AN0765: Analytic 0765
Correlates creation/modification of systemd service files or /etc/init.d scripts with outlier process behavior during boot
Analyst context for executives and security teams
AN0765 is a Linux detection analytic focused on a persistence-style signal: changes to systemd service files or /etc/init.d scripts followed by unusual process behavior during boot. For leaders, the value is not simply file-change alerting; it is validating whether the organization can connect startup configuration changes to what actually runs when systems restart. That matters for business continuity because unauthorized boot-time execution can survive reboots and may be missed if teams only monitor interactive user activity.
Executive priority
Prioritize this analytic where Linux systems support critical business services, regulated workloads, or operational infrastructure. The executive question is whether security teams can prove they monitor both startup configuration changes and boot-time execution behavior, and whether that evidence is usable during incident response or audit review. This is a practical control-validation item for SOC readiness, Linux hardening, change-management assurance, and resilience planning.
Technical view
For SOC and detection engineering teams, validate that Linux telemetry can capture creation or modification of systemd unit files and /etc/init.d scripts, then correlate those changes with process execution during boot. Because the supplied ATT&CK object does not specify tactics or a full detection procedure, teams should treat AN0765 as an analytic pattern rather than a complete rule. Key validation points include coverage of relevant startup file paths, timestamps that allow correlation across file and process events, host reboot context, and a baseline of expected boot-time processes for each Linux server role.
Likely telemetry
- Linux file creation and modification events for systemd service files
- Linux file creation and modification events for /etc/init.d scripts
- Process execution telemetry during system boot
- Host boot or restart events for correlation timing
- File metadata such as path, owner, permissions, and modification time
Detection direction
- Confirm that file integrity, endpoint, audit, or operating-system telemetry covers systemd service locations and /etc/init.d on Linux hosts in scope.
- Correlate startup file creation or modification with processes that run during the next boot window rather than alerting on either signal alone.
- Build or validate baselines for normal boot-time process behavior by server role to reduce false positives from patching, package installation, configuration management, and legitimate service deployment.
- Tune for change-management context: expected administrative changes should be explainable by approved maintenance, automation, or software updates.
- Review blind spots such as Linux hosts without endpoint telemetry, short log retention, missing boot-event data, or environments where service files are changed by automation without sufficient attribution.
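As an added illustration of the correlation described above (not part of the ATT&CK object or Glexia's analysis), the Python below pairs startup file writes with processes that fall outside a per-role baseline during the next boot window; the path list, window sizes, role baseline and event records are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed startup config locations: systemd unit dirs and SysV init scripts.
STARTUP_PREFIXES = ("/etc/systemd/system/", "/usr/lib/systemd/system/",
                    "/lib/systemd/system/", "/etc/init.d/")
BOOT_WINDOW = timedelta(seconds=120)  # process starts this soon after boot count as boot-time
LOOKBACK = timedelta(days=7)          # how far before a boot a startup file change still counts
# Constructed per-role baseline of expected boot-time processes.
BASELINE = {"web": {"systemd", "sshd", "nginx", "cron", "rsyslogd"}}

def ts(s):
    return datetime.fromisoformat(s)

def correlate(events, baseline):
    """Pair startup file changes with outlier processes seen in the next boot window."""
    alerts = []
    for boot in (e for e in events if e["type"] == "boot"):
        host, t0 = boot["host"], ts(boot["ts"])
        changes = sorted(e["path"] for e in events
                         if e["type"] == "file_write" and e["host"] == host
                         and e["path"].startswith(STARTUP_PREFIXES)
                         and t0 - LOOKBACK <= ts(e["ts"]) < t0)
        if not changes:
            continue  # a startup file change is required; an outlier alone is not an alert
        expected = baseline.get(boot["role"], set())
        for e in events:
            if (e["type"] == "process_start" and e["host"] == host
                    and t0 <= ts(e["ts"]) <= t0 + BOOT_WINDOW
                    and e["comm"] not in expected):
                alerts.append({"host": host, "boot": boot["ts"],
                               "process": e["comm"], "changed_files": changes})
    return alerts

# Constructed sample telemetry, not real logs.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "web01", "type": "file_write", "path": "/etc/systemd/system/backup-agent.service"},
    {"ts": "2024-05-01T09:05:00", "host": "web01", "type": "file_write", "path": "/etc/nginx/nginx.conf"},
    {"ts": "2024-05-02T03:00:00", "host": "web01", "type": "boot", "role": "web"},
    {"ts": "2024-05-02T03:00:05", "host": "web01", "type": "process_start", "comm": "sshd"},
    {"ts": "2024-05-02T03:00:09", "host": "web01", "type": "process_start", "comm": "curl"},
    {"ts": "2024-05-02T03:10:00", "host": "web01", "type": "process_start", "comm": "vim"},
    {"ts": "2024-05-02T03:00:00", "host": "web02", "type": "boot", "role": "web"},
    {"ts": "2024-05-02T03:00:04", "host": "web02", "type": "process_start", "comm": "python3"},
]
```

Only web01 alerts: its unit file write precedes the boot and curl is outside the web baseline, while web02's outlier has no preceding startup file change and vim on web01 starts after the boot window closes.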
Mitigation priorities
- Ensure Linux startup configuration changes are governed by change management and administrative access controls.
- Limit write access to systemd service paths and /etc/init.d scripts to authorized administrators and trusted automation.
- Use configuration management or file integrity monitoring to detect unauthorized startup file changes.
- Maintain sufficient endpoint and system log retention to support correlation between file changes and later boot-time process execution.
- Periodically test detection logic by validating that approved service changes and subsequent boot execution are visible to the SOC.
Analyst notes and limits
This object is a detection analytic, not a technique, and no relationship context was supplied. The official description supports a Linux-focused correlation between startup file changes and outlier boot-time process behavior. Since tactics and official detection details are not provided, local implementation should be driven by the organization’s Linux logging architecture, normal service deployment processes, and host criticality.
The supplied ATT&CK fields do not include tactics, related techniques, data sources, detection pseudocode, mitigations, or relationships. This analysis therefore avoids claims about attacker attribution, active exploitation, impact, or guaranteed detection coverage. Local telemetry availability and environment-specific baselining are required to determine effectiveness.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e95d73ecd930… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0765
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.