MITRE ATT&CK® Analytic

AN1444: Analytic 1444

Detects suspicious access to SSSD secrets database and Kerberos key material indicating ticket theft or replay attempts. Correlates anomalous file access with unusual Kerberos service ticket requests.

Enterprise · AN1444 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because Linux identity infrastructure can become a path to credential misuse if SSSD secrets or Kerberos key material are accessed suspiciously. For leaders, the decision value is whether SOC and identity teams can see both sides of the behavior: sensitive local credential-material access and unusual Kerberos service ticket activity.

Executive priority

Prioritize this as an identity and Linux monitoring validation item. It supports resilience and incident readiness by testing whether teams can detect possible ticket theft or replay indicators before they become broader access-control failures. It is also useful audit evidence for privileged access monitoring, authentication oversight, and Linux server hardening programs.

Technical view

Validate collection and correlation for Linux file access involving SSSD secrets databases and Kerberos key material, then correlate those events with unusual Kerberos service ticket requests. Because ATT&CK provides no full detection logic, teams should define local baselines for expected service accounts, administrative tools, host roles, and normal Kerberos request patterns before alerting aggressively.

Likely telemetry

  • Linux file access audit events for SSSD secrets database paths
  • Linux file access audit events for Kerberos key material
  • Kerberos service ticket request logs or authentication telemetry
  • Process, user, host, and privilege context around sensitive file access
  • Time correlation between sensitive file access and Kerberos ticket activity

Detection direction

  • Confirm Linux audit or equivalent telemetry captures reads or access attempts against SSSD secrets and Kerberos key material.
  • Correlate sensitive file access with unusual Kerberos service ticket requests rather than relying on file events alone.
  • Tune for legitimate administrative maintenance, SSSD operations, backup activity, and configuration management to reduce false positives.
  • Prioritize alerts where access is by unexpected users, processes, hosts, or service accounts, especially when followed by abnormal ticket requests.
  • Document blind spots where Kerberos telemetry, Linux audit policy, or host coverage is incomplete.
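As an added illustration of the correlation described in the detection direction above (example code written for this page, not part of the ATT&CK object or any vendor product): it flags non-baseline access to SSSD secrets and Kerberos key material in audit records, then raises severity when the same host issues a service ticket request within a short window. The file paths, the (process, user) baseline and the simplified log formats are assumptions for the example; real auditd and KDC logs need a parser for their own formats.

```python
import re
from datetime import datetime, timedelta

# Paths assumed for this example (adjust to the local SSSD and Kerberos layout)
SENSITIVE_PREFIXES = ("/var/lib/sss/secrets/", "/etc/krb5.keytab", "/tmp/krb5cc_")
# Local baseline of (process, user) pairs expected to read this material
BASELINE = {("sssd_be", "root"), ("sssd", "root")}
WINDOW = timedelta(minutes=10)

# Constructed, pre-normalised audit and KDC ticket-request lines (not real log formats)
AUDIT_RE = re.compile(r"ts=(\S+) host=(\S+) uid=(\S+) comm=(\S+) path=(\S+)")
TGS_RE = re.compile(r"ts=(\S+) host=(\S+) client=(\S+) service=(\S+)")

AUDIT_LINES = [
    "ts=2024-05-01T10:00:00 host=web01 uid=root comm=sssd_be path=/var/lib/sss/secrets/secrets.ldb",
    "ts=2024-05-01T10:05:00 host=web01 uid=www-data comm=python3 path=/etc/krb5.keytab",
    "ts=2024-05-01T10:06:00 host=db02 uid=backup comm=tar path=/var/lib/sss/secrets/secrets.ldb",
    "ts=2024-05-01T10:08:00 host=web01 uid=root comm=vim path=/etc/hosts",
]
TGS_LINES = [
    "ts=2024-05-01T10:07:30 host=web01 client=host/web01@EXAMPLE.COM service=cifs/fs01@EXAMPLE.COM",
    "ts=2024-05-01T11:30:00 host=db02 client=host/db02@EXAMPLE.COM service=ldap/dc01@EXAMPLE.COM",
]

def parse(regex, lines):
    """Extract the captured fields from every line the regex matches."""
    return [m.groups() for m in map(regex.search, lines) if m]

def correlate(audit_lines=AUDIT_LINES, tgs_lines=TGS_LINES, baseline=BASELINE, window=WINDOW):
    """Flag non-baseline access to sensitive identity files; raise severity when the
    same host issues a service ticket (TGS) request within the window afterwards."""
    tgs = [(datetime.fromisoformat(ts), host, client, svc)
           for ts, host, client, svc in parse(TGS_RE, tgs_lines)]
    alerts = []
    for ts, host, uid, comm, path in parse(AUDIT_RE, audit_lines):
        if not path.startswith(SENSITIVE_PREFIXES) or (comm, uid) in baseline:
            continue  # not sensitive, or expected SSSD maintenance (tune locally)
        t0 = datetime.fromisoformat(ts)
        followups = [f"{c}->{s}" for t, h, c, s in tgs if h == host and t0 <= t <= t0 + window]
        alerts.append({"host": host, "user": uid, "process": comm, "path": path,
                       "tickets": followups, "severity": "high" if followups else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in correlate():
        print(alert)
```

The web01 keytab read by an unexpected process followed by a ticket request scores high; the db02 access with no ticket activity inside the window stays medium for analyst review.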

Mitigation priorities

  • Restrict permissions and administrative access to SSSD secrets and Kerberos key material on Linux systems.
  • Ensure Linux audit policy covers sensitive identity-related files and preserves user, process, and host context.
  • Centralize Kerberos and Linux authentication telemetry for SOC correlation.
  • Review service account and administrator access patterns to establish baselines.
  • Use incident response playbooks that include credential-material exposure assessment and Kerberos ticket activity review.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Linux. Its description specifically focuses on suspicious access to SSSD secrets databases and Kerberos key material, correlated with unusual Kerberos service ticket requests. No tactics, relationships, or detailed analytic logic were supplied, so implementation should be environment-specific.

Official detection logic was not provided, and no relationship context was supplied. This take does not establish adversary attribution, active exploitation, impact, or guaranteed detection coverage. Local filesystem paths, audit policy, Kerberos logging sources, and normal administrative behavior must be validated in the customer environment.

Official MITRE ATT&CK definition

Analytic 1444

Detects suspicious access to SSSD secrets database and Kerberos key material indicating ticket theft or replay attempts. Correlates anomalous file access with unusual Kerberos service ticket requests.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 1d8eb5360c76107e...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 1d8eb5360c76…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1444

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.