Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

207 alerts match the current filters. tactic: TA0003 ✕

Show ATT&CK heatmap
  • A Google Workspace identity created, assigned or modified a role Informational Identity Threat Module 3 variations

    A Google Workspace identity created, assigned or modified a delegated admin role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: An adversary may create, assign or modify a role to elevate the permissions of other user accounts and persist in their target's environment.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check the identity's role designation in the organization. Follow further actions done by the account.

    Variations

    A non-administrative Google Workspace identity created, assigned or modified a role from an unusual ASN

    Low overridden

    A Google Workspace identity created, assigned or modified a delegated admin role. overridden

    A non-administrative Google Workspace identity created, assigned or modified a role

    Low overridden

    A Google Workspace identity created, assigned or modified a delegated admin role. overridden

    A Google Workspace identity created, assigned or modified a role from an unusual ASN

    Low overridden

    A Google Workspace identity created, assigned or modified a delegated admin role. overridden

  • A Google Workspace identity performed an unusual admin console activity Informational Identity Threat Module 1 variation

    A Google Workspace identity performed an admin console activity for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: To do.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the changes that were made look suspicious. Follow further actions done by the account.

    Variations

    A non-administrative Google Workspace identity performed an unusual admin console activity

    Informational overridden

    A Google Workspace identity performed an admin console activity for the first time. overridden

  • A Google Workspace user was added to a group Informational Identity Threat Module

    A user added another user to a Google Workspace group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may manipulate accounts and groups to maintain access to victim systems.
    Investigative actions: Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the user was added to a sensitive group. Follow further actions done by the account.
  • A Kubernetes ConfigMap was created or deleted Informational Cloud

    A Kubernetes ConfigMap was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Maintain persistence using valid credentials.
    Investigative actions: Check which changes were made to the Kubernetes ConfigMap.
  • A Kubernetes Cronjob was created Informational Cloud

    A Kubernetes CronJob was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job: Container Orchestration Job (T1053.007)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Maintain persistence by scheduling deployment of containers configured to execute malicious code.
    Investigative actions: Check which changes were made to the Kubernetes CronJob.
  • A Kubernetes service account was created or deleted Informational Cloud 1 variation

    A Kubernetes service account was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Maintain persistence using a valid service account.
    Investigative actions: Check which changes were made to the Kubernetes service account.

    Variations

    A Kubernetes service account was created or deleted in a default namespace

    Informational overridden

    A Kubernetes service account was created or deleted. overridden

  • A Microsoft Teams application was installed Informational Identity Threat Module 1 variation

    A Microsoft Teams application was installed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Cloud Application Integration (T1671)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage Teams applications to maintain persistent access to compromised Teams accounts.
    Investigative actions: Confirm that the application was created by a certified and trusted entity. Evaluate the permissions requested by the application to determine if they are excessive or unusual. Determine if it is within the user's role to install this type of application. Correlate the alert with the sign-in event to get additional information on the identity performing the action. Follow further actions done by the account.

    Variations

    A Microsoft Teams application was installed with special parameters

    Low overridden

    A Microsoft Teams application was installed. overridden

  • A Microsoft Teams bot was added to a team Informational Identity Threat Module

    A user added a bot to a team in Microsoft Teams.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Cloud Application Integration (T1671)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage Teams bots to maintain persistent access to compromised Teams accounts.
    Investigative actions: Confirm that the bot was created by a certified and trusted entity. Evaluate the permissions requested by the bot to determine if they are excessive or unusual. Determine if it is within the user's role to add bots to teams. Follow further actions done by the account.
  • A WMI subscriber was created Informational

    A WMI subscriber was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Impacket Analytics
    Attacker's goals: Command execution and persistence on the host.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • A browser extension was installed or loaded in an uncommon way Informational 3 variations

    A browser extension was installed or loaded in an uncommon way.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Software Extensions: Browser Extensions (T1176.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Chromium Extensions Analytics
    Attacker's goals: Gain persistency on a machine and steal sensitive browsing data.
    Investigative actions: Investigate the extension files and the process that installed them. Check if this extension is currently present at the relevant extensions web store by looking up for its extension ID.

    Variations

    A browser was forced to load an extension using a special command line argument

    Low overridden

    A browser was forced to load an extension using a special command line argument, an uncommon method. overridden

    A browser extension was installed or loaded in an uncommon way by a LOLBIN process

    Low overridden

    A browser extension was installed or loaded in an uncommon way. overridden

    A browser extension was installed or loaded in an uncommon way by an uncommon process

    Low overridden

    A browser extension was installed or loaded in an uncommon way. overridden

  • A cloud identity invoked IAM related persistence operations Informational Cloud 2 variations

    A cloud identity invoked IAM related persistence operations.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Create Account: Cloud Account (T1136.003) Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Maintain persistence in cloud environments.
    Investigative actions: Check what API calls were executed by the identity. Check what cloud resources were affected. Look for signs that the identity is compromised.

    Variations

    A cloud identity invoked compute instance related persistence operations

    Informational overridden

    A cloud identity invoked compute instance related persistence operations. overridden

    A cloud identity invoked compute function related persistence operations

    Informational overridden

    A cloud identity invoked compute function related persistence operations. overridden

  • A computer account was promoted to DC Low Identity Analytics

    A computer account was promoted to a domain controller via a User Account Control (UAC) change.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may attempt to gain domain administrator privileges.
    Investigative actions: Verify if the domain controller promotion is expected. Check if the computer account is a new account. Confirm this action with the user who performed the change. Follow actions by the account and if it performed a DCSync.
  • A contained executable was executed by an unusual process Medium 3 variations

    A Docker-contained executable from a mounted share was executed on a host.Running a contained executable is highly dangerous and atypical.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Escape to Host (T1611) Boot or Logon Autostart Execution: Kernel Modules and Extensions (T1547.006)
    Required data: XDR Agent
    Attacker's goals: Gain high privileged command execution on the host machine via one of its running containers.
    Investigative actions: Check what actions were made after the suspicious file execution. Investigate the contained process and its process tree.

    Variations

    A contained executable was executed by the Linux kernel thread daemon

    High overridden

    A contained executable in a cloud machine was executed by the Linux kernel thread daemon.This behavior is suspicious as it may be a result of an attacker attempting to escape from a container, as the kernel thread daemon is usually used to spawn kernel processes only. overridden

    A contained executable was executed by the Linux kernel thread daemon

    High overridden

    A contained executable was executed by the Linux kernel thread daemon.This behavior is suspicious as it may be a result of an attacker attempting to escape from a container, as the kernel thread daemon is usually used to spawn kernel processes only. overridden

    A contained executable was executed by an unusual process

    Medium overridden

    A Docker-contained executable from a mounted share on a cloud machine was executed on a host.Running a contained executable is highly dangerous and atypical. overridden

  • A process modified an SSH authorized_keys file Informational 3 variations

    A process modified an SSH authorized_keys file, which is used in SSH authentication. An attack can add or remove an SSH key to gain access to a targeted host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: SSH Authorized Keys (T1098.004)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Containers, Generic Persistence Analytics
    Attacker's goals: Adversaries use this to ensure that they possess the corresponding private key and may log in as an existing user via SSH.
    Investigative actions: Check the file modification, try to understand the impact of the related processes and network connections.

    Variations

    A process modified an SSH authorized_keys2 file

    Low overridden

    A process modified an SSH authorized_keys file, which is used in SSH authentication. An attack can add or remove an SSH key to gain access to a targeted host. overridden

    A process modified an SSH authorized_keys file from within a Kubernetes Pod

    Low overridden

    A process modified an SSH authorized_keys file, which is used in SSH authentication. An attack can add or remove an SSH key to gain access to a targeted host. overridden

    Unpopular process modified the SSH authorized_keys file

    Low overridden

    An unpopular process modified the SSH authorized_keys file. overridden

  • A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process Informational 8 variations

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.
    Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.

    Variations

    A rare DLL, signed by an uncommon vendor, was hijacked into an injected Microsoft process

    Medium overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process which was executed by untrusted causality actor

    Medium overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by an uncommon vendor, was downloaded from an uncommon source and was loaded into Microsoft process

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by a rarely seen vendor, was hijacked into a Microsoft process

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare and high entropy DLL, signed by an uncommon vendor, was hijacked into a Microsoft process

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by an uncommon vendor, was hijacked into a newly created Microsoft process

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by an uncommon vendor, was sideloaded into a Microsoft process

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process which was executed by a scheduled task

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

  • A rare file path was added to the AppInit_DLLs registry value Low 2 variations

    A rare file path was added to AppInit_DLLs registry value.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Event Triggered Execution (T1546)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Injection Analytics
    Attacker's goals: Establish persistence and/or elevate privileges by injecting malicious content triggered by AppInit DLLs loaded into processes.
    Investigative actions: Investigate the path of the modified value. Investigate the causality actor process which initiated the activity.

    Variations

    A rare file path was added to the AppInit_DLLs registry valueusing a manual registry tool

    Medium overridden

    A rare file path was added to AppInit_DLLs registry value. overridden

    A rare file path was added to the AppInit_DLLs registry valuewith a commonly abused path

    Medium overridden

    A rare file path was added to AppInit_DLLs registry value. overridden

  • A user accessed Okta's admin application Informational Identity Threat Module 1 variation

    An attempt to access Okta's admin management application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Domain or Tenant Policy Modification (T1484) Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: Adversaries are attempting to infiltrate Okta's administrative application, a breach that could lead to the manipulation of authentication procedures, creation of persistent user accounts, and various activities aiding in the compromise of additional assets.
    Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).

    Variations

    Suspicious Okta Admin App Access Attempt

    Low overridden

    A user attempted to access the Okta Admin Application in a suspicious way. overridden

  • A user certificate was issued with a mismatch Informational Identity Analytics 1 variation

    A certificate was issued to a user who was not the requester, this may indicate a certificate manipulation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Attackers may try to obtain certificates for privileged accounts or systems they do not normally have access to, to gain elevated access and move laterally within the network.
    Investigative actions: Verify the activity with the performing user. Identify if the requester is a user or system that normally requests certificates on behalf of other entities (e.g., a Mobile Device Management system). Search for further indicators of potential compromise, including atypical login behaviors, unauthorized attempts at privilege escalation, or lateral movements within the network attributed to the requester. Examine whether the mismatch between the requester and the subject is consistent with known and anticipated practices, or if it represents an unusual deviation. Check for possible certificate authentications with the subject user.

    Variations

    Suspicious certificate issuance with a mismatch

    Low overridden

    A user certificate was issued with a mismatch. This requester doesn't usually ask for a certificates on behalf of another subject. This may indicate a certificate manipulation. overridden

  • A user enabled a default local account Informational Identity Analytics 2 variations

    A user enabled a default local account. Enabling a default account may pose a security risk, as they are often exploited by attackers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Default Accounts (T1078.001) Account Manipulation (T1098)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may attempt to gain access to the account and escalate privileges.
    Investigative actions: Check what rights and permissions were granted to the user. Verify this action with the user who performed the change. Follow actions and activities of the newly enabled default account.

    Variations

    A user enabled the Windows DefaultAccount

    Low overridden

    A user enabled the Windows DefaultAccount. Enabling a default account may pose a security risk, as they are often exploited by attackers. overridden

    A user enabled the Windows default Guest account

    Low overridden

    A user enabled a default local account. Enabling a default account may pose a security risk, as they are often exploited by attackers. overridden

  • A user logged in to the AWS console for the first time Informational Cloud 1 variation

    A user logged in to the AWS console for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Lateral Movement (TA0008)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Remote Services: Cloud Services (T1021.007)
    Required data: AWS Audit Log
    Attacker's goals: Evading detections by performing direct operations using the AWS console. Performing non-automatic operations easily.
    Investigative actions: Check if the identity is an AWS identity. Investigate which operations were performed by the identity.

    Variations

    A non-user identity logged in to the AWS console for the first time

    Medium overridden

    A non-user identity logged in to the AWS console for the first time. overridden

  • A user logged on to multiple workstations via Schannel Informational Identity Analytics 2 variations

    A user logged on to multiple workstations with a certificate via Schannel. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Elevate permissions and establish persistence.
    Investigative actions: Verify the activity with the performing user. Check for possible certificate authentications with the subject user. Check if the user logged in to other endpoints via Schannel.

    Variations

    Rare user authentication with a certificate via Schannel

    Low overridden

    A rare user authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden

    Abnormal authentication with a certificate via Schannel

    Informational overridden

    An abnormal authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden

  • A user modified an Okta MFA factor Informational Identity Threat Module 1 variation

    An Okta MFA factor was modified by a user, suggesting a potential compromise of the account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Persistence (TA0003)
    ATT&CK techniques: Modify Authentication Process (T1556) Modify Authentication Process: Multi-Factor Authentication (T1556.006)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker is attempting to gain access to an account secured with MFA.
    Investigative actions: Contact the user and ensure the operation was legitimate. Check if the user modifies more factors. If the user activates a weak factor, check for abnormal successful sign-ins from different countries and times. If the user deactivates a strong factor, check if he authenticates with unusual factors and checks for abnormal successful sign-ins from different countries and times.

    Variations

    Abnormal Okta MFA Factor Authentication Modification

    Low overridden

    An OKTA MFA factor was modified by a user with suspicious conditions. overridden

  • A user modified an Okta policy rule Informational Identity Threat Module 1 variation

    An Okta policy rule was modified by a user, suggesting a potential compromise of the account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification (T1484) Modify Authentication Process (T1556)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker may attempt to modify an Okta policy rule to weaken an organization's security controls.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate if any other security policies have been changed or removed.

    Variations

    A user modified an Okta policy rule with suspicious characteristics

    Low overridden

    An Okta policy rule was modified by a suspicious user, suggesting a potential compromise of the account. overridden

  • A user was added to a Windows security group Informational Identity Analytics 4 variations

    A user was added to a Windows security group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Privilege escalation using a valid account.
    Investigative actions: Check the user who added the account to the group and verify its activity.

    Variations

    User added a member to a Windows privileged group for the first time

    Medium overridden

    A user was added to a Windows security privileged group. overridden

    User added to a Windows privileged group

    Low overridden

    A user was added to a Windows security privileged group. overridden

    User removed from a Windows privileged group

    Informational overridden

    A user was removed from a Windows security privileged group. overridden

    A user was removed from a Windows security group

    Informational overridden

    A user was removed from a Windows security group. overridden

  • AWS SES account sending settings modified Informational Cloud

    AWS SES account sending settings were modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AWS Audit Log
    Attacker's goals: Gain access to confidential emails of an organization. Compromise the organization's cloud Email infrastructure.
    Investigative actions: Check whether the SES Email sending setting modification was intentional.
  • AWS STS temporary credentials were generated Informational Cloud

    AWS STS temporary credentials were generated for an AWS identity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Trusted Relationship (T1199) Forge Web Credentials (T1606)
    Required data: AWS Audit Log
    Attacker's goals: Gain access and persistence to AWS account.
    Investigative actions: Check which operation executed with the new credentials.
  • AWS console login without MFA Informational Cloud

    An identity logged in to the AWS console without MFA.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Multi-Factor Authentication Request Generation (T1621)
    Required data: AWS Audit Log
    Attacker's goals: Bypassing multifactor authentication controls to gain unauthorized access to the cloud environment.
    Investigative actions: Determine why MFA was not enforced and whether MFA was ever enabled. Track any subsequent activity performed by the identity after the login to identify potential misuse.
  • AWS network ACL rule creation Informational Cloud

    An AWS network ACL rule was created with a specific rule number.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Exfiltration (TA0010)
    ATT&CK techniques: External Remote Services (T1133) Exfiltration Over Alternative Protocol (T1048)
    Required data: AWS Audit Log
    Attacker's goals: Deleting an ingress rule may allow an attacker to gain persistence in the cloud environment.Deleting an egress rule may enable data exfiltration.
    Investigative actions: Check the VPC affected by this change. Verify the rule number (as rules are applied in order). Determine whether the rule is ingress or egress.
  • AWS user creation Informational Cloud

    A new AWS user was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Create Account: Cloud Account (T1136.003)
    Required data: AWS Audit Log
    Attacker's goals: Maintaining persistence by creating backdoor users or malicious resources, ensuring ongoing access even if their initial entry is detected.
    Investigative actions: Check which user was created. Investigate the created user role and permissions. Verify the user who created the new identity is aware of this action. Be aware of any suspicious activity originating from the new user.
  • An AWS Lambda Function was created Informational Cloud

    An AWS Lambda Function was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Serverless Execution (T1648) Scheduled Task/Job: Scheduled Task (T1053.005)
    Required data: AWS Audit Log
    Attacker's goals: Execute malicious code on AWS using Lambda functions. Maintain persistence on AWS Lambda by creating or invoking Lambda functions.
    Investigative actions: Identify the Lambda function that was created and analyze its code for any malicious activity.
  • An AWS database service master user password was changed Informational Cloud 2 variations

    An AWS database service master user password was changed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Stealth Tactics, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Gain access and control of the database.
    Investigative actions: Confirm the identity intended to perform this action. Follow further actions done by the identity. Check what other changes were made to the AWS Database instance or cluster.

    Variations

    An AWS Database Service master user password was changed from an unusual country

    Low overridden

    An AWS database service master user password was changed. overridden

    An AWS Database Service master user password was changed by a non-DevOps identity

    Low overridden

    An AWS database service master user password was changed. overridden

  • An Email address was added to AWS SES Informational Cloud

    An Email address was added to AWS SES.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AWS Audit Log
    Attacker's goals: Gain access to SES account. Abuse the new identity as a spambot.
    Investigative actions: Check which identity was added to the service.
  • An IAM group was created Informational Cloud

    An IAM group was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Create Account (T1136)
    Required data: AWS Audit Log
    Attacker's goals: Gain persistence through an IAM user who may be a member of the newly created group.
    Investigative actions: Review the group's permissions. Identify which users were added to the group.
  • An executable was written and executed by a web server Low

    Web server process had written an executable file that was executed shortly after.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Server Software Component: Web Shell (T1505.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Webshell Analytics
    Attacker's goals: Gaining the ability to execute commands on the host, as well as persistence.
    Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the dropped file contains malicious content.
  • An identity attached an administrative policy to an IAM user or role Informational Cloud 3 variations

    An identity attached an administrative policy to an IAM user or role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Escalate privileges in cloud environments.
    Investigative actions: Confirm whether this activity was intentional. Check for other API calls that were executed by the identity. Look for any suspicious behavior from the IAM user or role to whom the administrative policy was attached.

    Variations

    An identity attached an administrative policy to itself

    Medium overridden

    An identity attached an administrative policy to an IAM user or role. overridden

    An identity failed to attach an administrative policy to an IAM user or role

    Medium overridden

    An identity attached an administrative policy to an IAM user or role. overridden

    A suspicious identity attached an administrative policy to an IAM user/role

    Low overridden

    An identity attached an administrative policy to an IAM user or role. overridden

  • An identity created or updated password for an IAM user Informational Cloud 1 variation

    An identity created or updated an AWS console password for an IAM user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: AWS Audit Log
    Attacker's goals: Escalate privileges, maintain persistence in cloud environments.
    Investigative actions: Verify whether the identity should be making this action. Examine what additional API calls were made by the identity.

    Variations

    A suspicious identity created or updated password for an IAM user

    Low overridden

    An identity created or updated an AWS console password for an IAM user. overridden

  • An uncommon file added to startup-related Registry keys Informational 5 variations

    An attacker may add a file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution (T1547)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain persistence using the legitimate Windows registry run key mechanism, which executes files or scripts on user login or computer boot.
    Investigative actions: Verify if the registered file is malicious. Check if the installing software is a malicious binary or script.

    Variations

    An uncommon file added to startup-related Registry keys by an unsigned and unpopular CGO process

    Low overridden

    An attacker may add a file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden

    An uncommon script added to startup-related Registry keys

    Low overridden

    An attacker may add a script to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden

    An uncommon file added to startup-related Registry keys by a commonly known and signed application

    Low overridden

    An attacker may add a file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden

    An uncommon LOLBIN added to startup-related Registry keys

    Low overridden

    An attacker may add a LOLBIN to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden

    An uncommon file added to startup-related Registry keys by a remote actor

    Low overridden

    A remote attacker may add a file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden

  • An uncommon file was created in the startup folder Informational 4 variations

    An uncommon file was created in the startup folder.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Maintain persistence on the host through automatic execution at startup.
    Investigative actions: Determine if the file was created as part of a legitimate application installation, and check other files written by the same process. Identify which program opens this file based on its extension. Check the registry at HKEY_CLASSES_ROOT\[extension]\shell\[action]\command to see the default application or command used to execute the file.

    Variations

    An executable file with a non-default extension was added to the startup folder

    Medium overridden

    An executable file with a non-default extension was added to the startup folder. overridden

    An executable or script was added to the startup folder

    Low overridden

    An executable or script was added to the startup folder. This may occur during a legitimate program installation but could also indicate a malicious program persisting on the system. overridden

    A file with an uncommon extension was added to the startup folder

    Low overridden

    A file with an uncommon extension was added to the startup folder, which may happen on new program installation, but may also indicate a malicious program persisting itself. overridden

    A new shortcut (lnk) was added to the startup folder

    Low overridden

    A new shortcut (lnk) file was added to the startup folder, which may happen on new program installation, but may also indicate a malicious program persisting itself. overridden

  • An uncommon lolbin execution by scheduled task Informational 2 variations

    A lolbin was executed with uncommon commandline by a scheduled task.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: Attackers may attempt to gain persistence, privilege escalation or proxy execution on the endpoint using scheduled tasks.
    Investigative actions: Review the lolbin's command line executed by the schedule task. Investigate the specific scheduled task execution chain. Investigate how the scheduled task was created and the actor who created it.

    Variations

    An uncommon lolbin execution by scheduled task on a sensitive server

    Informational overridden

    A lolbin was executed with uncommon commandline by a scheduled task. overridden

    A rare and commonly-abused lolbin execution by scheduled task

    Informational overridden

    A commonly abused lolbin was executed with uncommon commandline by a scheduled task. overridden

  • An uncommon service was started Low 1 variation

    An uncommon service was started using systemctl or service processes.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Create or Modify System Process: Systemd Service (T1543.002)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may create systemd services to run malicious payloads.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    An uncommon service was started in a Kubernetes pod

    Low overridden

    An uncommon service was started using systemctl or service processes. overridden

  • An unknown account was invited to the AWS organization Informational Cloud

    An unknown account was invited to your AWS organization.The target account was not seen in your tenant for the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: AWS Audit Log
    Attacker's goals: Establish persistent access to the compromised cloud account.
    Investigative actions: Identify the invited account ID and ownership. Review additional actions performed by the identity and role.
  • An unsigned process created scheduled task and performed an injection Medium 1 variation

    An unsigned process created scheduled task and performed an injection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    4 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005)
    ATT&CK techniques: Scheduled Task/Job: Scheduled Task (T1053.005) Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: To ensure they have persistence on the system, the threat actor may use scheduled tasks to set persistence, Then, to avoid detection and carry out stealth execution, they may inject a malicious payload into a remote process.
    Investigative actions: Investigate the injection payload and the injection process. Check if the scheduled task trigger payload is malicious.

    Variations

    Possible an unsigned installer created scheduled task and performed an injection

    Low overridden

    Possible an unsigned installer created scheduled task and performed an injection. overridden

  • Authentication method added to an Azure account Informational Identity Threat Module 2 variations

    An identity attempted to add an Azure authentication method.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker can add an authentication method to an account, so they can have later access to the tenant and resources.
    Investigative actions: Check if the authentication method is legitimate in the organization. Check whether the identity is permitted to perform such actions. Follow the account for possible suspicious or unusual logins.

    Variations

    Suspicious authentication method addition to privileged Azure account

    Medium overridden

    A privileged user added an Azure authentication method. overridden

    Suspicious authentication method addition to Azure account

    Low overridden

    An identity added an Azure authentication method. overridden

  • Authentication method was added to Azure account Informational Cloud

    A new authentication method was added to an Azure AD user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Modify Authentication Process (T1556)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Establish a backdoor for persistent access.
    Investigative actions: Review recent authentication attempts and access logs to detect any unauthorized activities or potential misuse of the newly added authentication method. Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Autorun.inf created in root C drive Medium

    An autorun file installed at the root of a C:\ drive is suspicious, as autorun files are typically associated with removable drives.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Lateral Movement (TA0008)
    ATT&CK techniques: Hijack Execution Flow: Services File Permissions Weakness (T1574.010) Replication Through Removable Media (T1091)
    Required data: XDR Agent
    Attacker's goals: The Autorun and AutoPlay components of Microsoft Windows operating systems may use 'Autorun.inf' to automatically execute a program (without user interaction). Adversaries can manipulate this mechanism to run a malicious program.
    Investigative actions: Read the content of the 'Autorun.inf' file from the root directory folder of the drive (the file may be hidden).
  • Azure AD account unlock/password reset attempt Informational Identity Threat Module 1 variation

    An attempt to unlock an Azure AD identity or reset its password has occurred.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker may switch a valid account's password for persistence.
    Investigative actions: Check if the password reset is authorized. Check whether the user who reset the password is permitted to perform such actions. Check if the account is in the password reset group or is acting out of scope. Check whether the user has not completed the password reset and cancelled before successfully passing authentication methods. Follow further actions or suspicious logins from the target account.

    Variations

    Azure AD account unlock/successful password reset

    Low overridden

    An identity successfully reset or changed Azure AD password. overridden

  • Azure Automation Account Creation Informational Cloud

    Azure Automation account was created. An attacker might create an account for persistence.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Azure Audit Log
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Check the identity that created the account and verify its activity.
  • Azure Automation Runbook Creation/Modification Informational Cloud

    An Azure Automation Runbook was being modified or created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Azure Audit Log
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Check the identity and its actions after the modify/create action.
  • Azure Automation Webhook creation Informational Cloud

    Azure Automation Webhook can be used to pass a payload with specific attributes to run a malicious Runbook.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Azure Audit Log
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Check the identity actions prior/after the webhook creation. Find which Runbook was executed using the webhook.
  • Azure Event Hub Authorization rule creation/modification Informational Cloud

    An authorization rule is bound with specific rights, once created within a namespace, which has management permissions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: External Remote Services (T1133)
    Required data: Azure Audit Log
    Attacker's goals: Persistence using the created/updated rule.
    Investigative actions: Check the identity that created/updated the authorization rule. What actions were taken using the rule.
  • Azure Service principal/Application creation Informational Cloud

    An Azure Service principal/Application was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: To gain persistent access and elevate privileges within the environment.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Azure account creation by a non-standard account Informational Identity Threat Module 1 variation

    An Azure AD account creation was performed by a user that doesn't typically create users.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Create Account (T1136)
    Required data: AzureAD Audit Log
    Attacker's goals: Create a backdoor account for later access to Azure AD or Azure resources, or delete evidence of such an account.
    Investigative actions: Follow further actions by the initiator. Check for new resource creations by the new user. Check if the new user was added to a privileged role. Follow further actions done by the new user.

    Variations

    Unusual Azure account creation by a non-standard account

    Low overridden

    An Azure AD account creation was performed by a user that doesn't typically create users. overridden

  • Azure application URI modification Informational Identity Threat Module 1 variation

    An identity added or updated an Azure application's URI.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker may add certificates or modify authentication methods of an application to authenticate as the application.
    Investigative actions: Check whether the account that modified the URI is supposed to perform such actions. Check for possible logins from the application modified. Check for possible account consents or credential changes regarding the application. Follow further actions done by the application.

    Variations

    Suspicious Azure application URI modification

    Low overridden

    An identity added or updated an Azure application's URI. overridden

  • Azure application credentials added Informational Identity Threat Module 2 variations

    An identity added credentials to an Azure application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker may add certificates or modify authentication methods of an application to authenticate as the application.
    Investigative actions: Check if the modified application is new to the organization. Check whether the account that modified the credentials is supposed to perform such actions. Check for possible logins from the application modified. Follow further actions done by the application.

    Variations

    Suspicious credential operation on an Azure application

    Medium overridden

    An identity added a certificate to an Azure application in a suspicious way. overridden

    Unusual certificate operation on an Azure application

    Low overridden

    An identity added a certificate to an Azure application with some unusual parameters. overridden

  • Azure device code authentication flow used Informational Identity Analytics 3 variations

    An Azure AD login was performed with device code flow.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)
    Required data: Azure Audit Log
    Attacker's goals: An attacker may use a device to access resources in the tenant using an access token from device code authentication flows.
    Investigative actions: Check what devices are listed with the logged-in user. Check if the account is authorized to use such devices to access resources. Check for possible logins from the device. Follow further actions done by the account and device.

    Variations

    Suspicious Azure device code authentication flow used by an Azure AD privileged user

    Medium overridden

    An Azure AD login was performed with device code flow. overridden

    Suspicious Azure device code authentication flow used

    Low overridden

    An Azure AD login was performed with device code flow. overridden

    Azure device code authentication flow used by an Azure AD privileged user

    Low overridden

    An Azure AD login was performed with device code flow. overridden

  • Azure domain federation settings modification attempt Low Identity Threat Module 1 variation

    A user or application attempted to modify the federation settings of the domain.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Domain or Tenant Policy Modification (T1484)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion.
    Investigative actions: Check what configuration has been changed. Check whether the user changing the configuration is permitted.

    Variations

    A successful Azure domain federation settings modification

    Medium overridden

    A user or application successfully modified the federation settings of the domain. overridden

  • Azure group creation/deletion Informational Cloud

    A group in Azure was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078) Account Manipulation (T1098)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Gain persistence to the environment.
    Investigative actions: Check group's assigned roles. Check which members were added to the group.
  • Azure permission delegation granted Informational Cloud 1 variation

    An identity delegated permissions to access a certain resource or application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Azure Audit Log
    Attacker's goals: Gain control over user accounts.
    Investigative actions: Check the user access logs for any suspicious activity. Review the permissions granted and the scope of the permissions.

    Variations

    Azure permission delegation granted by an Azure AD privileged user

    Low overridden

    An identity delegated permissions to access a certain resource or application. overridden

  • Azure user creation/deletion Informational Cloud

    A user in Azure was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078) Account Manipulation (T1098)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Gain persistence into the account.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Azure user password reset Informational Cloud

    The password of an Azure AD user was reset.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078) Account Manipulation (T1098)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: An attacker may attempt to gain access to the account.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Bitsadmin.exe persistence using command-line callback Medium

    BITSAdmin.exe was used with a command-line that may indicate malware trying to gain persistence on the machine.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: BITS Jobs (T1197)
    Required data: XDR Agent
    Attacker's goals: Gain persistence using the legitimate bitsadmin 'setnotifycmdline' mechanism, which triggers process executions once a Bits job is done or fails.
    Investigative actions: Check if the command line contains any malicious indicators. Check if the parent process is suspicious. Check if the command-line used to persist is malicious or references a malicious binary.
  • Browser Extension Installed Informational 1 variation

    Uncommon browser extension installed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Software Extensions: Browser Extensions (T1176.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Chromium Extensions Analytics
    Attacker's goals: Establish persistent access to victim systems through Chromium-based browser, steal sensitive data such credentials, cookies hijacking and financial data.
    Investigative actions: Investigate the extension and how it was loaded. Check if this extension is currently present at the relevant extensions web store by looking up for its extension ID.

    Variations

    Uncommon Browser Extension Installed

    Low overridden

    Uncommon browser extension installed. overridden

  • Chrome Extension Installed By User Informational Identity Threat Module

    A Chrome extension was installed or updated by a Google Workspace user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001) Software Extensions: Browser Extensions (T1176.001)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may leverage browser extensions installation to gain Initial Access and Persistence, enabling them to intercept credentials and hijack active web sessions.
    Investigative actions: Review the extension installed, it's OAuth scopes, reputation and permissions. Analyze subsequent network traffic from the user's device or browser for connections to newly registered domains. Investigate the source IP and identity for previous malicious activity or anomalies.
  • Cloud access key creation Informational Cloud 2 variations

    Cloud access key creation by a cloud identity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Persist in the environment.
    Investigative actions: investigate the identity who created the access keys. Check the access key activity in the organization.

    Variations

    Successful access key creation by an unusual identity type

    Informational overridden

    Cloud access key creation by a cloud identity. overridden

    Unusual successful cloud access key creation

    Informational overridden

    Cloud access key creation by a cloud identity. overridden

  • Credentials were added to Azure application Informational Cloud

    Credentials were added to an Azure application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: An attacker can establish a backdoor in the application by adding additional credentials to it, such as secrets or certificates.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Exchange mailbox delegation permissions added Informational Identity Threat Module Email 1 variation

    A user added delegation permissions to an Exchange mailbox.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    4 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Email Delegate Permissions (T1098.002)
    Required data: Office 365 Audit
    Attacker's goals: Add delegation permissions to a mailbox for persistence reasons.
    Investigative actions: Look for signs that the user account and mailboxes are compromised (e.g. abnormal logins, unusual activity). Investigate the IP address associated with the activity. Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents).

    Variations

    Addition of Exchange mailbox delegation permissions with suspicious characteristics

    Low overridden

    A user added delegation permissions to an Exchange mailbox. overridden

  • Exchange mailbox folder permission modification Informational Identity Threat Module Email 1 variation

    A user modified permissions to an Exchange mailbox folder.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Email Delegate Permissions (T1098.002)
    Required data: Office 365 Audit
    Attacker's goals: An attacker may add permissions to a mailbox folder for persistence reasons. For instance, an attacker may assign the Default or Anonymous user permissions. This will allow them to maintain persistent access to the mailbox folder, which may lead to exfiltration of the messages.
    Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Investigate the IP address associated with the activity. Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents). Check for abnormal Azure AD non-interactive logins by the user. Monitor for changes that may indicate excessively broad permissions.

    Variations

    Exchange mailbox folder permission modification for a default user

    Low overridden

    A user modified permissions to an Exchange mailbox folder. The user granted the permission is a default user, which effectively grants the permission to any user. overridden

  • Executable or Script file written by a web server process Low 3 variations

    An uncommon executable or script file was created, written, or renamed by a web server process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Webshell Analytics
    Attacker's goals: Gain the ability to execute commands on the host and establish persistence.
    Investigative actions: Review web server access logs for suspicious requests or uploads. Inspect the dropped file to determine whether it contains malicious content.

    Variations

    A driver was written by a web server process

    Low overridden

    An uncommon driver file was created, written, or renamed by a web server process. overridden

    Executable or Script file written by a web server process in an internet facing server

    Low overridden

    An uncommon executable or script file was created, written, or renamed by a web server process. overridden

    Executable or Script file written by a web server process with connections from various sources and high web traffic

    Low overridden

    An uncommon executable or script file was created, written, or renamed by a web server process. overridden

  • Execution of an uncommon process at an early startup stage Informational 2 variations

    Uncommon execution of an executable found in an early startup stage.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution (T1547)
    Required data: XDR Agent
    Detector tags: Generic Persistence Analytics
    Attacker's goals: Adversaries continuously find and develop new undetectable, novel methods of launching malware during startup. Attackers aim to get persistence to continue operating even after a reboot.
    Investigative actions: Check if the CGO (causality group owner) is familiar and if one of it configuration/parameters/registry keys has been modified.

    Variations

    Execution of an uncommon process at an early startup stage with suspicious characteristics

    Low overridden

    Uncommon execution of an executable found in an early startup stage. overridden

    Execution of an uncommon process at an early startup stage with uncommon characteristics

    Low overridden

    Uncommon execution of an executable found in an early startup stage. overridden

  • Execution of an uncommon process at an early startup stage by Windows system binary Low 2 variations

    Uncommon execution of an executable found in an early startup stage by Windows system binary.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution (T1547)
    Required data: XDR Agent
    Detector tags: Generic Persistence Analytics
    Attacker's goals: Attackers aim to get persistence to continue operating even after a reboot.
    Investigative actions: Check if the Causality Group Owner (CGO) has a related persistence mechanism that may have been abused by an attacker.

    Variations

    Execution of an uncommon process at an early startup stage by Windows system binary with suspicious characteristics

    Low overridden

    Uncommon execution of an executable found in an early startup stage by Windows system binary. overridden

    Execution of an uncommon process at an early startup stage by Windows system binary with uncommon characteristics

    Low overridden

    Uncommon execution of an executable found in an early startup stage by Windows system binary. overridden

  • Execution of an uncommon process with a local/domain user SID at an early startup stage Informational 2 variations

    Execution of an uncommon process with a local/domain user SID at an early startup stage may be an indication of a persistent mechanism on boot that is being actively abused.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution (T1547)
    Required data: XDR Agent
    Detector tags: Generic Persistence Analytics
    Attacker's goals: Attackers aim to get persistence to continue operating even after a reboot.
    Investigative actions: Check if the CGO (causality group owner) is familiar and if any configuration, parameters, or registry keys have been modified.

    Variations

    Execution of an uncommon process with a local/domain user SID at an early startup stage with suspicious characteristics

    Low overridden

    Execution of an uncommon process with a local/domain user SID at an early startup stage may be an indication of a persistent mechanism on boot that is being actively abused. overridden

    Execution of an uncommon process with a local/domain user SID at an early startup stage with uncommon characteristics

    Low overridden

    Execution of an uncommon process with a local/domain user SID at an early startup stage may be an indication of a persistent mechanism on boot that is being actively abused. overridden

  • Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary Low 3 variations

    Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary may be an indication of a persistent mechanism on boot that is being actively abused.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution (T1547)
    Required data: XDR Agent
    Detector tags: Generic Persistence Analytics
    Attacker's goals: Attackers aim to get persistence to continue operating even after a reboot.
    Investigative actions: Check if the Causality Group Owner (CGO) has a related persistence mechanism that may have been abused by an attacker.

    Variations

    Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary - Explorer CGO

    Informational overridden

    Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary may be an indication of a persistent mechanism on boot that is being actively abused. overridden

    Execution of an uncommon process with a local/domain user SID at an early startup stage with a suspicious characteristics by Windows system binary

    Low overridden

    Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary may be an indication of a persistent mechanism on boot that is being actively abused. overridden

    Execution of an uncommon process with a local/domain user SID at an early startup stage with an uncommon characteristics by Windows system binary

    Low overridden

    Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary may be an indication of a persistent mechanism on boot that is being actively abused. overridden

  • External user invitation to Azure tenant Informational Cloud

    An external user was invited to Azure tenant.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Gain unauthorized access to the tenant.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • First-time directory sync of an on-premises domain user to an existing cloud account Informational Identity Threat Module

    First-time synchronization of an on-premises domain user with an existing cloud account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: Attackers may leverage DirectorySync to move laterally from a compromised on-premise environment into the cloud tenant, allowing them to bypass the cloud's security boundaries and take over high-value cloud identities.
    Investigative actions: Check if the cloud account was an administrator (Global Admin, etc.) before this sync. Determine if the on-premise user was recently created or if its 'proxyAddress' attribute was recently modified. Confirm if the organization intended to transition this account from Cloud-Only to Hybrid. Verify the consistency between the on-premises 'ObjectGUID' and the newly assigned 'ImmutableID' in Azure AD.
  • GCP Service Account creation Informational Cloud

    A GCP service account was created. An attacker might use this technique to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Create Account (T1136)
    Required data: Gcp Audit Log
    Attacker's goals: Persistence with service account. An attacker might use this technique to evade detection.
    Investigative actions: Check the identity that created the account and its actions.
  • GCP Service Account key creation Informational Cloud

    A GCP service account key was created. An attacker might use this technique to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: Gcp Audit Log
    Attacker's goals: Persistence using the created key.
    Investigative actions: Check what actions were taken using the newly created service account key. Check what other actions were taken by the identity that created the key.
  • GCP administrative role granted to a cloud identity Informational Cloud

    A cloud identity granted an administrative IAM role to another identity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.
  • GCP sensitive Cloud Run role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive Cloud Run IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within the cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive Cloud Run role granted

    Medium overridden

    A cloud identity granted itself a sensitive Cloud Run IAM role. overridden

  • GCP sensitive Deployment Manager role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive Deployment Manager IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within the cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive Deployment Manager role granted

    Medium overridden

    A cloud identity granted itself a sensitive Deployment Manager IAM role. overridden

  • GCP sensitive Functions role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive Functions IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive Functions role granted

    Medium overridden

    A cloud identity granted itself a sensitive Functions IAM role. overridden

  • GCP sensitive IAM role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive IAM role granted

    Medium overridden

    A cloud identity granted itself a sensitive IAM role. overridden

  • GCP sensitive Secret Manager role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive Secret Manager IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive Secret Manager role granted

    Medium overridden

    A cloud identity granted itself a sensitive Secret Manager IAM role. overridden

  • GCP sensitive compute role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive compute IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive compute role granted

    Medium overridden

    A cloud identity granted itself a sensitive compute IAM role. overridden

  • GCP sensitive role granted to group Low Cloud 1 variation

    A cloud identity granted a sensitive role to a group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the group.

    Variations

    GCP sensitive role granted to group

    Medium overridden

    A cloud identity granted a sensitive role to a group. overridden

  • GCP sensitive storage role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive storage IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive storage role granted

    Medium overridden

    A cloud identity granted itself a sensitive storage IAM role. overridden

  • GCP set IAM policy activity Informational Cloud

    A cloud identity had modified a resource policy bindings.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.
  • Globally uncommon injection from a signed process Informational 3 variations

    A signed process injected into another process that it does not normally target at a global level.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Process Injection (T1055) Compromise Host Software Binary (T1554)
    Required data: XDR Agent
    Detector tags: Injection Analytics, Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.
    Investigative actions: Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon suspicious injection from a signed process

    Medium overridden

    A non-injected thread in a signed process with a suspicious injection type injected into another process that it does not normally target at a global level. overridden

    Globally uncommon injection from a signed process which was executed by a scheduled task

    Low overridden

    A signed process injected into another process that it does not normally target at a global level. overridden

    Globally uncommon injection from a signed process

    Low overridden

    A signed process injected into another process that it does not normally target at a global level. overridden

  • Google Workspace automation was created Informational Identity Threat Module 1 variation

    Google Workspace automation was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Exfiltration (TA0010)
    ATT&CK techniques: Command and Scripting Interpreter (T1059) Event Triggered Execution (T1546) Automated Exfiltration (T1020)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may create automations to maintain persistence, execute malicious code, or exfiltrate data automatically.
    Investigative actions: Verify if the automation creation was authorized and expected for this user. Investigate the automation logic to determine if it is malicious. Investigate other suspicious activities performed by the user around the same timeframe.

    Variations

    Google Workspace automation was created for a public document

    Low overridden

    The document that the automation was created for is publicly shared. overridden

  • Google Workspace organizational unit was modified Informational Identity Threat Module

    A Google Workspace admin modified an organizational unit.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may change the organizational unit the user belongs to, so they could inherit permissions for applications and resources that were inaccessible before.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account.
  • Google Workspace user authentication information changed Informational Identity Threat Module 2 variations

    Google Workspace authentication information was changed for a user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Persistence (TA0003)
    ATT&CK techniques: Modify Authentication Process: Multi-Factor Authentication (T1556.006) Account Manipulation (T1098)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may manipulate user authentication information to obtain Persistence or Bypass Multi-Factor Authentication (MFA) controls.
    Investigative actions: Verify if the authentication information change was authorized. Follow further actions done by the user and IP address.

    Variations

    Google Workspace administrative user authentication information changed

    Low overridden

    Google Workspace authentication information was changed for a user. overridden

    Google Workspace user authentication information changed by another account

    Low overridden

    Google Workspace authentication information was changed for a user. overridden

  • IAM User added to an IAM group Informational Cloud

    An IAM user was added to an IAM group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add a user to a group to establish persistence or escalate privileges within a cloud account.
    Investigative actions: Identify the identity that executed the API call. Determine which IAM user was added to the group. Evaluate the group's permissions to determine their applicability to the IAM user.
  • IAM inline policy was added to group Informational Cloud

    A cloud identity added an AWS IAM inline policy to an IAM group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM inline policy was added to role Informational Cloud

    A cloud identity added an AWS IAM inline policy to an IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM inline policy was added to user Informational Cloud

    A cloud identity added an AWS IAM inline policy to an IAM user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM instance profile was associated with EC2 instance Informational Cloud

    An AWS IAM instance profile was associated with EC2 instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.
    Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.
  • IAM instance profile was created Informational Cloud

    An AWS IAM instance profile was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.
    Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.
  • IAM instance profile was replaced for EC2 instance Informational Cloud

    An AWS IAM instance profile was replaced for EC2 instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.
    Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.
  • IAM policy default version was changed Informational Cloud

    A cloud identity set the specified version of an AWS IAM policy as the policy's default.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM policy version was created Informational Cloud

    A cloud identity created an AWS-managed IAM policy version.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM policy was attached to group Informational Cloud

    A cloud identity attached an AWS IAM policy to an IAM group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.