Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0456: Analytic 0456

Chain: (1) interactive/non-interactive `chage -l`, `grep`/`cat` of PAM config (e.g., `/etc/pam.d/common-password`, `/etc/security/pwquality.conf`); (2) optional reads of `/etc/login.defs`; (3) same user performs account enumeration or password change attempts shortly after. Use auditd `execve` and file read events plus shell history collection.

EnterpriseAN0456AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN0456 is a Linux detection analytic focused on a suspicious sequence: a user checks password aging or password policy configuration, optionally reviews login defaults, and then soon after enumerates accounts or attempts password changes. For leaders, the value is not the individual commands themselves—administrators may run them legitimately—but the combination can indicate preparation for identity abuse or account manipulation on Linux systems.

Executive priority

Prioritize this analytic where Linux systems support critical operations, privileged administration, regulated workloads, or shared infrastructure. It helps validate whether the organization can see early identity-policy reconnaissance before account changes occur. The business decision is whether audit logging, shell history, and file-read visibility are sufficient to support incident response, privileged access review, and compliance evidence around Linux account governance.

Technical view

Validate this analytic on Linux using the supplied chain logic: execution of password aging or policy inspection commands, reads of PAM or password-quality configuration files, optional reads of login defaults, followed shortly by account enumeration or password change attempts by the same user. Because no official detection logic is supplied, SOC teams should define local time windows, user correlation, and allowlisting for expected administrative activity. Incident responders should treat matches as context for account-control investigation rather than as standalone proof of compromise.

Likely telemetry

  • Linux auditd execve events for relevant command execution
  • Linux file read events for PAM, password quality, and login defaults configuration files
  • Shell history collection where available and reliable
  • User identity context tying command execution and file reads to the same account
  • Events showing subsequent account enumeration or password change attempts

Detection direction

  • Correlate policy inspection activity with later account enumeration or password change attempts by the same user rather than alerting on single benign commands alone.
  • Tune for legitimate system administration, compliance checks, and password-policy troubleshooting to reduce false positives.
  • Validate whether auditd captures both command execution and file-read events on in-scope Linux systems.
  • Check whether shell history is collected, protected from tampering, and consistently available for both interactive and non-interactive sessions.
  • Define a practical “shortly after” correlation window using local administrative patterns and incident response needs.

Mitigation priorities

  • Ensure Linux audit policy supports command execution and sensitive configuration file-read visibility for systems where account governance matters.
  • Restrict and monitor privileged account management capabilities according to least privilege and operational need.
  • Maintain approved administrative procedures for password-policy review and account changes so detections can distinguish expected from unusual behavior.
  • Protect and retain relevant logs, including auditd and shell history where used, for investigation and compliance evidence.
  • Review PAM, password quality, and login defaults configuration management so unauthorized changes or suspicious review activity can be investigated in context.
Analyst notes and limits

This is a detection analytic object, not a technique description. Its practical value is in correlation: password-policy discovery followed by account-focused activity from the same Linux user. The absence of official detection logic means each environment must define command patterns, file paths, timing, and administrative exceptions locally.

The supplied object has no tactics, no official detection text, and no relationship context. It supports Linux only. It does not by itself establish malicious intent, attribution, impact, or active exploitation. Coverage depends on local auditd configuration, file-read visibility, shell history availability, and identity correlation quality.

Official MITRE ATT&CK definition

Analytic 0456

Chain: (1) interactive/non-interactive `chage -l`, `grep`/`cat` of PAM config (e.g., `/etc/pam.d/common-password`, `/etc/security/pwquality.conf`); (2) optional reads of `/etc/login.defs`; (3) same user performs account enumeration or password change attempts shortly after. Use auditd `execve` and file read events plus shell history collection.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
b9a9f5fb3c9af566...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle b9a9f5fb3c9a…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0456
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use