AN1199: Analytic 1199
Detects access to known password store files (e.g., /etc/shadow, GNOME Keyring, KWallet, browser credential databases). Monitors anomalous process read attempts and suspicious API calls that attempt to extract stored credentials.
Analyst context for executives and security teams
This analytic matters because Linux password and credential store files are high-value targets: access to files such as /etc/shadow, desktop keyrings, wallet stores, and browser credential databases can indicate attempts to obtain stored credentials. For leaders, the decision value is whether the organization can prove it monitors access to these sensitive stores and can distinguish expected administrative or application behavior from suspicious credential-access activity.
Executive priority
Prioritize this as a Linux identity and incident-readiness control validation. The business question is not just whether these files are protected, but whether SOC and IR teams have evidence when unusual processes attempt to read them. This supports resilience, audit evidence for privileged access controls, and faster incident decisions when credential exposure is suspected.
Technical view
Validate Linux telemetry for process-to-file access involving known password or credential stores, especially anomalous read attempts against /etc/shadow, GNOME Keyring, KWallet, and browser credential databases. Because ATT&CK provides no separate detection logic for this analytic and no relationship context, teams should define local baselines for legitimate readers, administrative tools, backup agents, endpoint security tools, and desktop/browser processes before treating access as suspicious.
Likely telemetry
- Linux file access events for sensitive credential store paths
- Process creation and command-line metadata for processes reading credential stores
- Process ancestry and user context for read attempts
- File permission or access-denied events where available
- Endpoint or audit logs showing suspicious API calls related to credential extraction
Detection direction
- Confirm telemetry captures read attempts against the specific Linux credential store locations used in the environment, not only /etc/shadow.
- Tune allowlists carefully for legitimate system services, package managers, backup tools, endpoint agents, and administrative workflows that may read or inspect protected files.
- Prioritize alerts where unusual processes, unexpected users, abnormal parent processes, or non-administrative contexts access credential stores.
- Correlate file-read activity with process execution and user context to reduce false positives and support incident triage.
- Identify blind spots on Linux endpoints without audit/file-access telemetry or with insufficient process ancestry logging.
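The triage logic the bullets above describe, run over a handful of constructed file-access events, as an added illustration that is not part of the ATT&CK object or the Glexia page: the store path patterns, the baseline allowlist, the parent-process set and the key=value field names are all assumptions for this example.

```python
import re
# Credential stores named by the analytic: /etc/shadow is fixed, while keyring,
# wallet and browser stores live under each user's home, so match by suffix.
STORE_PATTERNS = {
    "shadow": re.compile(r"^/etc/g?shadow$"),
    "gnome-keyring": re.compile(r"/\.local/share/keyrings/[^/]+\.keyring$"),
    "kwallet": re.compile(r"/\.local/share/kwalletd/[^/]+\.kwl$"),
    "browser": re.compile(r"/\.(mozilla|config/(google-chrome|chromium))/.*/(logins\.json|key4\.db|Login Data)$"),
}
# Hypothetical local baseline of (store, user, process) tuples seen as legitimate
# readers; each environment builds its own, as the analytic text requires.
BASELINE = {
    ("shadow", "root", "sshd"), ("shadow", "root", "unix_chkpwd"), ("shadow", "root", "passwd"),
    ("gnome-keyring", "alice", "gnome-keyring-d"), ("kwallet", "alice", "kwalletd5"),
    ("browser", "alice", "firefox"), ("browser", "alice", "chrome"),
}
SCRIPT_PARENTS = {"bash", "sh", "dash", "python3", "perl"}  # abnormal parents for store readers
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed file-access telemetry (key=value, one event per line), not real logs.
SAMPLE_EVENTS = [
    'user=root comm=sshd pcomm=systemd path=/etc/shadow result=success',
    'user=alice comm=firefox pcomm=gnome-shell path="/home/alice/.mozilla/firefox/x1.default/logins.json" result=success',
    'user=alice comm=cat pcomm=bash path=/etc/shadow result=denied',
    'user=root comm=python3 pcomm=bash path=/home/alice/.local/share/keyrings/login.keyring result=success',
    'user=bob comm=vim pcomm=bash path=/home/bob/notes.txt result=success',
]

def classify_store(path):
    """Name the credential store a path belongs to, or None for everything else."""
    return next((n for n, p in STORE_PATTERNS.items() if p.search(path)), None)

def triage(line):
    """Return None for non-store paths; otherwise the event plus verdict and reasons."""
    ev = {k: v.strip('"') for k, v in KV.findall(line)}
    store = classify_store(ev.get("path", ""))
    if store is None:
        return None
    reasons = []
    if (store, ev.get("user"), ev.get("comm")) not in BASELINE:
        reasons.append("reader not in local baseline")
    if store == "shadow" and ev.get("user") != "root":
        reasons.append("non-root read of shadow")  # a denied attempt is still signal
    if ev.get("pcomm") in SCRIPT_PARENTS:
        reasons.append("shell or interpreter parent")
    return {"store": store, "verdict": "suspicious" if reasons else "baseline", "reasons": reasons, **ev}

def suspicious_events(lines=SAMPLE_EVENTS):
    """Alert candidates: credential store reads that fall outside the baseline."""
    return [r for r in map(triage, lines) if r and r["verdict"] == "suspicious"]
```

Two of the five constructed events survive triage: the denied `cat /etc/shadow` from a user shell and the root interpreter reading another user's keyring, while the sshd and Firefox reads match the baseline.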
Mitigation priorities
- Restrict permissions on sensitive credential stores and validate they match Linux hardening expectations.
- Limit privileged access and administrative workflows that can read password or credential store files.
- Ensure endpoint logging or Linux audit configuration covers sensitive credential file reads where operationally feasible.
- Use local baselines to document expected access patterns and support compliance or incident response evidence.
- Review desktop keyring, wallet, and browser credential storage exposure on Linux systems where these applications are in use.
Analyst notes and limits
This is a detection analytic object for Linux only. The supplied ATT&CK description focuses on access to known password store files and suspicious API calls to extract stored credentials. No ATT&CK tactics, relationships, or detailed detection implementation were supplied, so local engineering is required to translate the concept into precise queries and alert thresholds.
No official detection logic, related techniques, adversary relationships, or tactic mapping were provided. This take does not assert active exploitation, attribution, business impact, or guaranteed detection coverage. Applicability depends on Linux endpoint visibility and the credential stores present in the environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 027201a68f3b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1199
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.