MITRE ATT&CK® Analytic

AN0856: Analytic 0856

Correlated file access to insecure credential files (e.g., *.env, *.xml, *.ps1) followed by suspicious process execution or authentication using retrieved credentials. Detected through Sysmon logs and Windows Security Event logs.

Enterprise | AN0856 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it looks for a common precursor to credential misuse on Windows: access to insecure files that may contain secrets, followed by suspicious process execution or authentication activity. For leaders, the decision value is not the file pattern alone; it is whether the organization can correlate endpoint file access with Windows authentication evidence quickly enough to support containment and credential-reset decisions.

Executive priority

Prioritize this as a validation point for identity and incident-response readiness on Windows systems. Executives and risk owners should ask whether sensitive credential material is being stored in files such as environment, XML, or PowerShell script files, whether SOC teams can see access to those files, and whether authentication activity can be tied back to the same host or user. This supports business continuity by reducing uncertainty during suspected credential exposure and provides useful evidence for control assurance and audit discussions around secret handling and monitoring.

Technical view

AN0856 is a Windows detection analytic describing correlation between access to insecure credential files, such as *.env, *.xml, and *.ps1, and subsequent suspicious process execution or authentication using retrieved credentials. The supplied ATT&CK object does not specify tactics, related techniques, or full detection logic, so teams should treat it as a detection design pattern rather than a ready-to-deploy rule. SOC and detection engineers should validate whether their Windows telemetry actually captures reads of these files (Sysmon records file creation and deletion but not reads of existing files, so read access normally comes from Windows Security object-access auditing), whether Sysmon captures process execution with command line and parent, and whether Windows Security Event logs provide authentication context that can be correlated by user, host, process lineage, and time window.

Likely telemetry

  • Windows Security Event ID 4663 (object access) for read access to credential-like files such as *.env, *.xml, and *.ps1; this requires a SACL on the files or their directories. Sysmon Event ID 11 (FileCreate) and Event IDs 23/26 (file delete) show creation and deletion of such files, but Sysmon has no file-read event, so Sysmon alone will not show an existing file being read
  • Sysmon Event ID 1 process creation telemetry, including command line, parent process, user, host, and timestamp where available
  • Windows Security Event logs showing authentication activity, in particular 4624 (logon), 4625 (failed logon), and 4648 (logon with explicit credentials, the event written when a principal runs something as another account)
  • Host and user identity context needed to correlate file access, process execution, and logon events
  • Asset context for Windows systems where credential material may be stored locally

Detection direction

  • Confirm that Sysmon is deployed and configured to capture process execution (Event ID 1 with command line and parent) and file creation (Event ID 11) on relevant Windows assets, and that file-system auditing (Security Event ID 4663) is enabled on the directories holding credential files, since Sysmon does not record read access to existing files.
  • Validate correlation logic rather than relying only on filename matching; access to *.xml or *.ps1 files can be benign, so suspicious follow-on process execution or authentication context is important.
  • Tune for local administrative, developer, automation, and configuration-management activity that may legitimately read these file types.
  • Look for blind spots where Windows Security Event logs are missing, delayed, filtered, or not correlated with endpoint telemetry.
  • Because no ATT&CK relationship context or official detection logic is supplied, require local baselining and test data before using this as a high-confidence alert.
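
The correlation described under Technical view and Detection direction, as an added example that is not MITRE or Glexia code. It runs the AN0856 pattern over constructed, already-normalised events; the field names (`object`, `access`, `command_line`, `target_user`) are assumptions about a local schema. Windows Security 4663 stands in for file reads because Sysmon has no read event, Sysmon Event ID 1 supplies process creation, and Security 4648 records the reader authenticating as a different account on the same host. The command-line indicators and the ten-minute window are placeholders to tune against local baselines.

```python
"""Correlation logic for the AN0856 pattern (added example, not MITRE or Glexia
code). Events are assumed to be normalised into dicts with the field names used
below; the sample events are constructed, not real telemetry."""
from datetime import datetime, timedelta
import fnmatch
import re

CRED_FILE_PATTERNS = ("*.env", "*.xml", "*.ps1")
WINDOW = timedelta(minutes=10)  # assumed; tune to local baselines
# Hypothetical follow-on indicators: encoded PowerShell, download cradles, certutil decode.
SUSPICIOUS_CMDLINE = re.compile(
    r"(^|\s)-(e|enc|encodedcommand)\s+|invoke-webrequest|downloadstring|certutil.*-decode",
    re.IGNORECASE,
)


def is_cred_file(path: str) -> bool:
    """Match the file name (not the whole path) against the credential-file globs."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return any(fnmatch.fnmatch(name, pat) for pat in CRED_FILE_PATTERNS)


def _t(event: dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def is_followup(access: dict, event: dict) -> bool:
    """True when `event` is a suspicious follow-on to credential-file read `access`.

    Same host and same subject user only: the point is to tie the file read to what
    that principal did next, not to alert on any activity inside the window."""
    if event["host"] != access["host"] or event["user"].lower() != access["user"].lower():
        return False
    if event["source"] == "Sysmon" and event["event_id"] == 1:
        return bool(SUSPICIOUS_CMDLINE.search(event.get("command_line", "")))
    if event["source"] == "Security" and event["event_id"] == 4648:
        # Explicit-credential logon as a *different* account than the reader.
        return event["target_user"].lower() != access["user"].lower()
    return False


def correlate(events: list) -> list:
    """Return one alert per credential-file read that has follow-on activity within WINDOW."""
    events = sorted(events, key=_t)
    alerts = []
    for i, ev in enumerate(events):
        if not (ev["source"] == "Security" and ev["event_id"] == 4663):
            continue
        if "ReadData" not in ev.get("access", "") or not is_cred_file(ev["object"]):
            continue
        followups = []
        for later in events[i + 1:]:
            if _t(later) - _t(ev) > WINDOW:
                break  # sorted by time, so nothing later can qualify
            if is_followup(ev, later):
                followups.append(later)
        if followups:
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "file": ev["object"], "followups": followups})
    return alerts


# Constructed sample events (not real logs); times are ISO 8601 in a single zone.
SAMPLE_EVENTS = [
    # Benign: a developer's editor reads a .env and only git runs afterwards.
    {"time": "2024-05-01T09:00:00", "host": "WS01", "source": "Security", "event_id": 4663,
     "user": "CORP\\devuser", "object": "C:\\src\\app\\.env", "access": "ReadData"},
    {"time": "2024-05-01T09:00:05", "host": "WS01", "source": "Sysmon", "event_id": 1,
     "user": "CORP\\devuser", "command_line": "C:\\Program Files\\Git\\bin\\git.exe status"},
    # Suspicious chain: config.xml read, encoded PowerShell, then runas another account.
    {"time": "2024-05-01T10:00:00", "host": "SRV01", "source": "Security", "event_id": 4663,
     "user": "CORP\\svc-build", "object": "C:\\deploy\\config.xml", "access": "ReadData"},
    {"time": "2024-05-01T10:02:30", "host": "SRV01", "source": "Sysmon", "event_id": 1,
     "user": "CORP\\svc-build", "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"time": "2024-05-01T10:03:10", "host": "SRV01", "source": "Security", "event_id": 4648,
     "user": "CORP\\svc-build", "target_user": "CORP\\sqladmin"},
    # Out of window: .ps1 read, explicit-credential logon thirty minutes later.
    {"time": "2024-05-01T11:00:00", "host": "WS02", "source": "Security", "event_id": 4663,
     "user": "CORP\\admin", "object": "C:\\scripts\\backup.ps1", "access": "ReadData"},
    {"time": "2024-05-01T11:30:00", "host": "WS02", "source": "Security", "event_id": 4648,
     "user": "CORP\\admin", "target_user": "CORP\\backupsvc"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"{alert['host']} {alert['user']} read {alert['file']}; "
              f"{len(alert['followups'])} follow-on event(s)")
```

On the sample data only the SRV01 chain alerts; the developer reading a .env with nothing suspicious afterwards and the WS02 logon outside the window do not, which is the filename-matching-is-not-enough point made above. The same-user constraint is deliberate: an account reading a secret and then presenting a different account's credentials from the same host is a stronger signal than any two events that merely share a time window.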

Mitigation priorities

  • Reduce storage of credentials in local files where possible and move secrets into approved managed storage or configuration mechanisms.
  • Review Windows systems for insecure credential-bearing files, especially environment files, XML configuration files, and PowerShell scripts.
  • Restrict file permissions so only required users and processes can access sensitive files.
  • Ensure endpoint and Windows authentication logging are retained long enough to support correlation during incident response.
  • Define IR playbooks for suspected credential-file access, including validation, credential rotation decisions, and affected-account review.

Analyst notes and limits

This object is a detection analytic, not a technique record. The official description supports Windows scope, Sysmon logs, Windows Security Event logs, insecure credential-file access, suspicious process execution, and authentication correlation. No tactics, relationships, aliases, or separate official detection content were supplied, so relationship-driven enrichment is not available.

The ATT&CK fields provided do not include detailed detection logic, event IDs, correlation windows, severity, related techniques, or evidence of active exploitation. Applicability and alert fidelity depend on local Sysmon configuration, Windows Security logging, file naming conventions, identity architecture, and normal administrative activity.

Official MITRE ATT&CK definition

Analytic 0856

Correlated file access to insecure credential files (e.g., *.env, *.xml, *.ps1) followed by suspicious process execution or authentication using retrieved credentials. Detected through Sysmon logs and Windows Security Event logs.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate any related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions; for this object the current normalized data carries no relationships, so that validation rests on local telemetry alone.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 74497ec74c79493e...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   74497ec74c79…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0856

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.