AN1062: Analytic 1062
Abnormal loading of kernel modules, direct tampering with /dev, /proc, or LD_PRELOAD behaviors hiding processes or files.
Analyst context for executives and security teams
This analytic is about spotting Linux stealth behaviors that can make processes or files disappear from normal administrative and security views. For leaders, the issue is not just malware detection; it is whether incident responders and SOC tools can still trust what the operating system reports when kernel modules, /dev, /proc, or LD_PRELOAD behavior has been tampered with.
Executive priority
Prioritize this as a resilience and assurance question for Linux estates that support critical applications or security monitoring. If attackers or unauthorized software can hide activity at the kernel, device, process, or library-preload layer, investigations may be delayed and audit evidence may be incomplete. Executives should ask whether high-value Linux systems have telemetry that can reveal abnormal kernel module loading and user-space preload manipulation, and whether IR teams have a fallback method to validate host integrity when local views may be unreliable.
Technical view
For SOC, detection engineering, and IR teams, this object supports a Linux-focused analytic for abnormal kernel module loading and tampering indicators involving /dev, /proc, and LD_PRELOAD-style hiding of processes or files. Because ATT&CK provides no official detection logic or relationships for this analytic, teams should treat it as a validation requirement: confirm that Linux audit, EDR, system logs, file integrity monitoring, and process/module inventory can expose changes to kernel module state, preload configuration, and discrepancies between expected and observed process or file visibility.
Likely telemetry
- Linux kernel module load, unload, and inventory events
- Linux audit or equivalent host activity logs for privileged changes
- File integrity or configuration monitoring for LD_PRELOAD-related locations and preload configuration
- Process execution and environment telemetry showing suspicious preload usage
- Host telemetry around /dev and /proc access or manipulation where available
Detection direction
- Baseline expected kernel modules on important Linux systems and alert on abnormal module loads or unexpected module state changes.
- Validate monitoring for LD_PRELOAD behavior, including preload configuration changes and unusual process execution contexts using preload mechanisms.
- Look for visibility discrepancies, such as processes or files present through one collection method but absent from another, because the described behavior is explicitly about hiding processes or files.
- Tune detections carefully for legitimate administration, troubleshooting, performance, security, or vendor drivers that may load kernel modules or use preload behavior.
- Account for a major blind spot: if telemetry depends only on potentially tampered local OS views, stealth behavior may reduce confidence in detection and investigation results.
Mitigation priorities
- Reduce unnecessary privileged access on Linux systems, especially permissions that allow kernel module loading or modification of preload configuration.
- Maintain approved baselines for kernel modules and critical Linux configuration so deviations can be reviewed quickly.
- Use integrity monitoring and change control around sensitive Linux paths and configuration relevant to module loading, /dev, /proc visibility, and LD_PRELOAD behavior.
- Where supported by the environment, harden Linux hosts to limit unauthorized module loading and protect system integrity.
- Ensure incident response procedures include out-of-band or trusted validation methods when host-level process or file listings may be unreliable.
Analyst notes and limits
This is a detection analytic object, not a technique object, and the supplied ATT&CK fields do not specify tactics, relationships, procedures, or an official detection rule. The strongest decision value is to use it as a coverage test for Linux host integrity monitoring and stealth-behavior detection rather than as a claim of existing detection effectiveness.
The object is sparse: Linux is the only supplied platform, tactics are not specified, official detection is not provided, and no relationship context is supplied. Local baselines, telemetry quality, and host hardening design are required to determine practical coverage.
Analytic 1062
Abnormal loading of kernel modules, direct tampering with /dev, /proc, or LD_PRELOAD behaviors hiding processes or files.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 263308eedce6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1062Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.