MITRE ATT&CK® Analytic

AN1065: Analytic 1065

Detects use of gzip, base64, tar, or openssl in scripts or commands that encode/encrypt files after file staging or system enumeration.

Enterprise | AN1065 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic is about spotting Linux command or script activity where common utilities such as gzip, base64, tar, or openssl are used to package, encode, compress, or encrypt files after signs of file staging or system enumeration. For leaders, the value is not the tools themselves—these are normal admin utilities—but whether the organization can distinguish routine operations from preparation to move, hide, or protect staged data during an incident.

Executive priority

Prioritize this as a validation item for Linux monitoring maturity and incident response readiness. Because the named utilities are legitimate and widely used, leadership should ask whether SOC teams have enough command, script, file-staging, and enumeration context to make confident decisions without excessive false positives. This can support control prioritization around endpoint telemetry, Linux logging, and evidence quality for investigations and compliance reporting.

Technical view

For Linux environments, validate whether detections can correlate use of gzip, base64, tar, or openssl in commands or scripts with preceding file staging or system enumeration. The supplied ATT&CK object does not provide a full detection rule or tactic mapping, so teams should treat AN1065 as analytic intent rather than deployable logic. SOC and IR teams should test whether available telemetry captures process execution, command-line arguments, script content or invocation, file creation/modification, and contextual activity that indicates staging or enumeration before encoding, compression, archiving, or encryption behavior.

Likely telemetry

  • Linux process execution events
  • Command-line arguments for gzip, base64, tar, and openssl
  • Shell and script execution records
  • File creation, modification, and archive/compressed file activity
  • Evidence of file staging before utility execution

Detection direction

  • Correlate utility execution with prior file staging or system enumeration rather than alerting on the tools alone.
  • Tune for administrative and backup workflows that legitimately use gzip, tar, base64, or openssl.
  • Validate visibility into command-line arguments and parent/child process relationships on Linux hosts.
  • Review whether script-based execution is visible, since the analytic explicitly includes scripts or commands.
  • Use local baselines to separate routine compression, encoding, or encryption jobs from unusual user, path, host, or timing patterns.
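As an added illustration of the correlation the list above describes (not part of the ATT&CK object or of Glexia's page), the following Python sketch runs that logic over constructed process records; the log format, command sets, 30-minute window and allowlist are assumptions to be replaced with local telemetry and baselines:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-execution records: "timestamp host user cmdline"
# (a hypothetical log shape, not a real auditd or EDR format).
SAMPLE_LOG = """\
2024-05-01T02:00:00 db01 backup tar -czf /var/backups/db.tgz /var/lib/pgsql
2024-05-01T10:00:05 web01 alice find /home/alice/docs -type f -mtime -7
2024-05-01T10:00:40 web01 alice cp -r /home/alice/docs /tmp/.cache
2024-05-01T10:02:10 web01 alice tar -czf /tmp/.cache/out.tgz /tmp/.cache
2024-05-01T10:02:30 web01 alice openssl enc -aes-256-cbc -in /tmp/.cache/out.tgz -out /tmp/.cache/out.enc
2024-05-01T10:03:00 web01 alice base64 -d /tmp/.cache/note.b64
2024-05-01T11:00:00 web01 bob gzip /var/log/app/old.log
"""

ENUM_CMDS = {"find", "uname", "id", "whoami", "ps", "ss", "netstat"}   # system enumeration
STAGE_CMDS = {"cp", "mv", "rsync", "mkdir"}                             # file staging
STAGE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
PACK_CMDS = {"gzip", "tar", "base64", "openssl"}                        # the analytic's utilities
WINDOW = timedelta(minutes=30)
ALLOWLIST = {("db01", "backup")}   # constructed baseline: an approved backup job

def parse(line):
    ts, host, user, cmdline = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, user, cmdline.split(), cmdline

def is_reverse(comm, args):
    """True when the utility is unpacking/decoding/decrypting rather than packaging."""
    if comm == "tar":
        return bool(args) and "x" in args[0]        # tar -xzf / tar xf
    return "-d" in args or "--decode" in args

def detect(log_text):
    """Alert on gzip/tar/base64/openssl packaging by a host+user that enumerated
    or staged files within WINDOW beforehand; context is attached for triage."""
    context = defaultdict(list)          # (host, user) -> [(ts, cmdline)]
    alerts = []
    for line in log_text.splitlines():
        ts, host, user, args, cmdline = parse(line)
        key, comm = (host, user), args[0]
        staged = comm in STAGE_CMDS and any(d in cmdline for d in STAGE_DIRS)
        if comm in ENUM_CMDS or staged:
            context[key].append((ts, cmdline))
        elif comm in PACK_CMDS and key not in ALLOWLIST and not is_reverse(comm, args[1:]):
            recent = [c for t, c in context[key] if ts - t <= WINDOW]
            if recent:                       # the tool alone is not enough; require prior staging/enum
                alerts.append({"host": host, "user": user, "cmd": cmdline, "context": recent})
    return alerts
```

On the sample, only alice's tar and openssl invocations fire, each carrying the preceding find and cp as context; the allowlisted backup job, bob's lone gzip, and the base64 decode are all silent.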

Mitigation priorities

  • Ensure Linux endpoint and audit logging capture process, command-line, script, and relevant file activity needed to support this analytic.
  • Baseline approved administrative, backup, packaging, and encryption workflows that use the named utilities.
  • Harden access to sensitive directories and staged data locations according to least privilege.
  • Prepare incident response playbooks to preserve command history, process telemetry, and staged file evidence when this behavior is observed.
  • Use the analytic as a coverage assessment item rather than a standalone control, because the official object does not include a complete detection implementation.

Analyst notes and limits

AN1065 is a detection analytic, not a technique description. The object is limited to Linux and describes analytic intent: detecting gzip, base64, tar, or openssl use in scripts or commands after file staging or system enumeration. No ATT&CK tactics, relationships, aliases, labels, or official detection logic were supplied.

The supplied fields do not support claims about active exploitation, adversary attribution, impact, non-Linux platforms, or guaranteed detection. Local telemetry, baselines, and investigation context are required to determine whether observed activity is benign administration or security-relevant behavior.

Official MITRE ATT&CK definition

Analytic 1065

Detects use of gzip, base64, tar, or openssl in scripts or commands that encode/encrypt files after file staging or system enumeration.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

  • ATT&CK release: 19.1
  • Object version: 1.0
  • Created:
  • Modified:
  • Raw hash: c985a29d40e18747...

Imported snapshots across ATT&CK releases (1)

  Release | Bundle imported | Object version | Modified | Status | Raw hash
  19.1 | | 1.0 | | Current bundle | c985a29d40e1…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1065

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.