Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

145 alerts match the current filters. tactic: TA0002 ✕

Show ATT&CK heatmap
  • A Command Line Interface (CLI) command was executed from an AWS serverless compute service Low Cloud 2 variations

    AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552) Command and Scripting Interpreter: Cloud API (T1059.009)
    Required data: AWS Audit Log
    Detector tags: Cloud Serverless Function Credentials Theft Analytics
    Attacker's goals: Exfiltrate serverless token and abuse it.
    Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.

    Variations

    A Command Line Interface (AWS-CLI) command was executed from an AWS serverless compute service

    Informational overridden

    AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden

    Unusual Command Line Interface (CLI) command was executed from an AWS serverless compute service

    Low overridden

    AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden

  • A Kubernetes DaemonSet was created Informational Cloud

    A Kubernetes DaemonSet was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Deploy a container into an environment to facilitate execution.
    Investigative actions: Check which changes were made to the Kubernetes DaemonSet.
  • A Kubernetes Pod was created with a sidecar container Informational Cloud

    A Kubernetes Pod was created with a sidecar container.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Deploy a container into an environment to facilitate execution.
    Investigative actions: Check which changes were made to the Kubernetes deployment.
  • A Kubernetes ReplicaSet was created Informational Cloud

    A Kubernetes ReplicaSet was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Deploy a container into an environment to facilitate execution.
    Investigative actions: Check which changes were made to the Kubernetes ReplicaSet.
  • A Kubernetes StatefulSet was created Informational Cloud

    A Kubernetes StatefulSet was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Deploy a container into an environment to facilitate execution.
    Investigative actions: Check which changes were made to the Kubernetes StatefulSet.
  • A Kubernetes deployment was created Informational Cloud

    A Kubernetes deployment was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Deploy a container into an environment to facilitate execution.
    Investigative actions: Check which changes were made to the Kubernetes deployment.
  • A Kubernetes ephemeral container was created Informational Cloud

    A Kubernetes ephemeral container was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Deploy a container into an environment to facilitate execution.
    Investigative actions: Check which changes were made to the Kubernetes deployment.
  • A Kubernetes service account executed an unusual API call Informational Cloud 4 variations

    A Kubernetes service account executed an unusual API call.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Abuse a service account token to gain access to the Kubernetes cluster.
    Investigative actions: Verify whether the service account should be executing this API. Investigate other operations that were performed by the service account within the cluster.

    Variations

    A Kubernetes service account executed an API call on a first-seen resource

    Low overridden

    A Kubernetes service account executed an API call on a first-seen resource. overridden

    A Kubernetes service account executed an API call on an unusual sensitive resource

    Low overridden

    A Kubernetes service account executed an API call on an unusual sensitive resource. overridden

    A Kubernetes service account executed an unusual modification API call

    Informational overridden

    A Kubernetes service account executed an unusual modification API call. overridden

    A Kubernetes service account executed an API call on an unusual resource

    Informational overridden

    A Kubernetes service account executed an API call on an unusual resource. overridden

  • A TCP stream was created directly in a shell Medium

    Attackers may create a TCP stream using the shell command line to generate a reverse shell, enabling remote access to the endpoint.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter (T1059)
    Required data: XDR Agent
    Attacker's goals: Attackers may use this device file to create sockets though shell commands as part of a reverse shell.
    Investigative actions: Review the command line used. Search for the corresponding network event. Check the prevalence of the target IP/domain.
  • A cloud function was created with an unusual runtime Low Cloud 3 variations

    A cloud function was created with an unusual runtime.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Serverless Execution (T1648)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Execute arbitrary code in cloud environments.
    Investigative actions: Examine the cloud function's code implementation and look for any unusual invocations. Check for any unusual activities within the same project.

    Variations

    A cloud function was created with an unusual runtime by a known cloud identity

    Informational overridden

    A cloud function was created with an unusual runtime. overridden

    A cloud function was created with a runtime that was not seen in the organization

    Low overridden

    A cloud function was created with an unusual runtime. overridden

    A cloud function was created with a custom runtime

    Medium overridden

    A cloud function was created with an unusual runtime. overridden

  • A cloud identity performed multiple unusual activities Medium Cloud 1 variation

    A cloud identity performed multiple unusual activities across various cloud services.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Adversaries may manipulate accounts to pivot to their next point in the environment, and eventually to access or manipulate data.
    Investigative actions: Check if the identity intended to preform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).

    Variations

    A cloud identity performed multiple suspicious activities

    Low overridden

    A cloud identity performed multiple unusual activities across various cloud services. overridden

  • A cloud identity started a Cloud Shell session Informational Cloud

    A cloud identity started a Cloud Shell session.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)
    Required data: AWS Audit Log
    Attacker's goals: Abuse cloud APIs to execute malicious commands.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • A remote service was created via RPC over SMB Low 1 variation

    A remote service was created via RPC over SMB.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services: SMB/Windows Admin Shares (T1021.002) System Services: Service Execution (T1569.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Impacket Analytics
    Attacker's goals: Process creation on a remote host.
    Investigative actions: Check whether the new process is benign and that the new process is not doing suspicious activity.

    Variations

    A remote service with an uncommon name was created via RPC over SMB

    Medium overridden

    A remote service was created via RPC over SMB. overridden

  • A suspicious direct syscall was executed Low 2 variations

    A suspicious direct syscall was executed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Native API (T1106)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Direct Syscall Analytics
    Attacker's goals: An attacker might try to use direct syscalls to evade detection from a legitimate program.
    Investigative actions: Investigate the direct syscall-mapped image to verify if it is malicious. Check if this direct syscall is part of the process execution flow.

    Variations

    A suspicious direct syscall was executed by unsigned process from a user folder

    High overridden

    A suspicious direct syscall was executed by unsigned process from a user folder. overridden

    A suspicious direct syscall was executed by a DLL host application

    Medium overridden

    A suspicious direct syscall was executed by a DLL host application. overridden

  • A suspicious executable with multiple file extensions was created Medium

    An executable file with multiple extensions was created. This technique is frequently used to disguise malware as user content.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)
    ATT&CK techniques: User Execution: Malicious File (T1204.002) Masquerading: Double File Extension (T1036.007)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Bypassing defenses and/or tricking the user into executing a file that seems like a trustworthy file.
    Investigative actions: Investigate the actor process and the file created to determine if it was used for legitimate purposes or malicious activity.
  • A user uploaded malware to SharePoint or OneDrive Low Identity Threat Module 2 variations

    A user uploaded a file that was classified as malware to SharePoint or OneDrive.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Taint Shared Content (T1080) User Execution: Malicious File (T1204.002)
    Required data: Office 365 Audit
    Attacker's goals: An attacker may upload malware to a shared location to gain execution and move laterally.
    Investigative actions: Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check the file that was uploaded for any malicious indicators. Follow further actions done by the account.

    Variations

    A user uploaded malware to SharePoint or OneDrive with suspicious characteristics

    Medium overridden

    A user uploaded a file that was classified as malware to SharePoint or OneDrive with some additional suspicious characteristics. overridden

    A user uploaded a malicious payload to SharePoint or OneDrive

    Informational overridden

    A user uploaded a file that was classified as malware to SharePoint or OneDrive. The file was labelled as malicious by Microsoft's file scanning engine. overridden

  • AI-determined combination of risky alerts under the same actor process Informational 1 variation

    Multiple alerts likely to be associated with an incident were identified under the same actor process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    12 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204) Native API (T1106)
    Required data: Palo Alto Networks Platform Alerts Third-Party Alerts
    Attacker's goals: Perform multiple activities to achieve the attacker's goals in the target environment.
    Investigative actions: Investigate the actor process of these alerts. Track down other suspicious activity under this actor process.

    Variations

    AI-determined combination of risky alerts under the same actor process: LDAP traffic from non-standard process with SMB traffic from non-standard process

    Medium overridden

    A non-standard process communicated over LDAP ports, combined with SMB traffic from a non-standard process under the same actor process. This combination may indicate an attacker performing Active Directory enumeration while leveraging SMB for lateral movement or discovery. overridden

  • AI-determined combination of risky alerts under the same causality Informational

    Multiple alerts likely to be associated with an incident were identified under the same causality.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    12 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204) Native API (T1106)
    Required data: Palo Alto Networks Platform Alerts Third-Party Alerts
    Detector tags: AI Insight Fusion Analytics
    Attacker's goals: Perform multiple activities to achieve the attacker's goals in the target environment.
    Investigative actions: Investigate the causality of these alerts. Track down other suspicious activity under this causality.
  • AWS SSM send command attempt Informational Cloud 2 variations

    An identity executed an AWS SSM Document.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Days
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services: Direct Cloud VM Connections (T1021.008) Cloud Administration Command (T1651)
    Required data: AWS Audit Log
    Detector tags: Cloud Lateral Movement Analytics
    Attacker's goals: Gaining unauthorized access, executing unauthorized commands, or compromising sensitive information within the target system.
    Investigative actions: Examine the code in the SSM document, and the target objects. Validate the permissions and roles associated with the user initiating the SSM session to ensure they align with the expected level of access. Follow further actions taken by the identity or on the relevant targets.

    Variations

    AWS SSM SendCommand targeting multiple instances

    Low overridden

    An identity executed an AWS SSM Document. overridden

    Unusual AWS SSM send command

    Low overridden

    An identity executed an AWS SSM Document. overridden

  • Abnormal increase in network-related alerts on the same host Low

    Abnormal increase in network-related alerts on the same host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: Palo Alto Networks Platform Alerts Third-Party Alerts
    Detector tags: NDR Insights Analytics
    Attacker's goals: Execute multiple covert actions to circumvent detection.
    Investigative actions: Investigate the source of all the linked alerts.
  • Adding execution privileges Informational 1 variation

    A script was granted execution privileges using chmod before being run.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may use chmod to grant execution privileges to scripts or binaries for malicious execution.
    Investigative actions: Verify that this activity is not part of normal IT operations. Check for similar commands executed on other hosts.

    Variations

    Adding execution privileges in a Kubernetes pod

    Informational overridden

    A script was granted execution privileges using chmod before being run. overridden

  • An AWS Lambda Function was created Informational Cloud

    An AWS Lambda Function was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Serverless Execution (T1648) Scheduled Task/Job: Scheduled Task (T1053.005)
    Required data: AWS Audit Log
    Attacker's goals: Execute malicious code on AWS using Lambda functions. Maintain persistence on AWS Lambda by creating or invoking Lambda functions.
    Investigative actions: Identify the Lambda function that was created and analyze its code for any malicious activity.
  • An AWS Lambda function was modified Informational Cloud

    An AWS Lambda function was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Serverless Execution (T1648)
    Required data: AWS Audit Log
    Attacker's goals: Modification of Lambda functions may provide attackers access to run code against cloud environments.
    Investigative actions: Check what modifications were made to the AWS Lambda function.
  • AppleScript executed a shell script Informational 2 variations

    An uncommon shell script has been executed by the AppleScript interpreter process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: AppleScript (T1059.002) Command and Scripting Interpreter: Unix Shell (T1059.004)
    Required data: XDR Agent
    Detector tags: AppleScript Analytics, Shell Analytics
    Attacker's goals: Use the AppleScript interpreter to execute a second stage payload.
    Investigative actions: Analyze both the AppleScript and executed shell script to determine whether they perform malicious actions. Check the events generated by the process or its children for potential malicious behavior. Check whether the script was executed in an unusual way.

    Variations

    AppleScript executed a shell script using an unsigned, globally rare causality actor

    Low overridden

    An uncommon shell script has been executed by the AppleScript interpreter process. overridden

    AppleScript executed a shell script using an uncommon shell process

    Low overridden

    An uncommon shell script has been executed by the AppleScript interpreter process. overridden

  • AppleScript interpreter dynamic library loaded into a process Informational 2 variations

    The AppleScript interpreter dynamic library was loaded into a process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: AppleScript (T1059.002)
    Required data: XDR Agent
    Detector tags: AppleScript Analytics
    Attacker's goals: Stealthily execute AppleScript code while evading script-based detections.
    Investigative actions: Analyze the process and determine whether it performs any malicious or suspicious actions. Check the events generated by the process for potential malicious behavior. Check whether the process was executed in an unusual way.

    Variations

    AppleScript interpreter dynamic library loaded into an unsigned applet

    Low overridden

    The AppleScript interpreter dynamic library was loaded into an unsigned applet. overridden

    AppleScript interpreter dynamic library loaded into a process with an uncommon vendor signature

    Low overridden

    The AppleScript interpreter dynamic library was loaded into a process with an uncommon vendor signature. overridden

  • AppleScript process executed with a rare command line Informational 6 variations

    The AppleScript interpreter process was executed with an uncommon command line.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: AppleScript (T1059.002)
    Required data: XDR Agent
    Detector tags: AppleScript Analytics
    Attacker's goals: Perform various actions via AppleScript code, such as establishing persistence, evading detection, executing secondary payloads or injecting remote processes.
    Investigative actions: Analyze the command line and determine whether it performs any malicious or suspicious actions. Check the events generated by the process or its children for potential malicious behavior. Check whether the process was executed in an unusual way.

    Variations

    AppleScript process executed with a rare command line possibly using Finder to perform operations

    High overridden

    The AppleScript interpreter process was executed with an uncommon command line. overridden

    AppleScript process executed with a rare command line with an unusual password prompt

    Low overridden

    The AppleScript interpreter process was executed with an uncommon command line. overridden

    AppleScript process executed with a rare command line that possibly injects JavaScript into a browser

    Low overridden

    The AppleScript interpreter process was executed with an uncommon command line. overridden

    AppleScript process executed with a rare command line that possibly establishes persistence

    Low overridden

    The AppleScript interpreter process was executed with an uncommon command line. overridden

    AppleScript process executed with a rare command line that possibly installs a proxy

    Low overridden

    The AppleScript interpreter process was executed with an uncommon command line. overridden

    AppleScript process executed with a rare command line performing clipboard access

    Low overridden

    The AppleScript interpreter process was executed with an uncommon command line. overridden

  • Attempt to execute a command on a remote host using PsExec.exe Low 1 variation

    There was an attempt to run a command on a remote host using PsExec.exe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services: SMB/Windows Admin Shares (T1021.002) System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Detector tags: Malicious Service Analytics
    Attacker's goals: Execute commands and run processes remotely.
    Investigative actions: Confirm that the connection is benign and occurred as a part of normal behavior.

    Variations

    Attempt to execute a command on a remote host using PsExec.exe

    Low overridden

    There was an attempt to run a command on a remote host using PsExec.exe., the connection to the remote host was successful. overridden

  • Azure virtual machine commands execution Informational Cloud

    An Azure virtual machine executed PowerShell commands with System privileges.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter (T1059)
    Required data: Azure Audit Log
    Attacker's goals: Executing malicious commands for discovery, privilege escalation, etc.
    Investigative actions: Check the VM that executed the commands and their results.
  • Bronze-Bit exploit High

    A forwardable Kerberos ticket for delegation of a Protected User was observed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain a special user's Kerberos ticket to move laterally.
    Investigative actions: Check the initiating service account delegation privileges. Check the delegated account credentials and if it has high privileges. Check the ticket destination to verify whether it is a sensitive asset.
  • ClickFix - PowerShell executed through the run application Low 4 variations

    An attacker may be trying to trick a user to execute PowerShell through the run application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)
    ATT&CK techniques: User Execution (T1204) Phishing (T1566)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may be trying to trick a user to execute PowerShell through the run application.
    Investigative actions: Check if the command line is known in the organization or malicious. And ask the user what is the source of it.

    Variations

    ClickFix - PowerShell command executed through the run application and using Invoke-Expression cmdlet

    High overridden

    An attacker may be trying to trick a user to execute PowerShell through the run application. overridden

    ClickFix - Long PowerShell command executed through the run application with URL in the command

    High overridden

    An attacker may be trying to trick a user to execute PowerShell through the run application. overridden

    ClickFix - Long encoded PowerShell command executed through the run application

    High overridden

    An attacker may be trying to trick a user to execute PowerShell through the run application. overridden

    ClickFix - Schedule task PowerShell command executed through the run application

    High overridden

    An attacker may be trying to trick a user to execute PowerShell through the run application. overridden

  • Cloud compute instance user data script modification Informational Cloud 1 variation

    The user data of a cloud compute instance was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Cloud Administration Command (T1651)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Execute commands within virtual machines.
    Investigative actions: Verify whether this action is expected. Inspect the user data script for malicious content.

    Variations

    Unusual Cloud compute instance user data script modification

    Low overridden

    The user data of a cloud compute instance was modified. overridden

  • Cloud penetration testing tool activity High Cloud 3 variations

    A cloud API was successfully executed using a known cloud penetration testing tool.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Leverage known attack tools to enumerate resources, identify vulnerabilities, or exploit cloud configurations.
    Investigative actions: Confirm if authorized penetration testing activity is currently scheduled. Review the API operations performed by the identity to determine the intent and scope of the activity.

    Variations

    Cloud penetration testing tool usage attempt

    Informational overridden

    A failed cloud API was executed using a known cloud penetration testing tool. overridden

    Cloud security assessment tool activity

    Low overridden

    A cloud API was successfully executed using a known cloud security assessment tool. overridden

    Cloud penetration testing tool activity by Azure application

    Informational overridden

    A cloud API was successfully executed using a known cloud penetration testing tool by an Azure application. overridden

  • Command execution in a Kubernetes pod Informational 2 variations

    Container administration commands were executed within a Kubernetes pod.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Container Administration Command (T1609)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Attackers may use the container administration commands to execute commands within a Kubernetes Pod.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Command execution in a Kubernetes pod for the first time

    Low overridden

    Container administration commands were executed within a Kubernetes pod. overridden

    Command execution in a Kubernetes pod in the kube-system namespace

    Informational overridden

    Container administration commands were executed within a Kubernetes pod. overridden

  • Command execution via AWS SSM Medium Cloud

    A cloud identity performed multiple unusual activities leading to code execution using AWS Systems Manager service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Lateral Movement (TA0008)
    ATT&CK techniques: Cloud Administration Command (T1651) Remote Services: Direct Cloud VM Connections (T1021.008)
    Required data: AWS Audit Log
    Attacker's goals: Gaining unauthorized access, executing unauthorized commands or compromising sensitive information within the target system.
    Investigative actions: Investigate the activities related to the suspected identity. Examine the code executed on the target instance(s).
  • Command execution via wmiexec Informational

    Attackers may use WMI to execute commands on the target host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Windows Management Instrumentation (T1047)
    Required data: XDR Agent
    Attacker's goals: Execute commands on the victim host.
    Investigative actions: Correlate the RPC call from the source host and understand which process initiated it.
  • Command running with COMSPEC in the command line argument Low

    COMSPEC is an environmental variable that points to cmd.exe. Attackers may use this command to obfuscate their command and avoid detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Windows Command Shell (T1059.003)
    Required data: XDR Agent
    Attacker's goals: Attackers might use environment variables to try and avoid being detected and obfuscate their commands.
    Investigative actions: Investigate the actor and the command line that executed with COMSPEC Verify that the command executed from a trusted source.
  • Commonly abused AutoIT script connects to an external domain Medium

    AutoIT scripts have legitimate uses, but are often abused by malware to execute in a signed process context.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: AutoHotKey & AutoIT (T1059.010) Automated Exfiltration (T1020)
    Required data: XDR Agent
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.
    Investigative actions: AutoIT scripts have legitimate uses, but are often abused by malware to execute in a signed process context. Identify the process contacting the remote domain and determine whether the traffic is malicious.
  • Commonly abused AutoIT script drops an executable file to disk Informational

    AutoIT scripts have legitimate uses but are often abused by malware to execute in a signed process context.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: AutoHotKey & AutoIT (T1059.010) Command and Scripting Interpreter: Windows Command Shell (T1059.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain code execution on the host and evade security controls.
    Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Check whether the user from the command line is an administrator or other sensitive account.
  • Commonly abused process launched as a system service Informational

    This commonly abused host process has been launched by a services.exe parent, indicating it has been installed as a system service. This behavior can have legitimate uses, but often used by malware as a persistence mechanism.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Attacker's goals: Attackers may use services to persist or execute commands on remote hosts.
    Investigative actions: Check whether additional malicious commands were executed from the same process. Verify if the command-line seems suspicious or contains malicious indicators.
  • Contained process execution with a rare GitHub URL Low

    A contained process was executed with a suspicious GitHub url in the command line. This may be a legitimate use, but this technique is frequently used by attackers to download malicious payloads.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution: Malicious Image (T1204.003)
    Required data: XDR Agent
    Attacker's goals: Download a second stage payload for execution.
    Investigative actions: Check if the initiator process is malicious. Check the user activity on the same container at that time. Check if the container is a development container. Check if this installation was related to more installations at the same time. Check for additional file/network operations by the same process instance.
  • DSC (Desired State Configuration) lateral movement using PowerShell Informational 3 variations

    An attacker is using the DSC feature with PowerShell to remotely modify / execute content / components on the machine.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Windows Management Instrumentation (T1047) Remote Services: Windows Remote Management (T1021.006)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Execute malicious content on and move laterally across machine in the network.
    Investigative actions: Search for suspicious WinRM sessions and the user created them, can be found at Event ID: 4102. Additionally, search for the DSC resource executed and related IOC, can be found at Event IDs: 400 or 4104.

    Variations

    DSC (Desired State Configuration) lateral movement using PowerShell to execute a script

    High overridden

    An attacker may use the DSC feature with PowerShell to execute script remotely on a machine. overridden

    DSC (Desired State Configuration) lateral movement using PowerShell to execute a new service

    Medium overridden

    An attacker may use the DSC feature with PowerShell to create and execute a service on the host. overridden

    DSC (Desired State Configuration) lateral movement using PowerShell to modify the registry

    Medium overridden

    An attacker may use the DSC feature with PowerShell to create/modify/dump registry keys/values. overridden

  • Denied API call by a Kubernetes service account Informational Cloud 2 variations

    A Kubernetes service account API call was denied.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain access to the Kubernetes cluster.
    Investigative actions: Check whether the service account should be making this API call. Check service account's activity, including additional executed API calls.

    Variations

    Denied API call by Kubernetes service account for the first time in the cluster

    Low overridden

    A Kubernetes service account API call was denied. overridden

    Suspicious denied API call by a Kubernetes service account

    Informational overridden

    A Kubernetes service account API call was denied. overridden

  • Download a script using the python requests module Low

    Download a shell script from a remote location using the Python requests module.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Python (T1059.006)
    Required data: XDR Agent
    Attacker's goals: Adversaries may abuse Python commands and scripts to download additional malicious files or for exfiltration.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Elevation to SYSTEM via services Low 2 variations

    Services were affected by a non SYSTEM integrity level process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)
    ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Malicious Service Analytics
    Attacker's goals: Escalate privileges to system and execute commands.
    Investigative actions: Investigate the service being spawned on the host for malicious activities.

    Variations

    Elevation to SYSTEM via service creation

    Low overridden

    A service was created from a non SYSTEM integrity level process. overridden

    Elevation to SYSTEM via service modification

    Low overridden

    An existing service was modified from a non SYSTEM integrity level process. overridden

  • Email attachment with Right-to-Left Override Unicode character Low Email

    The email message contains an attachment with a hidden Right-to-Left Override Unicode character.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Masquerading: Masquerade File Type (T1036.008) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Evasion
    Attacker's goals: Bypass security filters and deliver malicious content to users Mislead recipients into opening a malicious file by obscuring its true nature Deploy malicious attachments through emails to compromise systems, gain unauthorized access, or facilitate cyber threats.
    Investigative actions: Carefully analyze attachments for any indications of suspicious or malicious behavior. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them.
  • Email attachment with a potentially malicious file extension Informational Email 2 variations

    The email message includes attachments with file types that are typically blocked by the email vendor as a precaution due to their suspicious nature.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Attacker's goals: Deploy malicious attachments through emails to compromise systems, gain unauthorized access, or facilitate cyber threats.
    Investigative actions: Check the file types and investigate the legitimacy of files intended to be sent via email. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them. Check the email address for any unusual spellings. Check the email address for any missing letters. Verify the sender's domain to confirm its legitimacy. Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before. Verify if the sender's IP address is identifiable.

    Variations

    Attachment(s) with a potentially malicious file extension unusual for the organization

    Informational overridden

    At least one attachment with a potentially malicious file extension was received in an email for the first time within the organization in the past 30 days. overridden

    Attachment(s) with a potentially malicious file extension unusual for the recipient

    Informational overridden

    At least one attachment with a potentially malicious file extension was received in an email for the first time for the recipient in the past 30 days. overridden

  • Email attachment with multiple extensions Informational Email 2 variations

    This may indicate an attempt at masquerading the true file type through the misuse of multiple extensions in the attachment name.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)
    ATT&CK techniques: User Execution: Malicious File (T1204.002) Masquerading: Double File Extension (T1036.007)
    Required data: Microsoft 365 Emails
    Attacker's goals: Deploy malicious attachments through emails to compromise systems or gain unauthorized access.
    Investigative actions: Check the file types and investigate the legitimacy of files intended to be sent via email. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them. Check the email address for any unusual spellings or missing letters. Verify the sender's address to confirm its legitimacy. Check for previous emails from the sender's address.

    Variations

    Email executable attachment with multiple extensions

    Low overridden

    This could be a potential attempt to trick the user into executing such file(s). overridden

    Email executable attachment with multiple executable extensions

    Low overridden

    This could be a potential attempt to trick the user into executing such file(s). overridden

  • Email attachment(s) with potentially malicious MIME type Informational Email 2 variations

    The email message contains an attachment(s) with a potentially malicious MIME type.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Masquerading: Masquerade File Type (T1036.008) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Attacker's goals: Deploy malicious attachments through emails to compromise systems, gain unauthorized access, or facilitate cyber threats.
    Investigative actions: Carefully analyze attachments for any indications of suspicious or malicious behavior. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them.

    Variations

    Attachment(s) with potentially malicious MIME type unusual for the organization

    Informational overridden

    At least one attachment with a potentially malicious file mime-type was received in an email for the first time within the organization in the past 30 days. overridden

    Attachment(s) with a potentially malicious MIME type that is unusual for the recipient

    Informational overridden

    At least one attachment with a potentially malicious file mime-type was received in an email for the first time for the recipient in the past 30 days. overridden

  • Email containing a link with an IP address convention was detected Informational Email

    A link with IP address convention was detected within the email body.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Masquerading (T1036) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Trick the user into clicking the link, while avoiding detection.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Email containing a redirected link Informational Email 1 variation

    An email with a redirected link has been detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Hide Artifacts (T1564) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Attackers can use link redirection to disguise malicious URLs.
    Investigative actions: Carefully analyze the full redirection chain. Be cautious with this process, as clicking on links can pose security risks. Use URL reputation services to check if the final destination or any of the intermediate URLs are known to be malicious or associated with phishing. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    Email containing a redirected link with multiple redirections

    Informational overridden

    An email with a redirected link has been detected.The email contains at least one redirected link with multiple redirection patterns, which is concerning as it can obscure malicious URLs and evade security filters. overridden

  • Email contains URL delivering high-risk file type Informational Email 1 variation

    Emails with URLs linking to file types commonly blocked by email vendors due to their use in malware delivery.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: To bypass attachment-based blocking by delivering malware or exploiting payloads via URLs pointing to file types commonly blocked by email vendors.
    Investigative actions: Review the URLs and determine if they host executable or script-based content. Check threat intelligence sources for reputation or known associations with malware. Investigate whether any users clicked the URL or downloaded the file. Analyze the file content using sandbox or static analysis tools.

    Variations

    External email with URL delivers blocked file types

    Low overridden

    Emails with URLs linking to file types commonly blocked by email vendors due to their use in malware delivery. overridden

  • Email with file-sharing link containing auto-download parameter Low Email 1 variation

    The email contains a link to a file-sharing service that includes parameters likely to trigger automatic download.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)
    ATT&CK techniques: Phishing: Spearphishing Link (T1566.002) User Execution: Malicious File (T1204.002)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: The attacker may be attempting to deliver malware or exfiltrate data using auto-download file-sharing links.
    Investigative actions: Analyze the linked file(s) to determine if they pose any security risk. Check the sender's communication history within the organization. Analyze the file reputation using sandbox or threat intelligence sources. Verify whether similar links were sent to other users.

    Variations

    External email with file-sharing link containing auto-download parameter

    Low overridden

    The email contains a link to a file-sharing service that includes parameters likely to trigger automatic download. overridden

  • External email with a single internal recipient hidden in BCC Informational Email 1 variation

    External email with mailbox owner hidden in BCC as the only internal recipient.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Attacker's goals: BCC enables sending the same email to multiple hidden recipients without revealing them to each other.
    Investigative actions: Review the headers and content for patterns or anomalies. Assess the email's context and attack techniques to determine the potential risk. Investigate if similar patterns have occurred recently across the organization.

    Variations

    External email with only a hidden internal BCC recipient

    Informational overridden

    External email with no visible recipients, mailbox owner is hidden in BCC. overridden

  • Globally uncommon process execution from a signed process Informational 4 variations

    A signed process has executed a process that, on a global level, it usually doesn't execute.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Unusual processes may be executed for various purposes, including exfiltration, lateral movement, etc.
    Investigative actions: Check if the actor process was injected or loaded a suspicious DLL before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon process execution from a signed process from a known vendor

    Medium overridden

    A signed process has executed a process that, on a global level, it usually doesn't execute. overridden

    Globally rare process execution from a signed process

    Medium overridden

    A signed process has executed a process that, on a global level, it usually doesn't execute. overridden

    Globally uncommon process execution from an injected thread in a signed process

    Low overridden

    An injected thread in a signed process has executed a process that, on a global level, it usually doesn't execute. overridden

    Globally uncommon process execution from a web server process or CGO

    Low overridden

    A web server process or CGO has executed a process that, on a global level, it usually doesn't execute. overridden

  • Google Workspace automation was created Informational Identity Threat Module 1 variation

    Google Workspace automation was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Exfiltration (TA0010)
    ATT&CK techniques: Command and Scripting Interpreter (T1059) Event Triggered Execution (T1546) Automated Exfiltration (T1020)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may create automations to maintain persistence, execute malicious code, or exfiltrate data automatically.
    Investigative actions: Verify if the automation creation was authorized and expected for this user. Investigate the automation logic to determine if it is malicious. Investigate other suspicious activities performed by the user around the same timeframe.

    Variations

    Google Workspace automation was created for a public document

    Low overridden

    The document that the automation was created for is publicly shared. overridden

  • Interactive at.exe privilege escalation method Low

    Detects an interactive AT scheduled task, which may be used as a form of privilege escalation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)
    ATT&CK techniques: Scheduled Task/Job (T1053) Scheduled Task/Job: At (T1053.002)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: Attackers may attempt to use the command to gain persistence on the endpoint using recurring tasks.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Known service display name with uncommon image-path Low 3 variations

    Service created with a known display name but has an uncommon image-path.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Execution (TA0002)
    ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Malicious Service Analytics
    Attacker's goals: Run malicious code with seemingly trustworthy services.
    Investigative actions: Investigate the image path of the newly created service. Investigate the causality actor process that initiated the activity.

    Variations

    Known service display name with uncommon image-path created by an untrusted CGO

    Medium overridden

    Service created with a known display name but has an uncommon image-path. overridden

    Known Palo Alto service display name with uncommon image-path

    Medium overridden

    Service created with a known display name but has an uncommon image-path. overridden

    Known service display name with uncommon image-path in a suspicious folder

    Medium overridden

    Service created with a known display name but has an uncommon image-path. overridden

  • Known service name with an uncommon image-path Low 2 variations

    A Service with a known service name has an uncommon image-path.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Execution (TA0002)
    ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Malicious Service Analytics
    Attacker's goals: Run malicious code within seemingly trustworthy services.
    Investigative actions: Investigate the image-path of the newly created service. Investigate the causality actor process that initiated the activity.

    Variations

    Known Palo Alto service name with an uncommon image-path

    Medium overridden

    A Service with a known service name has an uncommon image-path. overridden

    Known service name with an uncommon image-path in a suspicious folder

    Medium overridden

    A Service with a known service name has an uncommon image-path. overridden

  • Kubernetes Pod Created With Sensitive Volume Informational Cloud 3 variations

    An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)
    ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain access to the host's filesystem. Gain root access to the host.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.

    Variations

    Kubernetes Pod Created With Sensitive Volume for the first time in the cluster

    Low overridden

    An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden

    Kubernetes Pod Created With Sensitive Volume for the first time in the namespace

    Low overridden

    An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden

    Kubernetes Pod Created With Sensitive Volume for the first time by the identity

    Low overridden

    An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden

  • Kubernetes Pod Created with host Inter Process Communications (IPC) namespace Informational Cloud 3 variations

    An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)
    ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Access data used by other pods that use the host's IPC namespace.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any files in the /dev/shm shared memory location. Inspect for any IPC facilities being used with /usr/bin/ipcs.

    Variations

    Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time in the cluster

    Low overridden

    An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden

    Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time in the namespace

    Low overridden

    An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden

    Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time by the identity

    Low overridden

    An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden

  • Kubernetes Pod created with host process ID (PID) namespace Informational Cloud 3 variations

    An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)
    ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: View processes on the host. View the environment variables for each pod on the host. View the file descriptors for each pod on the host. Kill processes on the node.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.

    Variations

    Kubernetes Pod created with host process ID (PID) namespace for the first time in the cluster

    Low overridden

    An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden

    Kubernetes Pod created with host process ID (PID) namespace for the first time in the namespace

    Low overridden

    An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden

    Kubernetes Pod created with host process ID (PID) namespace for the first time by the identity

    Low overridden

    An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden

  • Kubernetes Privileged Pod Creation Informational Cloud 3 variations

    An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)
    ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain access to the host's filesystem. Gain root access to the host.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.

    Variations

    Kubernetes Privileged Pod Creation for the first time in the cluster

    Low overridden

    An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden

    Kubernetes Privileged Pod Creation for the first time in the namespace

    Low overridden

    An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden

    Kubernetes Privileged Pod Creation for the first time by the identity

    Low overridden

    An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden

  • Kubernetes pod creation from unknown container image registry Low Cloud 1 variation

    A Kubernetes pod was created with a container image from an unknown registry.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Deploy container with a malicious image to facilitate execution.
    Investigative actions: Check the image registry designation in the organization. Scan the container image for any malicious components.

    Variations

    Kubernetes pod creation from unusual container image registry

    Low overridden

    A Kubernetes pod was created with a container image from an unknown registry. overridden

  • Kubernetes pod creation with host network Informational Cloud 3 variations

    An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)
    ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Access services bound to localhost. Sniff traffic on any interface on the host. Bypass network policy.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any unusual access to localhost services. Inspect for any network sniffing tool being used inside the Kubernetes Pod.

    Variations

    Kubernetes pod creation with host network for the first time in the cluster

    Low overridden

    An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden

    Kubernetes pod creation with host network for the first time in the namespace

    Low overridden

    An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden

    Kubernetes pod creation with host network for the first time by the identity

    Low overridden

    An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden

  • Kubernetes vulnerability scanner activity Medium 1 variation

    A Kubernetes cluster was scanned by a known vulnerability scanner.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Discovery (TA0007)
    ATT&CK techniques: Deploy Container (T1610) Container and Resource Discovery (T1613)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Usage of known tools and frameworks to exploit Kubernetes clusters.
    Investigative actions: Check if there is an active attack against the Kubernetes cluster.

    Variations

    Kubernetes vulnerability scanner activity from within a Kubernetes Pod

    Medium overridden

    A Kubernetes cluster was scanned by a known vulnerability scanner from within a container. overridden

  • Kubernetes vulnerability scanning tool usage Medium Cloud 2 variations

    A known vulnerability scanning tool was used within a Kubernetes cluster.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002) Discovery (TA0007)
    ATT&CK techniques: Deploy Container (T1610) Container and Resource Discovery (T1613)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Usage of known tools and frameworks to exploit Kubernetes clusters.
    Investigative actions: Check if this activity is expected (e.g. penetration testing). Determine which Kubernetes resources were affected. Review additional events for any suspicious activity within the cluster.

    Variations

    Kubernetes vulnerability scanning tool usage within a pod

    Medium overridden

    A known vulnerability scanning tool was used from a pod within a Kubernetes cluster. overridden

    External Kubernetes vulnerability scanning tool usage

    Medium overridden

    A known vulnerability scanning tool was used within a Kubernetes clusteroutside the cloud environment. overridden

  • LOLBIN created a PSScriptPolicyTest PowerShell script file Informational 1 variation

    A LOLBIN created a PSScriptPolicyTest file. This may be a sign of malicious PowerShell execution without directly invoking the powershell.exe binary.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Executing PowerShell scripts in a stealthy manner.
    Investigative actions: Investigate the process and command line that created the file and whether it's benign or normal for this host. Investigate the created PowerShell file for potential malicious commands.

    Variations

    LOLBIN created a larger than usual PSScriptPolicyTest PowerShell script file

    Medium overridden

    A LOLBIN created a PSScriptPolicyTest file. This may be a sign of malicious PowerShell execution without directly invoking the powershell.exe binary. overridden

  • Linux process execution with a rare GitHub URL Informational

    A process was executed with an uncommon GitHub URL in its command line. This may have legitimate uses, but it might also be used by attackers to download malicious payloads.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter (T1059)
    Required data: XDR Agent
    Attacker's goals: Download a second stage payload for execution.
    Investigative actions: Check if the initiator process is malicious. Check the user activity on the same agent at that time. Check if the host is a development server. Check if this installation was related to more installations at the same time. Check for additional file/network operations by the same process instance.
  • Microsoft Office Process Spawning a Suspicious One-Liner Medium

    A Microsoft Office process spawned a commonly abused process with a full command (not a script), this is a typically malicious behavior.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)
    ATT&CK techniques: User Execution (T1204) Phishing: Spearphishing Attachment (T1566.001)
    Required data: XDR Agent
    Attacker's goals: An attacker is trying to gain code execution on the host.
    Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. For example, employees working in finance may have legitimate use cases for complex Excel commands.
  • Microsoft Office process spawns a commonly abused process Low

    Microsoft Office process spawns a commonly abused process with an uncommon command.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)
    ATT&CK techniques: User Execution (T1204) Phishing: Spearphishing Attachment (T1566.001)
    Required data: XDR Agent
    Attacker's goals: An attacker attempts to gain code execution via a phishing document.
    Investigative actions: Check the source of the document (received by mail or loaded locally). Investigate the child processes for malicious activity and network connections to an external host.
  • Microsoft Office process spawns conhost.exe Low

    This unusual parent-child relationship may indicate that a Microsoft Office application executed a console-based application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)
    ATT&CK techniques: User Execution: Malicious File (T1204.002) Phishing (T1566)
    Required data: XDR Agent
    Attacker's goals: An attacker attempts to gain code execution via an Office application or via an Office document.
    Investigative actions: Check the source of the file or email (received by mail or loaded locally). Investigate the child processes for malicious activity and network connections to an external host.
  • Moniker link detected in URL(s) Informational Email 2 variations

    A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Trick the user on clicking the link, while avoiding detection.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    A suspicious Moniker link, SMB and suspicious extension detected

    Medium overridden

    A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme. overridden

    A suspicious Moniker link pointing to SMB detected

    Low overridden

    A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme. overridden

  • Multiple Rare LOLBIN Process Executions by User Low Identity Analytics 1 variation

    A user executed multiple living-off-the-land binary (LOLBIN) processes that are unusual for this user. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    30 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Attacker's goals: Unusual processes may be executed for various purposes, including exfiltration, lateral movement, etc.
    Investigative actions: Investigate the processes that were executed to determine if they were used for legitimate purposes or malicious activity.

    Variations

    Multiple curl process executions by user

    Informational overridden

    A user executed multiple living-off-the-land binary (LOLBIN) processes that are unusual for this user. This may be indicative of a compromised account. overridden

  • Multiple Rare Process Executions in Organization Informational Identity Analytics

    Multiple unusual processes were executed in the organization. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    30 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Attacker's goals: Unusual processes may be executed for various purposes, including exfiltration, lateral movement, etc.
    Investigative actions: Investigate the processes that were executed to determine if they were used for legitimate purposes or malicious activity.
  • Multiple alerts of different MITRE tactics were seen Low

    Multiple alerts of different MITRE tactics were seen on the same host under the same causality.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204) Native API (T1106)
    Required data: Palo Alto Networks Platform Alerts Third-Party Alerts
    Attacker's goals: Execute multiple covert actions to circumvent detection.
    Investigative actions: Investigate the causality of all the linked alerts. It is visible in the bottom of the causality page. Assess whether it looks like a threat actor executing multiple tactics.
  • Multiple network-related alerts of different MITRE tactics on the same host Low

    Multiple alerts of different MITRE tactics were seen on the same host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: Palo Alto Networks Platform Alerts Third-Party Alerts
    Detector tags: NDR Insights Analytics
    Attacker's goals: Execute multiple covert actions to circumvent detection.
    Investigative actions: Investigate the source of all the linked alerts. Asses whether it looks like a threat actor executing multiple tactics.
  • Multiple network-related alerts produced by different detectors on the same host Low

    Multiple alerts produced by different detectors were seen on the same host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: Palo Alto Networks Platform Alerts Third-Party Alerts
    Detector tags: NDR Insights Analytics
    Attacker's goals: Execute multiple covert actions to circumvent detection.
    Investigative actions: Investigate the source of all the linked alerts.
  • Office process accessed an unusual .LNK file Low

    An attacker may embed a .LNK file in an Office document to execute malicious code.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: User Execution (T1204) Boot or Logon Autostart Execution: Shortcut Modification (T1547.009)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Modify or create a shortcut to gain code or program execution.
    Investigative actions: Check if the Office document contains a shortcut object. Check the content (strings) of the document object for a .LNK shortcut. Check the content of the shortcut.
  • Okta API Token Created Informational Identity Threat Module 1 variation

    A user created a new API token in Okta.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Access Token Manipulation: Make and Impersonate Token (T1134.003) Command and Scripting Interpreter: Cloud API (T1059.009) Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker's goal is to gain unauthorized access, compromise user accounts, and perform malicious actions within an organization's systems, potentially leading to data breaches, account takeovers, and the escalation of privileges.
    Investigative actions: Review the actions taken by the user that created the token. Follow the operations made using this API token by the ID token. Contact the user who created the API token and ensure that the API token is needed.

    Variations

    An Okta API token was generated with suspicious characteristics

    Low overridden

    A user created a new API token in Okta with suspicious conditions. overridden

  • Outbound email contains file-sharing service link sent to external recipient Informational Email 2 variations

    Identifies outbound emails that include links to file-sharing services sent externally.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Exfiltration
    Attacker's goals: Exfiltrate data by sharing a link to a file-sharing service with external recipients, bypassing attachment inspection and potentially evading visibility controls.
    Investigative actions: Review the shared URL to determine if the file is publicly accessible or shared outside the organization. Check if the file-sharing domain has been previously used by this sender or others in the organization. Investigate recent outbound emails for similar use of file-sharing services or unusual external recipients.

    Variations

    Outbound email to external recipient(s) uses first-seen for organization file-sharing service

    Informational overridden

    Identifies outbound emails that include links to file-sharing services sent externally. overridden

    Outbound email to external recipient(s) uses first-seen for sender file-sharing service

    Informational overridden

    Identifies outbound emails that include links to file-sharing services sent externally. overridden

  • Outbound email includes an external BCC recipient observed for the first time Informational Email 1 variation

    Internal sender BCC'd an external recipient whose address has not been observed in prior communications.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Exfiltration
    Attacker's goals: Use BCC to covertly exfiltrate data to an unusual external recipient without visibility to other recipients or monitoring systems.
    Investigative actions: Review headers and content for anomalies or potential exposure of sensitive data. Assess the email's context and attack techniques to determine the potential risk. Investigate if similar patterns have occurred recently across the organization.

    Variations

    Outbound email sent to an unknown external BCC recipient with no To or CC addresses

    Low overridden

    Internal sender BCC'd an external recipient whose address has not been observed in prior communications. overridden

  • Outbound email to an address hosted by a public email service provider Informational Email 1 variation

    Internal sender emailed to an address hosted by a public email service provider.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Exfiltration, Account Takeover
    Attacker's goals: Extracting valuable information outside the company.
    Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.

    Variations

    Outbound email to a single address hosted by a public email service provider

    Informational overridden

    Internal sender emailed to a single recipient with public email service provider. overridden

  • Penetration testing tool activity attempt Informational Identity Analytics 1 variation

    A SaaS API was invoked by a penetration testing tool.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Serverless Execution (T1648)
    Required data: Office 365 Audit
    Attacker's goals: Usage of known tools and frameworks.
    Investigative actions: Check if there is an active PT test ongoing.

    Variations

    Penetration testing tool activity attempt

    Medium overridden

    A SaaS API was successfully invoked by a penetration testing tool. overridden

  • Possible ConsentFix - OAuth Token Theft Detected Informational Identity Threat Module 1 variation

    Detection of potential OAuth token theft via a forced 'localhost' redirect and first-party app abuse.This indicates an attacker has likely bypassed MFA to hijack a user's cloud session.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) User Execution: Malicious Link (T1204.001) Steal Application Access Token (T1528)
    Required data: AzureAD
    Attacker's goals: Bypass identity trust controls to gain persistent unauthorized access to cloud resources.
    Investigative actions: Check for successful logins to Azure CLI or PowerShell from anomalous IPs. Review sign-in logs for User-Agents associated with CLI tools or scripts. Revoke all active OAuth refresh tokens for the user immediately.

    Variations

    OAuth Token Theft - Potential Session Hijacking Detected from new ASN

    Low overridden

    Detection of potential OAuth token theft via a forced 'localhost' redirect and first-party app abuse.This indicates an attacker has likely bypassed MFA to hijack a user's cloud session. overridden

  • Possible compromised machine account Medium

    A Kerberos TGT for machine account has been used and does not match the hostname.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Attacker's goals: Gain a special user Kerberos ticket to move laterally.
    Investigative actions: Check the source host for possible credential dumping. Check the delegated account credentials and if it has high privileges. Check the ticket destination to verify whether it is a sensitive asset.
  • Potential SCCM credential harvesting using WMI detected Low 3 variations

    Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: Windows Management Instrumentation (T1047) Unsecured Credentials (T1552)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: Obtain credentials used by the SCCM service.
    Investigative actions: Examine the process that executed the WMI query and the CGO and verify that the processes are from a trusted source. Inspect the system for malicious activity that is related to that process.

    Variations

    Potential SCCM credential harvesting using WMI detected from a remote machine

    Medium overridden

    Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM. overridden

    Potential SCCM inventory query using WMI detected

    Low overridden

    Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM. overridden

    Potential Enumeration of SCCM User, Device, and Deployment Data via WMI

    Low overridden

    Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM. overridden

  • PowerShell Initiates a Network Connection to GitHub Low 1 variation

    PowerShell initiates a Network Connection to GitHub with an uncommon command line. This may have legitimate uses, but this technique is frequently used by attackers to serve malicious payloads.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: Palo Alto Networks Url Logs
    Attacker's goals: Download a second stage payload for execution.
    Investigative actions: Check if the initiator process is malicious. Check for additional file/network operations by the same PowerShell instance.

    Variations

    PowerShell Initiates a Network Connection to GitHub from a sensitive server

    Medium overridden

    PowerShell initiates a Network Connection to GitHub with an uncommon command line. This may have legitimate uses, but this technique is frequently used by attackers to serve malicious payloads. overridden

  • PowerShell runs suspicious base64-encoded commands Low 2 variations

    Running PowerShell with a base64-encoded payload in the command line is often used by attackers to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: XDR Agent
    Attacker's goals: Run code to perform actions or download other malicious programs.
    Investigative actions: Check if the initiator process is malicious. Check for other operations by the PowerShell instance.

    Variations

    PowerShell runs rare base64-encoded command via remote causality actor

    Medium overridden

    Running PowerShell with a base64-encoded payload in the command line is often used by attackers to evade detection. overridden

    PowerShell runs rare base64-encoded command by windows built-in scripting engine

    High overridden

    Running PowerShell with a base64-encoded payload in the command line is often used by attackers to evade detection. overridden

  • PowerShell suspicious flags Medium

    Abbreviated flags in PowerShell indicate malicious intent.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: XDR Agent
    Attacker's goals: Run code to perform actions or download other malicious programs.
    Investigative actions: Check if the initiator process is malicious. Check for other operations by the PowerShell instance.
  • PowerShell used to remove mailbox export request logs High

    An attacker may use PowerShell to remove evidence of an export request for a mailbox as part of the clean-up stage.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Remove evidence for mailbox export commands.
    Investigative actions: Examine the PowerShell command to identify which mailbox has been compromised. Investigate the host that executes the command for potential further exploitation.
  • PsExec was executed with a suspicious command line Informational 4 variations

    PsExec.exe was executed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)
    ATT&CK techniques: System Services: Service Execution (T1569.002) Valid Accounts (T1078)
    Required data: XDR Agent
    Attacker's goals: An adversary may attempt to use PsExec to gain execution capabilities, run remote commands or perform privilege escalation.
    Investigative actions: Check if any other suspicious activities happened under the same causality. Confirm the PsExec.exe command is benign.

    Variations

    PsExec was executed with a suspicious command line by a LOLBIN

    Low overridden

    PsExec.exe was executed with NT/System privilege level by a LOLBIN. overridden

    PsExec was executed with a suspicious command line by an unsigned actor

    Medium overridden

    PsExec.exe was executed with NT/System privilege level by an unsigned actor. overridden

    PsExec was executed with a suspicious command line

    Low overridden

    PsExec.exe was executed with NT/System privilege level. overridden

    PsExec was executed with a suspicious command line

    Low overridden

    PsExec.exe was executed with plain-text credentials. overridden

  • Punycode characters detected in URL(s) Informational Email

    Punycode character(s) detected within URL(s) in email content.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Masquerading (T1036) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Cause a different URL to be presented to the user as a legitimate URL, prompting user engagement.
    Investigative actions: Examine the sender's IP address and reputation. Check the email address and content for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Rare LOLBIN Process Execution by User Informational Identity Analytics

    A user executed a living-off-the-land binary (LOLBIN) process that is unusual for this user. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Attacker's goals: Unusual processes may be executed for various purposes, including exfiltration, lateral movement, etc.
    Investigative actions: Investigate the process that was executed to determine if it was used for legitimate purposes or malicious activity.
  • Rare Unsigned Process Spawned by Office Process Under Suspicious Directory Low

    Microsoft Office executed an unsigned process in a suspicious directory. This behavior is common with malicious macros.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Attacker's goals: Attackers execute commands after infiltrating by using phishing or exploiting a vulnerability in an office.
    Investigative actions: Investigate the executed process. Investigate the document/email that initiated it.
  • Rare process executed by an AppleScript Low

    An uncommon process has been executed by the AppleScript interpreter process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: AppleScript (T1059.002)
    Required data: XDR Agent
    Detector tags: AppleScript Analytics
    Attacker's goals: Use the AppleScript interpreter to execute a second-stage payload.
    Investigative actions: Analyze the AppleScript and executed process to determine whether they perform any malicious or suspicious actions. Check the events generated by the process or its children for potential malicious behavior. Check whether the AppleScript was executed in an unusual way.
  • Rare process execution by user Informational Identity Analytics

    An unusual process was executed by a user. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Attacker's goals: Unusual processes may be executed for various purposes, including exfiltration, lateral movement, etc.
    Investigative actions: Investigate the process that was executed to determine if it was used for legitimate purposes or malicious activity.
  • Rare process execution in organization Informational Identity Analytics

    An unusual process was executed in the organization. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Attacker's goals: Unusual processes may be executed for various purposes, including exfiltration, lateral movement, etc.
    Investigative actions: Investigate the process that was executed to determine if it was used for legitimate purposes or malicious activity.
  • Rare process spawned by srvany.exe Informational

    Unusual process spawned by srvany.exe, which allows applications to run as services with system privileges, this might be an indication of malicious local or remote code execution.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Attacker's goals: Execute malware on the host in a manner that doesn't leave event logs within the system.
    Investigative actions: Validate if the binary that srvany.exe executed is malicious. Track down the source of the srvany.exe binary and the executed process. Validate if this is a legitimate software installed by IT.
  • Remote PsExec-like command execution Informational 5 variations

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002) Lateral Tool Transfer (T1570)
    Required data: XDR Agent
    Detector tags: Impacket Analytics
    Attacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.
    Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.

    Variations

    Remote PsExec-like LOLBIN command execution from an unsigned non-standard PsExec service

    High overridden

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden

    Remote PsExec-like LOLBIN command execution from a signed non-standard PsExec service

    Medium overridden

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden

    Remote PsExec-like command execution from an unsigned non-standard PsExec service

    Medium overridden

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden

    Remote PsExec-like command execution from a signed non-standard PsExec service

    Low overridden

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden

    Remote PsExec command execution

    Low overridden

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden

  • Remote code execution into Kubernetes Pod Informational 2 variations

    A container administration service was used to execute commands within a Kubernetes Pod.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Container Administration Command (T1609)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Attackers may use the container administration commands to execute commands within a Kubernetes Pod.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Remote code execution into Kubernetes Pod from another Pod for the first time

    Medium overridden

    A container administration service was used to execute commands within a Kubernetes Pod. overridden

    Remote code execution into Kubernetes Pod from another Pod

    Low overridden

    A container administration service was used to execute commands within a Kubernetes Pod. overridden