MITRE ATT&CK® Analytic

AN1214: Analytic 1214

Detects custom archive routines by correlating script execution (Python, Perl, Bash) with creation of high-entropy files in temporary or user directories. Flags processes performing unusual bitwise operations or writing files without standard compression headers.

Domain: Enterprise | ID: AN1214 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

AN1214 is a Linux-oriented detection analytic focused on suspicious custom archiving behavior: Python, Perl, or Bash scripts creating high-entropy files in temporary or user directories, especially files that lack the header bytes of a standard compression format. For leaders, the value is not that this single analytic proves compromise, but that it tests whether the organization can see unusual file packaging activity that may matter during incident triage and data-risk assessment.

Executive priority

Prioritize this analytic as a coverage validation item for Linux estates where user directories, temporary paths, and script-based automation are common. It can support incident response readiness by helping teams identify unusual file creation patterns that file-extension or known-tool detections miss. Executives should ask three questions: whether SOC teams collect enough endpoint and file telemetry to investigate this behavior, how false positives from legitimate automation are handled, and whether Linux monitoring is included in compliance and resilience evidence rather than treated as a blind spot.

Technical view

For SOC and detection engineering teams, validate correlation between Linux script execution and creation of high-entropy files in temporary or user directories. Review whether detections can identify files written without standard compression headers and whether process behavior, including unusual bitwise operations, is observable in available telemetry. Because no ATT&CK tactic or relationship context is supplied, treat this as a behavior-focused analytic rather than a complete attack narrative.

Likely telemetry

  • Linux process execution telemetry for Python, Perl, Bash, and child processes
  • File creation and file write events in temporary directories and user directories
  • File metadata including path, owner, size, timestamps, and extension
  • Content-derived indicators where permitted, such as entropy and presence or absence of standard compression headers
  • Command-line and script execution context where collected

Detection direction

  • Confirm that Linux endpoint telemetry can correlate script execution with subsequent file creation in the same process tree or user session.
  • Tune entropy-based logic carefully, since legitimate encrypted, compressed, cached, or application-generated files may also appear high entropy.
  • Validate coverage for temporary and user directories, which are often under-monitored compared with system paths.
  • Test whether detection logic distinguishes standard compression formats from files lacking expected compression headers.
  • Include allowlisting or suppression for known administrative, backup, build, packaging, or data-processing scripts after verification.
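The correlation described in the technical view and the detection-direction items above, written out as a small reference implementation. This is an added example, not MITRE's or Glexia's code and not the logic of any particular sensor: it joins constructed exec and file-write events by process tree and time window, computes Shannon entropy over the written bytes, checks for common compression magic bytes, and suppresses an allowlisted command line. The event schema, the thresholds, the magic-byte table, the allowlist entry and the sample telemetry are all assumptions for illustration.

```python
"""AN1214-style correlator: script execution followed by a high-entropy,
header-less file in a temp or user directory. Added example; not MITRE's or
Glexia's code. Event schema, thresholds and sample telemetry are assumptions."""
import math
from collections import Counter
from datetime import datetime, timedelta

SCRIPT_INTERPRETERS = {"python", "python3", "perl", "bash", "sh"}
MONITORED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
# Magic bytes of common compression formats. Assumption: this is what
# "standard compression headers" means; extend it to match local tooling.
COMPRESSION_MAGIC = {
    "gzip": b"\x1f\x8b",
    "zip": b"PK\x03\x04",
    "bzip2": b"BZh",
    "xz": b"\xfd7zXZ\x00",
    "zstd": b"\x28\xb5\x2f\xfd",
    "7z": b"7z\xbc\xaf\x27\x1c",
}
ENTROPY_THRESHOLD = 7.5        # bits per byte; tune against a local baseline
MIN_SIZE = 512                 # entropy of tiny files is not meaningful
CORRELATION_WINDOW = timedelta(seconds=60)
# Hypothetical allowlist of verified automation (exact command lines).
ALLOWLISTED_CMDLINES = {"bash /usr/local/bin/backup.sh"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def compression_format(data: bytes):
    """Name of the compression format whose magic bytes open the data, else None."""
    for name, magic in COMPRESSION_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def correlate(events):
    """Return alerts for time-ordered 'exec' and 'file_write' events.

    exec: pid, ppid, comm, cmdline.  file_write: pid, ppid, path, content.
    A write is attributed to a script when the writer or its parent is a
    script interpreter that started within CORRELATION_WINDOW."""
    scripts, alerts = {}, []                  # pid -> exec event of an interpreter
    for ev in events:
        if ev["type"] == "exec":
            if ev["comm"] in SCRIPT_INTERPRETERS:
                scripts[ev["pid"]] = ev
            continue
        origin = scripts.get(ev["pid"]) or scripts.get(ev["ppid"])
        if origin is None or ev["time"] - origin["time"] > CORRELATION_WINDOW:
            continue                          # not script-driven, or too old
        if origin["cmdline"] in ALLOWLISTED_CMDLINES:
            continue                          # verified automation
        if not ev["path"].startswith(MONITORED_PREFIXES):
            continue
        data = ev["content"]
        if len(data) < MIN_SIZE or compression_format(data) is not None:
            continue                          # too small, or a standard archive
        entropy = shannon_entropy(data)
        if entropy >= ENTROPY_THRESHOLD:
            alerts.append({"path": ev["path"], "writer_pid": ev["pid"],
                           "script_pid": origin["pid"], "cmdline": origin["cmdline"],
                           "entropy": round(entropy, 3)})
    return alerts


T0 = datetime(2026, 1, 1, 12, 0, 0)


def sample_events():
    """Constructed telemetry for illustration, not captured from a real host."""
    t = lambda s: T0 + timedelta(seconds=s)
    noise = bytes(range(256)) * 16           # uniform bytes, entropy 8.0: stands in for encrypted output
    gz = COMPRESSION_MAGIC["gzip"] + noise   # looks like a real gzip file
    text = b"status: ok\n" * 100             # ordinary low-entropy output
    e = lambda s, pid, ppid, comm, cmd: {"type": "exec", "time": t(s), "pid": pid, "ppid": ppid, "comm": comm, "cmdline": cmd}
    w = lambda s, pid, ppid, path, data: {"type": "file_write", "time": t(s), "pid": pid, "ppid": ppid, "path": path, "content": data}
    return [
        e(0, 101, 1, "python3", "python3 /tmp/.x/pack.py"),      # script spawns child 102 ...
        w(4, 102, 101, "/tmp/.x/out.bin", noise),                 # ... which drops header-less noise: ALERT
        e(10, 300, 1, "bash", "bash /usr/local/bin/backup.sh"),  # same shape, but allowlisted
        w(12, 300, 1, "/home/alice/backup.bin", noise),
        e(20, 400, 1, "python3", "python3 /opt/app/etl.py"),     # real gzip header: no alert
        w(22, 400, 1, "/home/app/cache.gz", gz),
        e(30, 500, 1, "perl", "perl /home/bob/report.pl"),       # low entropy: no alert
        w(31, 501, 500, "/var/tmp/report.txt", text),
        e(40, 600, 1, "tar", "tar czf /home/bob/dump.bin data"), # not a script interpreter
        w(41, 600, 1, "/home/bob/dump.bin", noise),
        e(50, 700, 1, "bash", "bash /home/bob/long.sh"),         # write lands 90 s later: outside window
        w(140, 700, 1, "/tmp/late.bin", noise),
    ]


if __name__ == "__main__":
    for alert in correlate(sample_events()):
        print(alert)
```

Running the block prints one alert, for /tmp/.x/out.bin, attributed to the python3 process through its child. The other five cases show the suppressions a deployable rule needs: allowlisted automation, files that carry a standard compression header, low-entropy output, writers that are not script interpreters, and writes that fall outside the correlation window. The "unusual bitwise operations" clause of the official definition is deliberately absent: process and file telemetry cannot see instruction-level behavior, so that signal needs in-process or tracing instrumentation that most Linux sensors do not provide.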

Mitigation priorities

  • Improve Linux endpoint logging before relying on this analytic for response decisions.
  • Baseline legitimate script-driven archive, backup, packaging, and automation workflows in user and temporary paths.
  • Restrict unnecessary script execution and write permissions where business operations allow.
  • Apply least privilege to users and service accounts that can generate or stage files in monitored directories.
  • Ensure incident response playbooks include collection of process trees, script content where appropriate, and suspicious generated files for analysis.

Analyst notes and limits

The supplied object is a detection analytic, not a technique or campaign description. Its decision value is strongest as a control-validation and triage aid for Linux environments where custom scripts may create archive-like or high-entropy files. Local baselines are essential because legitimate engineering, backup, encryption, and application workflows can resemble the described behavior.

No official detection text, tactics, technique relationships, procedure examples, groups, software, or mitigations were supplied. This take therefore avoids attribution, active exploitation claims, platform expansion beyond Linux, and assertions that the analytic detects a specific ATT&CK technique or outcome.

Official MITRE ATT&CK definition

Analytic 1214

Detects custom archive routines by correlating script execution (Python, Perl, Bash) with creation of high-entropy files in temporary or user directories. Flags processes performing unusual bitwise operations or writing files without standard compression headers.

The same entry is published on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Where related groups, software, data sources, or mitigations exist, validate them against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 9257384d4959c943...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 9257384d4959…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1214

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.