# How Behavioral Analytics Stop Linux C2 & Credential Theft

By [Shaked Menachem](https://www.paloaltonetworks.com/blog/author/shaked-menachem/?ts=markdown "Posts by Shaked Menachem") and [Maor Korkos](https://www.paloaltonetworks.com/blog/author/maor-korkos/?ts=markdown "Posts by Maor Korkos"), Mar 17, 2026

Linux is the backbone of most web applications, the containers orchestrating your microservices, the build pipelines shipping your code, and the developer workstations for your engineering teams. Because it is so deeply embedded, the sheer volume of activity across Linux endpoints and servers makes it a prime target for attackers. Recent [Unit 42 research into the CL-UNK-1068 actor](https://unit42.paloaltonetworks.com/cl-unk-1068-targets-critical-sectors/) reveals the stakes: this group has operated undetected for years by deploying cross-platform tools like the Xnote Linux backdoor, which allows it to bypass firewalls and turn critical Linux infrastructure into a launchpad for cyberespionage and DDoS attacks.

Combining the insights from the abnormal communication and credential grabbing tags with the real-world evidence of actors like CL-UNK-1068 makes one thing clear: security can no longer exist in silos. Behavioral analytics for Cortex XDR and Cortex Cloud CDR bridge this gap, ensuring that whether an attacker is communicating with a command-and-control server or harvesting credentials from a Linux directory, the full lifecycle of the threat is exposed and neutralized in real time.
### Detecting Abnormal Communication

Command and control (C2) detection on Linux is a challenge, because the environment itself creates enormous amounts of legitimate noise. On a typical Linux server, dozens of processes are constantly reaching outward, and that is normal and expected. The answer is not to look for known-bad indicators, but to understand what normal looks like for a given machine and then surface anything that deviates from that baseline.

Our new Cortex XDR Linux abnormal communication detection tag does exactly that. By building behavioral profiles of each endpoint's standard network and process execution patterns, the detector surfaces two distinct categories of anomalous activity:

* Process connected to a rare external host
* Recurring rare domain access

#### Example of Detecting a Process Connected to a Rare External Host

Imagine a standard web server running a common process like `apache2`. Under normal conditions, this process only communicates with known database clusters. However, if a vulnerability like Log4j is exploited, an attacker might trigger a reverse shell, causing the `apache2` process to initiate an outbound connection to an unfamiliar IP address in a different country to receive commands. Because the analytics have built a profile showing that `apache2` has never communicated with this external host before, the Linux abnormal communication detection tag flags the event immediately. This allows security teams to kill the specific process and sever the C2 link before the attacker can begin internal reconnaissance or data exfiltration.

![Figure 1. Cortex XDR alert indicating Linux webserver exploitation](https://www.paloaltonetworks.com/blog/wp-content/uploads/2026/03/word-image-354042-1.png)

Figure 1. Cortex XDR alert indicating Linux webserver exploitation

#### Example of Recurring Rare Domain Access

A user accidentally executes a malicious script from a phishing attachment. Instead of a massive data burst, the malware is programmed to beacon, sending periodic heartbeats to a domain every 30 minutes to check for instructions. While this traffic is small enough to fly under the radar of volume-based alerts, the Cortex XDR analytics notice the recurring access to a domain that has no history in the endpoint's behavioral profile. By identifying this pattern of persistence, the system surfaces the anomaly as a potential beaconing event, enabling you to isolate the infected host and prevent ransomware.

### Preventing Credential Theft on Linux Workloads

Developer workstations, engineering laptops, and privileged user machines are among the most credential-dense environments in any organization. Once an adversary has obtained valid credentials from an endpoint, whether a root password or a cloud access key, they can authenticate as a legitimate user: move laterally across systems without triggering anomaly detection, access resources, and deploy ransomware across the infrastructure while appearing entirely authorized.

At the same time, not every read of a sensitive file is malicious. A legitimate backup process, a secrets manager agent, or an authorized administrator script may access credential files regularly. The critical insight is context: which process is reading the file, which parent process spawned it, at what time, and does this access pattern match anything in the machine's established behavioral profile? The credential grabbing tag is designed to answer these questions. By mapping the behavioral norms for file access across the endpoint, it can distinguish a routine interaction from an anomalous one, even when the attacker is using a trusted system binary to perform the access.
The Linux credential grabbing detection tag expands coverage to more than 40 sensitive file and directory locations, applying behavioral analytics to surface unusual process interactions with credential material. What gets detected:

* Uncommon attempt at grabbing credentials from a sensitive file: flagging processes that access credential stores in ways that deviate from established behavioral baselines.
* Uncommon attempt to steal sensitive information from a file: covering configuration files, API token stores, and application secrets.
* Suspicious access to the passwd file: detecting anomalous read patterns on `/etc/passwd` and related system files.
* Execution of the Hydra Linux password brute-force tool: identifying known credential brute-forcing utilities when they are launched on an endpoint.

![Figure 2. Cortex XDR alert triggered when attackers used the SQL Server Management Studio Password Export Tool to extract passwords](https://www.paloaltonetworks.com/blog/wp-content/uploads/2026/03/word-image-354042-2.png)

Figure 2. Cortex XDR alert triggered when attackers used the SQL Server Management Studio Password Export Tool to extract passwords

#### Example of an Uncommon Attempt at Grabbing Credentials from a Sensitive File

Imagine an attacker compromises a developer's Linux laptop and sets out to steal the AWS CLI access keys stored on it. Instead of using a known piece of malware, the attacker uses a standard system tool like `grep` to read the file and move its contents to a remote server. To a basic security tool, this looks like a normal user running a normal command. However, the analytics will already have established that the `grep` process has no historical baseline for touching those credentials. The event is flagged as an uncommon attempt at grabbing credentials: even though the tool is "trusted," the behavior is anomalous, allowing your team to kill the session before the attacker can use those keys to pivot into your cloud infrastructure.
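As an added illustration of the baselining idea behind both the abnormal communication examples and the credential grabbing example above (this is not Cortex XDR's own logic, which the post does not disclose), the sketch below builds a per-endpoint profile of which process touches which remote host or credential file, flags a target the profile has never seen, and turns repeated hits on an unseen domain at a steady interval into a beaconing alert. All host names, process names, file paths and timestamps are constructed sample telemetry, and the thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import NamedTuple

class Event(NamedTuple):
    ts: datetime      # when it happened
    host: str         # endpoint name
    process: str      # image that performed the action
    kind: str         # "net" = outbound connection, "file" = sensitive-file read
    target: str       # remote host/domain, or file path

T0 = datetime(2026, 3, 1, 8, 0)
HALF_HOUR = timedelta(minutes=30)

# Constructed learning-window telemetry: what "normal" looks like on each endpoint.
BASELINE = [Event(T0 + i * HALF_HOUR, "web01", "apache2", "net", "db-cluster.internal")
            for i in range(48)] + [
    Event(T0 + timedelta(days=1), "dev01", "backup-agent", "file", "/etc/shadow"),
    Event(T0 + timedelta(days=1), "dev01", "sshd", "file", "/etc/passwd"),
]

# Constructed detection-window telemetry containing the post's three scenarios.
D7 = T0 + timedelta(days=7)
NEW = [
    Event(D7, "web01", "apache2", "net", "db-cluster.internal"),                 # routine
    Event(D7 + timedelta(minutes=5), "web01", "apache2", "net", "203.0.113.7"),  # reverse shell
    Event(D7, "dev01", "backup-agent", "file", "/etc/shadow"),                   # routine
    Event(D7, "dev01", "grep", "file", "/home/dev/.aws/credentials"),            # key theft
] + [Event(D7 + i * HALF_HOUR + timedelta(seconds=15 * i), "ws02", "sh", "net",
           "updates.example.invalid") for i in range(5)]                         # 30-min beacon

def build_profile(events):
    """Per (host, process, kind): the set of targets seen in the learning window."""
    profile = defaultdict(set)
    for ev in events:
        profile[(ev.host, ev.process, ev.kind)].add(ev.target)
    return profile

def rare_target_alerts(profile, events):
    """One alert per (host, process, target) the profile has never seen: an unseen remote
    host, or an unseen reader of a credential file even when the reader is a trusted binary."""
    alerts = {}
    for ev in events:
        if ev.target in profile.get((ev.host, ev.process, ev.kind), set()):
            continue  # matches the baseline, e.g. backup-agent reading /etc/shadow
        label = "rare external host" if ev.kind == "net" else "uncommon credential access"
        alerts.setdefault((ev.host, ev.process, ev.target), label)
    return [(h, p, t, label) for (h, p, t), label in alerts.items()]

def beaconing_alerts(profile, events, min_hits=4, max_jitter=0.2):
    """Recurring access to an unseen domain at a near-constant interval.
    Returns (host, process, target, interval_minutes) per regular pattern."""
    hits = defaultdict(list)
    for ev in events:
        if ev.kind == "net" and ev.target not in profile.get((ev.host, ev.process, "net"), set()):
            hits[(ev.host, ev.process, ev.target)].append(ev.ts)
    alerts = []
    for key, times in hits.items():
        if len(times) < min_hits:
            continue  # one odd connection is the rare-host case, not a beacon
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # low coefficient of variation of the gaps = a regular heartbeat
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            alerts.append(key + (round(avg / 60),))
    return alerts
```

Running `rare_target_alerts(build_profile(BASELINE), NEW)` yields the apache2 connection to the unseen IP and the grep read of the AWS credentials file while the backup agent's read stays silent, and `beaconing_alerts` reduces the five script connections to a single 30-minute beacon finding.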
### Why Behavioral Analytics Are Required

As adversaries evolve, modern attack chains target workstations across macOS, Windows, and Linux with the same objective: credential theft and lateral movement. To counter these threats on Linux, our credential grabbing and abnormal communication detection tags provide a layered defense. The abnormal communication tag identifies adversaries communicating with untrusted networks whose traffic would typically blend into legitimate activity. Simultaneously, the credential grabbing tag exposes adversaries looking for access inside the machine, specifically highlighting attempts to read sensitive files, abuse system utilities, or brute-force authentication material. Together, these capabilities ensure that both the external reach and the internal exploitation attempts of a modern attack chain are met with automated detection.

A Challenge for Security Teams:

* Review your current Linux detection coverage. Do you have behavioral baselines for your critical servers?
* Locate your sensitive credential file locations. Do you know which processes access them, and when?
* Evaluate whether your current tooling can distinguish between a developer's automation script and an APT's post-exploitation routine.

**If the answer to any of these is uncertain, it is time to close the Linux blind spot. Learn more with [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr) and [Cortex Cloud CDR](https://www.paloaltonetworks.com/cortex/cloud-detection-and-response).**