MITRE ATT&CK® Analytic

AN1153: Analytic 1153

Unusual access to bash history, registry credentials paths, or private key files by unauthorized or scripting tools, with correlated file and process activity.

Enterprise | AN1153 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting suspicious access to credential-bearing locations, such as shell history, registry credential paths, or private key files, especially when that access comes from unauthorized users or scripting tools. For leaders, the value is not the analytic name; it is whether the organization can prove it would notice abnormal credential-file access on Windows before it becomes a larger identity or incident response problem.

Executive priority

Prioritize this as an identity and incident-readiness validation item. Credential material stored in files or registry paths can become a control bypass if monitoring only focuses on logons and not on access to the underlying secrets. Security leaders should ask whether endpoint telemetry, SOC playbooks, and audit evidence can show who accessed sensitive credential locations, by what process, and whether that access was expected.

Technical view

Because ATT&CK provides no official detection logic for AN1153, teams should treat it as a validation target rather than a ready-made rule. On Windows, confirm visibility into file access, registry access, process execution, script interpreter activity, command-line context where available, and user/process correlation. Detection engineering should focus on unusual or unauthorized access to credential-related paths and private key files, with correlation to the initiating process, parent process, user, host role, and baseline administrative activity.

Likely telemetry

  • Windows endpoint file access events for sensitive credential or private key locations
  • Windows registry access events for credential-related paths
  • Process creation and parent/child process telemetry
  • Script interpreter and automation tool execution telemetry
  • User, service account, and host identity context

Detection direction

  • Validate whether the SOC can correlate file or registry access with the responsible process and user, not just observe that access occurred.
  • Baseline legitimate administrative, backup, security tooling, developer, and automation access to reduce false positives.
  • Pay particular attention to scripting tools or unusual processes touching credential-related locations.
  • Review blind spots where file auditing, registry auditing, command-line capture, or EDR telemetry is not enabled on Windows endpoints.
  • Because no ATT&CK relationships or tactics are supplied, avoid mapping this analytic to a broader campaign or attack stage without local evidence.
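The correlation the items above call for (join each credential-location access to the responsible process and user, then explain why it is unusual) is easier to validate against concrete telemetry. The following is an added example, not part of the ATT&CK object or Glexia's analysis: the event schema, path patterns, interpreter list, approved baseline and all sample events are constructed assumptions standing in for an EDR or audit export, and the registry pattern is a placeholder rather than a real credential path.

```python
import fnmatch
from dataclasses import dataclass

# Constructed patterns for credential-bearing locations (assumption: replace with the
# paths your own inventory identifies). Targets are compared lower-cased with
# backslashes normalised to forward slashes.
CREDENTIAL_PATTERNS = [
    "*/.bash_history",        # shell history files
    "*/.ssh/id_*",            # SSH private keys
    "*.pem", "*.ppk",         # other private key formats
    "hklm/*/credentials/*",   # placeholder registry credential path pattern
    "hkcu/*/credentials/*",
]

# Script interpreters and command shells whose access to these locations is unusual.
SCRIPT_INTERPRETERS = {"powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe",
                       "python.exe", "cmd.exe"}

# Constructed baseline of (user, process image) pairs approved to read credential locations.
APPROVED_ACCESS = {("backup_svc", "backupagent.exe"), ("alice", "ssh.exe")}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    pid: int
    image: str
    parent_image: str
    user: str


@dataclass(frozen=True)
class AccessEvent:
    host: str
    pid: int
    kind: str      # "file" or "registry"
    target: str


@dataclass
class Finding:
    host: str
    user: str
    image: str
    parent_image: str
    target: str
    reasons: list


def normalise(path: str) -> str:
    return path.replace("\\", "/").lower()


def basename(image: str) -> str:
    return normalise(image).rsplit("/", 1)[-1]


def is_credential_location(target: str) -> bool:
    t = normalise(target)
    return any(fnmatch.fnmatchcase(t, pattern) for pattern in CREDENTIAL_PATTERNS)


def correlate(process_events, access_events):
    """Join each access event to its process via (host, pid) and record why it is unusual."""
    procs = {(p.host, p.pid): p for p in process_events}
    findings = []
    for a in access_events:
        if not is_credential_location(a.target):
            continue
        p = procs.get((a.host, a.pid))
        if p is None:
            # Access with no process lineage is itself a telemetry gap worth surfacing.
            findings.append(Finding(a.host, "<unknown>", "<unknown>", "<unknown>", a.target,
                                    ["no process context for this access event"]))
            continue
        image, parent = basename(p.image), basename(p.parent_image)
        reasons = []
        if (p.user.lower(), image) not in APPROVED_ACCESS:
            reasons.append("user/process pair not in approved baseline")
        if image in SCRIPT_INTERPRETERS:
            reasons.append(f"script interpreter {image} touched a credential location")
        if parent in SCRIPT_INTERPRETERS:
            reasons.append(f"launched by script interpreter {parent}")
        if reasons:
            findings.append(Finding(a.host, p.user, image, parent, a.target, reasons))
    return findings


def run_sample():
    """Constructed sample telemetry (not real logs) exercising the correlation."""
    procs = [
        ProcessEvent("ws01", 1204, r"C:\Program Files\BackupAgent\backupagent.exe",
                     r"C:\Windows\System32\services.exe", "backup_svc"),
        ProcessEvent("ws01", 2216, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     r"C:\Windows\System32\cmd.exe", "bob"),
        ProcessEvent("ws01", 3300, r"C:\Windows\System32\OpenSSH\ssh.exe", r"C:\Windows\explorer.exe", "alice"),
        ProcessEvent("ws01", 5100, r"C:\Windows\regedit.exe", r"C:\Windows\explorer.exe", "bob"),
    ]
    accesses = [
        AccessEvent("ws01", 1204, "file", r"C:\Users\alice\.ssh\id_rsa"),        # approved backup agent
        AccessEvent("ws01", 2216, "file", r"C:\Users\bob\.bash_history"),        # interpreter, unapproved
        AccessEvent("ws01", 3300, "file", r"C:\Users\alice\.ssh\id_ed25519"),    # approved user tool
        AccessEvent("ws01", 4100, "file", r"C:\Users\carol\keys\server.pem"),    # no process record
        AccessEvent("ws01", 5100, "registry", r"HKLM\SOFTWARE\ExampleApp\Credentials\Token"),  # unapproved
        AccessEvent("ws01", 1204, "file", r"C:\Users\alice\Documents\notes.txt"),  # not a credential path
    ]
    return correlate(procs, accesses)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.host} {f.user} {f.image} (parent {f.parent_image}) -> {f.target}: "
              + "; ".join(f.reasons))
```

On the constructed sample this yields three findings: the PowerShell read of a shell history file (unapproved, interpreter, and launched from a shell), the `.pem` access with no matching process record, and the registry read outside the baseline. The missing-lineage case is deliberately surfaced rather than dropped, since the third item in the list above is precisely about proving that access can be tied to a process and user.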

Mitigation priorities

  • Inventory where credential material, private keys, and credential-related registry data may exist on Windows systems.
  • Restrict access to credential-bearing files and registry locations to required users, services, and administrative workflows.
  • Reduce storage of reusable secrets in local files or scripts where feasible.
  • Harden and monitor scripting and automation usage, especially on endpoints that hold sensitive credentials.
  • Ensure incident response procedures include triage of suspicious credential-location access, including user validation, process lineage review, and scope checks across similar hosts.

Analyst notes and limits

AN1153 is a detection analytic object, not a technique description, and the supplied ATT&CK fields provide a short behavioral description but no formal detection logic, tactics, relationships, or aliases. The most defensible use is as a coverage assessment prompt for Windows endpoint and identity-adjacent monitoring.

This take is limited to the supplied official STIX fields and external reference. No active exploitation, threat actor use, impact, exact detection query, or guaranteed coverage is implied. Local environment baselines and approved administrative workflows are required to determine what is truly unusual or unauthorized.

Official MITRE ATT&CK definition

Analytic 1153

Unusual access to bash history, registry credentials paths, or private key files by unauthorized or scripting tools, with correlated file and process activity.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

  • ATT&CK release: 19.1
  • Object version: 1.0
  • Created:
  • Modified:
  • Raw hash: 503c55b747b5f3c6...

Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 503c55b747b5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack: AN1153 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.