AN1516: Analytic 1516
A process (non-system or user-initiated) accesses private key files in user profile paths or system certificate stores followed by potential network connections or compression activity.
Analyst context for executives and security teams
This analytic is business-relevant because private key material is often the proof of trust behind user identity, service authentication, code signing, encrypted communications, and access to sensitive systems. On Windows, a non-system or user-initiated process reading private key files in user profiles or certificate stores, especially when followed by network activity or compression, can indicate possible staging or movement of sensitive credential material. Leaders should treat this as a validation point for whether the organization can see and investigate misuse of certificate and key assets, not just passwords.
Executive priority
Prioritize this where private keys support privileged access, remote access, signing, regulated data protection, or operationally critical services. The decision question is whether security teams can prove, with evidence, which Windows processes accessed key material and what happened next. This supports incident response readiness, identity and access management assurance, compliance evidence around protection of cryptographic material, and control prioritization for endpoints that hold high-value certificates or keys.
Technical view
For SOC and detection teams, validate Windows visibility for process-level access to private key locations in user profile paths and system certificate stores, then correlate that access with subsequent network connections or compression/archive behavior. Because the official object provides no tactic, relationship context, or detailed detection logic, teams should avoid treating any single file access as automatically malicious. Focus on unusual non-system processes, user-initiated processes without an expected business need, unexpected parent-child process chains, and temporal correlation between key access and outbound network or compression activity.
Likely telemetry
- Windows endpoint process creation telemetry with command line, parent process, user, and integrity context
- File access telemetry for private key files in user profile paths and system certificate store locations
- Certificate store access or cryptographic key access events where available
- Network connection telemetry tied to process identity and destination context
- File creation or process telemetry showing compression or archive utility activity
Detection direction
- Confirm that monitoring covers Windows systems where private keys or certificates are stored, including user profile paths and system certificate stores.
- Tune for non-system or user-initiated processes accessing private key material, then enrich with process reputation, signer, path, parent process, and user role.
- Correlate key access with near-term network connections or compression activity to raise confidence while reducing noise from normal certificate management workflows.
- Baseline legitimate administrative, backup, browser, certificate enrollment, and enterprise management activity that may access key stores.
- Investigate blind spots where file access auditing is disabled, EDR does not capture certificate store access, or network events cannot be tied back to the originating process.
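As an added illustration of the correlation step described above (this is example code, not logic from the ATT&CK object or from Glexia; the pipe-delimited log format, the sample events, the key-path patterns, the process baseline, and the ten-minute window are all constructed assumptions), the following Python groups endpoint events by process id, flags a non-baseline process that reads a key-material path, and reports any network connection or compression-tool launch by that same process within the window:

```python
"""Correlate private-key file access with follow-on network or compression activity.

Added example only: the log format, sample events, paths, baseline process list and
time window below are constructed for illustration and must be replaced with local values.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical Windows key-material locations: per-user and machine CryptoAPI stores,
# plus common exported-key file extensions. Tune to the environment.
KEY_PATH_PATTERNS = [
    re.compile(r"\\users\\[^\\]+\\appdata\\roaming\\microsoft\\crypto\\", re.I),
    re.compile(r"\\programdata\\microsoft\\crypto\\", re.I),
    re.compile(r"\.(pfx|p12|pem|key|ppk)$", re.I),
]
# Local baseline of processes expected to touch key stores (constructed; refine per site).
BASELINE_PROCESSES = {"lsass.exe", "certsrv.exe"}
# Archive/compression utilities whose launch counts as "compression activity".
COMPRESSION_TOOLS = {"7z.exe", "7za.exe", "winrar.exe", "rar.exe", "tar.exe", "compress-archive"}
# Assumed correlation window between key access and the follow-on event.
WINDOW = timedelta(minutes=10)


@dataclass
class Event:
    ts: datetime
    kind: str    # "file_read", "net_connect" or "process_create"
    pid: int
    image: str   # process image name, lowercased
    user: str
    detail: str  # file path, remote endpoint, or child command line


def is_key_path(path):
    """True when the path matches one of the assumed private-key locations."""
    return any(p.search(path) for p in KEY_PATH_PATTERNS)


def is_compression(command_line):
    """True when a child command line launches a known archive tool."""
    lowered = command_line.lower()
    return any(tool in lowered for tool in COMPRESSION_TOOLS)


def parse_log(text):
    """Parse constructed 'ts|kind|pid|image|user|detail' lines into Event objects."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, pid, image, user, detail = line.split("|", 5)
        events.append(Event(datetime.fromisoformat(ts), kind, int(pid), image.lower(), user, detail))
    return events


def correlate(events, window=WINDOW):
    """Return one alert per non-baseline key-file read that is followed, within the window
    and by the same process, by a network connection or a compression-tool launch."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev.pid].append(ev)
    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        for i, ev in enumerate(evs):
            if ev.kind != "file_read" or not is_key_path(ev.detail):
                continue
            if ev.image in BASELINE_PROCESSES:
                continue  # expected certificate-management process; baseline it, do not alert
            followups = [
                f"{later.kind}:{later.detail}"
                for later in evs[i + 1:]
                if later.ts - ev.ts <= window
                and (later.kind == "net_connect"
                     or (later.kind == "process_create" and is_compression(later.detail)))
            ]
            if followups:
                alerts.append({"pid": pid, "image": ev.image, "user": ev.user,
                               "key_file": ev.detail, "followups": followups})
    return alerts


# Constructed sample telemetry: one suspicious chain (pid 5210), one baseline process,
# one non-key file access, and one key access whose network event falls outside the window.
SAMPLE_LOG = """
2024-05-01T09:00:01|file_read|4100|lsass.exe|NT AUTHORITY\\SYSTEM|C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\abc
2024-05-01T09:02:10|file_read|5210|powershell.exe|CORP\\jdoe|C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1\\key1
2024-05-01T09:03:30|process_create|5210|powershell.exe|CORP\\jdoe|C:\\Program Files\\7-Zip\\7z.exe a keys.7z
2024-05-01T09:05:00|net_connect|5210|powershell.exe|CORP\\jdoe|203.0.113.10:443
2024-05-01T09:10:00|file_read|6001|outlook.exe|CORP\\jdoe|C:\\Users\\jdoe\\Documents\\report.docx
2024-05-01T09:11:00|net_connect|6001|outlook.exe|CORP\\jdoe|198.51.100.5:443
2024-05-01T10:00:00|file_read|7000|certmgr.exe|CORP\\admin|C:\\Users\\admin\\Downloads\\client.pfx
2024-05-01T11:30:00|net_connect|7000|certmgr.exe|CORP\\admin|192.0.2.7:443
"""

if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed log, only pid 5210 produces an alert, with both the 7z.exe launch and the outbound connection listed as follow-ups; the lsass.exe read is baselined, outlook.exe never touches a key path, and certmgr.exe's connection is 90 minutes after its key read and so falls outside the window. Whether a baseline hit should be silently dropped or logged at low severity is a local decision.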
Mitigation priorities
- Inventory Windows endpoints and users that hold sensitive private keys or certificates, with priority on privileged, signing, remote access, and production-adjacent assets.
- Limit access to private key material to required users, services, and processes using least privilege and appropriate Windows key protection controls.
- Reduce unnecessary local storage of high-value keys and ensure certificate lifecycle processes are documented and auditable.
- Harden and monitor endpoints that legitimately handle private keys, including alert handling procedures for suspicious access followed by network or compression behavior.
- Use incident response playbooks that include certificate/key exposure assessment, revocation decision criteria, and replacement procedures.
Analyst notes and limits
This is a detection analytic object, not a full ATT&CK technique entry. The strongest operational value is as a coverage test: can defenders observe suspicious Windows private key access and connect it to possible staging or exfiltration-adjacent behavior such as compression or network communication? Local baselines are essential because legitimate certificate management and application behavior can generate similar events.
The supplied ATT&CK fields do not include tactics, relationships, detailed detection logic, mitigations, adversary use, or active exploitation context. Conclusions are limited to the official description and Windows platform scope. Environment-specific certificate locations, normal processes, logging configuration, and business use of private keys must be validated locally.
Analytic 1516
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2d2758514dfc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1516
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.