MITRE ATT&CK® Analytic

AN1071: Analytic 1071

Adversaries using bash scripts or tools to recursively enumerate user home directories, config files, or SSH keys.

Domain: Enterprise | Object: AN1071 | Type: Analytic | Object version: 1.0 | Status: Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic describes Linux activity where bash scripts or tools recursively inspect user home directories, configuration files, or SSH key material. For leaders, the practical concern is not the script itself but what it can expose: credentials, access paths, and sensitive local configuration that may support follow-on compromise. Because MITRE provides no official detection logic for this analytic, organizations should treat it as a validation prompt for Linux endpoint visibility and credential-protection monitoring rather than as a ready-to-deploy rule.

Executive priority

Prioritize this where Linux systems host administrators, developers, service accounts, automation keys, or sensitive configuration. The decision value is determining whether the SOC can see suspicious recursive access to home directories and SSH-related files, whether incident responders can prove what was accessed, and whether identity and access controls reduce the damage if private keys or config secrets are discovered. This is also relevant to audit and compliance evidence around privileged access, key handling, and endpoint logging on Linux systems.

Technical view

For SOC, detection engineering, and IR teams, validate Linux telemetry that can show shell-driven or tool-driven recursive file enumeration in user home paths, especially access patterns involving configuration directories and SSH key locations. Since the ATT&CK object does not specify tactics, relationships, or a detection procedure, build local hypotheses around unusual process/file-access combinations, command interpreters such as bash, recursive traversal indicators, and access to files that normally have a narrow administrative or user-specific access pattern. Baseline legitimate administrative, backup, indexing, compliance-scanning, and developer tooling before alerting aggressively.

Likely telemetry

  • Linux process execution telemetry, including shell invocation and command-line arguments where available
  • File access or file audit events for user home directories, configuration files, and SSH-related paths
  • Endpoint detection and response events from Linux hosts
  • Authentication and account context tying file access to users, service accounts, or privileged sessions
  • Sudo or privilege escalation logs where enumeration occurs under elevated context

Detection direction

  • Confirm whether Linux hosts generate and retain process and file-access telemetry sufficient to reconstruct recursive enumeration activity.
  • Tune for unusual breadth or speed of reads/listing operations across multiple home directories or sensitive configuration locations, not just single-file access.
  • Prioritize access to SSH key material and configuration files when performed by unexpected users, service accounts, scripts, or parent processes.
  • Account for expected noise from backups, vulnerability scanners, configuration management, endpoint inventory, developer searches, and administrative maintenance.
  • Correlate file enumeration with authentication context, privilege changes, and subsequent access attempts where local telemetry permits.
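The detection direction above (breadth of home-directory reads per process, cross-user access to SSH and config paths, baselining known tools, correlating with account context) can be exercised against file-access telemetry. The following is an added example written for this page, not MITRE or Glexia code: it parses a constructed, simplified JSON-lines event schema (the `ts`, `host`, `uid`, `pid`, `comm`, `path` field names are assumptions, not a real EDR or auditd format), groups events per process, and raises two kinds of alert. The `ALLOWLIST` tool names and the `HOME_OWNERS` map are likewise constructed; in practice they come from your own baseline and `/etc/passwd` or your identity source.

```python
"""Flag recursive enumeration of user home directories and SSH key material
from file-access telemetry.

Added example for AN1071: event format, sample events, allowlist and the
home-owner map are all constructed for illustration."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Paths under a home directory that normally have a narrow, user-specific
# access pattern (SSH material, shell init files, cloud/tool config).
SENSITIVE_RE = re.compile(
    r"^/home/[^/]+/(\.ssh/|\.aws/credentials$|\.bashrc$|\.profile$|\.config/|\.git-credentials$)"
)
HOME_RE = re.compile(r"^/home/([^/]+)/")

# Known recursive readers (backup, inventory) to baseline before alerting.
# Assumed names for the example; populate from your own environment.
ALLOWLIST = {"restic", "rsync", "osqueryd"}

WINDOW_SECONDS = 60        # breadth is measured inside a sliding window
MIN_DISTINCT_HOMES = 3     # distinct home dirs touched by one process


@dataclass
class Alert:
    host: str
    pid: int
    comm: str
    uid: int
    reason: str                               # "breadth" or "cross_user_sensitive"
    homes: list = field(default_factory=list)
    sensitive_paths: list = field(default_factory=list)


def parse_events(lines):
    """Parse JSON-lines file-access events; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if {"ts", "host", "uid", "pid", "comm", "path"} <= ev.keys():
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, home_owner_uid):
    """home_owner_uid maps username -> uid so cross-user access can be spotted."""
    alerts = []
    by_proc = defaultdict(list)           # (host, pid, comm, uid) -> [(ts, path)]
    for ev in events:
        by_proc[(ev["host"], ev["pid"], ev["comm"], ev["uid"])].append((ev["ts"], ev["path"]))

    for (host, pid, comm, uid), accesses in by_proc.items():
        if comm in ALLOWLIST:
            continue
        # 1. Breadth: largest set of distinct home dirs touched inside one window.
        best, start = set(), 0
        for end in range(len(accesses)):
            while accesses[end][0] - accesses[start][0] > WINDOW_SECONDS:
                start += 1
            homes = set()
            for _, path in accesses[start:end + 1]:
                m = HOME_RE.match(path)
                if m:
                    homes.add(m.group(1))
            if len(homes) > len(best):
                best = homes
        if len(best) >= MIN_DISTINCT_HOMES:
            alerts.append(Alert(host, pid, comm, uid, "breadth", homes=sorted(best)))
        # 2. Cross-user: a sensitive path whose owning user is not the accessing uid.
        cross = []
        for _, path in accesses:
            m = HOME_RE.match(path)
            if m and SENSITIVE_RE.match(path) and home_owner_uid.get(m.group(1)) != uid:
                cross.append(path)
        if cross:
            alerts.append(Alert(host, pid, comm, uid, "cross_user_sensitive",
                                sensitive_paths=cross))
    return alerts


# Constructed sample telemetry: one sweeping `find`, one user editing their own
# SSH config, an allowlisted backup tool, one cross-user `cat`, one bad line.
SAMPLE_EVENTS = """
{"ts": 1700000000, "host": "web01", "uid": 1002, "pid": 4242, "comm": "find", "path": "/home/alice/.ssh/id_rsa"}
{"ts": 1700000001, "host": "web01", "uid": 1002, "pid": 4242, "comm": "find", "path": "/home/bob/.ssh/authorized_keys"}
{"ts": 1700000002, "host": "web01", "uid": 1002, "pid": 4242, "comm": "find", "path": "/home/carol/.bashrc"}
{"ts": 1700000003, "host": "web01", "uid": 1002, "pid": 4242, "comm": "find", "path": "/home/dave/.config/gcloud/credentials.db"}
{"ts": 1700000100, "host": "web01", "uid": 1001, "pid": 5100, "comm": "vim", "path": "/home/alice/.ssh/config"}
{"ts": 1700000200, "host": "web01", "uid": 0, "pid": 6000, "comm": "restic", "path": "/home/alice/.ssh/id_rsa"}
{"ts": 1700000201, "host": "web01", "uid": 0, "pid": 6000, "comm": "restic", "path": "/home/bob/.ssh/id_rsa"}
{"ts": 1700000202, "host": "web01", "uid": 0, "pid": 6000, "comm": "restic", "path": "/home/carol/.ssh/id_rsa"}
{"ts": 1700000300, "host": "web01", "uid": 1003, "pid": 7000, "comm": "cat", "path": "/home/alice/.ssh/id_ed25519"}
not json at all
"""
HOME_OWNERS = {"alice": 1001, "bob": 1002, "carol": 1003, "dave": 1004}  # constructed


def run_sample():
    return detect(parse_events(SAMPLE_EVENTS.splitlines()), HOME_OWNERS)


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

On the sample the `find` process is reported twice (four homes in three seconds, and three sensitive files it does not own), the `cat` of another user's key is reported once, the allowlisted `restic` run is ignored, and a user touching their own `~/.ssh/config` produces nothing. The window threshold and the allowlist are exactly the knobs the baselining step in the list above is meant to set.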

Mitigation priorities

  • Reduce exposure of SSH keys and sensitive configuration through least privilege, correct file permissions, and disciplined key management on Linux systems.
  • Limit unnecessary access to other users’ home directories, especially from shared administrative or service accounts.
  • Harden and monitor privileged accounts used on Linux hosts, including sudo usage and automation accounts.
  • Maintain endpoint logging on Linux systems that supports incident reconstruction for process execution and sensitive file access.
  • Review operational tools such as backup, scanning, and configuration management so legitimate recursive access is identifiable and documented.
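The first two mitigation items (correct file permissions on SSH material and configuration, no unnecessary access to other users' home directories) are checkable. The following is an added example, not part of this page or of MITRE or Glexia tooling: it audits a tree of home directories for modes that expose keys or init files, and builds a constructed temporary tree (the `alice` and `bob` homes and their placeholder files are invented) so it runs offline; point `audit_homes()` at a real `/home` to use it for validation. Homes the auditing account cannot stat are reported rather than skipped silently, which is the expected result when the audit itself runs with least privilege.

```python
"""Audit home directories for SSH key and config permission exposure.

Added example for AN1071 mitigations; the sample tree is constructed."""
import os
import stat
import tempfile
from pathlib import Path

PRIVATE_KEY_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519"}
SHELL_INIT_FILES = (".bashrc", ".profile", ".bash_profile", ".zshrc")


def _mode(path):
    return stat.S_IMODE(path.stat().st_mode)


def audit_homes(home_root):
    """Return a list of (path, finding) tuples for permissive modes under home_root."""
    findings = []
    for home in sorted(Path(home_root).iterdir()):
        if not home.is_dir():
            continue
        try:
            hmode = _mode(home)
        except PermissionError:
            findings.append((str(home), "not readable by auditing account"))
            continue
        # Other users should not be able to traverse or list a home directory.
        if hmode & 0o007:
            findings.append((str(home), "home directory accessible to others (mode %o)" % hmode))
        ssh = home / ".ssh"
        if ssh.is_dir():
            smode = _mode(ssh)
            if smode & 0o077:
                findings.append((str(ssh), ".ssh accessible to group/others (mode %o)" % smode))
            for f in sorted(ssh.iterdir()):
                if not f.is_file():
                    continue
                fmode = _mode(f)
                # Private keys: owner-only. sshd itself refuses keys that are group/world readable.
                if f.name in PRIVATE_KEY_NAMES and fmode & 0o077:
                    findings.append((str(f), "private key readable/writable by group/others (mode %o)" % fmode))
                # authorized_keys writable by others lets them grant themselves access.
                if f.name == "authorized_keys" and fmode & 0o022:
                    findings.append((str(f), "authorized_keys writable by group/others (mode %o)" % fmode))
        # Shell init files writable by others run attacker-chosen commands at next login.
        for name in SHELL_INIT_FILES:
            p = home / name
            if p.is_file() and _mode(p) & 0o022:
                findings.append((str(p), "%s writable by group/others (mode %o)" % (name, _mode(p))))
    return findings


def build_sample_tree():
    """Construct a temporary home tree: one well-configured user, one exposed user."""
    root = Path(tempfile.mkdtemp(prefix="homes-"))
    alice = root / "alice"
    (alice / ".ssh").mkdir(parents=True)
    (alice / ".ssh" / "id_ed25519").write_text("constructed placeholder, not a real key\n")
    os.chmod(alice / ".ssh" / "id_ed25519", 0o600)
    os.chmod(alice / ".ssh", 0o700)
    os.chmod(alice, 0o700)

    bob = root / "bob"
    (bob / ".ssh").mkdir(parents=True)
    (bob / ".ssh" / "id_rsa").write_text("constructed placeholder, not a real key\n")
    (bob / ".ssh" / "authorized_keys").write_text("")
    (bob / ".bashrc").write_text("")
    os.chmod(bob / ".ssh" / "id_rsa", 0o644)          # key readable by everyone
    os.chmod(bob / ".ssh" / "authorized_keys", 0o666) # anyone can add a key
    os.chmod(bob / ".bashrc", 0o664)                  # group can plant commands
    os.chmod(bob / ".ssh", 0o755)
    os.chmod(bob, 0o755)                              # home listable by others
    return root


def run_sample():
    return audit_homes(build_sample_tree())


if __name__ == "__main__":
    for path, finding in run_sample():
        print(path, "->", finding)
```

Running it reports nothing for `alice` and five findings for `bob`; the same function over a real `/home` gives the evidence the "correct file permissions" item asks for, and the "not readable" entries tell you which homes a privileged run is needed for.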

Analyst notes and limits

This take is based only on the supplied ATT&CK analytic AN1071. The official object identifies Linux as the platform and describes recursive enumeration of user home directories, config files, or SSH keys using bash scripts or tools. No tactics, relationships, aliases, labels, or official detection content were supplied, so recommendations are framed as defensive validation guidance rather than a specific ATT&CK detection implementation.

Coverage depends heavily on local Linux logging, EDR configuration, file audit scope, and knowledge of legitimate administrative tooling. The supplied ATT&CK fields do not establish adversary attribution, active exploitation, business impact, or guaranteed detectability.

Official MITRE ATT&CK definition

Analytic 1071

Adversaries using bash scripts or tools to recursively enumerate user home directories, config files, or SSH keys.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: e1cb29020fd7d7f0...
Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | e1cb29020fd7…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1071 (source URL retained in the mirrored object)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.