MITRE ATT&CK® Analytic

AN0950: Analytic 0950

Detects modification of system or application binaries by monitoring /usr/bin, /bin, and other privileged directories. Correlates file integrity monitoring (FIM) events with unexpected process executions or service restarts.

Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic is about detecting suspicious changes to privileged Linux system or application binaries, such as files under /usr/bin, /bin, and similar directories. For business leaders, the value is not just file-change alerting; it is confidence that critical Linux servers have integrity monitoring capable of identifying unauthorized binary replacement and correlating it with execution or service restart activity that could affect system trust and operational resilience.

Executive priority

Prioritize this where Linux systems support critical applications, regulated workloads, identity infrastructure, or operational services. Leaders should ask whether privileged binary directories are monitored, whether alerts are triaged with enough context to distinguish approved patching from unexpected modification, and whether incident responders can quickly determine which systems executed a changed binary. This supports resilience, audit evidence, and incident decision-making, but it depends on local telemetry quality because ATT&CK provides no broader relationship context for this analytic.

Technical view

For SOC, detection engineering, and IR teams, validate Linux file integrity monitoring coverage for /usr/bin, /bin, and other privileged directories. The analytic specifically calls for correlating FIM events with unexpected process executions or service restarts, so testing should confirm that file modification events, process execution records, and service lifecycle events can be joined by host, path, timestamp, user, and process context. Because no ATT&CK tactic or related technique is supplied, implement this as a high-value host-integrity detection pattern rather than assuming a specific intrusion stage.

Likely telemetry

  • Linux file integrity monitoring events for /usr/bin, /bin, and other privileged directories
  • File creation, modification, permission, ownership, and hash-change records
  • Process execution telemetry showing binary path, command line, parent process, user, and timestamp
  • Service restart or service state-change logs
  • Package manager, patching, and administrative change records for false-positive reduction

Detection direction

  • Confirm FIM scope includes privileged binary directories and that monitoring detects content, ownership, permission, and hash changes where available.
  • Correlate binary modification with subsequent or nearby process execution from the same path and with service restarts on the same host.
  • Tune expected activity from package updates, configuration management, approved maintenance windows, and known administrative workflows to reduce false positives.
  • Prioritize alerts on critical Linux assets, uncommon modifying processes, unexpected users, or modifications outside approved change windows.
  • Check blind spots such as unmanaged Linux hosts, containers or ephemeral systems without persistent FIM, missing process telemetry, and logs that cannot be joined across time or host identity.
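As an added illustration of the correlation this list describes (example code written for this page, not Glexia's or MITRE's detection logic), the following Python joins constructed FIM, process-execution and service-restart events by host and time, suppresses changes made by approved package managers, and raises severity when a changed binary is executed or a service restarts shortly afterwards. The privileged-directory list, the package-manager allowlist, the 10-minute window and the sample events are all assumptions to tune locally.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
PRIVILEGED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/")
APPROVED_MODIFIERS = {"dpkg", "rpm", "apt", "yum", "dnf"}  # assumed allowlist; tune locally
WINDOW = timedelta(minutes=10)  # assumed correlation window for follow-on activity

@dataclass
class Event:
    host: str
    ts: datetime
    kind: str       # "fim" (binary changed), "exec" (binary executed) or "service" (unit restarted)
    path: str       # binary path for fim/exec, unit name for service
    proc: str = ""  # modifying process (fim) or parent process (exec)
    user: str = ""

def correlate(events):
    """One alert per privileged-binary change not made by an approved package manager,
    enriched with later executions of that path and service restarts on the same host."""
    by_host = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        for f in evs:
            if f.kind != "fim" or not f.path.startswith(PRIVILEGED_DIRS):
                continue  # not a change, or outside the monitored privileged scope
            if f.proc in APPROVED_MODIFIERS:
                continue  # approved patching: record it, but do not alert
            later = [e for e in evs if f.ts < e.ts <= f.ts + WINDOW]
            execs = [e for e in later if e.kind == "exec" and e.path == f.path]
            restarts = [e.path for e in later if e.kind == "service"]
            alerts.append({"host": host, "path": f.path, "modified_by": f.proc, "user": f.user,
                           "executed": len(execs), "service_restarts": restarts,
                           "severity": "high" if execs or restarts else "medium"})
    return alerts

T = datetime(2026, 1, 15, 3, 0)
SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    Event("web01", T, "fim", "/usr/bin/curl", "dpkg", "root"),                          # approved update
    Event("web01", T + timedelta(seconds=5), "exec", "/usr/bin/curl", "bash", "root"),
    Event("db01", T + timedelta(minutes=1), "fim", "/usr/sbin/sshd", "cp", "deploy"),   # unexpected rewrite
    Event("db01", T + timedelta(minutes=2), "exec", "/usr/sbin/sshd", "systemd", "root"),
    Event("db01", T + timedelta(minutes=2), "service", "ssh.service", "systemd", "root"),
    Event("app01", T + timedelta(minutes=3), "fim", "/usr/local/bin/app", "python3", "svc"),  # no follow-on yet
    Event("app01", T + timedelta(minutes=4), "fim", "/home/svc/tool", "cp", "svc"),       # out of scope
]

def run_sample():
    return correlate(SAMPLE_EVENTS)
```

Running `run_sample()` yields a high-severity alert for db01 (changed sshd binary executed and ssh.service restarted) and a medium one for app01, while the dpkg-driven curl update and the change under /home produce nothing.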

Mitigation priorities

  • Establish authoritative baselines for privileged Linux binary directories and maintain change records for approved updates.
  • Deploy and validate file integrity monitoring on in-scope Linux systems, especially critical servers.
  • Collect process execution and service restart telemetry so FIM events can be investigated in context.
  • Integrate package management and change-management data into triage workflows.
  • Harden administrative access and limit who or what can modify privileged directories, using existing Linux access-control practices appropriate to the environment.

Analyst notes and limits

This is a detection analytic, not a technique description. The supplied ATT&CK fields support Linux-only coverage and focus on monitoring privileged binary directories with correlation to process execution or service restarts. No relationships, tactics, aliases, or detailed official detection logic were supplied, so local engineering must define thresholds, allowlists, and escalation criteria.

The object does not provide a tactic, related ATT&CK techniques, analytic logic, data source mappings, severity, adversary usage, or relationship context. This take should therefore be treated as defensive guidance for validating Linux host-integrity telemetry, not evidence of specific attacker behavior or guaranteed detection coverage.

Official MITRE ATT&CK definition

Analytic 0950

Detects modification of system or application binaries by monitoring /usr/bin, /bin, and other privileged directories. Correlates file integrity monitoring (FIM) events with unexpected process executions or service restarts.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources "Updates" page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: fbdfc569d6f40d89...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | fbdfc569d6f4…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.