MITRE ATT&CK® Analytic

AN0725: Analytic 0725

Detects aggregation of files from different directories into /tmp, /mnt, or user-specified directories with archiving tools like tar or gzip.

Enterprise · AN0725 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

AN0725 is a Linux detection analytic focused on a common pre-exfiltration pattern: files from multiple directories being gathered into staging locations such as /tmp, /mnt, or other user-specified directories and compressed with tools like tar or gzip. For leaders, the value is not the archive tool itself, which is often legitimate, but whether the organization can recognize suspicious bulk collection before data leaves the environment.

Executive priority

Prioritize this analytic as a data-loss and incident-readiness control for Linux systems that hold sensitive, regulated, operational, or business-critical data. Executives should ask whether SOC and IR teams can distinguish normal backup, deployment, and administrative compression activity from unusual file aggregation into temporary or mounted paths. This also supports compliance evidence by showing that monitoring exists for potential data staging behavior, though ATT&CK does not provide a full detection specification for this object.

Technical view

Validate Linux visibility for archive creation and command execution involving tar, gzip, and similar utilities, especially when inputs span multiple source directories and outputs land in /tmp, /mnt, or user-chosen staging paths. Because ATT&CK lists no tactic and provides no official detection logic, teams should treat AN0725 as an analytic concept to operationalize with local baselines, asset criticality, user context, and known administrative workflows. Triage should focus on whether the process aggregated broad or sensitive directory sets, whether the actor or account normally performs such activity, and whether the destination path is unusual for that host.

Likely telemetry

  • Linux process execution events, including process name, parent process, user, timestamp, and command-line arguments
  • File creation or modification events for archive outputs in /tmp, /mnt, and user-specified directories
  • File access or read activity across multiple source directories when available
  • Endpoint detection, Linux audit, or system monitoring data capable of linking archive tools to source and destination paths
  • Asset and user context to separate expected backup, deployment, maintenance, or administrative activity from unusual staging

Detection direction

  • Confirm that command-line collection captures arguments for tar, gzip, and related archive activity; process name alone is likely too noisy.
  • Baseline legitimate compression jobs, backup scripts, package operations, and administrator workflows to reduce false positives.
  • Alert with higher priority when archive output is written to temporary or mounted paths and source paths span multiple unrelated directories.
  • Correlate archive creation with account context, host role, data sensitivity, and subsequent file movement where local telemetry allows.
  • Document blind spots where Linux audit, EDR, or file event coverage does not record source paths, destination archive paths, or command-line arguments.
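The triage logic that the Technical view and Detection direction above describe (an archiver writing under /tmp or /mnt with inputs that span several unrelated source directories, suppressed when a known backup job is the parent), as an added example that is not MITRE's or Glexia's code. It assumes Linux process-execution events already normalized to dicts with host, user, parent and cmdline fields (the field names are an assumption), a local baseline keyed on the parent script path, and two extra staging prefixes (/var/tmp and /dev/shm) beyond the two the analytic names; the sample events are constructed, not real telemetry.

```python
# Added example, not MITRE or Glexia code.  Events are assumed to be Linux
# process-execution records normalized to dicts with host, user, parent and
# cmdline keys; baseline entries, extra staging paths and samples are constructed.
import shlex
from pathlib import PurePosixPath

ARCHIVERS = {"tar", "bsdtar", "gzip", "zip"}
SHELLS = {"sh", "bash", "dash", "zsh"}
STAGING_PREFIXES = ("/tmp/", "/mnt/", "/var/tmp/", "/dev/shm/")   # last two assumed
KNOWN_ARCHIVE_PARENTS = {"/opt/backup/nightly.sh"}   # assumed local backup baseline
TAR_LEGACY_OPTS = set("cxtrujJzZfvphO")              # letters allowed in `tar czf ...`

def unwrap_shell(argv):
    """If argv is `sh -c "<cmd>"` (as auditd often records it), return <cmd>'s argv."""
    if argv and PurePosixPath(argv[0]).name in SHELLS and "-c" in argv:
        inner = argv[argv.index("-c") + 1:]
        return shlex.split(inner[0]) if inner else argv
    return argv

def top_dir(path):
    """Collapse an absolute path to its top-level root, keeping /home/<user> distinct."""
    parts = PurePosixPath(path).parts
    if len(parts) > 2 and parts[1] == "home":
        return "/" + "/".join(parts[1:3])
    return "/" + parts[1] if len(parts) > 1 else path

def parse_archive_cmd(cmdline):
    """Return (tool, dest, sources) for an archive-creating command, else None."""
    try:
        argv = unwrap_shell(shlex.split(cmdline))
    except ValueError:                  # unbalanced quotes: skip rather than crash
        return None
    tool = PurePosixPath(argv[0]).name if argv else ""
    if tool not in ARCHIVERS:
        return None
    is_tar, dest, sources = tool in ("tar", "bsdtar"), None, []
    it, first = iter(argv[1:]), True
    for a in it:
        legacy = is_tar and first and not a.startswith("-") and set(a) <= TAR_LEGACY_OPTS
        first = False
        cluster = a[1:] if a.startswith("-") and not a.startswith("--") else (a if legacy else "")
        if is_tar and (a == "--extract" or "x" in cluster):
            return None                 # extraction, not aggregation
        if a == "|":
            break                       # what follows is the next pipeline stage
        if a == ">":                    # shell redirect: gzip -c ... > /tmp/x.gz
            dest = next(it, dest)
        elif a.startswith(">") and len(a) > 1:
            dest = a[1:]
        elif is_tar and (a in ("-f", "--file") or cluster.endswith("f")):
            dest = next(it, None)       # -f out, -czf out, legacy `czf out`
        elif is_tar and a in ("-C", "--directory"):
            sources.append(next(it, ""))  # tar -C dir: that dir's contents are inputs
        elif a.startswith("-") or legacy:
            pass                        # other option without an operand
        elif tool == "zip" and dest is None:
            dest = a                    # zip's first operand is the archive
        else:
            sources.append(a)
    return tool, dest, sources

def evaluate(event, baseline=KNOWN_ARCHIVE_PARENTS):
    """Score one event; None when it is not an archive-creating command."""
    parsed = parse_archive_cmd(event["cmdline"])
    if parsed is None:
        return None
    tool, dest, sources = parsed
    roots = sorted({top_dir(s) for s in sources if s.startswith("/")})
    staged = dest not in (None, "-") and dest.startswith(STAGING_PREFIXES)
    if event.get("parent") in baseline:
        severity = "baseline"           # known job: keep as evidence, do not alert
    elif staged and len(roots) >= 2:
        severity = "high"               # cross-directory aggregation into staging
    elif staged or len(roots) >= 2:
        severity = "medium"
    else:
        severity = "low"
    return {"host": event["host"], "user": event["user"], "tool": tool,
            "dest": dest, "roots": roots, "staged": staged, "severity": severity}

def triage(events):
    return [f for f in map(evaluate, events) if f is not None]

SAMPLE_EVENTS = [  # constructed process-execution events, not real telemetry
    {"host": "web01", "user": "backup", "parent": "/opt/backup/nightly.sh",
     "cmdline": "tar -czf /mnt/backup/etc.tgz /etc"},
    {"host": "web01", "user": "www-data", "parent": "/bin/sh",
     "cmdline": "tar -czf /tmp/.cache.tgz /etc /home/alice/Documents /var/www/html"},
    {"host": "db02", "user": "postgres", "parent": "/bin/bash",
     "cmdline": "sh -c 'gzip -c /etc/passwd /etc/shadow > /tmp/s.gz'"},
    {"host": "dev03", "user": "bob", "parent": "/bin/bash",
     "cmdline": "tar -xzf /home/bob/dl/app.tgz -C /opt/app"},
    {"host": "dev03", "user": "bob", "parent": "/bin/bash",
     "cmdline": "zip -r /tmp/review.zip /home/bob/src /home/alice/notes"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity']:8} {f['host']:5} {f['user']:8} {f['tool']:4} -> {f['dest']} from {f['roots']}")
```

Two design points carry the weight here. First, the archive destination and the source set only exist in the command line, so the parser has to understand tar's option clusters (`-czf out`, legacy `czf out`, `-C dir`), a `sh -c` wrapper, and a `>` redirect for gzip; a rule that keys on the process name alone cannot tell `tar -xzf` (unpacking a download) from `tar -czf /tmp/...` (staging). Second, "multiple unrelated directories" is approximated by counting distinct top-level roots, with /home/<user> kept separate so a single user's tree is not over-counted. Relative sources, working-directory context, and host role are deliberately left to local enrichment, which is where the baseline set would normally be populated from the inventory of expected backup and deployment jobs.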

Mitigation priorities

  • Improve Linux endpoint and audit logging first so the behavior can be observed consistently.
  • Maintain inventories of sensitive Linux hosts and expected backup or archive workflows to support tuning and triage.
  • Restrict unnecessary write access to shared, mounted, or temporary staging locations where operationally feasible.
  • Review privileged and service account usage on Linux systems that can access broad file sets.
  • Prepare IR playbooks for suspected data staging, including preservation of process, file, user, and host context before cleanup.

Analyst notes and limits

This object is a detection analytic, not a technique, and no ATT&CK relationships or official detection logic were supplied. The most defensible use is to convert the description into local detection requirements and validation tests for Linux file aggregation and archiving behavior. The analytic should be tuned against known administrative and backup activity rather than treated as inherently malicious.

The supplied ATT&CK fields provide only the platform, description, external reference, and versioning metadata. Tactics are not specified, official detection is not provided, and no relationship context is available. Any assessment of coverage, severity, or maliciousness requires local telemetry, baselines, and asset context.

Official MITRE ATT&CK definition

Analytic 0725

Detects aggregation of files from different directories into /tmp, /mnt, or user-specified directories with archiving tools like tar or gzip.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Where official ATT&CK lists related groups, software, data sources, or mitigations, validate them against those relationships and your own telemetry before making control-coverage decisions; for this object no relationships are listed, so coverage claims rest entirely on local telemetry and baselines.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 45d955d1e15e154a...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 45d955d1e15e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack, AN0725 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.