AN0920: Analytic 0920
Detects files or processes where execution results in frequent re-creation or modification of ELF binaries or interpreter scripts, often using chmod + execve with abnormal entropy.
Analyst context for executives and security teams
This analytic is relevant to Linux environments because it focuses on suspicious execution patterns where ELF binaries or interpreter scripts are repeatedly re-created or modified and then executed. For leaders, the practical issue is not the specific tool name, but whether the organization can see rapid file mutation plus execution on Linux systems, especially when permissions changes such as chmod and execution via execve occur with abnormal file entropy.
Executive priority
Prioritize this as a Linux visibility and response-readiness question. Security leaders should ask whether critical Linux servers, cloud workloads, and administrative systems generate enough process and file telemetry to prove or disprove this behavior during an incident. The value is in validating logging depth, SOC triage procedures, and evidence quality for audits or post-incident review, not in assuming this analytic alone provides full coverage.
Technical view
SOC and detection teams should validate whether Linux telemetry can correlate file creation or modification events with chmod activity and subsequent execve execution, especially for ELF binaries and interpreter scripts. Because no ATT&CK tactic, technique relationship, or formal detection logic is supplied, implementation should be treated as behavior-based detection engineering requiring local baselining for normal build, deployment, packaging, scripting, and administrative workflows.
Likely telemetry
- Linux process execution telemetry, including execve-style events
- File creation and file modification events for ELF binaries and interpreter scripts
- Permission-change activity such as chmod
- File metadata, including path, owner, permissions, hashes, and timestamps
- File entropy or content-analysis signals where available
Detection direction
- Validate that telemetry can join file modification, permission change, and execution events within a useful time window.
- Baseline expected Linux software deployment, CI/CD, package management, script generation, and administrative automation to reduce false positives.
- Tune for frequency and abnormality rather than a single chmod or execution event, since legitimate operations can modify permissions and run scripts.
- Where entropy is used, confirm how entropy is calculated and what local file types commonly produce high-entropy results.
- Prioritize alert context that includes parent process, user, path, file type, and whether the file was newly created or repeatedly modified before execution.
Mitigation priorities
- Ensure critical Linux assets have process execution and file activity logging sufficient for investigation.
- Harden administrative access and change-control paths so unexpected binary or script mutation is easier to identify.
- Use least privilege and controlled writable directories to limit where executable content can be created or modified.
- Apply file integrity monitoring or equivalent controls on sensitive paths where practical.
- Review operational processes such as deployments and automation so approved high-frequency file changes are distinguishable from suspicious behavior.
Analyst notes and limits
This is a detection analytic object, not a technique description. The supplied ATT&CK fields identify Linux as the platform and describe a behavioral pattern involving frequent re-creation or modification of ELF binaries or interpreter scripts, chmod, execve, and abnormal entropy. No tactic, relationship context, or official detection implementation was supplied, so local engineering and baselining are required.
The object provides no formal detection logic, no related techniques or campaigns, no attribution, no active exploitation claim, and no non-Linux platform support. Any assessment of coverage, severity, or business exposure must be based on the organization’s own Linux asset criticality, logging architecture, and normal operational file-change patterns.
Analytic 0920
Detects files or processes where execution results in frequent re-creation or modification of ELF binaries or interpreter scripts, often using chmod + execve with abnormal entropy.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 825acd8382ae… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0920Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.