AN0914: Analytic 0914
Detects ELF binaries written to disk that demonstrate anomalous file size or entropy, quickly followed by execution or memory region writes into remote processes (e.g., using ptrace).
Analyst context for executives and security teams
AN0914 is a Linux-focused detection analytic for suspicious ELF files: binaries written to disk with unusual size or entropy that are then quickly executed or associated with remote process memory writes such as ptrace-style activity. For leaders, the value is validating whether Linux server monitoring can connect file creation, binary characteristics, execution timing, and process memory activity into one investigation trail.
Executive priority
Prioritize this analytic where Linux systems support critical services or sensitive workloads. It helps test whether the organization can detect potentially suspicious new binaries before an incident becomes a broader response problem. The key business question is not simply whether Linux logs exist, but whether SOC and IR teams can correlate file, execution, and process-interaction evidence quickly enough to support containment decisions and audit-ready incident records.
Technical view
Validate collection and correlation on Linux for ELF file writes, file metadata such as size, entropy or other anomaly indicators, subsequent process execution, and remote process memory writes or ptrace-like behavior. Because ATT&CK provides no tactic mapping, no relationships, and no separate official detection logic for this analytic, teams should treat it as a behavioral correlation pattern rather than a complete rule. Tune around legitimate software deployment, package installation, debugging, and security tooling activity that may create or execute new ELF binaries or interact with other processes.
Likely telemetry
- Linux file creation/write events for ELF binaries
- File metadata including path, size, timestamps, and hash where available
- File entropy or binary anomaly scoring if supported by tooling
- Process execution events with parent/child relationships and command context
- Process access or memory-write telemetry, including ptrace-like activity where available
Detection direction
- Confirm telemetry can link an ELF write to rapid subsequent execution on the same host.
- Validate whether the environment can measure or approximate anomalous file size or entropy for newly written binaries.
- Correlate suspicious ELF creation with remote process memory writes rather than alerting on one weak signal alone.
- Tune known-good activity such as package managers, CI/CD agents, debuggers, performance profilers, EDR tools, and administrative scripts.
- Assess blind spots on Linux servers without endpoint telemetry, with limited audit policy, or where process access events are not collected.
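The correlation chain the list above describes, as an added illustration that is not part of the ATT&CK object or Glexia's analysis: a small Python model that scores a newly written ELF by size and entropy, then links it to an execve of the same path within a time window and to a ptrace call by the resulting process. The event schema, field names, thresholds and sample events are constructed assumptions, not a real sensor format.

```python
import math
from collections import Counter

ELF_MAGIC = b"\x7fELF"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_anomalous_elf(data: bytes, entropy_threshold: float = 7.2, min_size: int = 4096) -> bool:
    """Assumed scoring: an ELF is anomalous if it looks packed/encrypted (high entropy)
    or is implausibly small. Thresholds are placeholders to tune against a local baseline."""
    if not data.startswith(ELF_MAGIC):
        return False
    return shannon_entropy(data) >= entropy_threshold or len(data) < min_size

def correlate(events: list, window_s: float = 30.0) -> list:
    """Chain weak signals per host: anomalous ELF write -> execve of that path within
    window_s -> ptrace issued by the process that execve produced."""
    alerts, writes, execs = [], {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev.get("path"))
        if ev["kind"] == "file_write" and is_anomalous_elf(ev["content"]):
            writes[key] = ev["ts"]
        elif ev["kind"] == "execve" and key in writes and ev["ts"] - writes[key] <= window_s:
            execs[(ev["host"], ev["pid"])] = ev["path"]
            alerts.append(("elf_write_then_exec", ev["host"], ev["path"], ev["pid"]))
        elif ev["kind"] == "ptrace" and (ev["host"], ev["pid"]) in execs:
            alerts.append(("elf_exec_then_ptrace", ev["host"], execs[(ev["host"], ev["pid"])],
                           ev["pid"], ev["target_pid"]))
    return alerts

# Constructed payloads: a "packed" ELF with near-uniform bytes, and a benign-looking one
# that is mostly zero padding (low entropy, ordinary size).
PACKED_ELF = ELF_MAGIC + bytes(range(256)) * 16
BENIGN_ELF = ELF_MAGIC + b"\x00" * 8192

# Constructed sample events (not a real sensor format); ts is seconds since boot.
SAMPLE_EVENTS = [
    {"ts": 100.0, "host": "web01", "kind": "file_write", "path": "/tmp/.cache/ld-x", "content": PACKED_ELF},
    {"ts": 105.0, "host": "web01", "kind": "execve", "path": "/tmp/.cache/ld-x", "pid": 4242},
    {"ts": 106.0, "host": "web01", "kind": "ptrace", "pid": 4242, "target_pid": 1337},
    {"ts": 200.0, "host": "web01", "kind": "file_write", "path": "/usr/bin/newtool", "content": BENIGN_ELF},
    {"ts": 201.0, "host": "web01", "kind": "execve", "path": "/usr/bin/newtool", "pid": 5000},
    {"ts": 300.0, "host": "web01", "kind": "execve", "path": "/tmp/.cache/ld-x", "pid": 6000},  # outside window
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The low-entropy write and the late execve produce nothing, which is the point of requiring the chain rather than alerting on any single signal.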
Mitigation priorities
- Improve Linux endpoint visibility before relying on this analytic for operational decisions.
- Restrict unnecessary debugging or process tracing capabilities according to role and workload requirements.
- Strengthen software deployment governance so expected ELF creation and execution paths are known and auditable.
- Maintain allowlists or baselines for approved packages, build systems, and administrative tooling to reduce false positives.
- Ensure incident response procedures cover rapid triage of newly written binaries, associated users, parent processes, and affected hosts.
Analyst notes and limits
This object is a detection analytic, not a technique, and the supplied ATT&CK fields do not include tactics, relationships, aliases, or a standalone detection section. The description supports a Linux behavioral correlation focused on anomalous ELF files, execution, and remote process memory writes.
Assessment depends heavily on local telemetry quality and baseline knowledge. The supplied object does not identify adversary groups, active exploitation, affected products, severity, or guaranteed detection outcomes.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0a558938438a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0914
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.