MITRE ATT&CK® Analytic

AN1041: Analytic 1041

Use of file enumeration commands (e.g., 'ls', 'find', 'locate') executed by suspicious users or scripts accessing broad file hierarchies or restricted directories.

Domain: Enterprise | ID: AN1041 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting suspicious Linux file enumeration: commands such as ls, find, or locate run by unusual users or scripts across broad directory trees or restricted locations. For leaders, the value is not the command names themselves; it is whether the organization can distinguish normal administration from activity that may indicate discovery of sensitive files, credentials, source code, operational data, or other high-value assets.

Executive priority

Prioritize this as a Linux visibility and incident-readiness question: do SOC and IR teams have enough endpoint and command execution evidence to explain who searched which directories, from what process or script, and whether restricted areas were accessed? This supports business continuity, compliance evidence, and containment decisions, because file discovery can precede data access, privilege escalation, or broader hands-on-keyboard activity. The ATT&CK object itself does not provide impact, attribution, or active exploitation claims.

Technical view

Validate coverage for Linux command execution involving file enumeration utilities and suspicious access patterns across broad file hierarchies or restricted directories. Because ATT&CK provides no official detection logic and no relationship context for this analytic, teams should define local baselines for legitimate administrators, service accounts, scheduled jobs, backup/indexing processes, and application scripts before treating enumeration as suspicious.

Likely telemetry

  • Linux process creation and command-line arguments
  • User identity associated with process execution
  • Parent process, script, shell, or scheduler context
  • Working directory and target path information when available
  • Endpoint detection or audit logs showing access to restricted directories

Detection direction

  • Tune for file enumeration commands such as ls, find, and locate when executed by suspicious users or scripts, especially across broad directory hierarchies or restricted paths.
  • Compare activity against known administrative, backup, indexing, monitoring, and deployment workflows to reduce false positives.
  • Prioritize enrichment with user role, host role, parent process, execution source, and directory sensitivity.
  • Look for unusual breadth, repetition, timing, or execution by non-administrative accounts rather than alerting on command names alone.
  • Document blind spots where command-line logging, script visibility, or restricted-directory access telemetry is incomplete on Linux systems.
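One way to operationalize the directions above, as an added example that is not part of the ATT&CK object or of Glexia's page: a small Python scorer that reads process-creation records, skips a baseline of approved (user, parent process) pairs, and weights breadth, restricted paths, non-administrative users and script parents rather than alerting on the command name alone. The record format, directory lists, baseline entries, weights and sample lines are all constructed assumptions for the example; replace them with local telemetry and a locally agreed baseline.

```python
# Added example (not code from the ATT&CK object or from Glexia): score Linux
# process-creation records for suspicious file enumeration against a local
# baseline. Record format, directory lists, baseline entries, weights and the
# sample lines are constructed assumptions for illustration only.
import shlex
from collections import Counter

ENUM_COMMANDS = {"ls", "find", "locate", "plocate", "mlocate"}

# Assumed directory sensitivity map (constructed for this example).
BROAD_ROOTS = {"/", "/home", "/var", "/opt", "/srv", "/etc"}
RESTRICTED_PREFIXES = ("/root", "/etc/ssh", "/etc/sudoers.d", "/var/backups")

# Assumed baseline of approved (user, parent process) pairs that legitimately
# walk large parts of the filesystem, e.g. locate's database refresh from cron.
BASELINE = {
    ("root", "/usr/bin/updatedb"),
    ("backup", "/usr/local/bin/nightly-backup.sh"),
}
ADMIN_USERS = {"root", "ops"}
SCRIPT_PARENTS = {"sh", "bash", "dash", "zsh", "python3", "perl"}

# Assumed weights; tune against local false-positive rates.
WEIGHTS = {"broad_root": 2, "restricted_path": 3,
           "non_admin_user": 2, "script_parent": 1}


def parse_record(line):
    """Parse one constructed key=value process-creation line into a dict."""
    return dict(token.split("=", 1) for token in shlex.split(line))


def _is_restricted(path):
    return any(path == p or path.startswith(p + "/") for p in RESTRICTED_PREFIXES)


def score_record(rec):
    """Return (score, reasons) for a record, or None if it is not an
    enumeration command. Baseline matches score 0 but are still returned so
    an analyst can see that they were considered."""
    argv = shlex.split(rec.get("cmd", ""))
    if not argv or argv[0].rsplit("/", 1)[-1] not in ENUM_COMMANDS:
        return None
    if (rec["user"], rec["parent"]) in BASELINE:
        return 0, ["baseline"]
    # Approximation: absolute-path arguments are the enumerated targets; a
    # bare 'ls' with no path argument operates on the working directory.
    targets = [a.rstrip("/") or "/" for a in argv[1:] if a.startswith("/")]
    if not targets:
        targets = [rec["cwd"]]
    reasons = []
    if any(t in BROAD_ROOTS for t in targets):
        reasons.append("broad_root")
    if any(_is_restricted(t) for t in targets):
        reasons.append("restricted_path")
    if rec["user"] not in ADMIN_USERS:
        reasons.append("non_admin_user")
    if rec["parent"].rsplit("/", 1)[-1] in SCRIPT_PARENTS:
        reasons.append("script_parent")
    return sum(WEIGHTS[r] for r in reasons), reasons


def flag_records(lines, threshold=4):
    """Score every line; return records at or above the threshold, enriched
    with score and reasons for the triage queue."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        result = score_record(rec)
        if result is None:
            continue
        score, reasons = result
        if score >= threshold:
            hits.append({**rec, "score": score, "reasons": reasons})
    return hits


def repetition_by_actor(hits):
    """Count flagged events per (host, user): repeated enumeration by one
    actor is a stronger signal than any single command."""
    return Counter((h["host"], h["user"]) for h in hits)


# Constructed sample records (not real telemetry).
SAMPLE_LINES = [
    'ts=2024-03-01T02:00:01Z host=db01 user=root parent=/usr/bin/updatedb cwd=/ cmd="find / -xdev -print0"',
    'ts=2024-03-01T09:14:22Z host=web03 user=www-data parent=/bin/sh cwd=/var/www cmd="find / -xdev -type f -name *.conf"',
    'ts=2024-03-01T09:15:03Z host=web03 user=www-data parent=/bin/sh cwd=/var/www cmd="ls -la /root /etc/ssh"',
    'ts=2024-03-01T10:02:10Z host=build01 user=ci parent=/usr/bin/make cwd=/srv/build/proj cmd="ls src"',
    'ts=2024-03-01T11:40:00Z host=web03 user=ops parent=/usr/bin/sshd cwd=/home/ops cmd="ls -l /var/log"',
    'ts=2024-03-01T11:41:00Z host=web03 user=ops parent=/usr/bin/sshd cwd=/home/ops cmd="cat /etc/hostname"',
]

if __name__ == "__main__":
    hits = flag_records(SAMPLE_LINES)
    for h in hits:
        print(h["ts"], h["host"], h["user"], h["score"], h["reasons"], h["cmd"])
    print(dict(repetition_by_actor(hits)))
```

With the constructed records, the cron-driven updatedb walk and the interactive admin listing score 0, the CI job's `ls` in its own working directory stays below threshold, and only the two web-service-user commands from a shell parent are flagged, which is the breadth/user/parent pattern the bullets describe.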

Mitigation priorities

  • Establish least-privilege access to sensitive Linux directories so enumeration by ordinary users has limited business impact.
  • Maintain reliable Linux process and command-line logging for systems that host sensitive data or operational workloads.
  • Define and review approved administrative scripts, scheduled jobs, and service account behaviors to support detection tuning.
  • Use access control, account governance, and monitoring of restricted directories to strengthen investigative evidence.
  • Test IR playbooks for quickly determining whether suspicious enumeration was benign administration, misconfigured automation, or part of a broader incident.

Analyst notes and limits

This Glexia take is based on a detection analytic, not a technique object. The object is limited to Linux and describes suspicious file enumeration commands or scripts accessing broad or restricted paths. No tactics, relationships, aliases, labels, or official detection logic were supplied, so local baseline and telemetry validation are essential.

The supplied ATT&CK fields do not identify associated techniques, threat groups, malware, campaigns, mitigations, data sources, or a concrete detection query. They also do not support claims about active exploitation, attribution, business impact, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Analytic 1041

Use of file enumeration commands (e.g., 'ls', 'find', 'locate') executed by suspicious users or scripts accessing broad file hierarchies or restricted directories.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: ed765b164aad72a0...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | ed765b164aad…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack AN1041 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.