Credential File Theft from Agent Environment - ATR-2026-00113 (ce8a59e5-a77d-5b9b-b053-83947f9a0e2b)

Detects tools or agent instructions that access well-known credential files from the host environment. Attackers target files like ~/.aws/credentials, SSH private keys, Docker configs, and Kubernetes configs to gain lateral movement capabilities. When credential file access is combined with a network call, this strongly indicates exfiltration rather than legitimate local usage.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Credential File Theft from Agent Environment - ATR-2026-00113 (ce8a59e5-a77d-5b9b-b053-83947f9a0e2b) | Agent Threat Rules | Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) | Attack Pattern | 1 |
| Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) | Attack Pattern | 2 |