AN0610: Analytic 0610
Adversary manipulation of shared library paths, environment variables, or replacement of service binaries. Defender observes suspicious modifications in /etc/ld.so.preload, service config changes, or file writes replacing existing executables.
Analyst context for executives and security teams
This analytic is about Linux persistence or execution risk created when an adversary changes how shared libraries are loaded, alters service configuration, or replaces service binaries. For leaders, the practical issue is not the specific file alone; it is whether the organization can prove that critical Linux services have not been silently redirected or replaced, especially on systems supporting business operations, cloud workloads, or regulated services.
Executive priority
Prioritize this where Linux servers support critical applications, privileged services, or operational dependencies. The decision value is to validate whether SOC and incident response teams can see high-risk changes to loader configuration, service definitions, and existing executables quickly enough to contain service compromise. This also supports audit and compliance evidence around change control, privileged activity monitoring, and integrity protection for production systems.
Technical view
For SOC, detection engineering, and IR teams, validate monitoring for suspicious modifications to /etc/ld.so.preload, service configuration changes, and file writes that replace existing executables on Linux. Because ATT&CK provides no official detection logic or tactic mapping for this analytic, teams should treat it as a validation target: confirm collection, establish known-good baselines for service files and binaries, and review whether alerts distinguish authorized maintenance from unexpected privileged changes.
Likely telemetry
- Linux file modification events for /etc/ld.so.preload
- File write or overwrite events involving existing service executables
- Service configuration change records on Linux systems
- Process and user context associated with file or service changes
- Privileged account activity around system paths and service management
Detection direction
- Validate that Linux endpoint or host telemetry records writes to /etc/ld.so.preload and changes to service configuration files.
- Tune detections around replacement of existing executables rather than only creation of new files, since the analytic explicitly includes binary replacement.
- Correlate file and service changes with user, process, host role, and approved maintenance windows to reduce false positives from patching or legitimate deployments.
- Prioritize critical servers and privileged service accounts first, because local environment context is required to decide whether a change is suspicious.
- Account for blind spots where host logging is incomplete, ephemeral systems are not monitored, or file integrity monitoring excludes system loader and service paths.
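As an added example (not part of the ATT&CK object or Glexia's analysis), the following Python classifies constructed Linux file-change events along the lines above: loader-configuration writes, service-unit changes, and overwrites of existing executables, with approved package-manager activity inside a maintenance window downgraded rather than dropped. It assumes systemd as the service manager and a sensor that distinguishes "create" from "overwrite"; the paths, event fields and sample events are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import fnmatch

# Assumption: systemd is the service manager, so unit files live under these globs.
SERVICE_CONFIG_GLOBS = ("/etc/systemd/system/*", "/usr/lib/systemd/system/*", "/etc/ld.so.conf.d/*")
LOADER_CONFIG = {"/etc/ld.so.preload", "/etc/ld.so.conf"}
EXEC_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/local/bin/", "/usr/lib/systemd/")
PACKAGE_MANAGERS = {"dpkg", "rpm", "apt-get", "dnf"}


@dataclass
class FileEvent:
    path: str
    op: str                      # constructed field: "create" or "overwrite"
    user: str
    process: str
    in_maintenance_window: bool  # joined from the change-control calendar (assumed)


def classify(ev: FileEvent) -> Optional[str]:
    """Return a finding label, or None when the event is outside this analytic."""
    if ev.path in LOADER_CONFIG:
        # Loader config is rarely a routine change; keep it high-risk regardless of window.
        return "loader-config-write"
    if any(fnmatch.fnmatch(ev.path, g) for g in SERVICE_CONFIG_GLOBS):
        label = "service-config-change"
    elif ev.op == "overwrite" and ev.path.startswith(EXEC_DIRS):
        # Replacement of an existing binary, not mere creation of a new file.
        label = "existing-executable-replaced"
    else:
        return None
    # Package-manager writes during an approved window stay visible but are downgraded.
    if ev.in_maintenance_window and ev.process in PACKAGE_MANAGERS:
        return label + "/approved-maintenance"
    return label


SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real host
    FileEvent("/etc/ld.so.preload", "create", "root", "bash", False),
    FileEvent("/usr/sbin/sshd", "overwrite", "root", "dpkg", True),
    FileEvent("/usr/sbin/sshd", "overwrite", "root", "curl", False),
    FileEvent("/etc/systemd/system/app.service", "overwrite", "root", "vim", False),
    FileEvent("/usr/local/bin/newtool", "create", "deploy", "scp", True),
    FileEvent("/home/alice/notes.txt", "overwrite", "alice", "vim", False),
]


def findings(events: List[FileEvent] = SAMPLE_EVENTS) -> List[Tuple[str, str]]:
    """Run classify() over the events and keep only the ones that produced a label."""
    return [(ev.path, label) for ev in events if (label := classify(ev))]
```

Note that the new file under /usr/local/bin produces no finding: the analytic is about replacement, and creation is left to other coverage.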
Mitigation priorities
- Establish and enforce change control for Linux service configuration and system executable paths.
- Use least privilege for accounts capable of modifying service files, loader configuration, or existing executables.
- Maintain file integrity or configuration monitoring for critical Linux service paths and /etc/ld.so.preload.
- Baseline expected service binaries and configurations for critical systems so incident responders can quickly identify unauthorized changes.
- Ensure incident response playbooks include validation of loader configuration, service definitions, and executable integrity during Linux investigations.
Analyst notes and limits
This object is a detection analytic, not a full ATT&CK technique entry. The supplied description focuses on defender-observable changes: shared library path manipulation, environment-variable-related manipulation, service configuration changes, /etc/ld.so.preload modification, and replacement of existing executables. No relationship context, tactics, or official detection logic were supplied, so the most useful action is coverage validation against Linux telemetry and local change-control data.
ATT&CK fields supplied for this object are sparse: platform is Linux, tactics are not specified, official detection is not provided, and no relationships are supplied. This take does not infer adversary groups, active exploitation, impact, or guaranteed detection. Local asset criticality, logging depth, file paths, service managers, and approved administrative workflows are required to operationalize it.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 99e2d42a1b62… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0610
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.