MITRE ATT&CK® Analytic

AN0069: Analytic 0069

Detects unauthorized access, copying, or modification of Kerberos ccache files (krb5cc_%UID% or krb5.ccache) in /tmp or custom paths defined by KRB5CCNAME. Correlates file access with suspicious processes (e.g., credential dumping tools) and subsequent anomalous Kerberos authentication requests from non-standard processes.

Domain: Enterprise | ID: AN0069 | Type: Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

AN0069 is a Linux detection analytic focused on Kerberos credential cache files, such as krb5cc_%UID% or krb5.ccache, in /tmp or paths defined by KRB5CCNAME. Its business value is that Kerberos cache access can affect identity trust and lateral authentication decisions: if these files are accessed, copied, or modified outside expected behavior, defenders need enough file, process, and authentication evidence to decide whether it is benign administration, application behavior, or a credential-security incident.

Executive priority

Prioritize this analytic where Linux systems use Kerberos for access to business-critical services. Leaders should ask whether SOC and IR teams can prove who accessed Kerberos cache files, from which process, and whether unusual Kerberos authentication followed. This supports identity incident response readiness, audit evidence for privileged access monitoring, and control prioritization around Linux endpoint logging and Kerberos authentication visibility.

Technical view

For Linux environments, validate monitoring for unauthorized access, copying, or modification of Kerberos ccache files in /tmp and in custom locations referenced by KRB5CCNAME. Correlate file activity with process context, especially suspicious or non-standard processes, and then look for anomalous Kerberos authentication requests from processes that do not normally initiate them. Because ATT&CK provides no separate detection logic for this object, teams should define local baselines for expected Kerberos cache access by users, services, and administrative tools.

Likely telemetry

  • Linux file access and modification events for /tmp/krb5cc_%UID%, krb5.ccache, and KRB5CCNAME-defined paths
  • Process execution and parent/child process context on Linux hosts
  • Environment variable visibility where KRB5CCNAME may define custom credential cache paths
  • Kerberos authentication request logs or equivalent identity-provider/KDC telemetry
  • User, UID, host, timestamp, and command-line context for correlation

Detection direction

  • Confirm that file monitoring covers both default /tmp cache names and custom KRB5CCNAME paths; default-only coverage may miss material activity.
  • Correlate ccache file access with the responsible process, user, and parent process rather than alerting on path access alone.
  • Tune for known Kerberos-aware applications, login/session managers, and administrative workflows to reduce false positives.
  • Investigate cases where non-standard processes access ccache files and are followed by unusual Kerberos authentication requests.
  • Document visibility gaps where Linux endpoint telemetry, environment variables, or Kerberos authentication logs are unavailable.
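The technical view and the detection direction above describe one correlation: a ccache file access, the process and parent that performed it, a local baseline of processes expected to touch ccache files, and any Kerberos request that follows from a non-baseline process on the same host. The block below is an added example that is not part of the ATT&CK object or of Glexia's analysis; it runs that correlation over a few constructed key=value event lines (the log format, the `BASELINE_PROCESSES` set, the ten-minute window and the host/process names are all assumptions standing in for real endpoint and KDC telemetry). It also honours KRB5CCNAME by treating a path named in a process's environment as a ccache location, so custom paths are not missed by default-only coverage.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Local baseline (assumption): processes that legitimately touch ccache files.
# ATT&CK supplies no such list; tune it from your own environment.
BASELINE_PROCESSES = {"kinit", "klist", "kdestroy", "sssd_be", "sssd_pam", "sshd", "gssproxy"}

@dataclass
class FileEvent:
    ts: datetime
    host: str
    uid: int
    path: str
    action: str                      # open / copy / modify
    process: str
    parent: str
    cmdline: str
    krb5ccname: Optional[str] = None  # KRB5CCNAME seen in the process environment, if any

@dataclass
class AuthEvent:
    ts: datetime
    host: str
    uid: int
    process: str
    principal: str
    request: str                     # AS-REQ / TGS-REQ

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Parse one constructed key=value event line into a FileEvent or AuthEvent."""
    ts_str, rest = line.split(" ", 1)
    kv = {k: v.strip('"') for k, v in _KV.findall(rest)}
    ts = datetime.fromisoformat(ts_str)
    if kv["type"] == "file":
        return FileEvent(ts, kv["host"], int(kv["uid"]), kv["path"], kv["action"],
                         kv["proc"], kv["pproc"], kv["cmd"], kv.get("krb5ccname"))
    return AuthEvent(ts, kv["host"], int(kv["uid"]), kv["proc"], kv["principal"], kv["req"])

def ccache_path_from_env(value):
    """KRB5CCNAME may carry a cache-type prefix (FILE:/path, DIR:/path); return the path part."""
    if not value:
        return None
    m = re.match(r"^(?:FILE|DIR):(.*)$", value)
    return m.group(1) if m else value

def is_ccache_path(path, custom_paths):
    """Default names (/tmp/krb5cc_<uid>[_suffix], krb5.ccache) or a path named by KRB5CCNAME."""
    name = path.rsplit("/", 1)[-1]
    if re.fullmatch(r"krb5cc_\d+(?:_\w+)?", name) and path.startswith("/tmp/"):
        return True
    return name == "krb5.ccache" or path in custom_paths

def correlate(events, window=timedelta(minutes=10)):
    """Flag ccache access by non-baseline processes; raise severity when a Kerberos
    request from a non-baseline process follows on the same host within the window."""
    files = [e for e in events if isinstance(e, FileEvent)]
    auths = [e for e in events if isinstance(e, AuthEvent)]
    custom = {p for p in (ccache_path_from_env(f.krb5ccname) for f in files) if p}
    findings = []
    for fe in sorted(files, key=lambda e: e.ts):
        if not is_ccache_path(fe.path, custom) or fe.process in BASELINE_PROCESSES:
            continue  # not a ccache path, or expected access tuned out by the baseline
        followups = [a for a in auths
                     if a.host == fe.host and fe.ts <= a.ts <= fe.ts + window
                     and a.process not in BASELINE_PROCESSES]
        findings.append({
            "severity": "high" if followups else "medium",
            "host": fe.host, "uid": fe.uid, "path": fe.path, "action": fe.action,
            "process": fe.process, "parent": fe.parent, "cmdline": fe.cmdline,
            "followup_auth": [(a.process, a.principal, a.request) for a in followups],
        })
    return findings

# Constructed sample telemetry (not real logs): file events and Kerberos request events.
SAMPLE_LOG = """\
2024-05-01T10:00:01 type=file host=web01 uid=1000 path=/tmp/krb5cc_1000 action=open proc=sssd_be pproc=sssd cmd="/usr/libexec/sssd/sssd_be"
2024-05-01T10:02:10 type=file host=web01 uid=1000 path=/tmp/krb5cc_1000 action=copy proc=cp pproc=bash cmd="cp /tmp/krb5cc_1000 /home/u/cc"
2024-05-01T10:03:05 type=auth host=web01 uid=1000 proc=python3 principal=svc-web@EXAMPLE.COM req=TGS-REQ
2024-05-01T10:10:00 type=file host=db01 uid=0 path=/var/lib/app/krb5.ccache action=open proc=kinit pproc=cron cmd="kinit -k -t /etc/app.keytab"
2024-05-01T10:12:00 type=file host=db01 uid=1001 path=/opt/app/cache/tkt action=open proc=python3 pproc=bash cmd="python3 /home/u/x.py" krb5ccname=FILE:/opt/app/cache/tkt
2024-05-01T10:13:00 type=file host=db01 uid=1001 path=/opt/app/cache/other action=open proc=python3 pproc=bash cmd="python3 /home/u/x.py"
2024-05-01T10:30:00 type=auth host=db01 uid=1001 proc=sshd principal=u@EXAMPLE.COM req=AS-REQ
"""

def run_sample():
    return correlate([parse_line(ln) for ln in SAMPLE_LOG.splitlines() if ln.strip()])

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample, the sssd_be and kinit accesses are tuned out by the baseline, the `cp` of /tmp/krb5cc_1000 followed three minutes later by a TGS-REQ from python3 on the same host becomes a high-severity finding carrying process, parent and command line, and the python3 read of the KRB5CCNAME path is reported at medium severity because no non-baseline Kerberos request follows it inside the window. The baseline set is where most tuning effort goes in practice; widening the window raises recall at the cost of more benign pairings.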

Mitigation priorities

  • Establish ownership and permission expectations for Kerberos cache files on Linux systems.
  • Reduce unnecessary access to Kerberos cache locations and limit exposure of custom cache paths where operationally feasible.
  • Ensure endpoint and authentication logging are retained long enough to support incident reconstruction.
  • Include Kerberos ccache access scenarios in identity incident response playbooks and SOC triage procedures.
  • Use local baselines to distinguish normal Kerberos-dependent service behavior from unusual process-driven access.

Analyst notes and limits

This object is a detection analytic, not a technique, and it has no supplied tactic or relationship context. The available description points to Linux Kerberos ccache monitoring and correlation with suspicious processes and anomalous Kerberos authentication. Glexia’s recommended use is as a validation checklist for identity-aware Linux endpoint detection and incident response readiness.

The official ATT&CK fields do not provide detection pseudocode, data source mappings, tactic context, related techniques, or examples. Local environment knowledge is required to identify legitimate Kerberos cache access patterns, expected processes, and available KDC or endpoint telemetry.

Official MITRE ATT&CK definition

Analytic 0069

Detects unauthorized access, copying, or modification of Kerberos ccache files (krb5cc_%UID% or krb5.ccache) in /tmp or custom paths defined by KRB5CCNAME. Correlates file access with suspicious processes (e.g., credential dumping tools) and subsequent anomalous Kerberos authentication requests from non-standard processes.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 42852229de227da5...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 42852229de22…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0069

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.