Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0928: Analytic 0928

Shell scripts or binaries implement custom mapping tables (tr/sed/awk/golang/rust/python encode loops), or emit long high-entropy tokens that fail Base64/Hex validation → correlated with egress showing asymmetric flow, protocol-mismatch payloads, or DNS/HTTP bodies containing low-diversity-but-long custom alphabets.

EnterpriseAN0928AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting Linux scripts or binaries that appear to use custom encoding or obfuscation rather than standard Base64 or Hex, especially when that behavior lines up with suspicious outbound traffic. For security leaders, the practical value is identifying data movement or command-and-control patterns that may bypass simple signature checks because the encoding is nonstandard.

Executive priority

Prioritize this as a validation point for SOC and incident response readiness where Linux systems handle sensitive data, automation, or internet-facing workloads. The business question is not simply whether Base64 detection exists, but whether teams can recognize unusual high-entropy or custom-alphabet content and correlate it with egress anomalies. This supports better decisions around outbound monitoring, Linux endpoint visibility, and evidence quality during investigations.

Technical view

For Linux environments, validate whether detection pipelines can identify shell scripts or binaries using custom mapping tables or encode loops involving tools or languages such as tr, sed, awk, Go, Rust, or Python, as described by the ATT&CK analytic. Since no official detection logic is supplied, teams should treat this as a behavioral detection design requirement: correlate suspicious local encoding behavior with outbound indicators such as asymmetric flows, protocol-mismatch payloads, or DNS/HTTP bodies containing long low-diversity custom alphabets that fail Base64 or Hex validation.

Likely telemetry

  • Linux process execution telemetry, including command lines where available
  • Script execution and interpreter activity for shell, Python, and related tooling
  • Binary execution metadata on Linux hosts
  • Network egress flow records showing directionality and volume asymmetry
  • DNS query and response logs or payload metadata where collected

Detection direction

  • Confirm whether Linux endpoint and network telemetry can be correlated by host, user, process, and time window.
  • Test for blind spots where scripts run without command-line capture, where compiled binaries obscure encode loops, or where outbound payload inspection is limited.
  • Tune carefully for legitimate administrative scripts, data transformation jobs, compression/serialization workflows, and application-specific encodings that may resemble custom alphabets.
  • Focus on combinations of signals rather than a single high-entropy token: local encode-like behavior plus suspicious egress characteristics is more meaningful than either signal alone.
  • Because no ATT&CK relationship context or tactic is supplied, avoid assuming a specific attack phase; use the analytic as a cross-cutting detection validation for suspicious encoding and outbound transfer behavior.

Mitigation priorities

  • Ensure Linux endpoint visibility covers process execution, script interpreters, and relevant command-line or binary metadata.
  • Strengthen egress monitoring for DNS and HTTP, including flow asymmetry and protocol mismatch indicators where legally and operationally appropriate.
  • Maintain allowlists or baselines for known business processes that legitimately generate encoded or high-entropy outbound content.
  • Use network segmentation and outbound access controls to reduce unnecessary direct egress from Linux systems.
  • Document telemetry availability and analytic assumptions as compliance and incident-response evidence, especially where payload visibility is restricted.
Analyst notes and limits

The object is a MITRE ATT&CK detection analytic for enterprise Linux environments. Its description gives useful behavioral features, but no official detection implementation, tactics, or relationships are supplied. The strongest defensive use is as a coverage assessment: can the SOC connect suspicious local encoding behavior to unusual outbound traffic patterns?

This take is constrained to the supplied ATT&CK fields. There is no official detection text, no associated tactics, no related techniques or groups, and no evidence of active exploitation or attribution. Local baselines, logging depth, privacy constraints, and network inspection capabilities will determine practical detectability.

Official MITRE ATT&CK definition

Analytic 0928

Shell scripts or binaries implement custom mapping tables (tr/sed/awk/golang/rust/python encode loops), or emit long high-entropy tokens that fail Base64/Hex validation → correlated with egress showing asymmetric flow, protocol-mismatch payloads, or DNS/HTTP bodies containing low-diversity-but-long custom alphabets.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
6f92f27d06d3b6d9...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 6f92f27d06d3…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0928
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use