MITRE ATT&CK® Analytic

AN0591: Analytic 0591

Use of domain accounts via sssd or winbind for logon activity outside of typical patterns, especially on sensitive systems or with lateral movement tools.

Enterprise | AN0591 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN0591 is a Linux-focused detection analytic for unusual domain-account logons through sssd or winbind, especially on sensitive systems or in contexts that may indicate lateral movement. For leaders, the practical issue is whether domain identity use on Linux servers is visible enough to distinguish normal administration from potentially risky access patterns.

Executive priority

Prioritize this where Linux systems are domain-joined, support critical services, or are managed by shared administrative identities. The decision value is in validating identity visibility: can the organization prove who logged into sensitive Linux hosts, whether that access was normal, and whether SOC or IR teams can investigate quickly? This supports operational resilience, privileged-access governance, and audit evidence for access monitoring.

Technical view

SOC and detection teams should baseline domain-account logon activity on Linux systems that authenticate through sssd or winbind, then review deviations by user, host sensitivity, time of day, source address, and access pattern. Because the mirrored ATT&CK data for this analytic carries no detection logic or relationships, local implementation should start by confirming that Linux authentication events (the pam_sss and pam_winbind records in the host auth log) and the sssd/winbind service logs are collected, normalized, and correlated with host criticality and identity context.

Likely telemetry

  • Linux authentication logs (/var/log/secure, /var/log/auth.log, or the systemd journal) showing successful and failed logons
  • sssd service logs (/var/log/sssd/sssd_<domain>.log, sssd_pam.log) and the pam_sss authentication/session records in the auth log
  • winbind/Samba logs (log.winbindd and pam_winbind records) where winbind is used
  • PAM session activity (pam_unix session opened/closed) associated with domain users
  • Host inventory or asset criticality data identifying sensitive Linux systems

Detection direction

  • Establish normal domain-account logon patterns per Linux host, service role, user group, and administrative schedule.
  • Prioritize alerting on unusual domain-account use on sensitive systems rather than treating all logons equally.
  • Correlate logon anomalies with signs of lateral movement only where telemetry supports that context; do not assume maliciousness from a single login event.
  • Tune expected administrative, automation, and service-account activity to reduce false positives.
  • Validate whether sssd and winbind logs are actually forwarded and retained; a common blind spot is relying only on central identity logs without host-side Linux authentication detail.
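The baseline-and-deviation approach described in the technical view and the detection direction above, worked as an added example (this is not MITRE or Glexia code). It parses the two record shapes a domain logon leaves in the host auth log, pam_sss "authentication success/failure" lines and pam_winbind "granted access" lines, builds a per-host, per-account profile of logon hours and source addresses from a baseline window, and then scores later logons against that profile, raising severity on hosts listed as sensitive. The log lines, hostnames, accounts and addresses are constructed; SENSITIVE_HOSTS and the cutoff between baseline and detection windows are assumptions that would normally come from asset inventory and a much longer history.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed /var/log/secure-style lines (not from a real host). The message shapes
# are the standard pam_sss "authentication success/failure" and pam_winbind
# "granted access" records; note that pam_winbind's line carries no remote host.
SAMPLE_LOG = """\
Mar  3 09:02:11 web01 sshd[2210]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.5.20 user=alice@corp.example
Mar  3 09:15:40 web01 sshd[2244]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.5.20 user=alice@corp.example
Mar  4 10:05:03 web01 sshd[3101]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.5.20 user=alice@corp.example
Mar  5 08:45:12 db01 sshd[4410]: pam_winbind(sshd:auth): user 'CORP\\dba-svc' granted access
Mar  5 09:10:22 db01 sshd[4455]: pam_winbind(sshd:auth): user 'CORP\\dba-svc' granted access
Mar  6 02:37:55 db01 sshd[5120]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.5.20 user=alice@corp.example
Mar  6 02:39:10 web01 sshd[5133]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=alice@corp.example
"""

SENSITIVE_HOSTS = {"db01"}     # assumption: in practice sourced from the asset inventory
CUTOFF = datetime(1900, 3, 6)  # baseline = events before this; syslog stamps have no year, strptime fills in 1900

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) \S+: (?P<msg>.*)$")
SSS_RE = re.compile(r"pam_sss\(\S+\): authentication (?P<outcome>success|failure);.*?rhost=(?P<rhost>\S*) user=(?P<user>\S+)")
WINBIND_RE = re.compile(r"pam_winbind\(\S+\): user '(?P<user>[^']+)' granted access")


@dataclass
class LogonEvent:
    ts: datetime
    host: str
    user: str             # bare account name, domain stripped
    rhost: Optional[str]  # None when the PAM module did not record a source
    outcome: str          # "success" or "failure"


@dataclass
class Finding:
    event: LogonEvent
    severity: str
    reasons: list = field(default_factory=list)


def bare_user(name: str) -> str:
    # alice@corp.example -> alice ; CORP\alice -> alice
    return name.split("@", 1)[0].rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        if s := SSS_RE.search(m["msg"]):
            events.append(LogonEvent(ts, m["host"], bare_user(s["user"]), s["rhost"] or None, s["outcome"]))
        elif w := WINBIND_RE.search(m["msg"]):
            events.append(LogonEvent(ts, m["host"], bare_user(w["user"]), None, "success"))
    return events


def build_baseline(events) -> dict:
    """Per (host, user): logon hours and source addresses seen on successful logons."""
    profile = defaultdict(lambda: {"hours": set(), "rhosts": set()})
    for e in events:
        if e.outcome != "success":
            continue
        p = profile[(e.host, e.user)]
        p["hours"].add(e.ts.hour)
        if e.rhost:
            p["rhosts"].add(e.rhost)
    return dict(profile)


def hour_distance(a: int, b: int) -> int:
    d = abs(a - b)
    return min(d, 24 - d)  # wrap around midnight


def find_anomalies(events, baseline, sensitive_hosts, hour_slack=1) -> list:
    """Flag logons that break the per-host baseline; a sensitive host raises severity."""
    findings = []
    for e in events:
        reasons = []
        prof = baseline.get((e.host, e.user))
        if prof is None:
            reasons.append("no prior logon by this domain account on this host")
        else:
            if e.rhost and e.rhost not in prof["rhosts"]:
                reasons.append(f"{e.outcome} from new source {e.rhost}")
            if all(hour_distance(e.ts.hour, h) > hour_slack for h in prof["hours"]):
                reasons.append(f"hour {e.ts.hour:02d} outside baseline hours {sorted(prof['hours'])}")
        if reasons:
            findings.append(Finding(e, "high" if e.host in sensitive_hosts else "medium", reasons))
    return findings


def run_demo(log: str = SAMPLE_LOG, cutoff: datetime = CUTOFF) -> list:
    events = parse_events(log)
    baseline = build_baseline([e for e in events if e.ts < cutoff])
    return find_anomalies([e for e in events if e.ts >= cutoff], baseline, SENSITIVE_HOSTS)


if __name__ == "__main__":
    for f in run_demo():
        ev = f.event
        print(f"[{f.severity}] {ev.host} {ev.user} {ev.ts:%b %d %H:%M} {ev.outcome}: " + "; ".join(f.reasons))
```

Run against the constructed sample, the baseline window (Mar 3 to Mar 5) teaches it that alice reaches web01 from 10.10.5.20 in the 09:00 to 10:00 range and that dba-svc uses db01 in the morning. The Mar 6 events then produce two findings: a high-severity first-ever logon by alice on the sensitive host db01 at 02:37, and a medium-severity failed logon on web01 from an unseen address at an unseen hour. The winbind path shows a limitation worth knowing before you depend on it: because pam_winbind's grant line has no source address, the source-address check silently does nothing for those accounts unless you also ingest sshd's own "Accepted" lines or Samba's winbindd log.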

Mitigation priorities

  • Maintain an accurate inventory of Linux systems using sssd or winbind for domain authentication.
  • Apply least privilege and review which domain accounts or groups can access sensitive Linux hosts.
  • Ensure centralized collection and retention of Linux authentication, sssd, and winbind logs.
  • Separate routine administrative access from privileged or emergency access where feasible, so unusual use is easier to identify.
  • Use periodic access reviews and incident-response playbooks to validate that suspicious domain-account logons can be triaged quickly.
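A concrete check for the least-privilege item above ("which domain accounts or groups can access sensitive Linux hosts"), as an added example that is not part of the page or of sssd itself. On an sssd-joined host the answer lives in sssd.conf: a domain with no access_provider line is treated as permit, so every account in the domain can log on once it authenticates. The script below reads a config, finds the enabled domains, and reports the ones whose access control is open or unrestricted; the two config fragments are constructed, and the group DN in the hardened one is illustrative. The winbind equivalent, not shown here, is require_membership_of in /etc/security/pam_winbind.conf.

```python
import configparser

# Constructed sssd.conf fragments (not from any real host). WEAK_CONF has no
# access_provider line, which sssd treats as "permit"; HARDENED_CONF restricts logon
# to one AD group via ad_access_filter. The group DN is an illustrative value.
WEAK_CONF = """\
[sssd]
services = nss, pam
domains = corp.example

[domain/corp.example]
id_provider = ad
auth_provider = ad
"""

HARDENED_CONF = """\
[sssd]
services = nss, pam
domains = corp.example

[domain/corp.example]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_gpo_access_control = enforcing
ad_access_filter = (memberOf=CN=linux-db-admins,OU=Groups,DC=corp,DC=example)
"""


def audit_sssd_conf(text: str) -> list:
    """Return (domain, severity, message) tuples for every enabled domain that needs a look."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    enabled = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    if not enabled:
        findings.append(("*", "info", "no domains enabled in [sssd]; nothing to audit"))
    for name in enabled:
        sect = f"domain/{name}"
        if not cp.has_section(sect):
            findings.append((name, "high", "listed in [sssd] domains but has no [domain/...] section"))
            continue
        d = cp[sect]
        provider = d.get("access_provider", "permit").strip().lower()  # unset means permit
        if provider == "permit":
            findings.append((name, "high", "access_provider is permit or unset: any domain account can log on"))
        elif provider == "simple" and not (d.get("simple_allow_users") or d.get("simple_allow_groups")):
            findings.append((name, "high", "simple access provider with no allow list: everyone is allowed"))
        elif provider == "ad" and not d.get("ad_access_filter"):
            findings.append((name, "medium", "access_provider=ad without ad_access_filter: logon is limited only by "
                                             "account validity and by GPO where ad_gpo_access_control is enforcing"))
        elif provider not in ("permit", "simple", "ad"):
            findings.append((name, "info", f"access_provider={provider}: review its filter options manually"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_sssd_conf(conf) or "no findings")
```

Pointed at a real host it is `audit_sssd_conf(open("/etc/sssd/sssd.conf").read())`, run as root because the file is mode 0600. The useful output is the list of sensitive hosts where the result is non-empty; those are the hosts where the logon anomaly detection above is carrying the whole load, because nothing in the identity layer stops an arbitrary domain account from getting a shell.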

Analyst notes and limits

This object is a detection analytic, not a technique, and no ATT&CK tactic, detection procedure, or relationship context was supplied. The strongest use is as a validation prompt for Linux domain-authentication monitoring and identity-aware host coverage.

The official detection field is not provided, and no relationships were supplied. Any thresholding, anomaly model, host criticality definition, or lateral-movement interpretation must be based on local environment data and approved operating patterns.

Official MITRE ATT&CK definition

Analytic 0591

Use of domain accounts via sssd or winbind for logon activity outside of typical patterns, especially on sensitive systems or with lateral movement tools.

The same entry is published on attack.mitre.org (the MITRE-hosted reference); links within this page point to the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. Where Glexia retains multiple ATT&CK source imports, the table lists the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (no value shown)
Modified: (no value shown)
Raw hash: 57895e0e5dcbfb77...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (no value shown) | 1.0 | (no value shown) | Current bundle | 57895e0e5dcb…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0591 (link to the MITRE source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.