MITRE ATT&CK® Analytic

AN1459: Analytic 1459

Detects adversarial archiving activity through invocation of utilities like tar, gzip, bzip2, or openssl used in non-administrative or unusual contexts. Correlates command execution patterns with file creation of compressed/encrypted outputs in staging directories (e.g., /tmp, /var/tmp).

Domain: Enterprise | ID: AN1459 | Type: Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because Linux archiving and encryption utilities can turn scattered files into portable staging artifacts before movement or exfiltration. For leaders, the decision value is whether the organization can distinguish normal administrative compression from unusual archive creation in temporary directories such as /tmp and /var/tmp.

Executive priority

Prioritize this as a validation point for Linux SOC visibility and incident response readiness, especially on servers where sensitive data may be staged. The business question is not whether tar, gzip, bzip2, or openssl are present—they commonly are—but whether teams can prove they collect enough process and file telemetry to identify unusual, non-administrative archive or encrypted-output creation.

Technical view

For Linux environments, validate detections that correlate command execution of tar, gzip, bzip2, or openssl with creation of compressed or encrypted outputs in staging paths such as /tmp and /var/tmp. Because no ATT&CK tactic or detailed detection logic is supplied, treat this as a detection engineering prompt rather than a complete rule. Baseline expected administrative, backup, packaging, and application behaviors before escalating alerts.

Likely telemetry

  • Linux process execution events with command line arguments
  • Parent/child process context for archive or encryption utilities
  • File creation events for compressed or encrypted outputs
  • File path telemetry for staging locations such as /tmp and /var/tmp
  • User/account context distinguishing administrative from unusual execution contexts

Detection direction

  • Correlate archive/encryption utility execution with near-time creation of compressed or encrypted files in temporary directories.
  • Tune for local administrative jobs, backup workflows, package/build processes, and application-generated archives to reduce false positives.
  • Review executions by unexpected users, service accounts, shells, or processes that do not normally perform archiving.
  • Validate that telemetry includes command line, output path, user, parent process, and host role; without these fields, this analytic will be difficult to operationalize.
  • Use this analytic as part of broader staging/exfiltration triage, but do not infer exfiltration from archive creation alone.
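The correlation described above, as an added example that is not part of the MITRE object or Glexia's own tooling: it joins constructed process-execution and file-creation events on host and time, flags tar/gzip/bzip2/openssl runs that are followed within a short window by a compressed or encrypted output under /tmp or /var/tmp, and suppresses executions whose parent is a locally baselined scheduler or backup agent. The baseline parent set, the output extensions and the 60-second window are assumptions to be tuned per environment.

```python
import re
from datetime import datetime, timedelta

ARCHIVERS = {"tar", "gzip", "bzip2", "openssl"}
STAGING_DIRS = ("/tmp/", "/var/tmp/")
OUTPUT_RE = re.compile(r"\.(tar|tgz|gz|bz2|tbz2|enc|aes)$")
# Assumed local baseline: parents that legitimately archive on this host class.
BASELINE_PARENTS = {"cron", "backup-agent"}
WINDOW = timedelta(seconds=60)  # assumed correlation window

# Constructed sample telemetry, not real logs: one scheduled backup, one unusual run.
PROCESS_EVENTS = [
    {"ts": "2024-05-01T02:00:00", "host": "db01", "user": "root", "parent": "cron",
     "image": "tar", "cmdline": "tar czf /var/tmp/db-backup.tgz /var/lib/pgsql"},
    {"ts": "2024-05-01T14:12:03", "host": "web02", "user": "www-data", "parent": "bash",
     "image": "tar", "cmdline": "tar czf /tmp/.cache.tgz /var/www/html/uploads"},
    {"ts": "2024-05-01T14:12:40", "host": "web02", "user": "www-data", "parent": "bash",
     "image": "openssl", "cmdline": "openssl enc -aes-256-cbc -in /tmp/.cache.tgz -out /tmp/.cache.enc"},
]
FILE_EVENTS = [
    {"ts": "2024-05-01T02:00:09", "host": "db01", "path": "/var/tmp/db-backup.tgz"},
    {"ts": "2024-05-01T14:12:05", "host": "web02", "path": "/tmp/.cache.tgz"},
    {"ts": "2024-05-01T14:12:41", "host": "web02", "path": "/tmp/.cache.enc"},
]

def _t(s):
    return datetime.fromisoformat(s)

def is_staged_output(path):
    """True for a compressed/encrypted-looking file created under a staging directory."""
    return path.startswith(STAGING_DIRS) and bool(OUTPUT_RE.search(path))

def correlate(process_events, file_events):
    """One alert per non-baseline archiver execution that is followed, within WINDOW
    on the same host, by creation of a compressed/encrypted file in a staging dir."""
    alerts = []
    for p in process_events:
        if p["image"] not in ARCHIVERS or p["parent"] in BASELINE_PARENTS:
            continue  # not an archiver, or covered by the local baseline
        start = _t(p["ts"])
        for f in file_events:
            if f["host"] != p["host"] or not is_staged_output(f["path"]):
                continue
            if start <= _t(f["ts"]) <= start + WINDOW:
                alerts.append({"host": p["host"], "user": p["user"], "image": p["image"],
                               "cmdline": p["cmdline"], "output": f["path"]})
                break  # the output path is the link; one alert per execution
    return alerts
```

The scheduled root/cron backup on db01 is suppressed by the baseline, while both www-data executions on web02 are linked to their staged outputs; in production the same join would run over EDR process and file events carrying user, parent and host-role fields.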

Mitigation priorities

  • Establish approved administrative and backup archiving patterns for Linux systems so deviations can be assessed quickly.
  • Restrict unnecessary write access to shared or temporary staging locations where feasible.
  • Harden and monitor service accounts to reduce misuse of non-interactive or application contexts for archive creation.
  • Ensure incident response playbooks include rapid review of archive contents, ownership, timestamps, and related process history when suspicious staging is detected.
  • Maintain Linux endpoint logging coverage sufficient to support process and file correlation.

Analyst notes and limits

The supplied object is a MITRE detection analytic for Linux focused on adversarial-looking archive or encrypted-output creation using common utilities in unusual contexts. There are no supplied relationships, tactics, mitigations, or formal detection logic, so local baselining and telemetry validation are essential.

Official detection content is not provided, and no relationship context is supplied. This take does not claim active exploitation, attribution, impact, or guaranteed detection coverage. Applicability is limited to the supplied Linux platform field and the utilities and staging paths named in the object.

Official MITRE ATT&CK definition

Analytic 1459

Detects adversarial archiving activity through invocation of utilities like tar, gzip, bzip2, or openssl used in non-administrative or unusual contexts. Correlates command execution patterns with file creation of compressed/encrypted outputs in staging directories (e.g., /tmp, /var/tmp).

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: e62e08ea95c7d72a...

Imported snapshots across ATT&CK releases (1)

Release: 19.1 | Bundle imported: | Object version: 1.0 | Modified: | Status: Current bundle | Raw hash: e62e08ea95c7…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1459
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.