Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN2064: Analytic 2064

Detection identifies execution of scripts containing high concentrations of invisible Unicode characters followed by decoding or interpretation behaviors (e.g., base64 decode, eval) and subsequent process or network activity. Emphasis is placed on mismatch between file entropy/structure and execution output.

EnterpriseAN2064AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because scripts that hide logic with invisible Unicode characters can bypass casual review and create gaps between what a file appears to contain and what it does at runtime. For Linux environments, the business concern is not the Unicode characters alone, but the combination of suspicious script structure, decoding or interpretation behavior such as base64 decode or eval, and follow-on process or network activity that may indicate concealed execution.

Executive priority

Prioritize this as a validation point for SOC and incident response readiness where Linux servers, automation hosts, or developer-operated systems execute scripts. Leaders should ask whether the organization can prove it collects script content indicators, command execution evidence, process lineage, and network activity needed to investigate mismatches between script appearance and runtime behavior. This can support control prioritization, audit evidence for monitoring coverage, and faster incident decisions when suspicious scripts are found.

Technical view

For SOC, detection engineering, and IR teams, validate whether Linux telemetry can correlate three evidence areas: scripts with high concentrations of invisible Unicode characters, decoding or interpretation behaviors such as base64 decode or eval, and subsequent process or network activity. Because ATT&CK provides no concrete detection logic for this analytic, teams should treat it as a detection design requirement rather than a ready-to-deploy rule. Focus on correlating file characteristics with execution output and process/network outcomes, and tune carefully to avoid flagging benign internationalization, formatting, or generated-code use cases without suspicious execution behavior.

Likely telemetry

  • Linux process execution and command-line telemetry
  • Script file metadata and content inspection where legally and operationally appropriate
  • File entropy or structure analysis signals
  • Interpreter activity for shells or scripting runtimes
  • Evidence of decoding behavior such as base64 decode commands or libraries

Detection direction

  • Validate that monitoring can identify invisible Unicode character concentrations in scripts and correlate them with execution, rather than alerting on character presence alone.
  • Correlate suspicious script structure with decoding or interpretation behavior and then with child process creation or network activity.
  • Tune for false positives from legitimate Unicode usage, generated files, localization, or formatting artifacts by requiring behavioral context.
  • Review whether Linux endpoint logging captures full command lines, parent-child relationships, and network activity needed to reconstruct runtime behavior.
  • Because no ATT&CK detection logic or relationships are supplied, test coverage using local benign and suspicious samples rather than assuming vendor defaults cover this pattern.

Mitigation priorities

  • Establish secure script handling standards for Linux systems, including review of automation, deployment, and administrative scripts before execution in sensitive environments.
  • Restrict script execution paths and interpreter use where operationally feasible, especially on servers and automation hosts.
  • Improve logging and retention for Linux process, command-line, file, and network events so investigations can prove what a script did at runtime.
  • Use code review or scanning processes to flag unusual invisible character density and suspicious decoding or dynamic interpretation patterns.
  • Document monitoring coverage and exceptions for compliance and incident response readiness.
Analyst notes and limits

This object is a detection analytic, not a technique or procedure. It is scoped to Linux and describes a behavioral detection concept: hidden or unusual script content combined with decoding or interpretation and follow-on activity. No tactics, relationships, aliases, or detailed official detection logic were supplied, so the most useful action is coverage validation and local tuning.

The supplied ATT&CK fields do not include a concrete detection query, data source mapping, tactic, technique relationship, threat actor context, or evidence of active exploitation. Applicability beyond Linux is not supported by the object. Local environment data is required to determine prevalence, false positives, and operational risk.

Official MITRE ATT&CK definition

Analytic 2064

Detection identifies execution of scripts containing high concentrations of invisible Unicode characters followed by decoding or interpretation behaviors (e.g., base64 decode, eval) and subsequent process or network activity. Emphasis is placed on mismatch between file entropy/structure and execution output.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
4dd6f65501469181...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 4dd6f6550146…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN2064
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use