AN1418: Analytic 1418
Detects access to SSSD or Quest VAS cached credential databases using tdbdump or other file access patterns, requiring sudo/root access.
Analyst context for executives and security teams
This analytic matters because cached credential stores on Linux identity-integrated systems can become a high-value target after an actor has sudo or root access. For leaders, the key issue is not only whether SSSD or Quest VAS are deployed, but whether the organization can prove it would notice privileged access to their cached credential databases before that access supports broader identity risk or incident escalation.
Executive priority
Prioritize this as an identity and Linux server monitoring validation item where SSSD or Quest VAS are in use. It supports incident readiness and audit evidence by testing whether privileged access to sensitive authentication cache files is logged, reviewed, and actionable. Because the ATT&CK object specifies sudo/root access, this should be considered alongside privileged access management, Linux hardening, and SOC visibility for administrator activity.
Technical view
For SOC and detection teams, validate Linux telemetry around access to SSSD or Quest VAS cached credential databases, especially access involving tdbdump or unusual direct file reads. Since no official detection logic is provided, teams should build environment-specific analytics around privileged process execution, file access to relevant credential cache paths, and sudo/root context. Tune carefully for legitimate identity troubleshooting, backup, migration, or administrative maintenance activity.
Likely telemetry
- Linux process execution telemetry, including command line where available
- sudo or privilege escalation logs showing root-level execution context
- File access or audit telemetry for SSSD and Quest VAS cached credential database locations
- Authentication and identity service logs from systems using SSSD or Quest VAS
- Endpoint detection or host audit records for sensitive file reads by administrative tools such as tdbdump
Detection direction
- Inventory Linux hosts using SSSD or Quest VAS before assessing analytic coverage.
- Confirm whether file access auditing is enabled for credential cache database locations; many environments collect process logs but not sensitive file reads.
- Correlate tdbdump or similar database/file access utilities with sudo/root activity and the target file path.
- Account for legitimate administrator activity, identity service troubleshooting, backups, and system maintenance to reduce false positives.
- Because no tactic or relationship context is supplied, avoid over-mapping this analytic to a specific intrusion phase without local incident evidence.
Mitigation priorities
- Restrict sudo/root access to Linux systems that store cached identity credentials.
- Harden file permissions and administrative access paths for SSSD and Quest VAS credential cache databases.
- Enable and retain host-level audit logs for privileged command execution and sensitive file access.
- Document approved administrative procedures for identity cache inspection so SOC teams can distinguish expected from suspicious activity.
- Include these systems in incident response playbooks for privileged account compromise and Linux identity infrastructure review.
Analyst notes and limits
This is a detection analytic object, not a technique description. The supplied description is narrow: Linux access to SSSD or Quest VAS cached credential databases using tdbdump or other file access patterns, requiring sudo/root access. The most useful validation question is whether Linux identity infrastructure has sufficient privileged execution and file access telemetry to make this analytic operational.
ATT&CK provides no official detection logic, no tactics, and no relationship context for this object. Specific file paths, event IDs, commands, thresholds, and false-positive baselines must be determined from the local Linux distribution, SSSD or Quest VAS deployment, logging configuration, and administrative practices.
Analytic 1418
Detects access to SSSD or Quest VAS cached credential databases using tdbdump or other file access patterns, requiring sudo/root access.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 2d8246d312ed… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1418Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.