AN0560: Analytic 0560
Execution of `ifconfig`, `ip a`, or access to `/proc/net/` indicating collection of local interface and route configuration.
Analyst context for executives and security teams
This analytic matters because Linux hosts often expose local network interface and routing details through common commands such as `ifconfig` and `ip a`, or through `/proc/net/`. That activity can be benign administration, but it can also be a useful early indicator that a process or user is mapping the host’s network position before making further decisions. For leaders, the value is not that this event is automatically malicious; it is that SOC and IR teams should know whether they can see this class of local network-configuration discovery on critical Linux systems.
Executive priority
Prioritize this as a coverage-validation item for Linux server, cloud workload, and appliance-like environments where local network context is important to incident scoping. It supports resilience and incident decision-making by helping responders determine whether an account, process, or workload inspected host networking before other suspicious activity. Because the ATT&CK object provides no tactic mapping, relationships, or detection logic, this should not be treated as a standalone high-severity alert without local context.
Technical view
Validate whether Linux telemetry captures process execution for `ifconfig` and `ip a`, and file or process access involving `/proc/net/` where available. Detection engineering should correlate this activity with actor context such as unusual user accounts, unexpected parent processes, non-interactive shells, recently created processes, or activity on sensitive servers. Since no official detection logic is supplied, teams should build environment-specific baselines and avoid alerting on routine administrative, monitoring, inventory, or network troubleshooting workflows.
Likely telemetry
- Linux process execution telemetry showing command name, command line, user, parent process, host, and timestamp
- File access or process telemetry involving `/proc/net/` where collected
- Endpoint detection and response telemetry from Linux hosts
- Audit logs such as Linux audit framework data if configured to capture relevant process or file-access events
- Cloud workload or server telemetry for Linux instances where endpoint visibility is deployed
Detection direction
- Start with coverage testing: confirm that execution of `ifconfig` and `ip a` is visible on representative Linux systems.
- If monitoring `/proc/net/`, validate whether file-access telemetry is actually collected; many environments capture process execution but not granular reads of procfs paths.
- Tune out known administrative tools, monitoring agents, configuration management, and approved troubleshooting activity.
- Increase priority when the activity is associated with unusual users, unexpected parent processes, remote sessions, scripts, or other suspicious host activity.
- Do not rely on this analytic alone for incident declaration; use it as context in a broader Linux host investigation.
Mitigation priorities
- Ensure Linux endpoint logging or EDR coverage exists on systems where network-discovery visibility is important.
- Define acceptable administrative and monitoring sources that commonly inspect interface or route configuration.
- Harden privileged access and administrative workflows so unusual local discovery activity can be tied to accountable identities.
- Use least privilege and segmentation practices to reduce the value of host network reconnaissance if an account or process is compromised.
- Document telemetry coverage and tuning decisions as evidence for SOC readiness, incident response preparedness, and control validation.
Analyst notes and limits
The supplied object is a detection analytic for Linux activity involving `ifconfig`, `ip a`, or `/proc/net/` access. No ATT&CK tactic, related technique, relationship context, or official detection logic was provided. Treat the analytic as a visibility and correlation opportunity rather than a complete detection rule.
This take is limited to the official STIX fields and the single MITRE external reference supplied. It does not establish adversary use, active exploitation, severity, attribution, or guaranteed detection coverage. Local baselines, asset criticality, identity context, and available Linux telemetry are required to determine operational value.
Analytic 0560
Execution of `ifconfig`, `ip a`, or access to `/proc/net/` indicating collection of local interface and route configuration.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | da8d437b81e3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0560Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.