MITRE ATT&CK® Analytic

AN0672: Analytic 0672

Monitor for file access to certificate directories, commands invoking OpenSSL or PKCS#12 utilities to export or modify certificates, and processes accessing sensitive key storage paths.

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN0672 is a Linux-focused detection analytic for activity around certificate and private-key material: access to certificate directories, use of OpenSSL or PKCS#12 utilities to export or modify certificates, and processes touching sensitive key storage paths. For leaders, this matters because certificates and keys are trust anchors for services, identity flows, encrypted communications, and compliance evidence. Unreviewed access or modification can create operational, incident response, and audit risk even when no confirmed compromise is present.

Executive priority

Prioritize this as a control-validation question: do teams know where Linux certificate and key material resides, who should access it, and whether that access is logged well enough to support incident decisions? The business value is strongest for environments where Linux systems support authentication, TLS, application delivery, internal PKI, or regulated service availability. This analytic can help justify investment in endpoint telemetry, key-management governance, and audit-ready monitoring around sensitive trust stores.

Technical view

For SOC, detection engineering, and IR teams, validate Linux telemetry for file access to certificate directories, execution of OpenSSL or PKCS#12-related utilities, command lines indicating certificate export or modification, and process access to sensitive key storage paths. Because ATT&CK provides no separate detection text and no relationship context for this analytic, local baselining is essential: administrators, certificate renewal jobs, configuration management, and legitimate application processes may generate expected activity. Detection should focus on unusual users, unexpected parent processes, rare hosts, off-hours activity, or access outside documented certificate-management workflows.

Likely telemetry

  • Linux process creation telemetry including executable name, command line, user, parent process, host, and timestamp
  • File access or audit telemetry for certificate directories and sensitive key storage paths
  • Command execution records involving OpenSSL or PKCS#12 utilities
  • File modification events for certificate or key material
  • Administrative activity logs from approved certificate-management, automation, or configuration-management workflows

Detection direction

  • Confirm that the Linux endpoints covered by this analytic expose both process execution and file access events; process-only visibility may miss direct key-store access by non-obvious binaries such as copy or archive tools.
  • Build allowlists or baselines for approved certificate renewal, backup, deployment, and configuration-management activity to reduce false positives.
  • Tune for unusual combinations: OpenSSL or PKCS#12 utility execution by unexpected users, unexpected parent processes, rare hosts, or activity outside maintenance windows.
  • Review whether sensitive key storage paths are explicitly monitored; default logging often does not provide enough file access detail without audit configuration.
  • Correlate certificate/key access with account context and host role before escalation, since legitimate administrative and application behavior can resemble suspicious access.
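One way to turn the tuning points above into executable triage logic, as an added example that is not part of the ATT&CK object or the Glexia page. The event schema, approved users and parent processes, watched key paths and the maintenance window are assumed placeholders standing in for a team's own documented baseline:

```python
# Baseline-aware triage of Linux process events for the activity in AN0672.
# Added example, not from the ATT&CK object or the Glexia page: the event schema,
# approved users/parents, watched paths and maintenance window are assumed values.
from datetime import datetime

CERT_TOOLS = {"openssl", "pk12util"}           # OpenSSL and the NSS PKCS#12 tool
EXPORT_MARKERS = ("pkcs12", "-export", ".p12", ".pfx")
KEY_PATHS = ("/etc/ssl/private", "/etc/pki/tls/private", "/etc/letsencrypt/live")
APPROVED_USERS = {"root", "alice"}             # documented admins / service accounts
APPROVED_PARENTS = {"certbot", "systemd", "ansible-playbook"}  # renewal / config mgmt
MAINTENANCE_HOURS = range(2, 6)                # 02:00-05:59 renewal window

def is_sensitive(ev):
    """Exports/modifies certificates with a PKCS#12-capable tool, or touches a key path.
    The path check is tool-agnostic so non-obvious binaries (cp, tar) are caught too."""
    tool = ev["exe"].rsplit("/", 1)[-1]
    exports = tool in CERT_TOOLS and any(m in ev["cmdline"] for m in EXPORT_MARKERS)
    return exports or any(p in ev["cmdline"] for p in KEY_PATHS)

def anomalies(ev):
    """Reasons the event falls outside the documented certificate workflow."""
    hour = datetime.fromisoformat(ev["ts"]).hour
    checks = [(ev["user"] not in APPROVED_USERS, "unexpected user"),
              (ev["parent"] not in APPROVED_PARENTS, "outside approved workflow"),
              (hour not in MAINTENANCE_HOURS, "outside maintenance window")]
    return [label for hit, label in checks if hit]

def triage(events):
    """One alert per sensitive event with at least one anomaly; the reason count
    is a crude severity for the analyst's account/host correlation step."""
    return [{"host": e["host"], "user": e["user"], "exe": e["exe"], "reasons": anomalies(e)}
            for e in events if is_sensitive(e) and anomalies(e)]

# Constructed sample events in a normalised process-creation schema.
EVENTS = [
    {"ts": "2026-03-01T03:10:00", "host": "web01", "user": "root", "parent": "certbot",
     "exe": "/usr/bin/openssl", "cmdline": "openssl x509 -in /etc/letsencrypt/live/app/cert.pem -noout -dates"},
    {"ts": "2026-03-01T22:40:00", "host": "web01", "user": "www-data", "parent": "bash",
     "exe": "/usr/bin/openssl", "cmdline": "openssl pkcs12 -export -in /etc/ssl/private/app.key -out /tmp/app.p12"},
    {"ts": "2026-03-02T14:00:00", "host": "web02", "user": "alice", "parent": "bash",
     "exe": "/usr/bin/openssl", "cmdline": "openssl rsa -in /etc/ssl/private/app.key -check"},
    {"ts": "2026-03-02T01:00:00", "host": "db01", "user": "backup", "parent": "cron",
     "exe": "/usr/bin/cp", "cmdline": "cp /etc/pki/tls/private/server.key /mnt/backup/"},
]

if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

The certbot renewal at 03:10 is sensitive but fully inside the baseline and produces nothing, while the cp of a private key by a non-certificate binary is still caught because the path check does not depend on the tool name.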

Mitigation priorities

  • Inventory Linux systems that store or process certificates and private keys, including service hosts and internal PKI-related systems.
  • Restrict access to certificate directories and key storage paths to documented service accounts and administrators.
  • Standardize certificate export, renewal, and modification workflows so monitoring can distinguish approved activity from anomalies.
  • Enable or validate Linux audit/file access logging for sensitive certificate and key locations where operationally feasible.
  • Preserve process, file, and account telemetry long enough to support incident response and compliance review.

Analyst notes and limits

This take is based only on the supplied ATT&CK analytic fields. The object identifies Linux as the platform and describes monitoring for certificate-directory access, OpenSSL or PKCS#12 utility use, and sensitive key storage access. No tactic, technique relationship, procedure examples, or official detection logic were supplied, so recommendations are framed as validation and tuning guidance rather than a complete detection rule.

Because that context is absent, the exact certificate paths, legitimate tools, and expected administrative patterns must be taken from the environment itself; they vary by Linux distribution, application stack, PKI design, and local operations, and local evidence is required before treating any event as suspicious.

Official MITRE ATT&CK definition

Analytic 0672

Monitor for file access to certificate directories, commands invoking OpenSSL or PKCS#12 utilities to export or modify certificates, and processes accessing sensitive key storage paths.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be used to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 47a0f3467438b03e...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 47a0f3467438…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0672 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.