Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0631: Analytic 0631

Detects when a script or binary is named with misleading or benign-looking extensions (.jpg, .doc) and is then executed via command line or a scheduled task. Includes ELF header mismatches and content-type inconsistencies on disk.

EnterpriseAN0631AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because it looks for Linux executables or scripts disguised with harmless-looking file extensions such as .jpg or .doc and then run from the command line or by a scheduled task. For leaders, the practical issue is not the filename itself; it is whether the organization can spot execution that conflicts with what the file appears to be. That gap can affect incident triage, malware containment, and confidence in endpoint monitoring.

Executive priority

Prioritize this as a validation point for Linux endpoint visibility and SOC readiness. Security leaders should ask whether Linux systems collect enough file, process, command-line, and scheduling evidence to prove that disguised executable content would be noticed. This is also useful for compliance and audit conversations because it tests whether controls can detect suspicious execution behavior rather than relying only on file names or extensions.

Technical view

AN0631 applies to Linux and is focused on detecting scripts or binaries with misleading benign-looking extensions that are executed via command line or scheduled task. The supplied ATT&CK object specifically mentions ELF header mismatches and content-type inconsistencies on disk. SOC and detection engineering teams should validate correlation between file metadata or content inspection, process execution telemetry, command-line arguments, and scheduled task execution records. Because no ATT&CK detection logic is provided, local implementation should be tested against approved administrative scripts, packaged applications, and automation jobs to manage false positives.

Likely telemetry

  • Linux process execution events including executable path, command line, parent process, user, and timestamp
  • File metadata and file path information, including extension and permissions
  • File content or header inspection results, especially ELF header identification versus apparent extension
  • Scheduled task or job execution records where available
  • Endpoint security or EDR alerts that identify content-type mismatch or suspicious execution from misleading filenames

Detection direction

  • Validate that Linux command-line execution telemetry is collected and retained for systems in scope.
  • Compare executable content indicators, such as ELF headers, against filenames and extensions that imply non-executable content.
  • Include scheduled task execution paths because the analytic explicitly covers command-line and scheduled task execution.
  • Tune for legitimate software, build pipelines, scripts, and automation that may use unusual filenames or extensions.
  • Watch for blind spots on unmanaged Linux servers, short-lived workloads, containers, or systems without file-content inspection.

Mitigation priorities

  • Improve Linux endpoint logging coverage before relying on this analytic for operational detection.
  • Restrict unnecessary execution from user-writable or temporary locations where feasible using standard hardening controls.
  • Review scheduled task governance so authorized jobs are documented and unexpected executable paths are investigated.
  • Use file integrity, application control, or content inspection capabilities where appropriate to identify executable content that conflicts with apparent file type.
  • Ensure incident response playbooks include collection of the file, command line, parent process, user context, and scheduled task source when this behavior is observed.
Analyst notes and limits

The object is a MITRE ATT&CK detection analytic, AN0631, for enterprise Linux environments. The tactics field is not specified and no relationship context was supplied, so this take should be used as guidance for detection validation rather than as a claim about a specific technique, campaign, or actor.

Official detection content is not provided, and no relationships were supplied. The assessment is limited to the official description, platform, external reference, and object metadata. Local telemetry, endpoint coverage, and allowlisted administrative behavior are required to determine practical detection quality.

Official MITRE ATT&CK definition

Analytic 0631

Detects when a script or binary is named with misleading or benign-looking extensions (.jpg, .doc) and is then executed via command line or a scheduled task. Includes ELF header mismatches and content-type inconsistencies on disk.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
0c8b1538be06b83f...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 0c8b1538be06…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0631
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use