MITRE ATT&CK® Analytic

AN1217: Analytic 1217

Detects binary movement or copying between untrusted and trusted paths (e.g., /tmp/ → /usr/bin/ or /etc/init.d/) that may indicate persistence attempts or cleanup of origin traces.

Enterprise · AN1217 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic is relevant because movement of a Linux binary from a less-trusted location such as /tmp into a trusted execution or startup path such as /usr/bin or /etc/init.d can be a practical warning sign of persistence preparation or removal of origin traces. For leaders, the value is not the specific path example alone; it is whether the organization can prove it sees suspicious file movement into sensitive Linux locations before it becomes an operational resilience or incident-response problem.

Executive priority

Prioritize this as a Linux server and endpoint visibility question: do critical systems produce enough file activity evidence to show when executables are introduced into trusted directories from temporary or user-writable locations? This supports incident decision-making, audit evidence for change control, and control prioritization around hardening of sensitive paths. Because ATT&CK provides no relationship context, tactic, or implementation detail for this analytic, treat it as a validation prompt rather than proof of coverage.

Technical view

For SOC, detection engineering, and IR teams, validate whether Linux telemetry can identify binary copy or move activity from untrusted paths into trusted paths, especially examples supplied by ATT&CK such as /tmp to /usr/bin or /etc/init.d. Review whether events include source path, destination path, file type or executable metadata, actor process, user, timestamp, and host identity. Since official detection logic is not provided, teams should develop local criteria and tune against legitimate software installation, package management, administrative scripts, and deployment tooling.

Likely telemetry

  • Linux file creation, rename, move, and copy activity involving source and destination paths
  • Process execution telemetry showing utilities or scripts performing file copy or move operations
  • File metadata for newly placed binaries, including permissions, owner, hashes, and timestamps where available
  • Host identity, user identity, and parent process context for the file operation
  • Change-control or software deployment records to distinguish authorized administrative activity

Detection direction

  • Validate monitoring for writes into trusted Linux paths such as /usr/bin and /etc/init.d when the source is a temporary or otherwise less-trusted location such as /tmp.
  • Tune detections to reduce noise from package managers, configuration management, deployment pipelines, and approved administrative maintenance.
  • Prioritize alerts where file movement is followed by permission changes, service/init integration, or execution from the destination path, while avoiding claims of persistence without corroborating evidence.
  • Check blind spots on servers without endpoint telemetry, containers or ephemeral systems with limited logging, and environments where file path context is not retained.
  • Because no ATT&CK detection text or relationships were supplied, document local detection assumptions and required telemetry dependencies.
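The technical view, likely-telemetry and detection-direction items above describe one procedure: take file-operation events that carry source path, destination path, actor process, user, timestamp and host; flag copies or renames from an untrusted location into a trusted one; suppress known installers; and raise priority only when follow-up evidence (permission change, execution, service integration) exists. The following is an added example written for this page, not detection logic from ATT&CK or Glexia. The event schema, the path lists beyond /tmp, /usr/bin and /etc/init.d, the actor allowlist and the ten-minute window are assumptions for illustration; the sample telemetry is constructed.

```python
"""Added example, not part of ATT&CK AN1217 or Glexia's analysis: a minimal
detector for binary movement from untrusted into trusted Linux paths, with
allowlist tuning and corroboration scoring, run over constructed telemetry.
The event schema, path lists, allowlist and time window are all assumptions."""
import json
from datetime import datetime, timedelta

# /tmp, /usr/bin and /etc/init.d come from the analytic text; the rest are
# assumed additions that a local deployment would confirm or replace.
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/local/bin/", "/bin/", "/sbin/",
                    "/etc/init.d/", "/etc/systemd/system/", "/etc/cron.d/")
# Assumed local allowlist: package managers and configuration management.
ALLOWLISTED_ACTORS = {"dpkg", "rpm", "apt-get", "yum", "dnf", "ansible-playbook"}
# Assumed window in which follow-up activity counts as corroboration.
CORROBORATION_WINDOW = timedelta(minutes=10)


def _under(path, prefixes):
    return any(path.startswith(p) for p in prefixes)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def parse_events(jsonl):
    """Parse normalized JSON-lines file/process events, oldest first."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    return sorted(events, key=_ts)


def is_suspicious_move(ev):
    """Copy/rename whose source is untrusted and destination is trusted,
    unless the acting process is on the local allowlist."""
    return (ev.get("op") in ("rename", "copy")
            and _under(ev.get("src", ""), UNTRUSTED_PREFIXES)
            and _under(ev.get("dst", ""), TRUSTED_PREFIXES)
            and ev.get("proc") not in ALLOWLISTED_ACTORS)


def corroboration(later, move):
    """Describe follow-up activity on the placed file (same host, inside the
    window), or return None. Only this raises an alert from medium to high."""
    if later.get("host") != move.get("host") or later.get("path") != move["dst"]:
        return None
    delta = _ts(later) - _ts(move)
    if delta <= timedelta(0) or delta > CORROBORATION_WINDOW:
        return None
    op = later.get("op")
    if op == "chmod" and int(later.get("mode", "0"), 8) & 0o111:
        return "permission change added an execute bit"
    if op == "exec":
        return "executed from the destination path"
    if op == "service_enable":
        return "referenced by an enabled service/init unit"
    return None


def detect(jsonl):
    """Return one alert per suspicious move; severity is raised only by evidence."""
    events = parse_events(jsonl)
    alerts = []
    for i, ev in enumerate(events):
        if not is_suspicious_move(ev):
            continue
        reasons = [r for r in (corroboration(e, ev) for e in events[i + 1:]) if r]
        alerts.append({
            "host": ev["host"], "user": ev.get("user"), "proc": ev.get("proc"),
            "src": ev["src"], "dst": ev["dst"], "ts": ev["ts"],
            "severity": "high" if reasons else "medium",
            "corroboration": reasons,
        })
    return alerts


# Constructed sample telemetry (not real logs); fields follow the assumed schema.
# Line 4 is suppressed by the allowlist, line 6 never leaves /tmp, and line 7
# is outside the window, so the /etc/init.d move stays at medium severity.
SAMPLE_EVENTS = """
{"ts":"2024-05-01T10:00:00","host":"web01","user":"deploy","proc":"cp","op":"copy","src":"/tmp/build/agent-helper","dst":"/usr/bin/agent-helper"}
{"ts":"2024-05-01T10:00:05","host":"web01","user":"deploy","proc":"chmod","op":"chmod","path":"/usr/bin/agent-helper","mode":"0755"}
{"ts":"2024-05-01T10:01:00","host":"web01","user":"deploy","proc":"agent-helper","op":"exec","path":"/usr/bin/agent-helper"}
{"ts":"2024-05-01T10:05:00","host":"web01","user":"root","proc":"dpkg","op":"rename","src":"/tmp/dpkg.x1/curl","dst":"/usr/bin/curl"}
{"ts":"2024-05-01T11:00:00","host":"db02","user":"alice","proc":"mv","op":"rename","src":"/tmp/svc","dst":"/etc/init.d/svc"}
{"ts":"2024-05-01T11:02:00","host":"db02","user":"alice","proc":"mv","op":"rename","src":"/tmp/a","dst":"/tmp/b"}
{"ts":"2024-05-01T11:30:00","host":"db02","user":"root","proc":"bash","op":"exec","path":"/etc/init.d/svc"}
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Running the block yields two alerts: the /usr/bin/agent-helper copy at high severity with two corroborating events, and the /etc/init.d/svc rename at medium severity with none. The allowlist and window are the two knobs the tuning bullet refers to; widening the window trades fewer missed corroborations for more false escalations, and every allowlisted actor is a blind spot that should be documented alongside the telemetry dependencies.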

Mitigation priorities

  • Restrict write permissions to trusted executable and startup directories to authorized administrative paths and accounts.
  • Harden temporary and user-writable directories where appropriate, including controls that reduce execution or staging risk.
  • Maintain change-control evidence for legitimate software installation and administrative file movement into trusted paths.
  • Ensure Linux logging or endpoint controls capture file operations on sensitive directories before relying on this analytic for SOC coverage.
  • Use incident response procedures to investigate unauthorized binary placement, including source path, responsible user or process, and whether the file was executed or configured for startup.
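The first two mitigation bullets are checkable: trusted executable and startup directories should be root-owned and not group- or world-writable, and temporary directories should sit on mounts that limit execution. The audit below is an added example for this page, not a control from ATT&CK or Glexia. The directory sets beyond /usr/bin, /etc/init.d and /tmp and the noexec/nosuid/nodev baseline are assumptions to tune locally; the stat and mount inputs are constructed so the checks run offline, with `live_audit()` applying the same rules to the running host.

```python
"""Added example, not part of the ATT&CK object or Glexia's analysis: a small
audit for write restrictions on trusted executable/startup directories and for
execution-limiting mount options on temp directories. Directory sets and the
option baseline are assumptions; the sample inputs are constructed."""
import os
import stat

# /usr/bin and /etc/init.d come from the analytic; the rest are assumed.
TRUSTED_DIRS = ("/usr/bin", "/usr/sbin", "/etc/init.d", "/etc/systemd/system")
# /tmp comes from the analytic; /var/tmp and /dev/shm are assumed additions.
TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
# Assumed hardening baseline for temp mounts.
HARDENING_OPTIONS = {"noexec", "nosuid", "nodev"}


def check_trusted_dir(path, mode, uid):
    """Findings for one trusted directory from its stat mode and owner uid."""
    findings = []
    if uid != 0:
        findings.append(f"{path}: not owned by root (uid {uid})")
    if mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable")
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    return findings


def check_temp_mount(path, options):
    """Finding if the mount options miss any of the hardening baseline."""
    missing = sorted(HARDENING_OPTIONS - set(options.split(",")))
    return [f"{path}: mount lacks {','.join(missing)}"] if missing else []


def parse_proc_mounts(text):
    """Map mount point -> options string from /proc/mounts-style lines."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            mounts[parts[1]] = parts[3]
    return mounts


def audit(dir_stats, mounts_text):
    """dir_stats: {path: (st_mode, st_uid)}; mounts_text: /proc/mounts content."""
    findings = []
    for path in TRUSTED_DIRS:
        if path in dir_stats:
            mode, uid = dir_stats[path]
            findings += check_trusted_dir(path, mode, uid)
    mounts = parse_proc_mounts(mounts_text)
    for path in TEMP_DIRS:
        if path in mounts:
            findings += check_temp_mount(path, mounts[path])
        else:
            # Without a dedicated mount the directory inherits the parent
            # filesystem's options, so noexec/nosuid/nodev are not applied to it.
            findings.append(f"{path}: no dedicated mount, hardening options not applied")
    return findings


def live_audit():
    """Apply the same rules to the running host (Linux only)."""
    dir_stats = {}
    for path in TRUSTED_DIRS:
        try:
            st = os.stat(path)
            dir_stats[path] = (st.st_mode, st.st_uid)
        except FileNotFoundError:
            pass
    with open("/proc/mounts") as fh:
        return audit(dir_stats, fh.read())


# Constructed sample inputs (not from a real host).
SAMPLE_DIR_STATS = {
    "/usr/bin": (0o40755, 0),               # clean
    "/etc/init.d": (0o40775, 0),            # group-writable
    "/etc/systemd/system": (0o40755, 1000), # wrong owner
}
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_DIR_STATS, SAMPLE_MOUNTS):
        print(finding)
```

On the constructed inputs the audit reports four findings: the group-writable /etc/init.d, the non-root-owned /etc/systemd/system, the /tmp mount without noexec, and /var/tmp having no dedicated mount. A finding from this check is a hardening gap, not evidence of compromise; the change-control bullet above is what turns an accepted exception (for example a build host that needs executable /tmp) into documented risk rather than a recurring alert.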

Analyst notes and limits

This take is based only on the supplied ATT&CK analytic AN1217. The object is a detection analytic for Linux and describes detecting binary movement or copying between untrusted and trusted paths that may indicate persistence attempts or cleanup of origin traces. No ATT&CK relationships, tactic mapping, aliases, labels, or official detection logic were supplied.

Coverage cannot be assumed from this object alone. The official detection field is not provided, tactics are not specified, and there is no relationship context tying this analytic to specific techniques, software, or groups. Local telemetry, path conventions, administrative workflows, and change-management practices are required to determine detection quality and priority.

Official MITRE ATT&CK definition

Analytic 1217

Detects binary movement or copying between untrusted and trusted paths (e.g., /tmp/ → /usr/bin/ or /etc/init.d/) that may indicate persistence attempts or cleanup of origin traces.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: b18142881a8f8693...

Imported snapshots across ATT&CK releases (1)

  • Release 19.1: object version 1.0; status: Current bundle; raw hash b18142881a8f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1217 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.