AN1281: Analytic 1281
File access to NetworkManager connection configs and attempts to read PSK credentials from `/etc/NetworkManager/system-connections/*`.
Analyst context for executives and security teams
This analytic is about detecting access to Linux NetworkManager connection configuration files that may contain pre-shared key credentials. For leaders, the practical issue is not just file access; it is whether endpoint and Linux server monitoring can show when locally stored network credentials are being viewed outside normal administration. If those credentials are exposed, incident responders may need to treat the event as both a host investigation and a network access risk.
Executive priority
Prioritize this as a Linux visibility and credential-protection question. Security leaders should ask whether systems using NetworkManager store sensitive connection data, whether access to those files is restricted and logged, and whether SOC teams can distinguish normal network management activity from suspicious credential access. This can support incident response readiness, audit evidence for privileged access controls, and decisions about credential rotation after suspected unauthorized access.
Technical view
The supplied ATT&CK analytic applies to Linux and focuses on file access to `/etc/NetworkManager/system-connections/*`, especially attempts to read PSK credentials. Because no official detection logic or relationship context is provided, teams should validate coverage by confirming that Linux file-read telemetry, process context, user identity, and privilege-escalation context are collected for this path. Tuning should separate expected NetworkManager or approved administrator activity from unusual interactive users, service accounts, or processes accessing these files.
Likely telemetry
- Linux file access events for `/etc/NetworkManager/system-connections/*`
- Process execution and command-line context associated with file reads
- User, effective user, and privilege context for the accessing process
- Linux audit, EDR, or equivalent host sensor events
- Authentication and sudo logs around the same time window
Detection direction
- Validate that host telemetry records read access to the NetworkManager system-connections directory, not only file modifications.
- Baseline legitimate access by NetworkManager components and authorized administrative workflows before alerting broadly.
- Prioritize investigation when non-administrative users, unexpected service accounts, remote sessions, or unusual processes access these files.
- Correlate file access with authentication, sudo, and process ancestry to reduce false positives from maintenance activity.
- Treat confirmed unauthorized reads as possible credential exposure and preserve host evidence before remediation.
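As an added example, not part of the MITRE analytic or Glexia's analysis, the following Python applies the triage logic above to constructed, simplified audit-style records: reads of the system-connections path by NetworkManager itself with no login session are treated as expected, denied attempts are kept as low-severity findings, and any other read is flagged. The record format, the expected-process list and the sample lines are assumptions to be tuned locally.

```python
import re
from typing import Optional

WATCHED_PREFIX = "/etc/NetworkManager/system-connections/"
AUID_UNSET = 4294967295  # auditd's "no login session" value (typical for daemons)
# Assumption: processes expected to read connection files; tune per environment.
EXPECTED_EXE = {"/usr/sbin/NetworkManager", "/usr/bin/nmcli"}

# Constructed, simplified audit-style records (one event per line, key=value).
# Not real auditd output: a real event spans SYSCALL + PATH records sharing one msg id.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): syscall=openat success=yes auid=4294967295 uid=0 exe="/usr/sbin/NetworkManager" comm="NetworkManager" name="/etc/NetworkManager/system-connections/office.nmconnection" key="nm_psk"
type=SYSCALL msg=audit(1700000005.202:502): syscall=openat success=yes auid=1001 uid=0 exe="/usr/bin/cat" comm="cat" name="/etc/NetworkManager/system-connections/office.nmconnection" key="nm_psk"
type=SYSCALL msg=audit(1700000009.303:503): syscall=openat success=no auid=1002 uid=1002 exe="/usr/bin/grep" comm="grep" name="/etc/NetworkManager/system-connections/guest.nmconnection" key="nm_psk"
type=SYSCALL msg=audit(1700000012.404:504): syscall=openat success=yes auid=1001 uid=1001 exe="/usr/bin/vim" comm="vim" name="/home/alice/notes.txt" key="home_edit"
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> dict:
    """Turn one key=value audit line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def classify(rec: dict) -> Optional[str]:
    """Label a record touching the watched directory; None for unrelated paths."""
    if not rec.get("name", "").startswith(WATCHED_PREFIX):
        return None
    if rec.get("success") == "no":
        return "denied_read_attempt"  # permissions held, but someone tried
    exe = rec.get("exe", "")
    if exe in EXPECTED_EXE and int(rec.get("auid", AUID_UNSET)) == AUID_UNSET:
        return "expected_daemon_access"  # NetworkManager itself, no login session
    return "unexpected_interactive_read"  # logged-in user or odd process read PSK data


def detect(log_text: str) -> list:
    """Return (label, auid, exe, file) for every record that is not expected access."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        label = classify(rec)
        if label and label != "expected_daemon_access":
            findings.append((label, rec.get("auid", "?"), rec.get("exe", "?"), rec["name"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

In production the same logic would run over events reconstructed from SYSCALL/PATH record pairs, and the `auid` (login uid) is the field that keeps sudo-elevated interactive reads from hiding behind `uid=0`.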
Mitigation priorities
- Restrict file permissions and administrative access to NetworkManager connection configuration files.
- Review sudo and privileged access paths that allow users or processes to read sensitive network configuration files.
- Ensure Linux endpoint logging or EDR policies include sensitive configuration file access where feasible.
- Use configuration management or compliance checks to verify expected ownership and permissions.
- If unauthorized access is confirmed, assess whether stored PSK credentials require rotation and whether network access controls need review.
Analyst notes and limits
This is a detection analytic, not a full ATT&CK technique entry. The object provides a clear Linux file path and behavior but does not specify tactics, related techniques, data sources, or official detection logic. Local baselining is essential because legitimate NetworkManager and administrative activity may access the same files.
No official detection content, relationships, aliases, or tactic mappings were supplied. This take is limited to the provided ATT&CK fields and should not be interpreted as evidence of active exploitation, attribution, impact, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 01a00fa29827… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1281 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.