MITRE ATT&CK® Detection Strategy

DET0024: Detect Kerberos Ccache File Theft or Abuse (T1558.005)


Enterprise | DET0024 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This detection strategy is about finding theft or misuse of Kerberos credential cache files associated with ATT&CK T1558.005, Ccache Files. For leaders, the practical issue is identity risk: if short-lived Kerberos session credentials are copied or abused on Linux or macOS systems, an attacker may be able to access services without knowing the user’s password. That makes this behavior important for identity assurance, privileged access monitoring, SOC readiness, and incident response scoping.

Executive priority

Prioritize this where Linux or macOS systems use Kerberos for access to important services, administrative workflows, or business-critical infrastructure. Executives should ask whether the organization can prove where Kerberos ccache files reside, who can access them, whether unusual access is logged, and whether IR teams can quickly determine which identities and services may be affected. This is also relevant to audit evidence for identity controls and least-privilege enforcement, because the risk centers on active session credentials rather than password compromise alone.

Technical view

The supplied ATT&CK object has no official description or detection logic, but it is explicitly a detection strategy for T1558.005 Ccache Files under credential access. SOC and detection teams should validate visibility on Linux and macOS endpoints where Kerberos is used. Practical validation should focus on access to Kerberos credential cache locations, references to /etc/krb5.conf, use or changes of the KRB5CCNAME environment variable, and suspicious processes reading, copying, moving, or exfiltrating ccache material outside expected authentication workflows. IR teams should be prepared to map observed file access back to users, hosts, Kerberos realms/services, and active sessions.

Likely telemetry

  • Linux and macOS endpoint process execution telemetry
  • File access, creation, copy, move, permission, and deletion events for Kerberos credential cache locations
  • Monitoring of /etc/krb5.conf where present and relevant
  • Process environment or command context showing KRB5CCNAME usage
  • Authentication and Kerberos-related logs where available

Detection direction

  • Inventory where Kerberos ccache files are expected to exist on Linux and macOS systems before writing alerts; location and naming may vary by configuration.
  • Baseline legitimate access patterns by authentication components, shells, service processes, and administrative tools to reduce false positives.
  • Look for unusual processes reading or copying ccache files, especially from user sessions, temporary paths, or locations referenced by KRB5CCNAME.
  • Correlate ccache access with user logon context, privilege level, service access, and subsequent authentication activity.
  • Validate that host telemetry captures file read/copy behavior, not only file creation or deletion; many environments miss read access by default.
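As an added illustration of the detection direction above (example code, not part of the DET0024 object or of Glexia's analysis), the Python below runs three of those checks over constructed file-access events: a ccache read by a process outside the baseline, a read by a uid other than the cache owner, and a KRB5CCNAME value pointing a FILE: cache outside the expected directories. The key=value event layout, the /tmp/krb5cc_<uid> naming pattern, the expected directories and the baseline process list are assumptions to be replaced by the inventory and baselining steps.

```python
import re

# Constructed endpoint file-access events for this example; the key=value layout is an
# assumption, not a real auditd/EDR format. Each line is one process touching one file.
SAMPLE_EVENTS = """\
uid=1000 comm=kinit op=open path=/tmp/krb5cc_1000 krb5ccname=
uid=1000 comm=ssh op=read path=/tmp/krb5cc_1000 krb5ccname=
uid=1000 comm=cp op=read path=/tmp/krb5cc_1000 krb5ccname=
uid=0 comm=python3 op=read path=/tmp/krb5cc_1000_Ab12Cd krb5ccname=
uid=1000 comm=bash op=read path=/var/tmp/.cache krb5ccname=FILE:/var/tmp/.cache
uid=1000 comm=klist op=read path=/run/user/1000/krb5cc/tkt krb5ccname=DIR:/run/user/1000/krb5cc
"""

# MIT krb5 default FILE ccache on Linux is /tmp/krb5cc_<uid>, sometimes with a random
# suffix; replace with the inventory result (macOS API: and KEYRING:/KCM: caches are not files).
CCACHE_FILE_RE = re.compile(r"^/tmp/krb5cc_(\d+)(?:_\w+)?$")
EXPECTED_DIRS = ("/tmp/", "/run/user/")  # where FILE:/DIR: caches are expected (assumed)
# Processes baselined as legitimate ccache readers (assumed; tune per environment).
BASELINE_READERS = {"kinit", "klist", "kdestroy", "ssh", "sshd", "curl", "gssproxy"}

def parse_event(line):
    """Turn one 'key=value key=value' line into a dict (empty values allowed)."""
    return dict(re.findall(r"(\w+)=(\S*)", line))

def ccache_target(ev):
    """Path that KRB5CCNAME points at for FILE:/DIR: caches, else None."""
    m = re.match(r"^(?:FILE|DIR):(/\S+)$", ev.get("krb5ccname", ""))
    return m.group(1) if m else None

def evaluate(ev):
    """Apply the three rules to one event; returns the list of rule names hit."""
    hits = []
    path, comm, uid = ev.get("path", ""), ev.get("comm", ""), ev.get("uid", "")
    m = CCACHE_FILE_RE.match(path)
    override = ccache_target(ev)
    is_ccache = bool(m) or (override is not None and path.startswith(override))
    if is_ccache and comm not in BASELINE_READERS:
        hits.append("unexpected_reader")            # cp/tar/python touching a ccache
    if m and m.group(1) != uid:
        hits.append("cross_user_access")            # another uid (root included) read it
    if override and not override.startswith(EXPECTED_DIRS):
        hits.append("nonstandard_ccache_location")  # KRB5CCNAME redirected elsewhere
    return hits

def scan(events_text):
    """Run evaluate() over every line; returns (comm, path, rules) for events with hits."""
    results = [(ev["comm"], ev["path"], evaluate(ev))
               for ev in map(parse_event, events_text.splitlines())]
    return [r for r in results if r[2]]
```

Each hit should be correlated with the logon context and subsequent authentication activity before it is treated as an alert; the baseline set is what keeps kinit, ssh and klist out of the results.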

Mitigation priorities

  • Confirm Kerberos usage, ccache storage locations, and ownership/permission expectations across Linux and macOS systems.
  • Harden file permissions and administrative access so only expected users and processes can access credential caches.
  • Limit unnecessary privileged interactive sessions on Kerberos-enabled systems and enforce least privilege for administrators and service accounts.
  • Ensure endpoint logging or EDR policies cover the relevant file paths and process context needed for investigation.
  • Prepare IR procedures for suspected ccache theft, including account/session review, affected host containment, and Kerberos credential/session invalidation steps consistent with local identity architecture.
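Added example for the inventory and permission-hardening items above (example code, not from MITRE or the page's own source): a Python audit that checks krb5cc_* entries in a directory for the expected owner and mode, exercised against a constructed temporary directory. The krb5cc_<uid> naming and the owner-only (0600, regular file) expectation are assumptions based on the MIT krb5 FILE default and should be adjusted to the local Kerberos configuration.

```python
import os
import re
import stat
import tempfile

# MIT krb5 FILE ccache naming (krb5cc_<uid>, optional random suffix); adjust per inventory.
CCACHE_NAME_RE = re.compile(r"^krb5cc_(\d+)(?:_\w+)?$")

def audit_ccache_dir(directory):
    """Check every krb5cc_* entry in directory against the expected ownership and
    permission model: a regular file, owned by the uid in its name, with no group or
    other permission bits. Returns a name-sorted list of (name, issue) pairs."""
    issues = []
    for name in sorted(os.listdir(directory)):
        m = CCACHE_NAME_RE.match(name)
        if not m:
            continue
        st = os.lstat(os.path.join(directory, name))     # lstat: do not follow symlinks
        if not stat.S_ISREG(st.st_mode):
            issues.append((name, "not_a_regular_file"))  # symlink or directory in the slot
            continue
        if st.st_uid != int(m.group(1)):
            issues.append((name, "owner_mismatch"))      # cache owned by someone else
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            issues.append((name, "group_or_other_access"))  # readable beyond the owner
    return issues

def demo():
    """Constructed fixture: a throwaway directory holding a correctly protected cache,
    a world-readable one, and a symlink parked under a ccache-style name."""
    d = tempfile.mkdtemp()
    uid = os.getuid()
    for suffix, mode in (("", 0o600), ("_XYZ123", 0o644)):
        p = os.path.join(d, f"krb5cc_{uid}{suffix}")
        with open(p, "wb") as f:
            f.write(b"\x05\x04")   # first two bytes of a v4 MIT ccache file, used as a marker
        os.chmod(p, mode)
    os.symlink("/etc/hostname", os.path.join(d, f"krb5cc_{uid}_LNK"))
    return audit_ccache_dir(d)
```

Run audit_ccache_dir() against the directories found in the inventory step; the owner_mismatch check only fires when the auditing process can see files belonging to other uids, which normally means running it as root.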

Analyst notes and limits

This take is based on the detection strategy object DET0024 and its relationship to ATT&CK technique T1558.005, Ccache Files. The key decision value is whether the organization can observe and investigate access to Kerberos session credential material on Linux and macOS hosts. Because the detection strategy object itself does not include official detection text, local Kerberos configuration and endpoint telemetry determine the practical coverage.

The supplied detection strategy has no official description, no official detection guidance, no listed platforms or tactics of its own, and no aliases or labels. Platform and tactic context comes from the related ATT&CK technique only: Linux, macOS, and credential access. Recommendations are therefore conservative validation directions, not guaranteed detections or claims of active exploitation.

Official MITRE ATT&CK definition

Detect Kerberos Ccache File Theft or Abuse (T1558.005)

No official description is available in the imported ATT&CK source object.

The same entry is available on attack.mitre.org (MITRE-hosted reference); links elsewhere on this page use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name          Relationship / procedure
Enterprise  T1558.005  Ccache Files  Sub-technique. This object detects Ccache Files.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 2d222e899028f73e...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  2d222e899028…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack, DET0024 (link to source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.