AN0775: Analytic 0775
Detection of writes to /boot or EFI directories outside of expected package manager updates. Monitoring kernel log and auditd events for attempts to overwrite bootloader binaries (e.g., grub, shim). Unexpected execution of efibootmgr or dd writing to /dev/sdX devices followed by boot parameter changes.
Analyst context for executives and security teams
AN0775 is a Linux-focused detection analytic for suspicious changes to boot-related locations such as /boot, EFI directories, bootloader binaries, or raw disk devices. Its business value is that boot-level modification can affect system integrity and recovery confidence: if attackers or unauthorized processes alter boot components, teams may not be able to trust what starts before normal security tooling loads.
Executive priority
Treat this as a resilience and assurance control, not just a SOC alert. Leaders should ask whether critical Linux systems have audit coverage for boot-path changes, whether legitimate package-manager maintenance is clearly distinguishable from unexpected modification, and whether incident responders have a process for validating bootloader and boot parameter integrity during containment and recovery.
Technical view
For Linux systems, validate monitoring for writes to /boot and EFI directories outside expected package manager activity, kernel log and auditd visibility for attempts to overwrite bootloader binaries such as grub or shim, and unexpected use of utilities such as efibootmgr or dd where disk devices or boot parameters are involved. Because no ATT&CK tactics or related objects were supplied, this should be implemented as a behavior-focused integrity analytic rather than mapped to a broader intrusion chain without local evidence.
Likely telemetry
- Linux auditd events covering writes to /boot, EFI paths, bootloader files, and raw block devices
- Kernel logs showing bootloader, disk, or EFI-related activity
- Process execution telemetry for package managers, efibootmgr, dd, and related command-line context
- File integrity or filesystem monitoring for /boot, EFI directories, grub, shim, and boot configuration files
- Change-management or package-update records to distinguish authorized maintenance from unexpected modification
Detection direction
- Baseline approved package-manager update behavior that legitimately writes to boot paths, then alert on writes outside that context.
- Correlate file writes, process execution, parent process, user, command line, and timing before escalating, since kernel updates and bootloader maintenance can be legitimate.
- Prioritize events where efibootmgr or dd execution is followed by boot parameter changes or writes to disk devices.
- Confirm auditd rules actually cover the relevant boot and EFI paths on each Linux distribution in scope; path differences are a likely blind spot.
- Tune for administrative maintenance windows and approved automation to reduce false positives without suppressing unexpected boot-path modification.
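The detection direction above, as an added example that is not part of the original page or of MITRE's content: a Python triage routine run over constructed, simplified auditd-style records. The record layout, the allowlist of approved boot-path writers, and the 300-second correlation window are assumptions to tune per distribution.

```python
"""Triage simplified auditd-style records for unexpected boot-path activity.
Added example; record layout, allowlist and window are assumptions, not page content."""
import re

# Assumed allowlist of processes expected to write to /boot during approved maintenance.
APPROVED_WRITERS = {"dpkg", "apt", "apt-get", "rpm", "dnf", "yum", "zypper", "grub-install",
                    "update-grub", "grub-mkconfig", "kernel-install", "dracut", "update-initramfs"}
RISKY_TOOLS = {"dd", "efibootmgr"}
BOOT_PATH = re.compile(r"^/(boot|efi)(/|$)")                             # /boot, /boot/efi, /efi
BLOCK_DEV = re.compile(r"/dev/(sd[a-z]|vd[a-z]|xvd[a-z]|nvme\d+n\d+)")  # raw disk devices

# Constructed sample records: ts=epoch seconds, op=exec|write, comm=process name.
SAMPLE = [
    'ts=1000 op=write uid=0 comm=dpkg path=/boot/vmlinuz-6.1.0-18-amd64',
    'ts=1001 op=write uid=0 comm=update-grub path=/boot/grub/grub.cfg',
    'ts=2000 op=write uid=0 comm=python3 path=/boot/efi/EFI/debian/shimx64.efi',
    'ts=3000 op=exec uid=0 comm=dd args="if=/tmp/stage of=/dev/sda bs=512 count=1"',
    'ts=3005 op=exec uid=0 comm=efibootmgr args="-c -d /dev/sda -p 1 -L custom"',
    'ts=3010 op=write uid=0 comm=sh path=/boot/grub/grub.cfg',
]

def parse(line):
    """Parse one key=value record; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def triage(lines, window=300):
    """Return (ts, reason) findings: boot-path or raw-device writes by non-approved
    processes, dd/efibootmgr runs against disks, and boot-file writes that follow
    such a run within `window` seconds (the sequence the analytic prioritizes)."""
    findings, tool_runs = [], []
    for line in lines:
        ev = parse(line)
        ts, comm = float(ev.get("ts", 0)), ev.get("comm", "")
        path, args = ev.get("path", ""), ev.get("args", "")
        if ev.get("op") == "exec" and comm in RISKY_TOOLS and (comm == "efibootmgr" or BLOCK_DEV.search(args)):
            tool_runs.append((ts, comm))
            findings.append((ts, f"{comm} run against disk or boot entry: {args}"))
        elif ev.get("op") == "write":
            if BOOT_PATH.match(path) and comm not in APPROVED_WRITERS:
                findings.append((ts, f"unexpected write to {path} by {comm} uid={ev.get('uid')}"))
            if BLOCK_DEV.match(path) and comm not in APPROVED_WRITERS:
                findings.append((ts, f"raw block-device write to {path} by {comm}"))
            for tts, tcomm in tool_runs:   # correlate with a recent dd/efibootmgr run
                if BOOT_PATH.match(path) and 0 <= ts - tts <= window:
                    findings.append((ts, f"boot file {path} changed {ts - tts:.0f}s after {tcomm}"))
                    break
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

The approved dpkg and update-grub writes produce nothing, while the shim overwrite, the dd and efibootmgr runs, and the grub.cfg change that follows them are each surfaced with the correlating context.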
Mitigation priorities
- Establish strict change control for bootloader, EFI, and kernel update activity on critical Linux systems.
- Ensure auditd, kernel logging, and file integrity monitoring are enabled and retained for boot-related paths and raw device write activity.
- Limit privileged access capable of modifying boot configuration or writing to block devices.
- Include bootloader and boot-parameter validation in incident response and recovery checklists for affected Linux hosts.
- Maintain package-management records so defenders can separate authorized updates from suspicious writes.
Analyst notes and limits
The supplied object is a detection analytic, not a technique, and it contains no tactic mapping or relationship context. The most defensible use is to guide validation of Linux boot-integrity telemetry and alert logic around unexpected writes to /boot, EFI directories, bootloader binaries, and disk devices.
Official detection content is not provided, and no relationships, aliases, or tactics were supplied. Local distribution paths, package managers, logging configuration, and maintenance practices are required to turn this into reliable detection logic.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2ba289ee2702… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.