Uncommon attempt at grabbing credentials from a sensitive file

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2026-01-04
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Detector Tags

Credentials Grabbing Analytics

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

A process made an uncommon attempt to access a file that may contain sensitive information.

Attacker's Goals

  • Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.

Investigative actions

  • Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access.
  • Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.
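As an added illustration (not Cortex XSIAM code; the page does not document the analytics engine's features or thresholds), the following Python models how the Synopsis periods above interact: the detector learns which (process, file) pairs touch sensitive files during the training window, stays silent until the activation period has elapsed, treats a pair seen on fewer than a threshold number of distinct days as uncommon, and deduplicates repeat alerts for one day. The event schema, the sensitive-file list, the rarity threshold and the rules that map an event onto the variation contexts listed below are all assumptions made for this example (including the priority order when more than one context applies); the severities are the ones this page lists.

```python
"""Toy model of a baseline-driven "uncommon sensitive-file access" detector.

Added illustration, not Cortex XSIAM code. Event schema, sensitive-file list,
rarity threshold and context rules are assumptions; the periods come from the
Synopsis on this page.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ACTIVATION = timedelta(days=14)   # no alerts until this much history exists
TRAINING = timedelta(days=30)     # baseline is the trailing 30 days of events
DEDUP = timedelta(days=1)         # one alert per (process, file) per day
MIN_DISTINCT_DAYS = 2             # assumption: seen on >= 2 days => "common"

# Assumption: a few Linux files that commonly hold credentials.
SENSITIVE_SUFFIXES = ("/etc/shadow", "/.ssh/id_rsa", "/.ssh/id_ed25519",
                      "/.aws/credentials", "/.git-credentials")
SSH_KEY_SUFFIXES = ("/.ssh/id_rsa", "/.ssh/id_ed25519")
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
WEB_SERVERS = {"apache2", "httpd", "nginx", "php-fpm"}

# Severity per variation as listed on this page; the generic alert is Informational.
SEVERITY = {"generic": "Informational", "ssh_private_key": "Low",
            "potential_webshell": "Low", "rare_process_from_cron": "Low",
            "temp_or_world_writable_dir": "Low"}


def is_sensitive(path):
    return path.endswith(SENSITIVE_SUFFIXES)


def classify_context(event):
    """Map an event onto a variation name (assumed rules, assumed priority)."""
    if event["path"].endswith(SSH_KEY_SUFFIXES):
        return "ssh_private_key"
    if event["parent"] in WEB_SERVERS:
        return "potential_webshell"
    if event["parent"] == "cron":
        return "rare_process_from_cron"
    if event["image"].startswith(WORLD_WRITABLE_DIRS):
        return "temp_or_world_writable_dir"
    return "generic"


class UncommonAccessDetector:
    def __init__(self):
        self.first_seen = None
        self.days_seen = defaultdict(set)   # (process, path) -> {date, ...}
        self.last_alert = {}                # (process, path) -> datetime

    def _prune(self, now):
        """Drop baseline observations older than the training window."""
        cutoff = (now - TRAINING).date()
        for days in self.days_seen.values():
            days.difference_update({d for d in days if d < cutoff})

    def process(self, event):
        """Return an alert dict for one file-access event, or None."""
        ts = event["ts"]
        if self.first_seen is None:
            self.first_seen = ts
        if not is_sensitive(event["path"]):
            return None
        self._prune(ts)
        key = (event["process"], event["path"])
        uncommon = len(self.days_seen[key]) < MIN_DISTINCT_DAYS
        self.days_seen[key].add(ts.date())      # every event feeds the baseline
        if ts - self.first_seen < ACTIVATION or not uncommon:
            return None
        last = self.last_alert.get(key)
        if last is not None and ts - last < DEDUP:
            return None                          # deduplicated within one day
        self.last_alert[key] = ts
        ctx = classify_context(event)
        return {"ts": ts, "process": event["process"], "path": event["path"],
                "context": ctx, "severity": SEVERITY[ctx]}


def run_sample():
    """Constructed stream: 32 days of benign activity plus a few odd reads."""
    t0 = datetime(2025, 12, 1)

    def mk(day, process, path, parent="systemd", image=None, hour=3):
        return {"ts": t0 + timedelta(days=day, hours=hour), "process": process,
                "path": path, "parent": parent,
                "image": image or "/usr/bin/" + process}

    events = []
    for day in range(32):                        # daily benign baseline
        events.append(mk(day, "unix_chkpwd", "/etc/shadow", parent="sudo"))
        events.append(mk(day, "ssh", "/home/alice/.ssh/id_rsa", parent="bash"))
    events += [
        mk(5, "cat", "/etc/shadow", parent="bash", hour=10),        # before activation
        mk(31, "bash", "/etc/shadow", parent="apache2", image="/bin/bash", hour=10),
        mk(31, "bash", "/etc/shadow", parent="apache2", image="/bin/bash", hour=11),
        mk(31, "curl", "/home/alice/.ssh/id_rsa", parent="sh", hour=12),
        mk(31, "python3", "/home/alice/.aws/credentials", parent="cron", hour=13),
        mk(31, "sh", "/root/.git-credentials", parent="sh", image="/dev/shm/.x/sh", hour=14),
        mk(31, "perl", "/etc/shadow", parent="bash", hour=15),
    ]
    events.sort(key=lambda e: e["ts"])
    det = UncommonAccessDetector()
    return [a for a in (det.process(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["ts"], alert["severity"], alert["context"], alert["process"], alert["path"])
```

`run_sample()` yields five alerts: the `cat` read on day 5 is silent because the activation period has not elapsed, the daily `unix_chkpwd` and `ssh` reads are common by the time alerting starts, and the second `bash` read on day 31 is suppressed by deduplication.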

Variations

Uncommon attempt at grabbing credentials from a sensitive file by a security testing tool

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

High

Description

A process identified as a security testing tool made an uncommon attempt to access a file that may contain sensitive information.

Attacker's Goals

  • Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.

Investigative actions

  • Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access.
  • Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.
  • Confirm whether an authorized penetration test or red team engagement was scheduled for this host at the time of the event; if none was, treat the alert as a likely compromise and escalate.


Uncommon attempt at grabbing credentials from a sensitive file by a potentially known credential dumper or enumeration script

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

A process that matches a potentially known credential dumper or enumeration script made an uncommon attempt to access a file that may contain sensitive information.

Attacker's Goals

  • Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.

Investigative actions

  • Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access.
  • Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.
  • Identify the tool from the process name, command line, and the set of files it accessed; if it is a recognized credential dumper or enumeration script, collect the binary or script and determine how it was delivered to the host.


Uncommon attempt at grabbing credentials from an SSH private key

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A process made an uncommon attempt to access an SSH private key file.

Attacker's Goals

  • Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.

Investigative actions

  • Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access.
  • Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.
  • Identify the key's owner and the hosts it grants access to; if the actor process is not an SSH client or agent that normally uses the key, treat the key as potentially exposed and plan to rotate it.


Uncommon attempt at grabbing credentials from a sensitive file by a potential Webshell

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A process that may be a webshell made an uncommon attempt to access a file that may contain sensitive information.

Attacker's Goals

  • Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.

Investigative actions

  • Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access.
  • Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.
  • Verify that the actor's parent is a web server or application worker process, then correlate the event time with the web server's access logs to find the request that spawned it and any uploaded script it may have executed.


Uncommon attempt at grabbing credentials from a sensitive file by a script that was executed by a rare causality

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A script launched through a causality chain that is rare in the environment made an uncommon attempt to access a file that may contain sensitive information.

Attacker's Goals

  • Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.

Investigative actions

  • Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access.
  • Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.
  • Trace the causality chain back to the process that started the script; a script that is normally launched by a known scheduler or service but was started from an interactive shell or a network-facing process warrants closer scrutiny.


Uncommon attempt at grabbing credentials from a sensitive file from temporary or world writable directories

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A process executed from a temporary or world-writable directory made an uncommon attempt to access a file that may contain sensitive information.

Attacker's Goals

  • Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.

Investigative actions

  • Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access.
  • Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.
  • Determine how the actor's executable ended up in the temporary or world-writable directory (a download, an archive extraction, or a prior file write), and collect the file for analysis before it is removed.


Uncommon attempt at grabbing credentials from a sensitive file by a rare process that was executed by cron

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A process that is rarely executed by cron made an uncommon attempt to access a file that may contain sensitive information.

Attacker's Goals

  • Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.

Investigative actions

  • Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access.
  • Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.
  • Locate the crontab entry or cron.d file that scheduled the process, check who created or last modified it, and review the other commands it runs.


Uncommon attempt at grabbing credentials from a sensitive file by a non-GTFOBIN process

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A process that is not a known GTFOBins binary made an uncommon attempt to access a file that may contain sensitive information.

Attacker's Goals

  • Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.

Investigative actions

  • Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access.
  • Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.
  • Because the actor is not a standard living-off-the-land binary from the GTFOBins list, establish where its executable came from and whether it is packaged, signed, or otherwise expected on the host.