AN0600: Analytic 0600
Detection of shell scripts, ELF binaries, or archives containing embedded secondary payloads, self-extracting components, or unusual compression behavior during runtime.
Analyst context for executives and security teams
This analytic covers Linux files and runtime activity in which a shell script, ELF binary, or archive carries an embedded secondary payload or a self-extracting component. The practical concern for leaders is that such packaging hides follow-on tooling inside something that looks like an ordinary installer, script, or compressed file, so the outer file can pass casual inspection while the second stage carries the real tooling. The business question is whether monitoring of Linux servers, workloads, and endpoints can surface suspicious unpacking or unusual compression behavior before it becomes an incident-response blind spot.
Executive priority
Prioritize this where Linux systems support critical business services, cloud workloads, build environments, or administrative operations. The control decision is less about one specific threat and more about whether the organization has evidence to distinguish legitimate packaging and deployment activity from unexpected self-extraction or embedded payload behavior. This can support SOC readiness, incident triage, compliance evidence for monitoring coverage, and resilience planning for Linux-heavy environments.
Technical view
Validate that Linux telemetry can show a shell script, ELF binary, or archive writing secondary files, invoking unpacking or decoding utilities, or performing compression and decompression at runtime where that is not expected. Because the ATT&CK object supplies no tactic, relationship context, or official detection logic, do not assume a fixed kill-chain stage; instead test coverage against local software-installation, deployment, backup, and packaging workflows, which produce the same primitives legitimately. Detection engineering should rest on behavioral baselining and on correlation of process and file events rather than on file type alone: a script that contains a gzip or ELF payload is a static hint, while the same script spawning an extraction utility and then executing a file it just wrote to a staging directory is the behavioral evidence.
Likely telemetry
- Linux process execution events, including parent-child process relationships
- Command-line arguments for shell, archive, compression, and extraction utilities
- File creation and modification events for temporary directories, staging paths, and execution locations
- Metadata for ELF binaries, shell scripts, and archive files observed on Linux systems
- Runtime indicators of unpacking, self-extraction, or creation of secondary executable content
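As an added example of the file-metadata item in the list above (this is not MITRE's or Glexia's code), the Python below performs the static half of this analytic: it classifies a file as a shell script, ELF, or archive, looks for a second format's magic bytes appended after the script text (the shape that self-extracting shell archives such as makeself output and hand-rolled droppers share), and checks the stub for the shell idioms that carve that payload back out of `$0`. The sample installer bytes are constructed for the example; the signature list and idiom regexes are my assumptions about what is worth flagging, and short signatures will misfire inside large binaries, so treat hits as triage context as the page says. Legitimate makeself-style installers match too, which is why the behavioral side matters.

```python
"""Static triage of a Linux file for an embedded secondary payload.

Added example, not MITRE or Glexia code. Flags the self-extracting shape:
a shell stub whose body contains another format (ELF, gzip, xz, bzip2, zip,
zstd) at a later offset, plus the shell idioms that carve it back out.
"""
import re
from pprint import pprint

# (regex, kind): leading bytes of formats commonly appended to a stub script.
# Assumed list; extend for your environment.
PAYLOAD_MAGICS = [
    (re.compile(rb"\x7fELF"), "elf"),
    (re.compile(rb"\x1f\x8b\x08"), "gzip"),      # gzip magic + deflate method byte
    (re.compile(rb"\xfd7zXZ\x00"), "xz"),
    (re.compile(rb"BZh[1-9]"), "bzip2"),
    (re.compile(rb"PK\x03\x04"), "zip"),
    (re.compile(rb"\x28\xb5\x2f\xfd"), "zstd"),
]

# (name, regex): shell idioms used to extract an appended payload from $0 or a marker line.
CARVE_IDIOMS = [
    ("tail_self", re.compile(rb'tail\s+-n\s*\+\S+\s+"?\$0"?')),
    ("sed_marker", re.compile(rb"sed\s+(-e\s+)?'?1,/\^?__\w+__/d")),
    ("base64_decode", re.compile(rb"base64\s+(-d|--decode)")),
    ("dd_skip", re.compile(rb"dd\s+.*\bskip=\d+")),
    ("uudecode_or_openssl", re.compile(rb"\buudecode\b|openssl\s+enc\s+-d")),
]


def container_kind(data: bytes) -> str:
    """Classify the outer file by its own header."""
    if data.startswith(b"#!"):
        return "script"
    for pat, kind in PAYLOAD_MAGICS:
        if pat.match(data):
            return kind
    return "other"


def find_embedded_payloads(data: bytes, start: int):
    """Return sorted (offset, kind) for the first occurrence of each known magic at or after start."""
    hits = []
    for pat, kind in PAYLOAD_MAGICS:
        m = pat.search(data, start)
        if m:
            hits.append((m.start(), kind))
    return sorted(hits)


def triage(data: bytes) -> dict:
    kind = container_kind(data)
    # Skip the container's own header: the shebang line for scripts, the magic bytes otherwise.
    start = data.find(b"\n") + 1 if kind == "script" else 1
    payloads = find_embedded_payloads(data, start)
    # Only the stub text before the first payload is searched for carve idioms.
    stub = data[: payloads[0][0]] if payloads else data
    idioms = [name for name, pat in CARVE_IDIOMS if pat.search(stub)]
    return {
        "container": kind,
        "payloads": payloads,
        "carve_idioms": idioms,
        "self_extracting": kind == "script" and bool(payloads) and bool(idioms),
    }


# Constructed sample: a stub that carves a gzip'd tarball appended after a marker line.
SAMPLE = (
    b"#!/bin/sh\n"
    b"# constructed self-extracting installer stub\n"
    b"ARCHIVE=$(awk '/^__ARCHIVE_BELOW__/ {print NR + 1; exit 0; }' \"$0\")\n"
    b"tail -n +$ARCHIVE \"$0\" | tar xz -C /tmp/.inst\n"
    b"/tmp/.inst/run\n"
    b"exit 0\n"
    b"__ARCHIVE_BELOW__\n"
    b"\x1f\x8b\x08\x00" + b"\x00" * 8 + b"fake-gzip-body"
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    pprint(triage(data))
```

Run it against a suspect file (`python3 triage.py setup.sh`) or with no argument to see the constructed sample classified as a self-extracting script with a gzip payload; a plain script or a bare archive comes back with `self_extracting` false.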
Detection direction
- Confirm that Linux monitoring captures both process behavior and file-system effects; either source alone may miss embedded payload or self-extraction patterns.
- Baseline legitimate deployment, installer, package-management, backup, and archive workflows to reduce false positives.
- Look for correlations where a script, ELF binary, or archive creates or executes secondary payload content during runtime.
- Treat unusual compression or extraction behavior as triage context, not proof of malicious activity, because the supplied ATT&CK object does not define a specific detection rule.
- Review coverage in cloud Linux workloads, build servers, and administrative jump hosts if they are in scope, since local telemetry gaps may materially affect detection value.
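The process-plus-file correlation the list above calls for, as an added Python example (not part of the ATT&CK object or this page's source): it builds a process tree from exec events, requires an unpack or decode utility in the tree, a new file under a staging directory written by the tree, and an exec of that file by the same tree inside a time window, and it suppresses trees rooted under a baselined deployment tool. The event schema (`exec` and `file_create` records with `ts`, `pid`, `ppid`, `comm`, `exe`, `cmdline`, `path`), the `UNPACKERS`, `STAGING_PREFIXES` and `BASELINE_PARENTS` sets, and the sample events are all constructed for the example; map them to whatever auditd, eBPF, or EDR fields you actually collect.

```python
"""Correlate Linux process and file events into self-extraction chains.

Added example, not MITRE or Glexia code. Event schema and samples are
constructed. Chain: root (script/ELF) -> unpack/decode child -> new file in
a staging dir -> that file executed, all in one process tree and window.
"""
from collections import defaultdict
from pprint import pprint

UNPACKERS = {"tar", "gzip", "gunzip", "xz", "unxz", "bzip2", "bunzip2", "unzip",
             "zstd", "base64", "dd", "openssl", "uudecode", "tail", "sed"}
STAGING_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/user/")
# Roots whose unpacking is expected. Constructed entries; populate from your own baseline.
BASELINE_PARENTS = {"/usr/bin/dpkg", "/usr/bin/rpm", "/opt/deploy/bin/rollout"}
WINDOW_S = 120.0


def ex(ts, pid, ppid, comm, exe, cmdline):
    return {"type": "exec", "ts": ts, "pid": pid, "ppid": ppid,
            "comm": comm, "exe": exe, "cmdline": cmdline}


def fc(ts, pid, path):
    return {"type": "file_create", "ts": ts, "pid": pid, "path": path}


def build_tree(events):
    """pid -> exec event, and ppid -> [child pids]."""
    procs = {e["pid"]: e for e in events if e["type"] == "exec"}
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p["pid"])
    return procs, children


def descendants(children, root):
    out, stack = set(), [root]
    while stack:
        for c in children.get(stack.pop(), []):
            if c not in out:
                out.add(c)
                stack.append(c)
    return out


def ancestors(procs, pid):
    """Exec events from pid upward, starting with pid itself, as far as the events reach."""
    chain = []
    while pid in procs:
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def find_self_extraction(events, window_s=WINDOW_S):
    """One alert per outermost process tree that unpacks, stages and then executes a new file."""
    procs, children = build_tree(events)
    creates = [e for e in events if e["type"] == "file_create"]
    alerts = []
    for root_pid, root in procs.items():
        if any(a["exe"] in BASELINE_PARENTS for a in ancestors(procs, root_pid)):
            continue  # expected packaging/deployment workflow: baselined out
        tree = descendants(children, root_pid)
        unpackers = [procs[p] for p in sorted(tree) if procs[p]["comm"] in UNPACKERS]
        if not unpackers:
            continue
        scope = tree | {root_pid}
        staged = {c["path"]: c["ts"] for c in creates
                  if c["pid"] in scope and c["path"].startswith(STAGING_PREFIXES)
                  and 0 <= c["ts"] - root["ts"] <= window_s}
        executed = [procs[p]["exe"] for p in sorted(tree)
                    if procs[p]["exe"] in staged
                    and staged[procs[p]["exe"]] <= procs[p]["ts"] <= root["ts"] + window_s]
        if staged and executed:
            alerts.append({"root_pid": root_pid, "root_cmdline": root["cmdline"],
                           "unpackers": [u["cmdline"] for u in unpackers],
                           "staged": sorted(staged), "executed": executed})
    # A nested shell inside the same chain would alert too; keep only the outermost root.
    roots = {a["root_pid"] for a in alerts}
    return [a for a in alerts
            if not any(anc["pid"] in roots for anc in ancestors(procs, a["root_pid"])[1:])]


SAMPLE_EVENTS = [
    # (1) constructed dropper chain: stub script -> tail/tar -> /tmp/.inst/run -> executed
    ex(100.0, 4001, 3990, "sh", "/bin/sh", "sh /home/ops/Downloads/setup.sh"),
    ex(100.2, 4002, 4001, "tail", "/usr/bin/tail", "tail -n +12 /home/ops/Downloads/setup.sh"),
    ex(100.2, 4003, 4001, "tar", "/bin/tar", "tar xz -C /tmp/.inst"),
    fc(100.4, 4003, "/tmp/.inst/run"),
    ex(101.0, 4004, 4001, "run", "/tmp/.inst/run", "/tmp/.inst/run --quiet"),
    # (2) backup job: an unpacker is present but nothing is staged or executed -> no alert
    ex(300.0, 6001, 1, "sh", "/bin/sh", "sh /opt/backup/nightly.sh"),
    ex(300.1, 6002, 6001, "tar", "/bin/tar", "tar czf /var/backups/etc.tgz /etc"),
    fc(300.5, 6002, "/var/backups/etc.tgz"),
    # (3) same shape as (1) under a baselined deploy tool (hypothetical path) -> suppressed
    ex(400.0, 7001, 1, "rollout", "/opt/deploy/bin/rollout", "rollout --release 42"),
    ex(400.1, 7002, 7001, "tar", "/bin/tar", "tar xzf bundle.tgz -C /tmp/rollout-42"),
    fc(400.3, 7002, "/tmp/rollout-42/post-install"),
    ex(400.5, 7003, 7001, "post-install", "/tmp/rollout-42/post-install", "/tmp/rollout-42/post-install"),
]

if __name__ == "__main__":
    pprint(find_self_extraction(SAMPLE_EVENTS))
```

Only chain (1) produces an alert. Chain (2) shows why an unpacker alone is not enough evidence, and chain (3) shows the baseline suppression the page asks for; the point of requiring all three legs is that each one on its own is routine on a Linux host.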
Mitigation priorities
- Inventory critical Linux systems and confirm which have endpoint or workload telemetry sufficient for process and file-event correlation.
- Standardize approved software deployment and archive-handling paths so deviations are easier to investigate.
- Limit unnecessary execution from temporary, user-writable, or staging directories where operationally feasible.
- Use allowlisting, script controls, or execution policy controls where appropriate for high-value Linux systems.
- Document monitoring coverage and known blind spots for incident response and audit readiness.
Analyst notes and limits
AN0600 is a detection analytic, not a technique. The supplied ATT&CK fields identify Linux as the platform and describe detection of embedded secondary payloads, self-extracting components, or unusual compression behavior during runtime. No tactics, relationships, aliases, labels, or official detection logic were supplied, so this page is framed as validation guidance rather than a prescriptive rule.
Because the source object is sparse (no official detection content, no related techniques or groups, and no tactic mapping), local environment evidence is required to establish what normal compression, packaging, installation, and deployment behavior looks like, and whether existing telemetry can support reliable detection.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c8a47b1b019a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0600 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.