MITRE ATT&CK® Analytic

AN0720: Analytic 0720

On Linux systems, forged credentials may be injected into browser session files, curl/wget headers, or token caches in memory. Detection can leverage auditd to track processes accessing sensitive files (~/.mozilla, ~/.config/chromium, ~/.aws/credentials) and correlate with suspicious outbound connections.

Domain: Enterprise | ID: AN0720 | Type: Analytic | Object version 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because forged or inserted credentials on Linux endpoints can turn ordinary tools and browser sessions into unauthorized access paths. For leaders, the key decision is whether the organization can see unusual access to local credential stores and then connect that activity to suspicious outbound network behavior before it becomes an incident response blind spot.

Executive priority

Prioritize this where Linux workstations, developer systems, cloud administration hosts, or automation nodes store browser sessions, AWS credentials, or other reusable tokens. The business risk is not just endpoint compromise; it is loss of trust in identities and sessions used to access cloud or web services. Leaders should ask whether SOC, identity, and cloud teams share enough telemetry to prove when local credential material is accessed and whether that access is followed by abnormal external connections.

Technical view

The supplied ATT&CK analytic is Linux-focused and describes using auditd to monitor process access to sensitive credential/session locations such as ~/.mozilla, ~/.config/chromium, and ~/.aws/credentials, then correlating that file access with suspicious outbound connections. Detection engineering should validate whether auditd rules cover these paths, whether process identity and command context are retained, and whether network telemetry can be joined to the same host and process or user context. Because no ATT&CK tactic, technique relationship, or formal detection logic is supplied, teams should treat this as a detection design prompt rather than a complete analytic.

Likely telemetry

  • Linux auditd file access events for browser profile, token cache, and cloud credential paths
  • Process metadata including executable, parent process, user, command line, and working directory where available
  • Outbound network connection telemetry from the Linux host
  • User and host identity context to correlate local file access with network activity
  • Cloud or service authentication logs, where available, to validate whether accessed credentials were subsequently used

Detection direction

  • Validate auditd coverage for sensitive user-level credential and browser session locations on Linux systems.
  • Correlate credential/session file access with outbound connections from the same host, user, or process within a defensible time window.
  • Tune for expected administrative, browser, backup, synchronization, and developer workflows to reduce false positives.
  • Pay special attention to non-browser or unexpected processes accessing browser profiles, cloud credential files, or token-related paths.
  • Identify blind spots where endpoint file telemetry exists but cannot be joined to network or identity logs.
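The correlation described in the technical view and the detection direction above, worked through as an added example (this is not Glexia's or MITRE's code). It assumes auditd watch rules tagging the credential paths with the keys `browser_profile` and `cloud_cred`, an allow-list of expected accessor processes per path, a 60-second correlation window, and a host-side connection feed of `(timestamp, pid, dst_ip, dst_port)` tuples; all of these names and the sample records are constructed for the example and should be tuned to the fleet.

```python
"""Correlate auditd credential-file access with outbound connections (added example)."""
import re
from collections import defaultdict

# Assumed auditd watch rules producing the records parsed below. The rule keys
# (browser_profile, cloud_cred) are chosen for this example, not given by the analytic:
#   -w /home/dev/.mozilla -p rwa -k browser_profile
#   -w /home/dev/.config/chromium -p rwa -k browser_profile
#   -w /home/dev/.aws/credentials -p rwa -k cloud_cred
WATCH_KEYS = {"browser_profile", "cloud_cred"}

# Processes expected to read each credential location (assumed allow-list; tune per fleet).
EXPECTED_ACCESSORS = {
    "/.mozilla/": {"firefox"},
    "/.config/chromium/": {"chromium", "chrome"},
    "/.aws/credentials": {"aws"},
}

# Seconds after a file access within which an outbound connection counts as correlated.
CORRELATION_WINDOW_S = 60.0

_HEADER = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_audit_record(line):
    """Parse one auditd line into (type, timestamp, serial, fields); None if malformed."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    return rtype, float(ts), int(serial), fields

def build_access_events(lines):
    """Join SYSCALL and PATH records that share a serial; keep only watched-key events."""
    by_serial = defaultdict(lambda: {"paths": []})
    for line in lines:
        rec = parse_audit_record(line)
        if rec is None:
            continue
        rtype, ts, serial, fields = rec
        ev = by_serial[serial]
        ev["ts"] = ts
        if rtype == "SYSCALL":
            ev.update(fields)          # pid, uid, comm, exe, key, ...
        elif rtype == "PATH" and "name" in fields:
            ev["paths"].append(fields["name"])
    return [ev for ev in by_serial.values()
            if ev.get("key") in WATCH_KEYS and ev["paths"]]

def expected_for(path):
    """Return the set of process names allowed to touch this path."""
    for fragment, procs in EXPECTED_ACCESSORS.items():
        if fragment in path:
            return procs
    return set()

def correlate(audit_lines, connections):
    """Flag unexpected processes reading credential paths; raise severity if they connect out.

    `connections` is a list of (timestamp, pid, dst_ip, dst_port) from host network
    telemetry (conntrack, eBPF or EDR in practice; constructed here).
    """
    alerts = []
    for ev in build_access_events(audit_lines):
        comm, pid = ev.get("comm", ""), int(ev.get("pid", -1))
        for path in ev["paths"]:
            if comm in expected_for(path):
                continue               # e.g. firefox reading its own profile
            follow = [(d, p) for t, cpid, d, p in connections
                      if cpid == pid and 0 <= t - ev["ts"] <= CORRELATION_WINDOW_S]
            alerts.append({"pid": pid, "comm": comm, "exe": ev.get("exe"),
                           "uid": ev.get("uid"), "path": path, "outbound": follow,
                           "severity": "high" if follow else "medium"})
    return alerts

# Constructed sample telemetry (not real logs): one developer host, uid 1000.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=257 success=yes exit=3 ppid=900 pid=1001 auid=1000 uid=1000 comm="firefox" exe="/usr/lib/firefox/firefox" key="browser_profile"
type=PATH msg=audit(1700000000.100:101): item=0 name="/home/dev/.mozilla/firefox/abc.default/cookies.sqlite" inode=1234 mode=0100600
type=SYSCALL msg=audit(1700000010.250:102): arch=c000003e syscall=257 success=yes exit=4 ppid=900 pid=1002 auid=1000 uid=1000 comm="python3" exe="/usr/bin/python3.11" key="browser_profile"
type=PATH msg=audit(1700000010.250:102): item=0 name="/home/dev/.mozilla/firefox/abc.default/cookies.sqlite" inode=1234 mode=0100600
type=SYSCALL msg=audit(1700000020.500:103): arch=c000003e syscall=257 success=yes exit=3 ppid=900 pid=1003 auid=1000 uid=1000 comm="aws" exe="/usr/local/bin/aws" key="cloud_cred"
type=PATH msg=audit(1700000020.500:103): item=0 name="/home/dev/.aws/credentials" inode=5678 mode=0100600
type=SYSCALL msg=audit(1700000030.000:104): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=1004 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="cloud_cred"
type=PATH msg=audit(1700000030.000:104): item=0 name="/home/dev/.aws/credentials" inode=5678 mode=0100600
type=SYSCALL msg=audit(1700000045.000:105): arch=c000003e syscall=257 success=yes exit=3 ppid=900 pid=1005 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="browser_profile"
type=PATH msg=audit(1700000045.000:105): item=0 name="/home/dev/.config/chromium/Default/Cookies" inode=9012 mode=0100600
""".splitlines()

SAMPLE_CONNECTIONS = [
    (1700000001.0, 1001, "203.0.113.10", 443),   # firefox: expected accessor, ignored
    (1700000012.0, 1002, "198.51.100.7", 8443),  # python3 connects 1.75 s after profile read
    (1700000040.0, 1004, "203.0.113.55", 443),   # curl connects 10 s after credential read
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_AUDIT, SAMPLE_CONNECTIONS):
        print(a["severity"], a["comm"], a["path"], a["outbound"])
```

On the sample data the browser and the AWS CLI reading their own stores are suppressed, the script and `curl` that read credential material and then connect out are raised as high, and the `cat` of a Chromium cookie store with no following connection is kept as medium. The allow-list and window are where the tuning work in the bullets above lands: backup, sync and developer tooling are added to `EXPECTED_ACCESSORS` per path rather than globally, so an unexpected binary touching a browser profile still surfaces even when it is a legitimate tool elsewhere on the host.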

Mitigation priorities

  • Inventory Linux systems that store reusable browser sessions, cloud credentials, or token caches, especially administrator and developer endpoints.
  • Reduce unnecessary local storage of long-lived credentials where operationally feasible.
  • Apply least privilege to local files and user accounts that can access credential material.
  • Ensure auditd or equivalent endpoint telemetry is enabled and retained for high-value Linux systems.
  • Create an incident response playbook for suspected local credential/session tampering that includes credential rotation and cloud/session validation.

Analyst notes and limits

This object is a detection analytic, not a full technique entry. Its main defensive value is in combining Linux file-access auditing with outbound network correlation. Glexia would use it to drive coverage validation across SOC telemetry, IAM/cloud logging, and incident response procedures for Linux endpoints that hold reusable credentials.

The supplied ATT&CK fields do not include a tactic, related techniques, relationship context, or official detection logic beyond the description. This take does not assert active exploitation, attribution, impact, or guaranteed detection. Local path conventions, browser usage, cloud tooling, auditd configuration, and network visibility will determine practical coverage.

Official MITRE ATT&CK definition

Analytic 0720

On Linux systems, forged credentials may be injected into browser session files, curl/wget headers, or token caches in memory. Detection can leverage auditd to track processes accessing sensitive files (~/.mozilla, ~/.config/chromium, ~/.aws/credentials) and correlate with suspicious outbound connections.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: c172fb7c90887dfa...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: c172fb7c9088…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0720 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.