MITRE ATT&CK® Analytic

AN1081: Analytic 1081

Detects bash, sh, zsh, or BusyBox shell execution initiated via remote sessions, unauthorized users, or embedded within secondary script interpreters. Focus is on chained behavior: shell > suspicious commands > network discovery or persistence indicators.

Enterprise | AN1081 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN1081 is a Linux-focused detection analytic for suspicious shell activity where bash, sh, zsh, or BusyBox shells are launched through remote sessions, unauthorized users, or secondary script interpreters, then followed by suspicious commands, network discovery, or persistence indicators. For leaders, the value is validating whether the organization can see and investigate interactive or chained shell behavior that may indicate hands-on-keyboard activity, script-driven intrusion, or misuse of remote access paths.

Executive priority

Prioritize this analytic where Linux systems support critical services, remote administration, or embedded/BusyBox-based environments. The business question is not simply whether shell execution is logged, but whether SOC and IR teams can connect remote session context, user legitimacy, child process chains, network discovery behavior, and persistence indicators quickly enough to support containment decisions and audit evidence.

Technical view

Validate Linux telemetry for process execution chains involving bash, sh, zsh, or BusyBox shells, especially when initiated from remote sessions, unexpected users, or secondary script interpreters. Because no ATT&CK tactics, relationships, or official detection logic are supplied, teams should treat AN1081 as a behavior-driven analytic concept: shell execution alone is noisy, while shell execution followed by suspicious commands, network discovery, or persistence-related indicators is the higher-value triage path.

Likely telemetry

  • Linux process creation events with parent/child process relationships
  • Command-line arguments for shell and script interpreter execution
  • Remote session evidence, such as SSH or other administrative session logs where available
  • User account and authentication context to distinguish expected administrators from unauthorized or unusual users
  • Network discovery command evidence from endpoint logs

Detection direction

  • Tune for chained behavior rather than standalone shell launches to reduce false positives from normal administration and automation.
  • Correlate shell execution with remote session origin, user identity, parent interpreter, command-line content, and subsequent discovery or persistence indicators.
  • Review allowlists for approved administrators, maintenance tools, and automation accounts, but avoid suppressing visibility into unusual command chains from those accounts.
  • Confirm coverage on Linux systems using BusyBox as well as standard bash, sh, or zsh environments, since embedded or minimal systems may log differently.
  • Use this analytic as a validation prompt for SOC workflows: can analysts reconstruct who started the shell, from where, under what parent process, and what commands followed?
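As an added example (not Glexia's or MITRE's analytic logic), a small Python detector that applies the chaining rule above to constructed process-creation events: a shell is reported only when its launch context is notable (sshd parent, script-interpreter parent, or a user outside an assumed allowlist) and a descendant process runs a network discovery tool or touches a persistence marker. The command and marker lists and the `ops` allowlist are assumptions to be tuned locally.

```python
from collections import defaultdict

SHELLS = {"bash", "sh", "zsh", "dash", "ash", "busybox"}
INTERPRETERS = {"python", "python3", "perl", "php", "ruby", "node"}
NET_DISCOVERY = {"ip", "ifconfig", "netstat", "ss", "arp", "route"}
PERSISTENCE = ("crontab", "systemctl enable", "/etc/cron", "authorized_keys", ".bashrc")
APPROVED_ADMINS = {"ops"}  # assumption: the site's allowlist of admin accounts

# Constructed sample telemetry (not real logs): remote chain, interpreter chain, benign cron shell
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "comm": "sshd", "user": "root", "cmdline": "sshd: web [priv]"},
    {"pid": 101, "ppid": 100, "comm": "bash", "user": "web", "cmdline": "-bash"},
    {"pid": 102, "ppid": 101, "comm": "ss", "user": "web", "cmdline": "ss -tulpn"},
    {"pid": 103, "ppid": 101, "comm": "crontab", "user": "web", "cmdline": "crontab -e"},
    {"pid": 200, "ppid": 1, "comm": "python3", "user": "www-data", "cmdline": "python3 app.py"},
    {"pid": 201, "ppid": 200, "comm": "sh", "user": "www-data", "cmdline": "sh -c 'ip addr'"},
    {"pid": 202, "ppid": 201, "comm": "ip", "user": "www-data", "cmdline": "ip addr"},
    {"pid": 300, "ppid": 1, "comm": "cron", "user": "root", "cmdline": "/usr/sbin/cron"},
    {"pid": 301, "ppid": 300, "comm": "sh", "user": "ops", "cmdline": "sh -c /opt/backup.sh"},
]

def origin_reasons(evt, by_pid):  # why the shell launch itself is notable
    pname = by_pid.get(evt["ppid"], {}).get("comm", "")
    checks = ((pname == "sshd", "remote-session"),
              (pname in INTERPRETERS, "child-of-" + pname),
              (evt["user"] not in APPROVED_ADMINS, "unexpected-user:" + evt["user"]))
    return [reason for hit, reason in checks if hit]

def descendants(pid, children):  # depth-first walk of the process subtree under pid
    for child in children.get(pid, []):
        yield child
        yield from descendants(child["pid"], children)

def detect_shell_chains(events):  # alert on shell > discovery/persistence chains only
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events: children[e["ppid"]].append(e)
    alerts = []
    for shell in (e for e in events if e["comm"] in SHELLS):
        followed = []
        for d in descendants(shell["pid"], children):
            if d["comm"] in NET_DISCOVERY:
                followed.append("net-discovery:" + d["comm"])
            if any(marker in d["cmdline"] for marker in PERSISTENCE):
                followed.append("persistence:" + d["comm"])
        origin = origin_reasons(shell, by_pid)
        if origin and followed:  # chained behavior only; a bare shell launch is noise
            alerts.append({"shell_pid": shell["pid"], "user": shell["user"],
                           "origin": origin, "followed_by": followed})
    return alerts
```

The cron-launched backup shell under the approved `ops` account produces no alert, which is the tuning the bullets above ask for.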

Mitigation priorities

  • Strengthen identity and access controls for remote Linux administration, including least privilege and review of authorized users.
  • Restrict and monitor script interpreter usage where operationally feasible, especially on systems where secondary interpreters can launch shells.
  • Improve endpoint logging for Linux process execution, command lines, authentication, and persistence-relevant changes before relying on this analytic.
  • Establish baselines for legitimate administrative shell activity so suspicious chains can be prioritized without overwhelming analysts.
  • Ensure incident response playbooks include rapid validation of remote session origin, user legitimacy, process ancestry, and persistence checks.

Analyst notes and limits

The supplied object is a detection analytic, not a technique, and has no supplied tactic mapping or relationship context. Its strongest decision value is as a coverage test for Linux shell-chain visibility and triage, especially around remote access, unexpected users, script interpreters, discovery, and persistence indicators.

Official detection content is not provided, and no relationships are supplied. This take does not infer specific ATT&CK techniques, adversary attribution, active exploitation, or guaranteed detection coverage. Local logging quality, Linux distribution behavior, shell usage patterns, and administrative baselines are required to operationalize the analytic.

Official MITRE ATT&CK definition

Analytic 1081

Detects bash, sh, zsh, or BusyBox shell execution initiated via remote sessions, unauthorized users, or embedded within secondary script interpreters. Focus is on chained behavior: shell > suspicious commands > network discovery or persistence indicators.

The same entry is also published on attack.mitre.org (the MITRE-hosted reference); in-page links use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 2feadb60cbeb68f4...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 2feadb60cbeb…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1081

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.