AN0798: Analytic 0798
Cause→effect chain: (1) Browser/Office/reader process logs crash/segfault or abnormal sandbox message, (2) new executable/script/write occurs in $HOME (Downloads, ~/.cache, /tmp), (3) unexpected child like curl/wget/bash/python opens network connections soon after.
Analyst context for executives and security teams
Analytic 0798 is a Linux-focused detection concept for a suspicious sequence: a browser, office, or document-reader process crashes or reports sandbox/segfault behavior, then a new executable/script/write appears in user-writable locations such as $HOME, Downloads, ~/.cache, or /tmp, followed soon after by unexpected child processes like curl, wget, bash, or python making network connections. For leaders, the value is not the individual crash or file write; it is whether the SOC can correlate endpoint, file, process, and network evidence quickly enough to identify a potentially compromised user workstation before follow-on activity expands.
Executive priority
Prioritize this analytic as a validation of Linux endpoint visibility and incident triage readiness. It helps answer whether security teams can connect application instability, user-directory file creation, child process execution, and outbound network activity into one investigation story. This matters for business continuity and compliance evidence because isolated logs may look benign, while the chained pattern can justify containment, user impact assessment, and escalation decisions. Because ATT&CK provides no tactic or relationship context for this object, treat it as a detection engineering use case rather than proof of a specific intrusion objective.
Technical view
Validate whether Linux telemetry can represent the full cause-to-effect chain in the official description: crash, segfault, or abnormal sandbox messages from browser/Office/reader processes; creation or modification of executables or scripts in user-writable paths including $HOME, Downloads, ~/.cache, and /tmp; process lineage showing unexpected children such as curl, wget, bash, or python; and outbound network connections shortly after the file write or child process start. Detection engineering should focus on time-window correlation and parent-child context rather than alerting on any single event. Since no official detection logic is provided, local baselining is required to define expected browser helper behavior, updater activity, scripting use, and developer workflows.
Likely telemetry
- Linux process creation and parent-child process lineage
- Application crash, segfault, or sandbox-related logs for browsers, office applications, and document readers
- File creation and modification events in $HOME, Downloads, ~/.cache, and /tmp
- Executable or script metadata where available, such as path, permissions, interpreter, and owner
- Outbound network connection telemetry tied to process identity
Detection direction
- Build correlation around the ordered chain described by ATT&CK instead of treating crash logs, file writes, or curl/wget execution as standalone high-confidence signals.
- Tune by application and user role: developers, administrators, and automation-heavy users may legitimately run bash, python, curl, or wget from user-writable directories.
- Confirm that process lineage survives across shells, interpreters, and short-lived processes; this is often the deciding factor for whether the analytic is actionable.
- Review blind spots around unmanaged Linux desktops, sparse crash logging, missing file telemetry in /tmp or user cache paths, and network logs that cannot be joined back to process identity.
- Use local allowlists carefully for known updaters, browser helpers, package managers, and enterprise software agents without suppressing the full crash-to-write-to-network sequence.
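One way to express the time-window and lineage correlation that the Technical view and the points above call for, as an added example that is not part of the original analytic or of Glexia's page. The event schema, the client-application and suspect-child lists, the five-minute window and the sample telemetry are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the page): one full chain plus a benign curl run.
EVENTS = [
    {"ts": "2026-01-10T09:00:00", "type": "crash", "pid": 4100, "image": "firefox", "msg": "SIGSEGV in sandbox"},
    {"ts": "2026-01-10T09:00:12", "type": "file_write", "pid": 4100, "path": "/home/alice/.cache/upd.sh"},
    {"ts": "2026-01-10T09:00:20", "type": "proc_start", "pid": 4230, "ppid": 4100, "image": "bash"},
    {"ts": "2026-01-10T09:00:25", "type": "net_conn", "pid": 4230, "dst": "198.51.100.7:443"},
    # Benign: a package updater runs curl with no preceding crash or user-directory write.
    {"ts": "2026-01-10T10:15:00", "type": "proc_start", "pid": 5000, "ppid": 1, "image": "curl"},
    {"ts": "2026-01-10T10:15:01", "type": "net_conn", "pid": 5000, "dst": "203.0.113.5:443"},
]

CLIENT_APPS = {"firefox", "chrome", "chromium", "soffice", "evince", "okular"}   # assumed list
SUSPECT_CHILDREN = {"curl", "wget", "bash", "sh", "python", "python3"}          # assumed list
USER_WRITABLE = ("/home/", "/tmp/")  # $HOME, Downloads, ~/.cache and /tmp all fall under these

def ts(e):
    return datetime.fromisoformat(e["ts"])

def descends_from(pid, ancestor, parents):
    """True if `ancestor` appears anywhere in pid's recorded parent chain."""
    while pid in parents:
        pid = parents[pid]
        if pid == ancestor:
            return True
    return False

def correlate(events, window=timedelta(minutes=5)):
    """One alert per crash -> user-dir write -> suspect descendant -> outbound connection chain."""
    # Lineage comes only from process-start telemetry; if it is missing, descendants are invisible.
    parents = {e["pid"]: e["ppid"] for e in events if e["type"] == "proc_start"}
    alerts = []
    for crash in (e for e in events if e["type"] == "crash" and e["image"] in CLIENT_APPS):
        t0, root = ts(crash), crash["pid"]
        in_window = lambda e: t0 <= ts(e) <= t0 + window
        related = lambda e: e["pid"] == root or descends_from(e["pid"], root, parents)
        writes = [e for e in events if e["type"] == "file_write" and in_window(e)
                  and related(e) and e["path"].startswith(USER_WRITABLE)]
        children = [e for e in events if e["type"] == "proc_start" and in_window(e)
                    and e["image"] in SUSPECT_CHILDREN and descends_from(e["pid"], root, parents)]
        for w in writes:
            for c in children:
                for n in (e for e in events if e["type"] == "net_conn" and e["pid"] == c["pid"]
                          and ts(c) <= ts(e) <= ts(c) + window):
                    alerts.append({"app": crash["image"], "crash_pid": root, "path": w["path"],
                                   "child": c["image"], "child_pid": c["pid"], "dst": n["dst"]})
    return alerts
```

Removing the process-start record for pid 4230 from the sample makes the whole chain invisible, which is the lineage blind spot the third point above describes.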
Mitigation priorities
- First, ensure Linux endpoints that run browsers, office tools, or document readers are covered by endpoint logging capable of process, file, crash, and network correlation.
- Second, reduce unnecessary execution from user-writable directories where operationally feasible and monitor exceptions.
- Third, harden and patch exposed client applications through vulnerability and configuration management, especially browsers and document-handling software on Linux systems.
- Fourth, document incident response playbooks for when this chain appears, including user notification, process containment, file preservation, and outbound destination review.
- Fifth, use the analytic as compliance and readiness evidence only after validating that required telemetry is collected, retained, and correlated in the local environment.
Analyst notes and limits
This object is an ATT&CK detection analytic, not a technique description. Its useful defensive meaning comes from correlating a sequence of Linux endpoint events. There are no supplied relationships, aliases, labels, tactics, or official detection implementation, so this analysis intentionally avoids attribution, impact claims, or specific attacker objectives.
The source fields specify Linux as the platform and provide only a descriptive cause-effect chain. No detection rule, data source list, tactic mapping, related techniques, threat groups, software, campaigns, or mitigations were supplied. Local environment evidence is required to determine coverage, false positives, severity, and response thresholds.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2312bed64c5a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.