AN0955: Analytic 0955
Access tokens or SSH keys used without corresponding login shell or PAM module activity, particularly for remote execution.
Analyst context for executives and security teams
This analytic matters because it focuses on Linux access that appears to occur without the normal evidence of an interactive login, such as shell or PAM activity. For security leaders, that is a practical signal to validate whether remote execution, automation, service accounts, SSH key use, or token-based access are being monitored well enough to distinguish expected administration from suspicious access patterns.
Executive priority
Prioritize this as an identity and Linux monitoring coverage question rather than a standalone alert. Leaders should ask whether SOC and incident response teams can prove who used SSH keys or access tokens, from where, and for what activity when normal login records are absent. This supports operational resilience, privileged access governance, and audit evidence for remote administration on Linux systems.
Technical view
For Linux environments, validate whether detections can correlate token or SSH key usage with expected login-shell and PAM module activity. The key defensive question is whether remote execution or non-interactive access leaves enough telemetry to identify anomalous use. Because the ATT&CK object provides no tactic mapping, no relationship context, and no detailed detection logic, teams should treat AN0955 as a detection concept requiring local baselining and validation against legitimate automation, scheduled jobs, service accounts, and administrative tooling.
Likely telemetry
- Linux authentication logs, including SSH authentication events
- PAM activity records where available
- Shell session or login-shell evidence
- Process creation telemetry for remote or non-interactive command execution
- SSH key usage and account mapping records
Detection direction
- Correlate SSH key or access token use with expected PAM and login-shell events; investigate cases where access occurs without corresponding session evidence.
- Baseline legitimate non-interactive administration, automation, and service account behavior to reduce false positives.
- Tune for Linux systems where remote execution may not create normal interactive login artifacts.
- Validate whether logging gaps, disabled PAM logging, missing process telemetry, or incomplete SSH audit records create blind spots.
- Use this analytic as a coverage test: confirm the SOC can reconstruct user or key identity, source, target host, and resulting process activity.
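As an added example (not part of the ATT&CK object or Glexia's analysis), the following Python script applies the first detection direction above to constructed auth.log lines: it correlates OpenSSH "Accepted" events with pam_unix session-open events by sshd PID and reports accepted key or password authentications that never produced a PAM session. It assumes the OpenSSH and pam_unix log formats shown and that both events for one connection share the sshd PID.

```python
import re

# Constructed sample auth.log lines (not from a real host); the third entry is the
# anomaly: key accepted for "deploy" with no pam_unix session opened under PID 1301.
SAMPLE_AUTH_LOG = """\
Jan 10 10:00:01 web01 sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2: RSA SHA256:AAAAexamplefp
Jan 10 10:00:01 web01 sshd[1234]: pam_unix(sshd:session): session opened for user admin(uid=1000) by (uid=0)
Jan 10 10:03:17 web01 sshd[1301]: Accepted publickey for deploy from 10.0.0.9 port 51300 ssh2: ED25519 SHA256:BBBBexamplefp
Jan 10 10:03:40 web01 sshd[1302]: Accepted publickey for deploy from 10.0.0.9 port 51301 ssh2: ED25519 SHA256:BBBBexamplefp
Jan 10 10:03:40 web01 sshd[1302]: pam_unix(sshd:session): session opened for user deploy(uid=1001) by (uid=0)
Jan 10 10:05:02 web01 sshd[1400]: Accepted password for alice from 10.0.0.7 port 51400 ssh2
Jan 10 10:05:02 web01 sshd[1400]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""

# OpenSSH "Accepted <method>" line; the key type/fingerprint suffix only exists for key auth.
ACCEPT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) "
    r"port (?P<port>\d+) ssh2(?:: (?P<keytype>\S+) (?P<fp>\S+))?"
)
# pam_unix session-open line; accepts both "user NAME" and "user NAME(uid=N)" spellings.
SESSION_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:session\): session opened for user (?P<user>[^\s(]+)"
)

def find_access_without_session(log_text):
    """Return accepted sshd authentications whose sshd PID never logged a PAM session open.

    Assumption: as in OpenSSH, the Accepted line and the pam_unix session line for one
    connection are emitted by the same sshd PID, so the PID is the correlation key.
    """
    accepted = {}
    session_pids = set()
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            accepted[m["pid"]] = m.groupdict()
            continue
        m = SESSION_RE.search(line)
        if m:
            session_pids.add(m["pid"])
    # Each finding keeps user, source, method and key fingerprint so the SOC can
    # reconstruct identity and origin, as the coverage test above asks for.
    return [a for pid, a in accepted.items() if pid not in session_pids]

if __name__ == "__main__":
    for hit in find_access_without_session(SAMPLE_AUTH_LOG):
        print(f"no PAM session: pid={hit['pid']} user={hit['user']} src={hit['src']} "
              f"method={hit['method']} key={hit['fp']}")
```

On a real host a hit is the start of the baselining step, not a verdict: check first whether sshd runs with PAM disabled on that system or whether the session line was simply not collected.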
Mitigation priorities
- Maintain strong governance over SSH keys, tokens, and privileged Linux accounts.
- Reduce unmanaged or long-lived access credentials where possible and review key-to-account ownership.
- Ensure Linux authentication, PAM, shell/session, process, and remote access logs are collected and retained consistently.
- Document approved automation and remote execution patterns so detection teams can distinguish expected activity from anomalies.
- Periodically test incident response procedures for investigating non-interactive Linux access.
Analyst notes and limits
AN0955 is a MITRE detection analytic for Linux that describes access tokens or SSH keys being used without corresponding login shell or PAM module activity, especially in remote execution contexts. Its value is highest as a control-validation prompt for identity, endpoint, and SOC telemetry coverage.
The supplied ATT&CK object has no official detection logic, no tactics, and no relationship context. This take does not infer adversary behavior, active exploitation, specific tools, or guaranteed detection. Local Linux logging configuration and business-approved automation patterns are required to operationalize it.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 006a1ea2bb0d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0955
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.