MITRE ATT&CK® Analytic

AN1463: Analytic 1463

Execution of user-downloaded or created scripts with hidden extensions due to RTLO character insertion in filename, often present in desktop environments or phishing campaigns.

Enterprise · AN1463 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic highlights a Linux-focused deception pattern where a script’s true extension may be hidden by right-to-left override (RTLO) characters in the filename. For leaders, the practical issue is not the filename trick itself, but whether users, desktop workflows, email/download controls, and SOC visibility can distinguish a harmless-looking downloaded file from an executable script before or during execution.

Executive priority

Prioritize this as a user-execution and phishing-adjacent resilience question for Linux desktop environments. Security leaders should ask whether controls and monitoring cover downloaded or user-created scripts, Unicode filename abuse, and execution from user-writable locations. The decision value is in validating endpoint telemetry, user awareness, file-handling policy, and incident response evidence rather than assuming file extensions are reliable indicators of risk.

Technical view

ATT&CK provides a Linux platform scope and describes execution of user-downloaded or created scripts with hidden extensions caused by RTLO character insertion. No official detection logic or tactic mapping is supplied, so SOC teams should validate whether Linux endpoint logging can preserve and search full Unicode filenames, file paths, interpreter execution, and parent-child process context for scripts launched from desktop, download, temporary, or other user-writable directories.

Likely telemetry

  • Linux process execution telemetry, including command line, parent process, user, working directory, and interpreter name
  • File creation and modification events for user-writable locations such as Downloads, Desktop, temporary directories, and home directories
  • Filename metadata that preserves Unicode control characters, including RTLO, without normalization loss
  • Email, browser, or download telemetry showing file arrival or user interaction where available
  • Endpoint alert and audit logs showing script execution permissions or interpreter invocation

Detection direction

  • Validate that telemetry pipelines retain Unicode control characters in filenames rather than stripping, normalizing, or rendering them invisibly.
  • Look for script interpreter execution from user-writable directories where the displayed filename may differ from the underlying filename or extension.
  • Tune detections to reduce noise from legitimate localized filenames or development activity by using context such as file origin, directory, parent process, and user role.
  • Confirm whether Linux desktop systems are in monitoring scope; server-only endpoint coverage may miss this behavior.
  • Because ATT&CK provides no official detection content for AN1463, treat any rule development as locally validated engineering work rather than ATT&CK-provided coverage.
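The telemetry and detection direction above, as an added example that is not part of the ATT&CK object or of Glexia's analysis: a small Python classifier run over constructed execve-style records that flags script-interpreter execution from user-writable paths whose filename carries a Unicode bidirectional control, and reports how the name would be displayed versus its real extension. The record shape, the interpreter list and the user-writable prefixes are assumptions, and the display rendering is a deliberate approximation of a naive file manager.

```python
import os

# Unicode bidirectional controls that can reorder how a filename is displayed (U+202A-202E, U+2066-2069).
BIDI_CONTROLS = {"\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
                 "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI"}
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python3", "perl", "ruby"}   # assumed list, tune locally
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")           # assumed in-scope prefixes

def approximate_display(name):
    """Approximate a naive renderer: text after RLO (U+202E) is shown reversed up to PDF (U+202C) or end."""
    out, i = [], 0
    while i < len(name):
        if name[i] == "\u202e":
            end = (name + "\u202c").find("\u202c", i + 1)   # existing PDF, or the appended sentinel at len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            if name[i] not in BIDI_CONTROLS:   # other bidi controls are invisible, so drop them
                out.append(name[i])
            i += 1
    return "".join(out)

def classify_event(event):
    """Flag an execve-style record when an interpreter runs a script with bidi controls in its name from a user-writable path."""
    interp, argv = os.path.basename(event["exe"]), event["argv"]
    if interp not in INTERPRETERS or len(argv) < 2:
        return None
    path = os.path.join(event["cwd"], argv[1])        # join() keeps an absolute argv[1] unchanged
    name = os.path.basename(path)
    controls = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
    if not controls or not path.startswith(USER_WRITABLE):
        return None                                   # no bidi control, or outside the monitored directories
    shown = approximate_display(name)
    return {"pid": event["pid"], "user": event["user"], "interpreter": interp,
            "actual_name": name, "displayed_as": shown, "controls": controls,
            "actual_ext": os.path.splitext(name)[1], "displayed_ext": os.path.splitext(shown)[1]}

# Constructed sample records in a normalized execve-style shape (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4101, "user": "alice", "exe": "/usr/bin/bash", "cwd": "/home/alice/Downloads",
     "argv": ["bash", "invoice\u202efdp.sh"]},                  # RLO makes the .sh file look like a .pdf
    {"pid": 4102, "user": "bob", "exe": "/usr/bin/python3", "cwd": "/home/bob/dev",
     "argv": ["python3", "donn\u00e9es.py"]},                   # localized name, no bidi controls: not flagged
    {"pid": 4103, "user": "root", "exe": "/usr/bin/bash", "cwd": "/",
     "argv": ["bash", "/opt/tools/backup\u202ehs.sh"]},         # bidi control but outside user-writable scope
]

def scan(events):
    return [hit for hit in map(classify_event, events) if hit]   # only the flagged findings
```

The scan keeps the raw filename (with its control characters) in the finding, which is the field an analyst needs to preserve rather than the rendered form.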

Mitigation priorities

  • Reduce reliance on visible file extensions by enforcing safer handling of downloaded files and scripts in Linux desktop workflows.
  • Limit unnecessary script execution from user-writable directories where operationally feasible.
  • Ensure endpoint controls and audit policies capture interpreter execution and file-origin context.
  • Train users and help desk teams that filenames can be visually deceptive, especially where Unicode control characters are involved.
  • Include Unicode filename preservation and review steps in incident response collection procedures.

Analyst notes and limits

AN1463 is a detection analytic object for enterprise ATT&CK release 19.1. The supplied object is specific to Linux and describes RTLO-based hidden script extensions in user-downloaded or created files, often in desktop environments or phishing campaigns. No relationships, tactic mapping, aliases, or official detection text were supplied, so this take focuses on validation questions and telemetry requirements rather than a specific detection rule.

This assessment is constrained to the supplied ATT&CK fields and external reference. It does not establish active exploitation, actor attribution, impact, prevalence, or guaranteed detectability. Local environment evidence is required to determine whether Linux desktop systems, Unicode filename handling, download sources, and script execution telemetry are adequately covered.

Official MITRE ATT&CK definition

Analytic 1463

Execution of user-downloaded or created scripts with hidden extensions due to RTLO character insertion in filename, often present in desktop environments or phishing campaigns.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: e2edef7549d31266...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | e2edef7549d3…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1463 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.