AN1576: Analytic 1576

Detects creation or modification of `systemd` service units, addition of cron jobs that invoke binaries on boot, or suspicious writes to `/etc/init.d/`. Monitors `chmod +x` and `systemctl` execution paths, especially from non-root parent processes.

EnterpriseAN1576AnalyticObject v1.0 Modified Oct 21, 2025, 15:10 UTC (UTC+00:00)

Analytic 1576 is a Linux-focused detection analytic for changes to boot/startup mechanisms such as systemd service units, cron jobs that run binaries at boot, and writes under /etc/init.d/. Its business value is in validating whether the organization can notice unauthorized changes that may survive reboots and affect operational resilience.

Executive priority

Prioritize this where Linux systems support critical services, regulated workloads, or incident recovery objectives. Leaders should ask whether startup configuration changes are centrally logged, reviewed, and tied to change-control evidence, because missed unauthorized boot-time execution can complicate containment and recovery.

Technical view

SOC and detection teams should validate visibility into Linux file creation/modification for systemd unit locations, cron configuration, and /etc/init.d/, plus process execution for chmod +x and systemctl. The supplied analytic specifically highlights attention to these execution paths when launched from non-root parent processes, so detections should preserve parent/child process context and user context.

Likely telemetry

Linux file creation and modification events for systemd service unit paths
Cron job creation or modification events, especially entries invoking binaries on boot
Writes to /etc/init.d/
Process execution telemetry for chmod +x
Process execution telemetry for systemctl

Detection direction

Confirm telemetry coverage on Linux hosts; this analytic does not apply to other platforms in the supplied object.
Tune for unauthorized or unusual creation/modification of service units, cron boot entries, and /etc/init.d/ writes rather than expected administrative maintenance.
Correlate file changes with chmod +x and systemctl execution to separate routine package/service administration from suspicious startup persistence patterns.
Pay special attention to non-root parent processes as noted in the official description, while validating local false positives from automation, configuration management, and deployment tooling.
Ensure detections retain enough context for IR: actor user, parent process, command line, file path, timestamp, and host role.

Mitigation priorities

Establish change control and review for Linux startup mechanisms: systemd units, cron entries, and init scripts.
Restrict write access to startup configuration paths to authorized administrative workflows.
Use centralized logging or file-integrity monitoring so changes survive local log tampering or host loss.
Baseline legitimate service-management activity from package managers, administrators, and automation tools to improve alert quality.
Include these artifacts in incident response collection and recovery validation after Linux host compromise.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a technique or procedure, and no relationship context was provided. The strongest use is as a coverage-validation checklist for Linux startup-change monitoring and triage context.

Official detection logic, tactic mapping, relationships, and detailed data source mappings were not supplied. Local path conventions, systemd locations, cron usage, administrative tooling, and logging configuration must be validated in the environment before assessing coverage or alert fidelity.

Official MITRE ATT&CK definition

Analytic 1576

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Raw hash: 32630e04ae5e1f03...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Oct 21, 2025, 15:10 UTC (UTC+00:00)	Current bundle	`32630e04ae5e…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN1576
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use