MITRE ATT&CK® Analytic

AN0821: Analytic 0821

User or desktop application writes a new file to ~/Downloads, /tmp, or mounted removable media followed by execve of a risky interpreter/loader (bash, sh, python, perl, php, node, curl|wget piping to sh, ld.so, rdesktop, xdg-open - with unusual args). Uses auditd PATH+SYSCALL (open/creat/write/rename) with execve event linking.

Domain: Enterprise. Object: AN0821 (Analytic), version 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN0821 is a Linux detection analytic for a high-risk pattern: a user or desktop application writes a new file into common landing zones such as ~/Downloads, /tmp, or mounted removable media, and that activity is followed by execution through an interpreter or loader such as bash, sh, python, perl, php, node, ld.so, rdesktop, xdg-open, or shell execution via curl/wget piping. For leaders, the value is not the path alone; it is the linkage between file creation and subsequent execution, which helps distinguish ordinary downloads from activity that may require SOC or incident response review.

Executive priority

Prioritize this analytic where Linux desktops, engineering workstations, administrative jump systems, or other Linux user environments are material to operations. It supports business decisions around endpoint telemetry readiness, removable media governance, and incident triage because it tests whether the organization can connect file-write evidence to process execution evidence. The main executive question is: can the SOC prove when newly introduced content from user-writable locations becomes executable activity, and can responders reconstruct that chain quickly enough to support containment decisions?

Technical view

Validate auditd-based visibility on Linux for PATH and SYSCALL records covering open, creat, write, and rename activity, then correlate those events with execve activity for the same user/session/process lineage where possible. Scope the analytic to writes into ~/Downloads, /tmp, and mounted removable media followed by execution of the interpreters/loaders named in the ATT&CK description, especially when unusual arguments are present. Because no ATT&CK tactic or relationship context is supplied, treat this as a behavior-level analytic rather than a technique-specific conclusion.

Likely telemetry

  • Linux auditd PATH records for file paths in ~/Downloads, /tmp, and mounted removable media
  • Linux auditd SYSCALL records for open, creat, write, and rename operations
  • execve process execution events with command-line arguments
  • User, session, process, and timestamp fields needed to link file-write activity to later execution
  • Mount/removable media path context where available

Detection direction

  • Confirm auditd collection is enabled and retained for both file-write events and execve events; either data source alone is insufficient for the analytic as described.
  • Test correlation logic that links a new or modified file in the specified user-writable locations to a later risky interpreter or loader execution.
  • Tune for expected administrative, development, package-management, or automation workflows that legitimately execute scripts from /tmp or Downloads.
  • Pay attention to argument patterns for curl or wget piping to sh and unusual arguments to interpreters/loaders, while avoiding a rule that alerts on every interpreter launch.
  • Validate coverage for mounted removable media paths, which are often less consistently normalized than standard filesystem paths.
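One way to implement the write-then-execute correlation called for in the Technical view and the Detection direction list, as an added example that is neither Glexia's nor MITRE's code: it groups raw auditd records by event serial, keeps successful writes into ~/Downloads, /tmp and removable media mount points, and links a later execve of a risky interpreter by the same auid and login session, marking whether the interpreter's argv names the written file. Assumed, not taken from the page: x86_64 syscall numbers, removable media mounted under /media or /run/media, and the constructed sample log.

```python
import re
from collections import defaultdict
# Constructed sample auditd records (not from a real host): a browser writes into ~/Downloads and
# bash in the same session runs the file; a python3 launch from /opt in another session is benign.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=257 success=yes exit=3 pid=2001 auid=1000 uid=1000 ses=3 comm="firefox" exe="/usr/lib/firefox/firefox" key="user_write"
type=PATH msg=audit(1700000000.100:101): item=1 name="/home/alice/Downloads/update.sh" nametype=CREATE
type=SYSCALL msg=audit(1700000004.500:102): arch=c000003e syscall=59 success=yes exit=0 pid=2050 auid=1000 uid=1000 ses=3 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1700000004.500:102): argc=2 a0="bash" a1="/home/alice/Downloads/update.sh"
type=SYSCALL msg=audit(1700000010.000:103): arch=c000003e syscall=59 success=yes exit=0 pid=2060 auid=1001 uid=1001 ses=4 comm="python3" exe="/usr/bin/python3" key="exec"
type=EXECVE msg=audit(1700000010.000:103): argc=2 a0="python3" a1="/opt/app/run.py"
"""
# Assumptions: x86_64 syscall numbers (arch=c000003e); removable media mounted under /media or /run/media.
WATCHED_DIRS = ("/Downloads/", "/tmp/", "/media/", "/run/media/")
WRITE_SYSCALLS = {"1", "2", "82", "85", "257", "264"}  # write open rename creat openat renameat
EXECVE_SYSCALL = "59"
RISKY = {"bash", "sh", "python", "python3", "perl", "php", "node", "ld.so", "rdesktop", "xdg-open", "curl", "wget"}
WINDOW_S = 300  # seconds a write stays eligible for linking to a later execve
def parse_events(text):
    """Group raw records by event serial: {'SYSCALL': {...}, 'EXECVE': {...}, 'PATH': [...]}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = re.match(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)', line)
        if not m: continue
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', rest)}
        fields["ts"] = float(ts)
        if rtype == "PATH":  # one event may carry several PATH items (parent dir, file)
            events[int(serial)].setdefault("PATH", []).append(fields)
        else:
            events[int(serial)][rtype] = fields
    return [events[s] for s in sorted(events)]

def correlate(text, window=WINDOW_S):
    """Link successful writes into watched dirs to a later risky execve by the same auid/session."""
    writes, hits = [], []
    for ev in parse_events(text):
        sc = ev.get("SYSCALL")
        if not sc or sc.get("success") != "yes": continue
        if sc["syscall"] in WRITE_SYSCALLS:
            for p in ev.get("PATH", []):
                if any(d in p.get("name", "") for d in WATCHED_DIRS):
                    writes.append((sc["auid"], sc["ses"], sc["ts"], p["name"]))
        elif sc["syscall"] == EXECVE_SYSCALL and "EXECVE" in ev:
            ex = ev["EXECVE"]
            argv = [ex[f"a{i}"] for i in range(int(ex["argc"])) if f"a{i}" in ex]
            if argv and argv[0].rsplit("/", 1)[-1] in RISKY:
                for auid, ses, wts, path in writes:
                    if (auid, ses) == (sc["auid"], sc["ses"]) and 0 <= sc["ts"] - wts <= window:
                        hits.append({"path": path, "argv": argv, "pid": sc["pid"], "arg_refs_file": path in argv})
    return hits
```

Hits where `arg_refs_file` is true are the strongest signal; session-only links are the tuning surface for the legitimate /tmp and Downloads workflows noted above.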

Mitigation priorities

  • First, ensure Linux audit and process telemetry collection is consistently configured for systems in scope.
  • Next, define acceptable-use and control expectations for executing scripts from Downloads, /tmp, and removable media, especially on privileged or operationally sensitive Linux systems.
  • Apply least-privilege and execution-control practices where feasible to reduce unnecessary script or loader execution from user-writable locations.
  • Strengthen removable media handling and monitoring where such media is allowed.
  • Use incident response playbooks that preserve file metadata, command line, user context, and auditd event chains when this analytic fires.

Analyst notes and limits

This object is a detection analytic, not a full ATT&CK technique entry. The supplied description is specific about Linux, auditd PATH+SYSCALL records, file-write operations, execve linking, and the risky interpreter/loader set. No tactics, related techniques, groups, campaigns, mitigations, or official detection text were supplied, so conclusions should remain behavior-focused and locally validated.

The ATT&CK object provides no official detection field beyond the description, no relationship context, and no non-Linux platform coverage. This take does not establish active exploitation, attribution, business impact, or guaranteed detection. Local auditd configuration, command-line logging quality, path normalization, and correlation capability will determine practical coverage.

Official MITRE ATT&CK definition

Analytic 0821

User or desktop application writes a new file to ~/Downloads, /tmp, or mounted removable media followed by execve of a risky interpreter/loader (bash, sh, python, perl, php, node, curl|wget piping to sh, ld.so, rdesktop, xdg-open - with unusual args). Uses auditd PATH+SYSCALL (open/creat/write/rename) with execve event linking.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: b48674152ff5564b...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  b48674152ff5…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0821 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.