Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1529: Analytic 1529

Detects abnormal creation of binary files with significant size that are subsequently executed or accessed by non-standard users.

EnterpriseAN1529AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is valuable because unexpected large binary creation followed by execution or access by unusual users on Linux systems can be a strong signal that a host is being changed in a way normal administration processes do not explain. For leaders, the decision value is not the analytic name; it is whether the organization can prove it sees new executable content, knows which users should run it, and can quickly separate legitimate software deployment from suspicious activity.

Executive priority

Prioritize this as a Linux endpoint and server monitoring readiness question. It supports operational resilience and incident response by validating whether SOC teams can detect unusual executable file introduction and use, especially on systems that support critical applications. Executives should ask whether Linux file, process, and user telemetry is consistently collected, whether exceptions for approved software deployment are documented, and whether IR teams can rapidly identify the owner and business purpose of a newly created binary.

Technical view

AN1529 applies to Linux and focuses on abnormal creation of binary files of significant size that are later executed or accessed by non-standard users. Because no ATT&CK tactic or detailed detection logic is supplied, teams should treat this as a detection engineering pattern rather than a complete rule. Validate correlation across file creation events, file metadata such as size and path, process execution events, user identity, and local baseline of expected administrative or deployment activity. The key engineering question is whether the environment can distinguish approved package management, CI/CD, backup, monitoring, and administrator activity from unusual binary creation and access by users who do not normally interact with such files.

Likely telemetry

  • Linux file creation and modification events, including path, owner, permissions, size, and timestamp
  • Process execution telemetry showing command, executable path, parent process, user, and host
  • User and group context for local and domain-backed Linux accounts
  • File access telemetry where available, especially execution or read access by unusual users
  • Software deployment, package management, and administrative change records for allowlisting and triage context

Detection direction

  • Confirm that Linux endpoints and servers collect both file activity and process execution telemetry; either source alone may miss the full behavior described by the analytic.
  • Baseline normal binary creation locations, expected file sizes, service accounts, administrators, package managers, and deployment tools before alerting broadly.
  • Correlate newly created large binary files with subsequent execution or access by users that are unusual for the host, path, or application role.
  • Tune for common false positives such as patching, application releases, container or build activity, monitoring agents, and legitimate administrator maintenance.
  • Prioritize alerts on high-value servers, unusual paths, unexpected owners or permissions, and users without a clear operational reason to access the binary.

Mitigation priorities

  • Establish approved Linux software deployment and change-management paths so abnormal binary creation can be distinguished from authorized activity.
  • Restrict write and execute permissions in sensitive directories according to least privilege.
  • Ensure privileged and service accounts are reviewed so only expected users can create, access, or execute binaries on important systems.
  • Maintain endpoint logging and retention sufficient for IR teams to reconstruct file creation, access, and execution sequences.
  • Document approved exceptions for package managers, automation tools, and administrative workflows to reduce alert fatigue.
Analyst notes and limits

The object is a MITRE detection analytic, not a technique or campaign report. It provides a concise behavior description but no tactic mapping, relationship context, or official detection logic. Glexia’s interpretation therefore focuses on defensive validation: whether Linux file, process, and user telemetry can support the described correlation and whether operational baselines exist to make the alert actionable.

This take is limited to the supplied ATT&CK fields for AN1529. No active exploitation, adversary attribution, impact scenario, relationship context, or guaranteed detection capability is stated in the source data. Local environment baselines are required to define what counts as significant file size, abnormal creation, and non-standard users.

Official MITRE ATT&CK definition

Analytic 1529

Detects abnormal creation of binary files with significant size that are subsequently executed or accessed by non-standard users.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
db7deea9473bbc31...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle db7deea9473b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1529
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use