MITRE ATT&CK® Analytic

AN1299: Analytic 1299

Detects script or binary modification within shared NFS/SMB directories followed by process execution from those paths.

Enterprise · AN1299 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic is about a high-value shared-storage scenario: a script or binary is changed in a shared NFS/SMB directory and then executed from that same shared path on Linux. For leaders, the practical concern is that shared file locations can become a distribution point for unauthorized code across systems, making containment and root-cause analysis harder if file integrity, execution, and share access telemetry are incomplete.

Executive priority

Prioritize this as a control-validation and incident-readiness question for environments that use Linux systems with NFS or SMB shares. Executives should ask whether shared directories that host operational scripts, tools, or binaries have clear ownership, change control, access governance, and audit evidence. The business risk is not established by this ATT&CK object alone, but the behavior is material because shared storage can blur accountability: one modification may affect many systems, and responders need evidence to determine who changed a file, where it executed, and which hosts may be in scope.

Technical view

SOC and detection teams should validate whether they can correlate file modification events in shared NFS/SMB paths with subsequent process execution from those same paths on Linux. Because the official detection field is not provided and no tactic or relationship context is supplied, teams should treat AN1299 as a detection concept rather than a complete rule. Key engineering work is defining the monitored shared paths, identifying expected administrative or automation-driven changes, and correlating file write/rename/permission-change activity with process execution command lines, executable paths, user context, host context, and timestamps.

Likely telemetry

  • Linux process execution telemetry including executable path, command line, user, parent process, host, and timestamp
  • File modification telemetry for shared NFS/SMB-mounted directories, including writes, renames, permission changes, and ownership changes where available
  • NFS/SMB server or share access logs that identify clients, users, paths, and write activity
  • Endpoint audit or file integrity monitoring data for directories used to store shared scripts or binaries
  • Authentication and authorization logs that can help identify the account responsible for modifying shared content

Detection direction

  • Correlate modification of scripts or binaries in known shared NFS/SMB directories with later execution from those same paths.
  • Tune allowlists carefully for legitimate software deployment, build pipelines, administrative scripts, and configuration management activity that commonly write and execute from shared locations.
  • Validate path normalization for mounted shares, because the same network share may appear under different local mount points across Linux hosts.
  • Confirm whether telemetry shows both sides of the behavior: the file change and the execution. Missing either side creates a major blind spot.
  • Use user, host, parent process, and timing context to separate expected operational activity from unusual shared-path execution.
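
The correlation the list above describes, worked as an added example (this is not part of the MITRE object and not Glexia's detection code). It assumes a simplified event schema (ts, host, kind, path, user, parent), a per-host mount table that maps local mount points to a share identity, and an allowlist of expected automation; the mount table, the allowlist and the sample telemetry are constructed for the example. The point it shows beyond the bullets is path normalization: the same export is mounted at /mnt/tools on one host and /srv/shared on another, and the write and the execution still match.

```python
"""Correlation sketch for AN1299-style behaviour: a write to a script or
binary on an NFS/SMB share followed by execution of that object from the
share, possibly on a different host or under a different mount point.
Added example; not MITRE or Glexia code. Event fields, mount tables,
allowlist and sample records are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed per-host mount tables: local mount point -> share identity.
# web01 and db02 mount the same export under different local paths.
MOUNTS = {
    "web01": {"/mnt/tools": "nas01:/export/tools"},
    "db02": {"/srv/shared": "nas01:/export/tools",
             "/srv/home": "nas01:/export/home"},
}

# Constructed allowlist of (user, parent process) pairs that are expected
# to execute freshly deployed content from the share.
ALLOWED_EXEC = {("svc_deploy", "ansible-playbook")}

WINDOW = timedelta(hours=24)  # how long a write stays "fresh"


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str         # "file_write" or "exec"
    path: str         # local path as seen on the host
    user: str
    parent: str = ""  # parent process name for exec events


def canonical_share_path(host: str, local_path: str) -> Optional[str]:
    """Rewrite a host-local path as share:/export/relative/path so the same
    object is recognised across hosts and mount points. Returns None for
    paths that are not on a known share. Longest mount point wins."""
    table = MOUNTS.get(host, {})
    for mnt in sorted(table, key=len, reverse=True):
        base = mnt.rstrip("/")
        if local_path == base or local_path.startswith(base + "/"):
            return table[mnt] + local_path[len(base):]
    return None


def correlate(events: list[Event]) -> list[dict]:
    """Emit one alert per exec-from-share that follows a write to the same
    share object within WINDOW. Both sides are required: an exec with no
    preceding write, or a write with no exec, produces nothing."""
    recent_writes: dict[str, list[Event]] = {}
    alerts: list[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        share_path = canonical_share_path(ev.host, ev.path)
        if share_path is None:
            continue                                   # not on a share
        if ev.kind == "file_write":
            recent_writes.setdefault(share_path, []).append(ev)
        elif ev.kind == "exec":
            if (ev.user, ev.parent) in ALLOWED_EXEC:
                continue                               # expected automation
            for w in recent_writes.get(share_path, []):
                age = ev.ts - w.ts
                if timedelta(0) <= age <= WINDOW:
                    alerts.append({
                        "share_path": share_path,
                        "write_host": w.host, "write_user": w.user,
                        "write_ts": w.ts.isoformat(),
                        "exec_host": ev.host, "exec_user": ev.user,
                        "exec_parent": ev.parent, "exec_ts": ev.ts.isoformat(),
                        "delay_s": int(age.total_seconds()),
                    })
    return alerts


# Constructed sample telemetry (not real logs).
T0 = datetime(2026, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    # old write, executed more than WINDOW later: no alert
    Event(T0 - timedelta(days=2), "web01", "file_write", "/mnt/tools/old.sh", "admin"),
    Event(T0 + timedelta(minutes=50), "db02", "exec", "/srv/shared/old.sh", "root", "cron"),
    # write on web01, executed ten minutes later on db02 via another mount point: alert
    Event(T0, "web01", "file_write", "/mnt/tools/deploy.sh", "jdoe"),
    Event(T0 + timedelta(minutes=10), "db02", "exec", "/srv/shared/deploy.sh", "root", "bash"),
    # same object run by the allowlisted deployment account: suppressed
    Event(T0 + timedelta(minutes=20), "db02", "exec", "/srv/shared/deploy.sh",
          "svc_deploy", "ansible-playbook"),
    # local binary, and a share file nobody modified: ignored
    Event(T0 + timedelta(minutes=30), "web01", "exec", "/usr/bin/python3", "jdoe", "bash"),
    Event(T0 + timedelta(minutes=40), "db02", "exec", "/srv/home/jdoe/notes.txt", "jdoe", "bash"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, only the deploy.sh write-then-exec pair alerts; the allowlisted run, the local binary, the untouched share file and the stale write all drop out. In production the mount table comes from each host's mount telemetry rather than a hard-coded dict, and the allowlist should key on more than user and parent (for example the writing account and the deployment window), but the shape of the join is the same.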

Mitigation priorities

  • Inventory Linux systems that mount NFS/SMB shares and identify directories that contain executable scripts or binaries.
  • Restrict write access to shared executable locations using least privilege and clear ownership.
  • Separate writable collaboration shares from locations used to execute operational code where feasible.
  • Apply change control, file integrity monitoring, or approval workflows to shared directories that host production scripts or tools.
  • Review mount and execution policies for shared paths, including whether execution from broadly writable shares is necessary.
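
The first and last items above (inventory the shares a Linux host mounts, and review whether execution from them is allowed) can be started from /proc/mounts. The following is an added example, not MITRE or Glexia code: it parses the /proc/mounts line format (device, mount point, filesystem type, options, dump, pass, with spaces and other special characters written as octal escapes such as \040) and flags NFS/SMB mounts that lack noexec or nosuid. The sample mount text is constructed; the set of network filesystem types is an assumption you should widen to match your environment.

```python
"""Inventory NFS/SMB mounts on a Linux host and flag shares mounted without
noexec/nosuid. Added example; not MITRE or Glexia code. Parses the
/proc/mounts format; SAMPLE_PROC_MOUNTS below is constructed."""
import re

# Filesystem types treated as network shares (assumption; extend as needed).
NETWORK_FS = {"nfs", "nfs4", "cifs", "smb3"}


def unescape_mount_field(field: str) -> str:
    """Decode the \\ooo octal escapes the kernel writes into /proc/mounts,
    e.g. \\040 for a space inside an SMB share name."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_proc_mounts(text: str) -> list[dict]:
    """Split each mount line into device, mountpoint, fstype and an option set."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or blank line
        device, mountpoint, fstype, options = (unescape_mount_field(p) for p in parts[:4])
        entries.append({"device": device, "mountpoint": mountpoint,
                        "fstype": fstype, "options": set(options.split(","))})
    return entries


def audit_network_mounts(text: str) -> list[dict]:
    """Return every network share with the execution-relevant mount flags.
    exec_allowed/suid_allowed are True when noexec/nosuid are absent."""
    findings = []
    for e in parse_proc_mounts(text):
        if e["fstype"] not in NETWORK_FS:
            continue
        opts = e["options"]
        findings.append({
            "mountpoint": e["mountpoint"], "device": e["device"], "fstype": e["fstype"],
            "writable": "rw" in opts,
            "exec_allowed": "noexec" not in opts,
            "suid_allowed": "nosuid" not in opts,
        })
    return sorted(findings, key=lambda f: f["mountpoint"])


# Constructed /proc/mounts content (not captured from a real host).
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
nas01:/export/tools /mnt/tools nfs4 rw,relatime,vers=4.2,hard,proto=tcp,addr=10.0.0.5 0 0
nas01:/export/home /home nfs4 rw,nosuid,nodev,noexec,relatime,vers=4.2,hard 0 0
//fileserver/Shared\\040Scripts /srv/scripts cifs rw,relatime,vers=3.1.1,cache=strict 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime 0 0
"""

if __name__ == "__main__":
    for f in audit_network_mounts(SAMPLE_PROC_MOUNTS):
        print(f)
```

On a live host, feed it `open("/proc/mounts").read()` instead of the sample. Two caveats when acting on the output: noexec only blocks direct execve of files on the share, so `bash /srv/scripts/x.sh` or `python3 /srv/scripts/x.py` still runs the content through the interpreter, which is exactly why the write-then-execute correlation above still matters on hardened mounts; and adding noexec to a share that hosts operational tooling will break the automation the page tells you to inventory first.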

Analyst notes and limits

AN1299 is a MITRE detection analytic for Linux environments that looks for script or binary modification within shared NFS/SMB directories followed by execution from those paths. Its value is strongest where shared storage is used for administration, automation, operations, or software distribution. Glexia teams should use it to drive telemetry validation, shared-directory governance, and IR scoping readiness rather than treating it as a complete detection rule.

The supplied ATT&CK object does not include an official detection implementation, tactics, labels, aliases, relationships, or linked techniques. This take therefore does not infer adversary intent, impact, prevalence, attribution, or guaranteed detection coverage. Local environment details are required to define relevant shared paths, expected administrative behavior, and acceptable execution patterns.

Official MITRE ATT&CK definition

Analytic 1299

Detects script or binary modification within shared NFS/SMB directories followed by process execution from those paths.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: ec5b65a5a1e24964...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | ec5b65a5a1e2…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack, AN1299 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.