture, and data criticality.

Official MITRE ATT&CK definition

Analytic 0556

Detect suspicious file creation, modification, or deletion in stored data directories (e.g., `/var/lib/mysql/`, `/var/log/`, mail spools). Identify shell commands interacting directly with structured data files instead of legitimate database utilities.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: dc1e1a44b7045dac...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  dc1e1a44b704…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, AN0556 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.