AN0934: Analytic 0934
Shell utilities or scripts deleting `/etc/systemd/system/rescue.target`, `/etc/fstab` backups, or `/boot/efi` partitions; chattr used to block snapshot auto-recovery
Analyst context for executives and security teams
This analytic points to a Linux resiliency-risk behavior: shell activity or scripts removing recovery-related system files, backups, EFI boot partitions, or using chattr to interfere with snapshot auto-recovery. For leaders, the significance is not just file deletion—it is the potential loss of recovery paths during an incident. If these events are not visible, an organization may discover too late that restore, boot recovery, or rollback assumptions were weakened.
Executive priority
Prioritize this as an operational resilience and incident readiness validation item for Linux environments. Executives and risk owners should ask whether recovery-critical Linux assets have monitored boot, recovery, and filesystem configuration paths; whether snapshot and backup recovery controls can be independently verified; and whether SOC and IR teams have evidence to distinguish authorized maintenance from actions that could impair recovery. This is especially relevant to continuity planning, audit evidence for backup/recovery controls, and incident decision-making during destructive or disruptive events.
Technical view
For SOC, detection engineering, and IR teams, validate visibility into Linux shell utilities and scripts touching recovery-sensitive paths named in the ATT&CK analytic: /etc/systemd/system/rescue.target, /etc/fstab backup files, and /boot/efi partitions. Also validate monitoring for chattr usage where it may affect recovery behavior. Because ATT&CK provides no official detection logic and no tactic mapping for this analytic, local implementation should focus on high-signal changes to these paths and commands, correlated with user, process, host role, maintenance windows, and change-management context.
Likely telemetry
- Linux process execution telemetry for shell utilities and scripts
- Command-line arguments, including chattr usage
- File deletion or modification events for /etc/systemd/system/rescue.target
- File deletion or modification events involving /etc/fstab backups
- Filesystem or partition activity involving /boot/efi
Detection direction
- Confirm whether Linux endpoint, audit, or EDR telemetry records process execution and command-line details for shell utilities and scripts.
- Create or validate alerts for deletion or suspicious modification of recovery-sensitive files and paths identified by the analytic.
- Tune detections against legitimate system administration, OS upgrade, recovery testing, and maintenance activity to reduce false positives.
- Correlate chattr use with the affected file path, executing account, parent process, and whether the activity aligns with approved administrative work.
- Prioritize high-value Linux systems where loss of boot, rescue, backup, or snapshot recovery capability would materially affect business continuity.
Mitigation priorities
- Inventory Linux systems where the referenced recovery files, fstab backups, EFI partitions, or snapshot mechanisms are material to recovery.
- Ensure backup and recovery controls are protected, monitored, and periodically tested rather than assumed.
- Restrict privileged administrative access to recovery-critical paths and validate that changes require appropriate authorization.
- Protect and monitor filesystem attributes and configuration files that can affect recovery behavior.
- Use change control and maintenance windows to separate legitimate recovery or boot configuration work from suspicious activity.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Linux and describes a narrow set of recovery-impairing file and attribute changes. No relationships, tactic mapping, official detection logic, aliases, or additional platform scope were supplied. The strongest use is as a validation prompt for Linux recovery telemetry and operational resilience controls.
This take is limited to the official STIX fields, external reference, and the absence of relationship context. It does not establish adversary attribution, active exploitation, impact, prevalence, or guaranteed detection. Local file paths, backup tooling, snapshot design, and administrative workflows must be reviewed before implementing production alerts.
Analytic 0934
Shell utilities or scripts deleting `/etc/systemd/system/rescue.target`, `/etc/fstab` backups, or `/boot/efi` partitions; chattr used to block snapshot auto-recovery
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | db9c48fb0a2c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0934Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.