AN0157: Analytic 0157
Detects adversaries attempting to attach debuggers or memory dump utilities to credential storage daemons analogous to macOS `securityd`. Observes ptrace syscalls, /proc/
Analyst context for executives and security teams
This analytic matters because it focuses on attempts to inspect or dump memory from sensitive credential-handling processes on Linux. For leaders, the practical issue is not the specific tool name; it is whether the organization can see when privileged activity is directed at processes that may hold authentication material, before that activity becomes broader identity compromise or incident response uncertainty.
Executive priority
Prioritize this as an identity and incident-readiness control validation for Linux environments. Executives should ask whether SOC and IR teams can prove they collect the host telemetry needed to identify debugger attachment, direct process memory access, or core dump activity against sensitive daemons. Because ATT&CK provides no official detection logic or relationship context here, this should be treated as a coverage assessment and tuning opportunity rather than evidence of current exposure or confirmed adversary use.
Technical view
For SOC, detection engineering, and IR teams, validate Linux visibility around ptrace syscalls, access to /proc/<pid>/mem, and gcore-style memory dump activity involving credential storage or other sensitive processes. Correlate these events with privilege escalation indicators or credential dumping investigations when available. Since tactics are not specified and no detection query is provided, teams should define the local process inventory, identify which daemons are sensitive, and tune detections against approved debugging, support, crash analysis, or forensic workflows.
Likely telemetry
- Linux syscall telemetry, especially ptrace-related activity
- File access telemetry for /proc/<pid>/mem
- Process execution telemetry for memory dump or core dump utilities
- Process lineage and user context for privileged activity
- Asset and process inventory identifying sensitive credential-handling daemons
Detection direction
- Confirm that Linux endpoint or audit telemetry captures debugger attachment and process memory access events with user, process, target process, and command context.
- Build or validate logic that flags ptrace, /proc/<pid>/mem access, or core dump activity when the target is a sensitive credential-handling daemon.
- Tune for known administrative, diagnostic, crash handling, and incident response activity to reduce false positives.
- Correlate with privilege escalation or credential dumping signals, but do not require that correlation if the target process is highly sensitive.
- Document blind spots where containerized systems, minimal Linux builds, logging exclusions, or insufficient syscall auditing prevent visibility.
Mitigation priorities
- Maintain an inventory of Linux systems and sensitive credential-related processes that require heightened monitoring.
- Restrict unnecessary privileged access and debugging capability on production systems where operationally feasible.
- Review administrative procedures for legitimate debugging, crash dump, and forensic collection so detections can distinguish approved activity from anomalous behavior.
- Ensure SOC and IR playbooks include triage steps for suspicious memory access against sensitive processes.
- Use this analytic as compliance and readiness evidence only where telemetry collection, alert logic, and response procedures are actually implemented and tested.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Linux, identified as AN0157, describing observation of ptrace syscalls, /proc/<pid>/mem access, and gcore dumps against sensitive processes. No official detection query, tactic mapping, aliases, labels, or relationship context were supplied. Local process knowledge is therefore essential to make the analytic actionable.
This take is limited to the official STIX fields, external reference, and empty relationship context supplied. It does not establish adversary attribution, active exploitation, business impact, or guaranteed detection coverage. The object references credential storage daemons analogous to macOS securityd, but the supplied platform is Linux, so coverage should be scoped to Linux environments.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 51084a85e338… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0157
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.