MITRE ATT&CK® Analytic

AN1345: Analytic 1345

Behavioral chain: (1) sshd or federated SSO logins from third-party networks or identities; (2) rapid sudo/su privilege elevation; (3) access to sensitive paths or east-west SSH. Correlate auth logs, process execution, and network flows.

Enterprise | AN1345 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic matters because it focuses on a high-risk Linux access pattern: a login from a third-party network or federated identity, followed quickly by privilege elevation and then access to sensitive paths or lateral SSH activity. For leaders, the decision value is whether the organization can prove it would notice suspicious use of trusted remote access and sudo/su privileges before it becomes a broader incident.

Executive priority

Prioritize this as an access governance and incident readiness question: do Linux authentication, privilege escalation, and network flow records exist, are they correlated, and can the SOC distinguish expected third-party administration from risky behavior? The business risk is not the login alone, but the chain of external or federated access, rapid elevation, and movement toward sensitive systems or data paths.

Technical view

Validate coverage on Linux systems by correlating authentication logs for sshd or federated SSO, process execution showing sudo or su, file or command activity involving sensitive paths, and network flows indicating east-west SSH. Because no ATT&CK tactic or standalone detection logic is supplied, treat AN1345 as a behavioral analytic pattern rather than a complete rule. Focus testing on whether timing, identity, source network, host, privilege elevation, and subsequent SSH destinations can be joined reliably.

Likely telemetry

  • Linux authentication logs, including sshd login events
  • Federated SSO login records where applicable
  • Process execution telemetry for sudo and su
  • File, command, or audit records showing access to sensitive paths
  • Network flow records for east-west SSH activity

Detection direction

  • Correlate login source, identity, host, privilege elevation, and follow-on access within a practical time window.
  • Baseline approved third-party administrative activity to reduce false positives from legitimate support workflows.
  • Tune for rapid sudo/su after external or federated access, especially when followed by sensitive path access or SSH to internal systems.
  • Check blind spots where Linux hosts lack process execution logging, auth logs are not centralized, SSO records are not joined to host activity, or network flows do not capture internal SSH.
  • Use this analytic to validate SOC correlation capability, not just individual log collection.
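As an added illustration (not part of the ATT&CK object or Glexia's analysis), the correlation below joins the three stages of the chain over constructed, normalized events keyed on host and login identity; the third-party CIDR, sensitive paths, internal range and ten-minute window are assumptions to be replaced with local values.

```python
# Added example: stage-1 login (third-party network or federated) -> stage-2
# sudo/su -> stage-3 sensitive path or east-west SSH, all within one window.
# Assumption: events are pre-parsed dicts sharing "host" and "user", where
# "user" is the login identity (e.g. auditd auid), which persists across sudo.
import ipaddress
from datetime import datetime, timedelta

THIRD_PARTY_NETS = [ipaddress.ip_network("203.0.113.0/24")]    # assumed vendor range
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]           # assumed internal range
SENSITIVE_PATHS = ("/etc/shadow", "/root/.ssh/", "/var/lib/db/")  # assumed sensitive paths
WINDOW = timedelta(minutes=10)                                  # assumed join window

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def _in_any(addr, nets):
    return any(ipaddress.ip_address(addr) in n for n in nets)

def correlate(events, window=WINDOW):
    """Return (host, user, kind, detail) alerts for completed three-stage chains."""
    events = sorted(events, key=_ts)
    alerts = []
    for login in events:
        if login["type"] != "login":
            continue
        if not (login.get("federated") or _in_any(login["src"], THIRD_PARTY_NETS)):
            continue                                   # stage 1 not met
        t0 = _ts(login)
        def same_session(e):                           # same host, same identity, in window
            return (e["host"] == login["host"] and e["user"] == login["user"]
                    and t0 <= _ts(e) <= t0 + window)
        elev = next((e for e in events if e["type"] == "proc"
                     and e["cmd"] in ("sudo", "su") and same_session(e)), None)
        if elev is None:
            continue                                   # stage 2 not met
        for e in events:                               # stage 3: after the elevation only
            if _ts(e) < _ts(elev) or not same_session(e):
                continue
            if e["type"] == "file" and e["path"].startswith(SENSITIVE_PATHS):
                alerts.append((login["host"], login["user"], "sensitive_path", e["path"]))
            elif e["type"] == "flow" and e["dport"] == 22 and _in_any(e["dst"], INTERNAL_NETS):
                alerts.append((login["host"], login["user"], "east_west_ssh", e["dst"]))
    return alerts

SAMPLE = [  # constructed events: one vendor chain on web01, one benign internal admin on web02
    {"ts": "2025-01-10T09:00:00", "type": "login", "host": "web01", "user": "vendor1", "src": "203.0.113.7"},
    {"ts": "2025-01-10T09:01:30", "type": "proc", "host": "web01", "user": "vendor1", "cmd": "sudo"},
    {"ts": "2025-01-10T09:02:10", "type": "file", "host": "web01", "user": "vendor1", "path": "/etc/shadow"},
    {"ts": "2025-01-10T09:03:00", "type": "flow", "host": "web01", "user": "vendor1", "dst": "10.0.5.20", "dport": 22},
    {"ts": "2025-01-10T10:00:00", "type": "login", "host": "web02", "user": "ops", "src": "10.0.1.5"},
    {"ts": "2025-01-10T10:00:40", "type": "proc", "host": "web02", "user": "ops", "cmd": "sudo"},
    {"ts": "2025-01-10T10:01:00", "type": "file", "host": "web02", "user": "ops", "path": "/etc/shadow"},
]
```

Running `correlate(SAMPLE)` yields two alerts for web01/vendor1 and none for the internal ops login, which illustrates why the baseline of approved networks and identities decides the false-positive rate.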

Mitigation priorities

  • Inventory Linux systems and confirm centralized collection of authentication, process execution, and relevant network flow telemetry.
  • Define and document approved third-party and federated administrative access patterns.
  • Review sudo/su authorization and least-privilege controls for accounts that can access Linux systems remotely.
  • Ensure incident response playbooks cover suspicious remote login followed by privilege escalation and lateral SSH.
  • Use audit evidence from logging, access reviews, and correlation testing to support compliance and access governance readiness.

Analyst notes and limits

AN1345 is a detection analytic for Linux with an official behavioral chain but no separate official detection text and no supplied relationship context. Its value is in validating cross-domain correlation across identity, host, and network telemetry for privileged Linux access patterns.

The supplied object does not specify tactics, related techniques, adversary use, severity, prevalence, or exact detection logic. Local environment knowledge is required to define sensitive paths, approved third-party networks or identities, normal sudo/su behavior, and acceptable east-west SSH patterns.

Official MITRE ATT&CK definition

Analytic 1345

Behavioral chain: (1) sshd or federated SSO logins from third-party networks or identities; (2) rapid sudo/su privilege elevation; (3) access to sensitive paths or east-west SSH. Correlate auth logs, process execution, and network flows.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d6bfb29ff4b5c280...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: d6bfb29ff4b5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1345

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.