AN1247: Analytic 1247
Detection monitors extended attribute manipulation (xattr) to strip quarantine or trust metadata, anomalous installation of root certificates in /etc/ssl or /usr/local/share/ca-certificates, and unauthorized modification of system trust stores. Correlates with unexpected process execution involving package managers or custom certificate utilities.
Analyst context for executives and security teams
AN1247 focuses on Linux trust-control changes: extended attribute manipulation that may remove quarantine or trust metadata, installation of root certificates under common system certificate paths, and modification of system trust stores. For leaders, the practical issue is not the certificate file alone; it is whether the organization can prove when Linux systems begin trusting new software or certificate authorities outside approved change processes.
Executive priority
Prioritize this analytic where Linux systems support sensitive operations, software distribution, administrative tooling, or regulated workloads. Unauthorized trust-store changes can undermine identity, TLS inspection assumptions, software validation, and incident confidence. Executives should ask whether certificate and trust-store changes are governed, logged, reviewed, and recoverable as part of compliance evidence and incident response readiness.
Technical view
For SOC and detection teams, validate visibility into Linux extended attribute changes, certificate-store file activity in /etc/ssl and /usr/local/share/ca-certificates, and process execution involving package managers or custom certificate utilities. Those two paths are the Debian-family layout, where update-ca-certificates rebuilds /etc/ssl/certs from /usr/local/share/ca-certificates and /usr/share/ca-certificates; RHEL-family systems use /etc/pki/ca-trust/source/anchors and update-ca-trust instead, so extend the watched paths to match the distributions in scope. Because the supplied ATT&CK object has no tactic mapping, no relationships, and no separate detection logic, treat this as a detection requirement to engineer and test locally rather than a complete rule.
Likely telemetry
- Linux file modification events for /etc/ssl and /usr/local/share/ca-certificates
- Linux process execution telemetry for package managers and certificate-management utilities
- Extended attribute change telemetry where available (auditd can record the setxattr and removexattr syscall family under a rule key)
- File ownership, permission, timestamp, and hash changes for trust-store content
- Change-management or administrative approval records for certificate installation
Detection direction
- Baseline legitimate certificate and trust-store update activity on Linux systems before alerting broadly.
- Correlate certificate-store writes with the initiating process, user, parent process, and approved maintenance window.
- Tune for expected package manager activity to reduce false positives while preserving alerts for custom or unexpected certificate utilities.
- Validate whether endpoint or audit tooling captures extended attribute manipulation; this is a blind spot if only ordinary file writes are logged, because setxattr and removexattr are separate syscalls that a write-only file watch does not record. On Linux the attributes worth watching include the security.* namespace (IMA/EVM hashes and SELinux labels) and the user.* tags some browsers set on downloaded files.
- Escalate unauthorized trust-store modification as an investigation pivot, especially when paired with unexpected process execution.
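The correlation described in the list above, run over sample audit records, as an added example that is not part of the ATT&CK object or this page. It assumes auditd rules that tag trust-store writes with the key "trust_store" and the xattr syscall family with the key "xattr_change" (both assumed key names), an assumed allowlist of certificate tools, and an assumed 02:00 to 04:00 UTC maintenance window. The audit records are constructed and simplified; the RHEL-family path in the watch list is an addition beyond the two paths the analytic names.

```python
"""Correlate auditd-style SYSCALL/PATH records for trust-store writes and xattr changes."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed, simplified audit records (not captured from a real host).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700014000.105:1001): arch=c000003e syscall=257 success=yes exit=3 ppid=4100 pid=4102 auid=1000 uid=0 gid=0 comm="update-ca-certi" exe="/usr/sbin/update-ca-certificates" key="trust_store"
type=CWD msg=audit(1700014000.105:1001): cwd="/"
type=PATH msg=audit(1700014000.105:1001): item=0 name="/etc/ssl/certs/ca-certificates.crt" inode=1234 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.220:1002): arch=c000003e syscall=257 success=yes exit=4 ppid=5200 pid=5201 auid=1000 uid=0 gid=0 comm="python3" exe="/usr/bin/python3.11" key="trust_store"
type=PATH msg=audit(1700000000.220:1002): item=0 name="/usr/local/share/ca-certificates/corp-proxy.crt" inode=5678 mode=0100644 ouid=0 ogid=0 nametype=CREATE
type=SYSCALL msg=audit(1700000300.004:1003): arch=c000003e syscall=188 success=yes exit=0 ppid=5200 pid=5210 auid=1000 uid=0 gid=0 comm="setfattr" exe="/usr/bin/setfattr" key="xattr_change"
type=PATH msg=audit(1700000300.004:1003): item=0 name="/usr/local/bin/agent" inode=9012 mode=0100755 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700014100.330:1004): arch=c000003e syscall=257 success=yes exit=3 ppid=6000 pid=6001 auid=1001 uid=0 gid=0 comm="vim" exe="/usr/bin/vim.basic" key="trust_store"
type=PATH msg=audit(1700014100.330:1004): item=0 name="/etc/ssl/certs/corp-root.pem" inode=3456 mode=0100644 ouid=0 ogid=0 nametype=CREATE
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Debian-family paths from the analytic plus the RHEL-family trust directory (an addition).
TRUST_STORE_PREFIXES = ("/etc/ssl/certs/", "/usr/local/share/ca-certificates/", "/etc/pki/ca-trust/")

# Assumed allowlist of executables expected to touch the trust store; tune per fleet.
EXPECTED_CERT_TOOLS = {
    "/usr/sbin/update-ca-certificates",
    "/usr/bin/update-ca-trust",
    "/usr/bin/dpkg",
    "/usr/bin/rpm",
}


def parse_records(text):
    """Group SYSCALL and PATH records by audit serial into one event per syscall."""
    events = defaultdict(dict)
    for line in text.splitlines():
        match = RECORD_RE.match(line)
        if not match:
            continue
        rtype, epoch, serial, rest = match.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        event = events[int(serial)]
        event["ts"] = int(epoch)
        if rtype == "SYSCALL":
            event["syscall"] = fields
        elif rtype == "PATH":
            event.setdefault("paths", []).append(fields["name"])
    return dict(events)


def in_window(ts, start_hour, end_hour):
    """True when the UTC hour of the epoch timestamp falls inside [start_hour, end_hour)."""
    hour = datetime.fromtimestamp(ts, tz=timezone.utc).hour
    return start_hour <= hour < end_hour


def evaluate(events, window=(2, 4)):
    """Return alerts tying each suspicious event to its exe, login user (auid) and parent pid."""
    alerts = []
    for serial, event in sorted(events.items()):
        syscall = event.get("syscall")
        if not syscall:
            continue
        paths = event.get("paths", [])
        exe = syscall.get("exe", "")
        reasons = []
        if syscall.get("key") == "xattr_change":
            reasons.append("extended attribute changed on " + ", ".join(paths))
        if any(p.startswith(TRUST_STORE_PREFIXES) for p in paths):
            if exe not in EXPECTED_CERT_TOOLS:
                reasons.append("trust store written by unexpected executable " + exe)
            if not in_window(event["ts"], *window):
                reasons.append("trust store written outside maintenance window")
        if reasons:
            alerts.append({"serial": serial, "exe": exe, "auid": syscall.get("auid"),
                           "ppid": syscall.get("ppid"), "paths": paths, "reasons": reasons})
    return alerts


def run_sample():
    """Evaluate the constructed log; serial 1001 is benign, 1002 to 1004 alert."""
    return evaluate(parse_records(SAMPLE_AUDIT_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["serial"], alert["exe"], "auid=" + str(alert["auid"]), "; ".join(alert["reasons"]))
```

Keying on the audit rule key rather than on syscall numbers keeps the logic portable across architectures, and carrying auid and ppid into the alert is what lets an analyst tie the write back to the interactive user and the parent process the analytic asks to correlate.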
Mitigation priorities
- Define an approved process for Linux root certificate installation and trust-store modification.
- Restrict write access to system certificate paths to authorized administrators and managed automation.
- Use configuration management or file integrity monitoring to detect and restore unauthorized trust-store changes.
- Require change tickets or equivalent audit evidence for certificate additions and removals.
- Include trust-store review in Linux incident response and hardening procedures.
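A minimal file integrity check of the kind the mitigation list calls for, as an added example rather than tooling from the page. It baselines a trust-store directory (hash, mode, owner and extended attributes of each regular file) and reports drift; the directory to watch is the caller's choice (for example /usr/local/share/ca-certificates), the restore step is assumed to be re-running the distribution's update tool after review, and the demo scenario uses constructed placeholder files in a temporary directory.

```python
"""Baseline and drift-check a trust-store directory, extended attributes included."""
import hashlib
import os
import stat
import tempfile


def _xattrs(path):
    """Extended attributes of path, so a stripped or added attribute counts as drift."""
    if not hasattr(os, "listxattr"):  # Linux-only API
        return {}
    try:
        names = os.listxattr(path, follow_symlinks=False)
        return {n: os.getxattr(path, n, follow_symlinks=False) for n in names}
    except OSError:
        return {}


def snapshot(directory):
    """Map each regular file (relative path) to its hash, mode, owner and xattrs."""
    baseline = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks (common in /etc/ssl/certs) are skipped; watch their target directories too
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            baseline[os.path.relpath(full, directory)] = {
                "sha256": digest,
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "xattrs": _xattrs(full),
            }
    return baseline


def diff(before, after):
    """Files added, removed, or changed (with the names of the attributes that differ)."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = {}
    for rel in sorted(set(before) & set(after)):
        fields = [k for k in before[rel] if before[rel][k] != after[rel][k]]
        if fields:
            changed[rel] = fields
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: baseline one cert, then drop in a rogue CA and tamper with the original."""
    placeholder = ("-----BEGIN CERTIFICATE-----\n"
                   "constructed placeholder, not a real certificate\n"
                   "-----END CERTIFICATE-----\n")
    with tempfile.TemporaryDirectory() as d:
        corp = os.path.join(d, "corp-root.crt")
        with open(corp, "w") as fh:
            fh.write(placeholder)
        os.chmod(corp, 0o644)
        before = snapshot(d)
        with open(os.path.join(d, "rogue-ca.crt"), "w") as fh:  # unapproved addition
            fh.write(placeholder)
        with open(corp, "a") as fh:  # content tampering
            fh.write("extra bytes appended by an unapproved edit\n")
        os.chmod(corp, 0o600)  # permission drift
        return diff(before, snapshot(d))


if __name__ == "__main__":
    print(demo())
```

Store the baseline off-host (or sign it) so an attacker who can write the trust store cannot also rewrite the reference; a change ticket reference attached to each approved baseline update is the audit evidence the mitigation list asks for.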
Analyst notes and limits
This object is a detection analytic for Linux and describes behavior around xattr manipulation, root certificate installation, and trust-store modification. The most valuable local work is confirming whether telemetry can tie these changes to users, processes, and approved administrative activity.
No official detection logic, tactic mapping, aliases, labels, or relationship context was supplied. This take does not infer active exploitation, attribution, impact, or coverage beyond the provided ATT&CK fields.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 35b987d025ba… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1247 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.