AN0896: Analytic 0896
Processes like git, curl, or python scripts executing commands that package files (tar, gzip) followed by HTTPS uploads to code repository endpoints. Defender view: detect unusual git push activity or scripted HTTPS requests outside normal developer work hours.
Analyst context for executives and security teams
This analytic is about spotting Linux processes such as git, curl, or scripts that package files and then upload them over HTTPS to code repository endpoints. For leaders, the practical value is validating whether the organization can distinguish normal developer publishing activity from unusual scripted movement of packaged data, especially outside expected work patterns.
Executive priority
Prioritize this as a data movement and operational oversight question for Linux development or automation environments. The business decision is not just whether logs exist, but whether security, engineering, and incident response teams can explain what normal repository upload activity looks like, who is authorized to perform it, and what evidence would support an investigation or audit if unusual uploads occur.
Technical view
SOC and detection teams should validate monitoring for Linux process execution involving git, curl, python or similar scripts, file packaging utilities such as tar or gzip, and subsequent HTTPS connections to code repository endpoints. Because ATT&CK does not provide a separate detection field or tactic mapping for this analytic, implementation should be based on the official behavior description: unusual git push activity or scripted HTTPS requests outside normal developer work hours. Tuning should account for legitimate CI/CD jobs, developer workflows, release automation, backups, and scheduled packaging tasks.
Likely telemetry
- Linux process execution telemetry showing command names, command-line arguments, parent-child process relationships, user context, and timestamps
- File activity or command evidence for archive/package creation using tools such as tar or gzip
- Network telemetry for outbound HTTPS connections, including destination hostnames or endpoints associated with code repositories
- Authentication or repository activity logs showing git push or upload events where available
- Scheduling or automation context for CI/CD jobs, cron tasks, or scripted developer workflows
Detection direction
- Baseline normal developer and automation activity by user, host, repository destination, time of day, and expected tooling before alerting on deviations.
- Correlate packaging commands followed by HTTPS uploads rather than treating either action alone as inherently suspicious.
- Tune for known CI/CD, release, backup, and maintenance activity to reduce false positives.
- Review activity outside normal developer work hours as suggested by the official description, but avoid relying on time-of-day alone because distributed teams and automation can create legitimate exceptions.
- Confirm visibility on Linux endpoints and outbound HTTPS metadata; encrypted transport may limit content inspection, so endpoint and repository logs may be decisive.
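As an added worked example (not part of the analytic or of Glexia's page), the following Python applies the direction above to constructed Linux telemetry: a packaging command followed within a short window by an HTTPS connection to a repository host from the same host and user raises an alert, neither action alone does, known automation accounts are suppressed, and off-hours timing adds a reason rather than being the sole trigger. The repository host list, automation accounts, work-hour range and correlation window are assumptions to be tuned from the local baseline.

```python
from datetime import datetime, timedelta

# Constructed sample Linux telemetry (not from the page), one event per line:
# time|host|user|kind|detail, where proc = command line and net = https:dest:port process
SAMPLE_LOG = """\
2026-03-02T10:05:11|build01|ci-runner|proc|tar -czf release.tgz dist/
2026-03-02T10:05:40|build01|ci-runner|net|https:github.com:443 git
2026-03-02T14:22:03|dev07|alice|proc|git push origin feature/login
2026-03-02T14:22:04|dev07|alice|net|https:github.com:443 git
2026-03-03T02:41:17|dev07|alice|proc|tar -cf /tmp/src.tar /home/alice/repo
2026-03-03T02:41:30|dev07|alice|proc|gzip /tmp/src.tar
2026-03-03T02:43:02|dev07|alice|net|https:api.github.com:443 curl
2026-03-03T03:10:00|dev07|alice|net|https:gitlab.com:443 python3
"""

REPO_HOSTS = {"github.com", "api.github.com", "gitlab.com", "bitbucket.org"}
PACKAGERS = ("tar ", "gzip ", "zip ")          # packaging commands (assumed set)
UPLOADERS = {"git", "curl", "python3", "python"}
AUTOMATION_ACCOUNTS = {"ci-runner"}             # locally tuned CI identities (assumed)
WORK_HOURS = range(8, 19)                       # 08:00-18:59 local baseline (assumed)
WINDOW = timedelta(minutes=10)                  # max gap between packaging and upload

def parse(log):
    rows = []
    for line in log.strip().splitlines():
        ts, host, user, kind, detail = line.split("|", 4)
        rows.append((datetime.fromisoformat(ts), host, user, kind, detail))
    return rows

def correlate(log):
    """Alert only when packaging is followed within WINDOW by an HTTPS upload
    to a repository host from the same host and user (neither alone alerts)."""
    alerts, last_pack = [], {}                  # last_pack: (host, user) -> time
    for ts, host, user, kind, detail in parse(log):
        key = (host, user)
        if kind == "proc" and detail.startswith(PACKAGERS):
            last_pack[key] = ts
        elif kind == "net":
            dest, proc = detail.split(" ", 1)
            scheme, dhost, _port = dest.split(":")
            packed = last_pack.get(key)
            if (scheme != "https" or dhost not in REPO_HOSTS or proc not in UPLOADERS
                    or packed is None or ts - packed > WINDOW or user in AUTOMATION_ACCOUNTS):
                continue                        # tuning: known automation is suppressed
            reasons = ["packaging then https upload to repo host"]
            if ts.hour not in WORK_HOURS:
                reasons.append("outside work hours")
            alerts.append({"host": host, "user": user, "proc": proc, "dest": dhost,
                           "time": ts.isoformat(), "reasons": reasons})
    return alerts
```

On the sample data only the 02:43 curl upload alerts: the CI job is suppressed by the automation list, the plain git push has no preceding packaging, and the 03:10 connection falls outside the window.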
Mitigation priorities
- Define and document approved repository upload paths, authorized users, and expected automation accounts for Linux development environments.
- Ensure Linux endpoint logging and network metadata collection can support investigation of packaging followed by upload behavior.
- Use access governance around code repositories and automation credentials so repository upload capability is limited to legitimate roles and services.
- Coordinate with engineering teams to inventory normal git push, scripted HTTPS upload, and packaging workflows for reliable detection tuning.
- Retain relevant endpoint, network, and repository logs long enough to support incident response and compliance evidence needs.
Analyst notes and limits
This object is a detection analytic, not a technique record. The supplied ATT&CK fields identify Linux as the platform and describe behavior involving packaging files and HTTPS uploads to code repository endpoints. No relationship context, tactic mapping, aliases, or separate official detection text was supplied, so this assessment focuses on validation and telemetry rather than asserting a specific adversary objective.
Coverage and risk depend on the local environment: whether Linux development systems are monitored, whether repository activity logs are available, how CI/CD and developer workflows operate, and whether outbound HTTPS destinations can be resolved to meaningful endpoints. The supplied object does not support claims about active exploitation, attribution, impact, or guaranteed detection.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 63c23e5cfd1e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0896
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.