AN1367: Analytic 1367
Sequence of RAT agent execution, systemd persistence, and long-lived external egress; optional interactive shells spawned from the agent.
Analyst context for executives and security teams
This analytic matters because it ties together several signals that, in combination, can indicate a Linux host has moved from initial agent execution into persistence and sustained command-and-control style connectivity. For leaders, the value is not any single event, but whether the security program can correlate process execution, systemd persistence changes, and long-lived outbound network activity quickly enough to support containment decisions.
Executive priority
Prioritize this as a Linux resilience and incident-response readiness check. Executives and risk owners should ask whether critical Linux servers have sufficient endpoint, service-management, and network telemetry to prove or disprove this sequence during an investigation. The business issue is continuity: a persistent remote access tool with sustained external egress can undermine recovery confidence if teams cannot identify the service entry, owning process, and outbound destination history.
Technical view
For SOC, detection engineering, and IR teams, validate correlation across Linux process execution, systemd unit creation or modification, service enablement/start activity, and long-lived outbound connections. Because ATT&CK provides no official detection logic and no relationship context for this analytic, local implementation should focus on sequencing: suspicious agent-like execution followed by systemd persistence and sustained external egress, with optional interactive shell processes spawned by the agent. Tune around legitimate remote administration, monitoring agents, backup tools, and long-running service connections.
Likely telemetry
- Linux process execution telemetry, including parent-child process relationships
- systemd unit file creation, modification, enablement, and service start/restart events
- Outbound network connection metadata, especially long-lived external sessions
- Command shell execution telemetry where available
- Host identity, asset criticality, and service ownership context for Linux systems
Detection direction
- Confirm whether telemetry can correlate host process activity with systemd persistence events and outbound network sessions on the same Linux asset.
- Look for sequences rather than isolated indicators: agent execution, persistence through systemd, then durable external egress.
- Review child processes from the suspected agent for interactive shell activity, while accounting for legitimate administrative tooling.
- Baseline approved long-running Linux services and external destinations to reduce false positives.
- Document blind spots where endpoint logging, systemd audit visibility, or network session duration data is missing.
Mitigation priorities
- Establish authoritative inventory and ownership for Linux systemd services on critical systems.
- Restrict and monitor permissions required to create or modify persistent services.
- Apply least privilege and controlled administration for Linux servers, especially where service management rights are broadly available.
- Use egress governance to limit unnecessary external connectivity from servers and to make long-lived sessions reviewable.
- Prepare IR procedures to collect service definitions, process trees, and network connection history from affected Linux hosts.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a technique description. Its useful defensive value is the correlation pattern: RAT agent execution, systemd persistence, long-lived external egress, and possible shell spawning. Because no official detection text or relationships were supplied, implementation must be based on local Linux logging, endpoint coverage, and network visibility.
No tactics, relationships, aliases, labels, or official detection logic were provided. This take does not assert active exploitation, attribution, prevalence, impact, or guaranteed detectability. Coverage depends on the organization’s Linux telemetry, retention, and ability to correlate host and network evidence.
Analytic 1367
Sequence of RAT agent execution, systemd persistence, and long-lived external egress; optional interactive shells spawned from the agent.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 5587172f1fca… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1367Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.