AN0703: Analytic 0703
Detect alterations of transmitted data via monitoring syscalls (`send`, `recv`, `write`) or middleware interception. Identify mismatched file hashes when compared at origin vs. destination. Watch for anomalous activity from processes interacting with secure transmission services (e.g., OpenSSL, scp).
Analyst context for executives and security teams
AN0703 is a Linux-focused detection analytic for spotting possible alteration of data while it is being transmitted. Its business value is integrity assurance: if files or messages can change between origin and destination, incident responders and leaders may be dealing with corrupted business records, unreliable transfer workflows, or tampering inside systems that handle secure transmission.
Executive priority
Prioritize this analytic where Linux systems move sensitive, regulated, operationally important, or recovery-critical data. Leaders should ask whether the organization can prove that transmitted files arrive unchanged, whether SOC teams have visibility into Linux process and syscall activity around transfer tools, and whether incident response playbooks include origin-versus-destination integrity checks. This is also useful evidence for compliance and resilience discussions where data integrity matters.
Technical view
Validate coverage on Linux hosts that participate in secure transfer or middleware workflows. The supplied analytic points to monitoring syscalls such as `send`, `recv`, and `write`; middleware interception; file-hash comparison between origin and destination; and anomalous processes interacting with secure transmission services or tools such as OpenSSL and scp. SOC teams should test whether telemetry links process identity, command context, file writes, network transmission activity, and hash results closely enough to distinguish expected transfer behavior from suspicious alteration.
Likely telemetry
- Linux syscall telemetry for `send`, `recv`, and `write` activity
- Process execution and parent-child process context on Linux systems
- File hash values calculated at origin and destination
- File write and modification events around transmitted content
- Middleware or application-layer interception logs where available
Detection direction
- Confirm that Linux telemetry is collected from systems that actually originate, relay, or receive important data transfers.
- Tune for mismatched file hashes between origin and destination, while accounting for legitimate transformations such as compression, encryption wrapping, format conversion, or expected metadata changes.
- Correlate syscall activity with process identity and transfer context; syscall volume alone may be noisy on busy servers.
- Review anomalous process interactions with secure transmission tooling, especially unexpected binaries, unusual parent processes, or activity outside normal transfer workflows.
- Identify blind spots where encrypted traffic, middleware layers, or limited endpoint telemetry prevent direct observation of content integrity changes.
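A worked version of the origin-versus-destination hash check described above, added here and not part of the ATT&CK object: it verifies a destination directory against an origin manifest, treats gzip wrapping as the one documented legitimate transformation, and reports anything else as a mismatch. It assumes GNU coreutils `sha256sum` and `gzip`; the sample files and the in-transit alteration are constructed.

```shell
#!/bin/sh
# Added example (not part of the ATT&CK object): origin-vs-destination
# hash verification for a file transfer that tolerates one declared
# legitimate transformation (gzip wrapping). Assumes GNU sha256sum and gzip.

# SHA-256 of one file.
hash_file() { sha256sum "$1" | cut -d' ' -f1; }

# Origin manifest, one "<sha256>  <name>" line per regular file.
# Arguments: origin_dir manifest_path
make_manifest() {
  ( cd "$1" && for f in *; do [ -f "$f" ] && sha256sum "$f"; done ) > "$2"
}

# Compare dest_dir against the manifest. A file that arrived as <name>.gz is
# decompressed before hashing (the documented, expected wrapping); anything
# else must hash identically. Prints one MISMATCH/MISSING line per problem
# and returns the problem count. Arguments: manifest_path dest_dir
verify_manifest() {
  problems=0
  while read -r expected name; do
    if [ -f "$2/$name" ]; then
      actual=$(hash_file "$2/$name")
    elif [ -f "$2/$name.gz" ]; then
      actual=$(gzip -dc "$2/$name.gz" | sha256sum | cut -d' ' -f1)
    else
      echo "MISSING $name"; problems=$((problems + 1)); continue
    fi
    if [ "$actual" != "$expected" ]; then
      echo "MISMATCH $name expected=$expected actual=$actual"
      problems=$((problems + 1))
    fi
  done < "$1"
  return "$problems"
}

# Constructed sample transfer under workdir: a.txt arrives intact, b.txt
# arrives gzip-wrapped (legitimate), c.txt is altered in transit.
build_sample_transfer() {
  mkdir -p "$1/origin" "$1/dest"
  printf 'ledger row 1\n' > "$1/origin/a.txt"
  printf 'ledger row 2\n' > "$1/origin/b.txt"
  printf 'pay 100 to alice\n' > "$1/origin/c.txt"
  make_manifest "$1/origin" "$1/manifest.txt"
  cp "$1/origin/a.txt" "$1/dest/a.txt"
  gzip -c "$1/origin/b.txt" > "$1/dest/b.txt.gz"
  printf 'pay 900 to bob\n' > "$1/dest/c.txt"   # constructed alteration
}
```

Running `build_sample_transfer "$d"` followed by `verify_manifest "$d/manifest.txt" "$d/dest"` reports only `MISMATCH c.txt` and exits with status 1; the gzip-wrapped b.txt is accepted because its decompressed content still hashes to the origin value.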
Mitigation priorities
- Start with integrity controls: define which transfer workflows require origin-and-destination hash validation or equivalent integrity checks.
- Harden and monitor Linux systems that handle secure transmission workflows, especially those using OpenSSL, scp, or middleware components.
- Limit who and what can modify transfer scripts, middleware, and services involved in data movement.
- Ensure logging and retention are sufficient for incident responders to reconstruct process activity, file writes, and transfer outcomes.
- Document normal transformation behavior so detection teams can separate legitimate data changes from potential tampering.
Analyst notes and limits
This object is a detection analytic, not a full ATT&CK technique entry, and no tactic or relationship context was supplied. Treat it as a coverage validation prompt for Linux data-transfer integrity rather than a complete threat scenario. Local architecture determines which transfer paths, middleware layers, and hash comparison methods are meaningful.
The official detection field is not provided, and there are no supplied relationships, mitigations, groups, software, campaigns, or procedure examples. The object supports Linux only. Any assessment of exposure, active exploitation, impact, or detection effectiveness requires local telemetry and environment evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | fd5878d3efd9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.