MITRE ATT&CK® Analytic

AN1453: Analytic 1453

Execution of system enumeration commands such as `uname`, `df`, `uptime`, `hostname`, `lscpu`, and `cat /etc/os-release` through local terminal or scripts.

Domain: Enterprise | ID: AN1453 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic points to Linux hosts running basic system-enumeration commands such as uname, df, uptime, hostname, lscpu, and cat /etc/os-release from a terminal or script. For leaders, the value is not that these commands are inherently malicious; it is that they often reveal when an interactive user, automation, or script is collecting host context. That can matter during incident triage because early enumeration may help distinguish routine administration from suspicious hands-on-keyboard activity.

Executive priority

Treat this as a coverage-validation item for Linux monitoring rather than a standalone high-severity alert. Security leaders should ask whether SOC and incident response teams can see command execution on critical Linux systems, separate approved administration from unusual activity, and preserve enough evidence to support investigations and compliance inquiries. Priority should be higher for sensitive servers, privileged access paths, and environments where Linux visibility is inconsistent.

Technical view

The supplied ATT&CK object is a detection analytic for Linux command execution involving common system discovery commands. Because no official detection logic, tactics, or relationships are provided, teams should validate the underlying telemetry first: process execution records, command-line arguments, parent process context, user identity, session source, script interpreter activity, and host role. Detection should focus on context and combinations, not the presence of these commands alone, because they are common in legitimate administration and automation.

Likely telemetry

  • Linux process execution events with command-line arguments
  • Parent/child process relationships for shells, terminals, and script interpreters
  • User, UID, privilege, and login/session context
  • Host identity, asset criticality, and server role metadata
  • Script execution records where available

Detection direction

  • Confirm Linux endpoint telemetry captures the named commands and their arguments, not only process names.
  • Tune detections around unusual users, unexpected hosts, uncommon parent processes, privileged sessions, or bursts of multiple enumeration commands.
  • Baseline legitimate administrative scripts, monitoring agents, configuration management jobs, and troubleshooting workflows to reduce false positives.
  • Correlate enumeration with nearby authentication, remote access, shell, or script execution events for investigative value.
  • Document blind spots where command-line logging, process ancestry, or terminal/session attribution is unavailable.
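As an added illustration, not part of the MITRE object or Glexia's analysis, the Python sketch below applies the burst and baseline ideas from the list above to constructed process-execution records: it counts distinct AN1453 commands per (host, user, session) within a sliding window and skips parents on an assumed allow-list. The event fields, hostnames, and the allow-listed parent paths are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Commands named by AN1453; 'cat' only counts when it reads /etc/os-release.
ENUM_CMDS = {"uname", "df", "uptime", "hostname", "lscpu"}
# Constructed baseline (assumption): parents that run inventory commands on a schedule.
BASELINE_PARENTS = {"/usr/bin/node_exporter", "/opt/puppetlabs/bin/puppet"}

def enum_command(cmdline):
    """Return the enumeration command a command line runs, or None."""
    argv = cmdline.split()
    exe = argv[0].rsplit("/", 1)[-1] if argv else ""
    if exe in ENUM_CMDS:
        return exe
    return "cat /etc/os-release" if exe == "cat" and "/etc/os-release" in argv[1:] else None

def find_bursts(events, window_s=60, threshold=3):
    """Flag (host, user, session) keys that run >= threshold distinct enumeration
    commands within window_s seconds from a parent outside the baseline."""
    by_key = defaultdict(list)
    for e in events:
        cmd = enum_command(e["cmdline"])
        if cmd and e["parent"] not in BASELINE_PARENTS:
            key = (e["host"], e["user"], e["session"])
            by_key[key].append((datetime.fromisoformat(e["ts"]), cmd))
    findings = []
    for (host, user, session), rows in by_key.items():
        rows.sort()  # chronological order per session
        for i, (t0, _) in enumerate(rows):
            cmds = sorted({c for t, c in rows[i:] if (t - t0).total_seconds() <= window_s})
            if len(cmds) >= threshold:
                findings.append({"host": host, "user": user, "session": session,
                                 "first_seen": t0.isoformat(), "commands": cmds})
                break  # one finding per session is enough for triage
    return findings

def ev(ts, host, user, session, parent, cmdline):
    return {"ts": ts, "host": host, "user": user, "session": session,
            "parent": parent, "cmdline": cmdline}

# Constructed sample process-execution records (not real telemetry).
SAMPLE_EVENTS = [
    ev("2025-01-10T02:14:05", "web01", "deploy", "ssh:4411", "/bin/bash", "uname -a"),
    ev("2025-01-10T02:14:09", "web01", "deploy", "ssh:4411", "/bin/bash", "cat /etc/os-release"),
    ev("2025-01-10T02:14:20", "web01", "deploy", "ssh:4411", "/bin/bash", "lscpu"),
    ev("2025-01-10T02:14:31", "web01", "deploy", "ssh:4411", "/bin/bash", "df -h /"),
    ev("2025-01-10T02:15:00", "db01", "prometheus", "cron", "/usr/bin/node_exporter", "uname -r"),
    ev("2025-01-10T02:15:00", "db01", "prometheus", "cron", "/usr/bin/node_exporter", "df -P"),
    ev("2025-01-10T02:15:00", "db01", "prometheus", "cron", "/usr/bin/node_exporter", "uptime"),
]
```

Running `find_bursts(SAMPLE_EVENTS)` flags only the interactive ssh session on web01; the node_exporter run on db01 executes the same number of commands but is suppressed by the baseline.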

Mitigation priorities

  • Prioritize reliable Linux process and command-line logging on critical systems.
  • Restrict and monitor privileged access paths used for interactive administration.
  • Maintain approved administrative baselines so routine inventory and health-check activity can be distinguished from unusual enumeration.
  • Use least privilege and account governance to reduce unnecessary interactive access to sensitive Linux hosts.
  • Ensure incident response playbooks preserve process, user, session, and host-context evidence when enumeration activity is observed.

Analyst notes and limits

This object is best used as a telemetry and detection-engineering checkpoint. The commands listed are normal Linux utilities, so high-fidelity use depends on local baselines, asset criticality, user context, and correlation with surrounding activity.

The official object provides a description but no detection logic, tactic mapping, relationships, aliases, or external context beyond the MITRE reference. No active exploitation, attribution, impact, or guaranteed coverage should be inferred from this object alone.

Official MITRE ATT&CK definition

Analytic 1453

Execution of system enumeration commands such as `uname`, `df`, `uptime`, `hostname`, `lscpu`, and `cat /etc/os-release` through local terminal or scripts.

The same entry is available on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. Where Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: ef14eb1721f98112...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | ef14eb1721f9…

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1453 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.