AN0873: Analytic 0873
Detection of browser-based downloads from HTML sources that trigger file creation in temp or user directories followed by execution of new files within short timeframes and suspicious parent-child lineage.
Analyst context for executives and security teams
This analytic matters because it focuses on a common endpoint risk pattern: a file downloaded through a browser from HTML content, written into a temporary or user directory, and executed shortly afterward. For leaders, the value is not in the browser detail alone; it is in validating whether Linux endpoint monitoring can connect download, file creation, and execution events quickly enough to support containment decisions.
Executive priority
Prioritize this as a Linux endpoint visibility and response-readiness check. Security leaders should ask whether SOC and incident response teams can prove they collect the evidence needed to reconstruct browser-driven file execution, especially in user-writable locations. This can support control prioritization for endpoint logging, managed detection scope, and audit evidence around suspicious file execution monitoring.
Technical view
For SOC, detection engineering, and IR teams, validate correlation across Linux browser activity, file creation in temp or user directories, process execution of newly created files, timing between creation and execution, and parent-child process lineage. Because no official detection logic is provided, teams should treat AN0873 as a detection objective rather than a ready rule. Tune around legitimate software installers, browser helper processes, package managers, and user workflows that may create and execute files shortly after download.
Likely telemetry
- Linux process creation events with command line, executable path, parent process, user, and timestamps
- File creation or modification events in temporary directories and user-writable directories
- Browser process activity and parent-child process relationships
- File path, file hash, ownership, permissions, and execution timestamp metadata
- Endpoint detection and response or audit logs capable of correlating file write and execution within short time windows
Detection direction
- Confirm telemetry can link a browser-originated download or HTML source interaction to subsequent file creation and execution.
- Build or validate correlation logic for newly created files executed shortly after appearing in temp or user directories.
- Include parent-child lineage checks so execution spawned directly or indirectly from browser-related processes is distinguishable from routine system activity.
- Tune false positives for legitimate downloads, installers, development workflows, update mechanisms, and user-run scripts.
- Document coverage gaps where Linux endpoints lack file creation auditing, process lineage, or reliable timestamp correlation.
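As an added illustration (not part of the ATT&CK object or of Glexia's tooling), this Python sketch applies the correlation described above to a constructed stream of Linux process-creation and file-creation events: it flags execution of a file that appeared in a temp or user-writable directory within a short window and whose parent chain leads back to a browser. Browser process names, watched directories, the 60-second window and the sample events are all assumptions.

```python
"""Correlate file creation and execution on a Linux host (constructed sample events)."""
from dataclasses import dataclass

BROWSERS = {"firefox", "chrome", "chromium", "brave"}   # assumed browser process names
WATCHED = ("/tmp/", "/var/tmp/", "/home/")             # assumed user-writable locations

@dataclass
class Event:
    ts: float      # seconds since start of the sample
    kind: str      # "exec" (process creation) or "create" (file creation)
    pid: int       # for "create": the process that wrote the file
    ppid: int
    comm: str      # process name
    path: str      # executable path for "exec", created file path for "create"

def browser_lineage(pid, procs, depth=8):
    """Walk the parent chain from pid; return ancestor names up to the first browser, else []."""
    chain = []
    while pid in procs and depth > 0:
        ppid, comm = procs[pid]
        chain.append(comm)
        if comm in BROWSERS:
            return chain
        pid, depth = ppid, depth - 1
    return []

def find_suspicious_execs(events, window_s=60.0):
    """Alert when a file created in a watched dir is executed within window_s by browser lineage."""
    procs, created, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "create" and ev.path.startswith(WATCHED):
            created[ev.path] = ev.ts
        elif ev.kind == "exec":
            procs[ev.pid] = (ev.ppid, ev.comm)          # lineage table built from exec events
            if ev.path in created and ev.ts - created[ev.path] <= window_s:
                lineage = browser_lineage(ev.ppid, procs)
                if lineage:                              # drop hits with no browser ancestor
                    alerts.append({"path": ev.path, "delta_s": ev.ts - created[ev.path],
                                   "lineage": lineage})
    return alerts

SAMPLE = [  # constructed telemetry, not real logs
    Event(0.0, "exec", 1000, 1, "firefox", "/usr/bin/firefox"),
    Event(10.0, "create", 1000, 1, "firefox", "/tmp/update.sh"),
    Event(12.0, "exec", 1001, 1000, "bash", "/usr/bin/bash"),
    Event(15.0, "exec", 1002, 1001, "update.sh", "/tmp/update.sh"),        # browser -> bash -> file
    Event(20.0, "create", 1000, 1, "firefox", "/home/alice/Downloads/tool"),
    Event(25.0, "exec", 1003, 500, "tool", "/home/alice/Downloads/tool"),  # no browser lineage
    Event(30.0, "create", 1000, 1, "firefox", "/tmp/build.sh"),
    Event(500.0, "exec", 1004, 1000, "build.sh", "/tmp/build.sh"),         # outside the window
]

if __name__ == "__main__":
    print(find_suspicious_execs(SAMPLE))   # one alert: /tmp/update.sh, 5 s, ['bash', 'firefox']
```

Only the first chain fires; the second lacks browser ancestry and the third falls outside the window, which is the tuning lever for installers and developer workflows.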
Mitigation priorities
- Ensure Linux endpoint logging and EDR/audit coverage captures process creation, file creation, and parent-child lineage for user workstations and relevant servers.
- Reduce unnecessary execution from user-writable and temporary locations where business operations allow.
- Apply least-privilege and endpoint hardening practices to limit what downloaded files can execute under user contexts.
- Establish IR playbooks for triaging newly downloaded files that execute shortly after creation, including file collection, hash review, user interview, and containment criteria.
- Use detection validation exercises to confirm alerts are actionable and not dependent on unsupported browser or filesystem telemetry.
Analyst notes and limits
AN0873 is a detection analytic for Linux describing a behavior pattern rather than a complete rule. The ATT&CK object supplies a practical detection concept but no tactics, relationships, or official detection implementation. Glexia would use it to drive validation of Linux endpoint telemetry, correlation quality, and SOC triage procedures around browser-driven file execution.
The supplied ATT&CK fields do not include detection logic, related techniques, adversary use, impact claims, or relationship context. Any assessment of risk, prevalence, or coverage requires local telemetry, endpoint architecture, browser usage patterns, and existing control evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7412a4eb33f8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0873
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.