AN1109: Analytic 1109
File creation of unauthorized script (e.g., .php, .sh) in /var/www/html followed by execution of unexpected system utilities (e.g., curl, bash, nc) by apache/nginx
Analyst context for executives and security teams
This analytic is about spotting a high-risk web server pattern: a new script appears in a web root such as /var/www/html, and the web server process later launches utilities like curl, bash, or nc. For leaders, the value is not the file extension itself; it is whether the organization can quickly prove that internet-facing Linux web servers are monitored for suspicious file writes and process activity that may indicate unauthorized code running under apache or nginx.
Executive priority
Prioritize this as a validation point for externally exposed Linux web infrastructure. It supports incident decision-making and audit evidence by testing whether teams can connect file creation in web content directories with unusual child processes from web server accounts. If that evidence is missing, response teams may not be able to determine when unauthorized server-side scripts appeared or what they executed.
Technical view
For SOC and IR teams, validate coverage on Linux hosts running apache or nginx with web roots such as /var/www/html. The analytic concept requires correlation between file creation of script-like files, for example .php or .sh, and later execution of unexpected system utilities such as curl, bash, or nc by apache/nginx processes. Because no ATT&CK tactic or relationship context is supplied, treat this as a detection analytic pattern rather than a complete technique mapping.
Likely telemetry
- Linux file creation events for web directories such as /var/www/html
- Process creation telemetry with parent/child process relationships
- Command-line arguments for utilities executed by apache or nginx
- Web server process identity, user context, and executable path
- File metadata for newly created scripts, including path, extension, owner, and timestamp
Detection direction
- Confirm that file creation monitoring covers web roots on Linux web servers, not only endpoint process execution.
- Correlate new script files in /var/www/html with subsequent process execution by apache or nginx.
- Tune for expected administrative or deployment workflows so normal web publishing does not create excessive alerts.
- Review child processes of apache/nginx that invoke curl, bash, nc, or similar utilities, especially when close in time to new script creation.
- Account for blind spots where web servers lack endpoint telemetry, command-line logging, or file integrity monitoring.
Mitigation priorities
- Inventory Linux web servers and confirm which ones host content under paths such as /var/www/html.
- Restrict write access to web roots to approved deployment identities and processes.
- Harden web server service accounts so apache/nginx have only the privileges required for normal operation.
- Use change control or file integrity monitoring for script-capable web directories.
- Ensure incident responders have retained file, process, and command-line evidence needed to reconstruct suspicious web server activity.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, AN1109, for Linux. Its official description focuses on unauthorized script creation in /var/www/html followed by unexpected utility execution by apache/nginx. No tactic, technique relationship, detection text, or external relationship context was supplied, so the take is framed around defensive validation rather than attribution or threat behavior expansion.
This assessment is limited to the provided STIX fields and external reference. It does not establish active exploitation, actor usage, business impact, or complete detection logic. Local web server architecture, deployment tooling, logging configuration, and approved administrative workflows are required to determine severity and tuning.
Analytic 1109
File creation of unauthorized script (e.g., .php, .sh) in /var/www/html followed by execution of unexpected system utilities (e.g., curl, bash, nc) by apache/nginx
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 29e36746253e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1109Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.