Analytics Alerts
Browse the Cortex analytics alert reference.
130 alerts match the current filters. tactic: TA0004 ✕
Show ATT&CK heatmapA GCP service account was delegated domain-wide authority in Google Workspace Low Identity Threat Module 1 variation
A Google Workspace admin has enabled domain-wide delegation to a GCP service account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Domain or Tenant Policy Modification (T1484)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Malicious Apps can be used to access the organization's Google data.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new settings look suspicious. Follow further actions done by the account.Variations
A Google Workspace admin has enabled domain-wide delegation to a GCP service account and granted him access to a sensitive scope
Medium overridden
A Google Workspace admin has enabled domain-wide delegation to a GCP service account. overridden
A Google Workspace service was configured as unrestricted Informational Identity Threat Module 3 variations
An identity configured a Google Workspace service as unrestricted Apps configured with a trusted or limited access setting can access data for unrestricted services.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Domain or Tenant Policy Modification (T1484)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Malicious apps can be used to access the organization's Google data.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new settings look suspicious. Follow further actions done by the account.Variations
A Google Workspace service was configured as unrestricted by a suspicious identity
Low overridden
An identity configured a Google Workspace service as unrestricted Apps configured with a trusted or limited access setting can access data for unrestricted services. overridden
A Google Workspace service was configured as unrestricted from an unusual ASN
Low overridden
An identity configured a Google Workspace service as unrestricted Apps configured with a trusted or limited access setting can access data for unrestricted services. overridden
A Google Workspace service was configured as unrestricted by a non-administrative identity
Informational overridden
An identity configured a Google Workspace service as unrestricted Apps configured with a trusted or limited access setting can access data for unrestricted services. overridden
A Kubernetes cluster role binding was created or deleted Informational Cloud
A Kubernetes cluster role binding was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Container Cluster Roles (T1098.006)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Escalate privileges to gain access to restricted resources in the Kubernetes cluster.Investigative actions: Check which changes were made to the Kubernetes cluster role binding.A Kubernetes role binding was created or deleted Informational Cloud
A Kubernetes role binding was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Container Cluster Roles (T1098.006)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Obtain Kubernetes secrets to access restricted information.Investigative actions: Check which changes were made to the Kubernetes secret.A Service Principal was created in Azure Informational Cloud
A Service Principal was created in Azure. This could indicate a malicious actor attempting to gain access to a resource.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078)Required data: Azure Audit LogAttacker's goals: Access user data. Gain control of the Azure environment.Investigative actions: Check the Service Principal to ensure it has the correct access rights. Review the Azure Activity Log to determine the source of the Service Principal creation.A WMI subscriber was created Informational
A WMI subscriber was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Impacket AnalyticsAttacker's goals: Command execution and persistence on the host.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.A cloud identity had escalated its permissions Informational Cloud 4 variations
A cloud identity had updated its permissions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation (T1098)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Escalate privileges.Investigative actions: Verify which permissions were granted to the identity.Variations
A cloud identity with high administrative activity had escalated its permissions
Informational overridden
A cloud identity with high administrative activity had updated its permissions. overridden
A cloud compute service had escalated its permissions
Medium overridden
A cloud compute service had updated its permissions. overridden
A cloud non-human identity had escalated its permissions
Low overridden
A cloud non-human identity had updated its permissions. overridden
A cloud identity escalated its permissions to a high privilege role/policy
Low overridden
A cloud identity escalated its permissions by adding itself to a high privileged policy/role/group. overridden
A computer account was promoted to DC Low Identity Analytics
A computer account was promoted to a domain controller via a User Account Control (UAC) change.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may attempt to gain domain administrator privileges.Investigative actions: Verify if the domain controller promotion is expected. Check if the computer account is a new account. Confirm this action with the user who performed the change. Follow actions by the account and if it performed a DCSync.A contained executable from a mounted share initiated a suspicious outbound network connection Medium 1 variation
A contained executable from a mounted share initiated a suspicious outbound network connection.Running binaries from a mounted share is highly dangerous and not typical.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Escape to Host (T1611)Required data: XDR AgentAttacker's goals: Gain high privileged command execution on the host machine via one of its running containers.Investigative actions: Check if the requested IP address is known or malicious. Investigate the contained process and its process tree.Variations
A contained executable from a mounted share initiated a suspicious outbound network connection
Medium overridden
A cloud machine contained executable from a mounted share initiated a suspicious outbound network connection.Running binaries from a mounted share is highly dangerous and not typical. overridden
A contained executable was executed by an unusual process Medium 3 variations
A Docker-contained executable from a mounted share was executed on a host.Running a contained executable is highly dangerous and atypical.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Escape to Host (T1611) Boot or Logon Autostart Execution: Kernel Modules and Extensions (T1547.006)Required data: XDR AgentAttacker's goals: Gain high privileged command execution on the host machine via one of its running containers.Investigative actions: Check what actions were made after the suspicious file execution. Investigate the contained process and its process tree.Variations
A contained executable was executed by the Linux kernel thread daemon
High overridden
A contained executable in a cloud machine was executed by the Linux kernel thread daemon.This behavior is suspicious as it may be a result of an attacker attempting to escape from a container, as the kernel thread daemon is usually used to spawn kernel processes only. overridden
A contained executable was executed by the Linux kernel thread daemon
High overridden
A contained executable was executed by the Linux kernel thread daemon.This behavior is suspicious as it may be a result of an attacker attempting to escape from a container, as the kernel thread daemon is usually used to spawn kernel processes only. overridden
A contained executable was executed by an unusual process
Medium overridden
A Docker-contained executable from a mounted share on a cloud machine was executed on a host.Running a contained executable is highly dangerous and atypical. overridden
A contained process attempted to escape using the 'notify on release' feature Medium 1 variation
A contained process attempted to escape the host by leveraging the Docker's 'notify on release' feature.The calling process modified relevant files that might trigger a command on the host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Escape to Host (T1611)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Execute arbitrary commands on the host and gain a larger foothold.Investigative actions: Check which commands were executed on the host afterward. Look for the root cause of the execution within the container. Examine the release_agent script content on the container.Variations
A contained process attempted to escape using the 'notify on release' feature
Medium overridden
A contained process attempted to escape the host by leveraging the Docker's 'notify on release' feature.The calling process modified relevant files that might trigger a command on the cloud host. overridden
A machine certificate was issued with a mismatch Medium Identity Analytics
A machine certificate was issued with a mismatch between the requester and the subject.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker may attempt to exploit the Active Directory Certificate Services to escalate privileges to a domain controller machine account.Investigative actions: Check who owns the certificate requester account. Check if the requester DNS name attribute was changed recently. Investigate actions done by the requester and its owner. Check for possible DCSync alerts.A new machine attempted Kerberos delegation Medium Identity Analytics
A newly created machine attempted to perform a Kerberos delegation. This suspicious activity might indicate a Kerberos relay attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 12 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to system.Investigative actions: Check for any other suspicious activity related to the machine involved in the alert. Look for a new machine that was added to the domain.A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process Informational 8 variations
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.Variations
A rare DLL, signed by an uncommon vendor, was hijacked into an injected Microsoft process
Medium overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process which was executed by untrusted causality actor
Medium overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was downloaded from an uncommon source and was loaded into Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by a rarely seen vendor, was hijacked into a Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare and high entropy DLL, signed by an uncommon vendor, was hijacked into a Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was hijacked into a newly created Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was sideloaded into a Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process which was executed by a scheduled task
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare file path was added to the AppInit_DLLs registry value Low 2 variations
A rare file path was added to AppInit_DLLs registry value.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Event Triggered Execution (T1546)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Injection AnalyticsAttacker's goals: Establish persistence and/or elevate privileges by injecting malicious content triggered by AppInit DLLs loaded into processes.Investigative actions: Investigate the path of the modified value. Investigate the causality actor process which initiated the activity.Variations
A rare file path was added to the AppInit_DLLs registry valueusing a manual registry tool
Medium overridden
A rare file path was added to AppInit_DLLs registry value. overridden
A rare file path was added to the AppInit_DLLs registry valuewith a commonly abused path
Medium overridden
A rare file path was added to AppInit_DLLs registry value. overridden
A third-party application was authorized to access the Google Workspace APIs Informational Identity Threat Module
A domain administrator authorized a third-party application to access the Google Workspace APIs. This allows the application to interact with the domain user's data within the authorized scope, as specified in the API call.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Gain access to Google Workspace data and services. Collect confidential information from Google Workspace. Compromise user accounts and data.Investigative actions: Check which account was granted access to the Domain API. Identify the source IP address of the request. Verify the legitimacy of the request.A user accessed Okta's admin application Informational Identity Threat Module 1 variation
An attempt to access Okta's admin management application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Domain or Tenant Policy Modification (T1484) Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: Adversaries are attempting to infiltrate Okta's administrative application, a breach that could lead to the manipulation of authentication procedures, creation of persistent user accounts, and various activities aiding in the compromise of additional assets.Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).Variations
Suspicious Okta Admin App Access Attempt
Low overridden
A user attempted to access the Okta Admin Application in a suspicious way. overridden
A user certificate was issued with a mismatch Informational Identity Analytics 1 variation
A certificate was issued to a user who was not the requester, this may indicate a certificate manipulation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Attackers may try to obtain certificates for privileged accounts or systems they do not normally have access to, to gain elevated access and move laterally within the network.Investigative actions: Verify the activity with the performing user. Identify if the requester is a user or system that normally requests certificates on behalf of other entities (e.g., a Mobile Device Management system). Search for further indicators of potential compromise, including atypical login behaviors, unauthorized attempts at privilege escalation, or lateral movements within the network attributed to the requester. Examine whether the mismatch between the requester and the subject is consistent with known and anticipated practices, or if it represents an unusual deviation. Check for possible certificate authentications with the subject user.Variations
Suspicious certificate issuance with a mismatch
Low overridden
A user certificate was issued with a mismatch. This requester doesn't usually ask for a certificates on behalf of another subject. This may indicate a certificate manipulation. overridden
A user logged on to multiple workstations via Schannel Informational Identity Analytics 2 variations
A user logged on to multiple workstations with a certificate via Schannel. This may be indicative of a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)Required data: XDR AgentDetector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Elevate permissions and establish persistence.Investigative actions: Verify the activity with the performing user. Check for possible certificate authentications with the subject user. Check if the user logged in to other endpoints via Schannel.Variations
Rare user authentication with a certificate via Schannel
Low overridden
A rare user authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden
Abnormal authentication with a certificate via Schannel
Informational overridden
An abnormal authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden
A user was added to a Windows security group Informational Identity Analytics 4 variations
A user was added to a Windows security group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Privilege escalation using a valid account.Investigative actions: Check the user who added the account to the group and verify its activity.Variations
User added a member to a Windows privileged group for the first time
Medium overridden
A user was added to a Windows security privileged group. overridden
User added to a Windows privileged group
Low overridden
A user was added to a Windows security privileged group. overridden
User removed from a Windows privileged group
Informational overridden
A user was removed from a Windows security privileged group. overridden
A user was removed from a Windows security group
Informational overridden
A user was removed from a Windows security group. overridden
AWS support case creation Informational Cloud
A cloud identity has created a new case in AWS support.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007) Privilege Escalation (TA0004)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Account Manipulation (T1098)Required data: AWS Audit LogAttacker's goals: Obtaining a list of resources that could be targeted for lateral movement or convincing AWS's support to perform actions on their behalf.Investigative actions: Investigate any unusual activity originating from the suspected identity. View the contents of the newly created case {case_id} .Abnormal File Activity in SCCMContentLib Shared Folder by user Informational Identity Analytics 1 variation
A user generated suspicious file activity within the SCCMContentLib shared folder, which is considered a high-value target for attackers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002) Unsecured Credentials (T1552)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft SCCM AnalyticsAttacker's goals: Attackers aim to exploit misconfigurations in Microsoft Configuration Manager to access sensitive data, such as credentials and certificates, stored within the SCCMContentLib. This access can facilitate lateral movement and further compromise within the network.Investigative actions: Verify the activity with the performing user. Check if SCCM admin credentials were accessed or exfiltrated. Review SCCM logs to identify unauthorized queries or modifications. Investigate recent access to the extracted files and their contents. Check other security logs (e.g., Windows Event Logs, SIEM alerts) for suspicious behavior. Identify the originating system and assess if it has been compromised. Monitor for any further lateral movement or privilege escalation attempts.Variations
Suspicious File Activity in SCCMContentLib Shared Folder by user
Low overridden
A user generated suspicious file activity within the SCCMContentLib shared folder, which is considered a high-value target for attackers. overridden
Abnormal User Login to Domain Controller Informational Identity Analytics 4 variations
A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078) Use Alternate Authentication Material (T1550)Required data: XDR AgentAttacker's goals: A malicious user may attempt to access a domain controller to access and control Active Directory.Investigative actions: Ensure that the user is not a Domain Admin account. By default, Administrator groups have permission to access the domain controller. Check if the user is a service account that accesses a domain controller as part of its normal behavior. Verify that the user is not authenticating to group policy.Variations
Rare RDP User Login to Domain Controller by an Abnormal Department
Medium overridden
A user account has successfully interactively logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden
Abnormal RDP User Login to Domain Controller
Low overridden
A user account has successfully interactively logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden
RDP User Login to Domain Controller
Informational overridden
A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden
Abnormal User Login to Domain Controller by an Abnormal Department
Informational overridden
A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden
Access to sensitive host files from within a Kubernetes pod Informational 2 variations
A process accessed sensitive host files inside a Kubernetes pod, indicating a potential container escape or privilege escalation attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Escape to Host (T1611)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Access to the host filesystem.Investigative actions: Look for additional suspicious activities. Verify if the exposed files were used for malicious activity. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.Variations
Access to sensitive host files from within a Kubernetes pod via an interactive shell
Medium overridden
A process accessed sensitive host files inside a Kubernetes pod, indicating a potential container escape or privilege escalation attempt. overridden
Unusual access to sensitive host files from within a Kubernetes pod
Low overridden
A process accessed sensitive host files inside a Kubernetes pod, indicating a potential container escape or privilege escalation attempt. overridden
Admin privileges were granted to a Google Workspace user Informational Identity Threat Module
Admin privileges were granted to a Google Workspace user. This user now has access to additional administrative functions and settings.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Gain access to sensitive data stored in Google Workspace. Manipulate or delete data stored in Google Workspace. Gain access to privileged features in Google Workspace.Investigative actions: Check which Google Workspace user was granted the admin privileges. Check if the user is authorized to be granted such privileges. Review the audit logs to determine the actions taken by the user.An Azure Kubernetes Role or Cluster-Role was modified Informational Cloud
An Azure Kubernetes Role or Cluster-Role was modified or deleted. This could indicate malicious activity and should be investigated.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078)Required data: Azure Audit LogAttacker's goals: Escalate privileges to gain access to restricted resources in Azure Kubernetes cluster.Investigative actions: Review the role or ClusterRole changes made by the identity. Determine whether the identity is authorized to perform these actions.An Azure Kubernetes Role-Binding or Cluster-Role-Binding was modified or deleted Informational Cloud
An Azure Kubernetes Role-Binding or Cluster-Role-Binding was modified or deleted. This could indicate a security breach or malicious activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078)Required data: Azure Audit LogAttacker's goals: Escalate privileges to gain access to restricted resources in Azure Kubernetes cluster.Investigative actions: Investigate which actions were made by the identity and identify any suspicious activity. Review the Kubernetes configuration to identify any other changes.An identity attached an administrative policy to an IAM user or role Informational Cloud 3 variations
An identity attached an administrative policy to an IAM user or role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Escalate privileges in cloud environments.Investigative actions: Confirm whether this activity was intentional. Check for other API calls that were executed by the identity. Look for any suspicious behavior from the IAM user or role to whom the administrative policy was attached.Variations
An identity attached an administrative policy to itself
Medium overridden
An identity attached an administrative policy to an IAM user or role. overridden
An identity failed to attach an administrative policy to an IAM user or role
Medium overridden
An identity attached an administrative policy to an IAM user or role. overridden
A suspicious identity attached an administrative policy to an IAM user/role
Low overridden
An identity attached an administrative policy to an IAM user or role. overridden
An identity created or updated password for an IAM user Informational Cloud 1 variation
An identity created or updated an AWS console password for an IAM user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: AWS Audit LogAttacker's goals: Escalate privileges, maintain persistence in cloud environments.Investigative actions: Verify whether the identity should be making this action. Examine what additional API calls were made by the identity.Variations
A suspicious identity created or updated password for an IAM user
Low overridden
An identity created or updated an AWS console password for an IAM user. overridden
An identity was granted permissions to manage user access to Azure resources Informational Cloud
An identity was granted the User Access Administrator permission at the tenant scope.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005)Required data: Azure Audit LogAttacker's goals: Elevate permission to gain access to all Azure Subscriptions.Investigative actions: Verify whether the identity should be making this action. Check what additional API calls were made by the identity.An uncommon service was started Low 1 variation
An uncommon service was started using systemctl or service processes.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Create or Modify System Process: Systemd Service (T1543.002)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may create systemd services to run malicious payloads.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
An uncommon service was started in a Kubernetes pod
Low overridden
An uncommon service was started using systemctl or service processes. overridden
Azure AD PIM elevation request Informational Identity Threat Module
An Azure AD PIM elevation request was denied/approved.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: Getting elevated permissions to perform malicious actions.Investigative actions: Check if the elevation is authorized. Follow further actions or suspicious logins from the elevated account.Azure AD PIM role settings change Low Identity Threat Module 1 variation
An identity changed the PIM role settings.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548) Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: An attacker can modify the PIM role settings to make it easier to acquire a privileged account.Investigative actions: Check what role settings have been updated. Check whether the user changing the settings is permitted to perform such actions.Variations
Suspicious Azure AD PIM role settings change
Medium overridden
An identity modified the PIM role settings to a less secure configuration for a privileged role. overridden
Azure Privilege Escalation Using an Application Medium Identity Threat Module
An Azure application was observed assigning an Azure administrator role to a user. This might indicate a privilege escalation attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 5 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: Azure Audit Log AzureAD AzureAD Audit Log Microsoft Graph Logs Office 365 Audit Okta Okta Audit Log Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Global Protect Third-Party VPNs Slack Audit Log XDR Agent XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may add additional roles or permissions to an attacker controlled cloud account to maintain persistent access to a tenant.Investigative actions: Check if the affected account is new to the organization. Check whether the application that added the account to the role is permitted to perform such actions. Check what can be affected by the assigned role Follow further actions done by the account that was added to the role.Azure Temporary Access Pass (TAP) registered to an account Informational Identity Threat Module 2 variations
An identity registered an Azure Temporary Access Pass (TAP) to an account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: A TAP can allow setting of other authentication methods and can be used as an initial replacement of a multifactor authentication.Investigative actions: Check if the account that got the TAP should get it. Check whether the account that registered the TAP is supposed to perform such actions. Check if the TAP was registered to a privileged account. Follow further actions done by the initiator and the account with the TAP.Variations
Azure Temporary Access Pass (TAP) registered to a privileged account
Medium overridden
An identity registered an Azure Temporary Access Pass (TAP) to an account. overridden
Abnormal Azure Temporary Access Pass (TAP) account registration
Low overridden
An identity registered an Azure Temporary Access Pass (TAP) to an account. overridden
Azure domain federation settings modification attempt Low Identity Threat Module 1 variation
A user or application attempted to modify the federation settings of the domain.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Domain or Tenant Policy Modification (T1484)Required data: AzureAD Audit LogAttacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion.Investigative actions: Check what configuration has been changed. Check whether the user changing the configuration is permitted.Variations
A successful Azure domain federation settings modification
Medium overridden
A user or application successfully modified the federation settings of the domain. overridden
Azure service principal assigned app role Informational Identity Threat Module
An identity assigned an app role (permissions) to a service principal.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: An attacker may add roles to service principals that will allow them to access sensitive information and perform other actions.Investigative actions: Check if the added service principle is new to the organization. Check whether the account that added the app role is supposed to perform such actions. Check for possible logins and actions from the service principle with the role. Follow further actions done by the application and the assigner.Azure storage account blob anonymous access is enabled Informational Cloud
It is possible to configure anonymous access to blobs within the storage account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004) Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)Required data: Azure Audit LogDetector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Public Exposure, Data Detection & ResponseAttacker's goals: The attacker wants to maintain indirect control over the resource. Attackers intend to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.Investigative actions: Check if the blobs within the storage account should be accessed from all networks. Disable public network access or disable blob anonymous access to storage account if needed. Check if the identity performed additional malicious activity and restrict permissions for the identity if required.Change of sudo caching configuration Low 1 variation
Change of sudo caching configuration may have been intended to enable privilege escalation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism: Sudo and Sudo Caching (T1548.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may use the sudoers file to elevate privileges.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Change of sudo caching configuration in a Kubernetes pod
Low overridden
Change of sudo caching configuration may have been intended to enable privilege escalation. overridden
Creation or modification of the default command executed when opening an application Informational 4 variations
Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain higher privileges by bypassing the User Account Control (UAC).Investigative actions: Check the registry data modified for a potentially malicious command line. Look for processes running matching the command line for malicious activity.Variations
Creation or modification of the default command executed when opening the Microsoft optional features settings (Fodhelper.exe)
Medium overridden
Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC. overridden
Creation or modification of the default command executed when opening an MMC application
Medium overridden
Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC. overridden
Creation or modification of the default command executed when opening Windows backup and restore (sdclt.exe)
Medium overridden
Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC. overridden
Creation or modification of the default command executed when opening Windows Store settings (Wsreset.exe)
Medium overridden
Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC. overridden
Credentials were added to Azure application Informational Cloud
Credentials were added to an Azure application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: An attacker can establish a backdoor in the application by adding additional credentials to it, such as secrets or certificates.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Elevation to SYSTEM via services Low 2 variations
Services were affected by a non SYSTEM integrity level process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Malicious Service AnalyticsAttacker's goals: Escalate privileges to system and execute commands.Investigative actions: Investigate the service being spawned on the host for malicious activities.Variations
Elevation to SYSTEM via service creation
Low overridden
A service was created from a non SYSTEM integrity level process. overridden
Elevation to SYSTEM via service modification
Low overridden
An existing service was modified from a non SYSTEM integrity level process. overridden
Execution of command from within a Kubernetes pod using kubelet credentials Low 1 variation
A command was executed from within a Kubernetes pod using Kubelet credentials. This activity allows an attacker to impersonate the node and perform privileged operations against the cluster API.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Access Token Manipulation (T1134)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Usage of the Kubernetes API server to perform operations inside the cluster.Investigative actions: Check if there is an active attack against the Kubernetes cluster.Variations
Unusual execution of command from within a Kubernetes pod using kubelet credentials
Medium overridden
A command was executed from within a Kubernetes pod using Kubelet credentials. This activity allows an attacker to impersonate the node and perform privileged operations against the cluster API. overridden
External user invitation to Azure tenant Informational Cloud
An external user was invited to Azure tenant.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Gain unauthorized access to the tenant.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Fodhelper.exe UAC bypass Medium
Attackers may use Fodhelper.exe to bypass UAC (User Account Control) by having it spawn their malicious process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)Required data: XDR AgentAttacker's goals: Gain higher privileges by bypassing the User Account Control (UAC).Investigative actions: Search for a registry event that changes the key Software\Classes\ms-settings. Review the process that made the registry key. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.GCP administrative role granted to a cloud identity Informational Cloud
A cloud identity granted an administrative IAM role to another identity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.GCP sensitive Cloud Run role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive Cloud Run IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within the cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive Cloud Run role granted
Medium overridden
A cloud identity granted itself a sensitive Cloud Run IAM role. overridden
GCP sensitive Deployment Manager role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive Deployment Manager IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within the cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive Deployment Manager role granted
Medium overridden
A cloud identity granted itself a sensitive Deployment Manager IAM role. overridden
GCP sensitive Functions role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive Functions IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive Functions role granted
Medium overridden
A cloud identity granted itself a sensitive Functions IAM role. overridden
GCP sensitive IAM role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive IAM role granted
Medium overridden
A cloud identity granted itself a sensitive IAM role. overridden
GCP sensitive Secret Manager role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive Secret Manager IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive Secret Manager role granted
Medium overridden
A cloud identity granted itself a sensitive Secret Manager IAM role. overridden
GCP sensitive compute role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive compute IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive compute role granted
Medium overridden
A cloud identity granted itself a sensitive compute IAM role. overridden
GCP sensitive role granted to group Low Cloud 1 variation
A cloud identity granted a sensitive role to a group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the group.Variations
GCP sensitive role granted to group
Medium overridden
A cloud identity granted a sensitive role to a group. overridden
GCP sensitive storage role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive storage IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive storage role granted
Medium overridden
A cloud identity granted itself a sensitive storage IAM role. overridden
GCP service account impersonation attempt Informational Cloud
An attempt to impersonate the GCP service account failed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)Required data: Gcp Audit LogAttacker's goals: Escalate privileges to gain elevated access to cloud resources.Investigative actions: Review activity on the target service account. Check which principals have permission to impersonate the service account.GCP set IAM policy activity Informational Cloud
A cloud identity had modified a resource policy bindings.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Gmail delegation was turned on for the organization Informational Identity Threat Module
A Google Workspace admin turned on Gmail delegation for all the organization's users.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Domain or Tenant Policy Modification (T1484)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Email Collection.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if any user in the organization granted other users access to their mail inbox. Follow further actions done by the account.Google Marketplace restrictions were modified Informational Identity Threat Module 3 variations
An identity modified Google Marketplace Restrictions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Domain or Tenant Policy Modification (T1484)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Malicious Apps can be used to access the organization's Google data.Investigative actions: Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new settings look suspicious. Follow further actions done by the account.Variations
Google Marketplace restrictions were modified by a suspicious identity
Low overridden
An identity modified Google Marketplace Restrictions. overridden
Google Marketplace restrictions were modified from an unusual ASN
Low overridden
An identity modified Google Marketplace Restrictions. overridden
Google Marketplace restrictions were modified by a non Google Workspace administrative user
Informational overridden
An identity modified Google Marketplace Restrictions. overridden
Google Workspace third-party application's security settings were changed Informational Identity Threat Module 3 variations
An identity changed Google Workspace third-party application's security settings.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Domain or Tenant Policy Modification (T1484)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Malicious apps can be used to access the organization's Google data.Investigative actions: Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new settings look suspicious. Follow further actions done by the account.Variations
Google Workspace third-party application's security settings were changed by a suspicious identity
Low overridden
An identity changed Google Workspace third-party application's security settings. overridden
Google Workspace third-party application's security settings were changed from an unusual ASN
Low overridden
An identity changed Google Workspace third-party application's security settings. overridden
Google Workspace third-party application's security settings were changed by a non Google Workspace administrative user
Informational overridden
An identity changed Google Workspace third-party application's security settings. overridden
IAM User added to an IAM group Informational Cloud
An IAM user was added to an IAM group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add a user to a group to establish persistence or escalate privileges within a cloud account.Investigative actions: Identify the identity that executed the API call. Determine which IAM user was added to the group. Evaluate the group's permissions to determine their applicability to the IAM user.IAM inline policy was added to group Informational Cloud
A cloud identity added an AWS IAM inline policy to an IAM group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM inline policy was added to role Informational Cloud
A cloud identity added an AWS IAM inline policy to an IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM inline policy was added to user Informational Cloud
A cloud identity added an AWS IAM inline policy to an IAM user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM instance profile was associated with EC2 instance Informational Cloud
An AWS IAM instance profile was associated with EC2 instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.IAM instance profile was created Informational Cloud
An AWS IAM instance profile was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.IAM instance profile was replaced for EC2 instance Informational Cloud
An AWS IAM instance profile was replaced for EC2 instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.IAM policy default version was changed Informational Cloud
A cloud identity set the specified version of an AWS IAM policy as the policy's default.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM policy version was created Informational Cloud
A cloud identity created an AWS-managed IAM policy version.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM policy was attached to group Informational Cloud
A cloud identity attached an AWS IAM policy to an IAM group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM policy was attached to role Informational Cloud 1 variation
An AWS IAM policy was attached to this role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.Variations
Administrative IAM policy was attached to role
Informational overridden
An AWS IAM policy was attached to this role. overridden
IAM role trust policy modification Informational Cloud
A cloud identity updated the trust policy of an AWS IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM role was created Informational Cloud
An IAM role was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity or role.Image file execution options (IFEO) registry key set Low 3 variations
Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Event Triggered Execution: Image File Execution Options Injection (T1546.012)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options debuggers.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Look at the debugged process and what it is executing to determine if it is malicious.Variations
Image file execution options (IFEO) registry key set to execute a shell or scripting engine process
High overridden
Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. overridden
Image file execution options (IFEO) registry key set to activate Windows licenses illegally
Medium overridden
Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. This is also used by tools that were made to activate Windows licenses illegally. overridden
Image file execution options (IFEO) registry key set using reg.exe
High overridden
Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. overridden
Installation of a new System-V service Low 1 variation
Installation of a new System-V service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Create or Modify System Process: Systemd Service (T1543.002)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may create systemd services to run malicious payloads.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Installation of a new System-V service in a Kubernetes pod
Low overridden
Installation of a new System-V service. overridden
Interactive at.exe privilege escalation method Low
Detects an interactive AT scheduled task, which may be used as a form of privilege escalation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)ATT&CK techniques: Scheduled Task/Job (T1053) Scheduled Task/Job: At (T1053.002)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: Attackers may attempt to use the command to gain persistence on the endpoint using recurring tasks.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Kubelet server communication from a pod Informational 1 variation
The Kubelet server was accessed from within a pod, which may indicate an attempt to escape container boundaries or escalate privileges.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Discovery (TA0007)ATT&CK techniques: Escape to Host (T1611) Container and Resource Discovery (T1613)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Usage of the Kubelet server to attempt a container breakout or escalate privileges.Investigative actions: Examine the process on the pod to understand its purpose.Variations
Kubelet server communication from a pod by a first seen process
Low overridden
The Kubelet server was accessed from within a pod, which may indicate an attempt to escape container boundaries or escalate privileges. overridden
Kubernetes Pod Created With Sensitive Volume Informational Cloud 3 variations
An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Gain access to the host's filesystem. Gain root access to the host.Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.Variations
Kubernetes Pod Created With Sensitive Volume for the first time in the cluster
Low overridden
An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden
Kubernetes Pod Created With Sensitive Volume for the first time in the namespace
Low overridden
An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden
Kubernetes Pod Created With Sensitive Volume for the first time by the identity
Low overridden
An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace Informational Cloud 3 variations
An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Access data used by other pods that use the host's IPC namespace.Investigative actions: Check the identity's role designation in the organization. Inspect for any files in the /dev/shm shared memory location. Inspect for any IPC facilities being used with /usr/bin/ipcs.Variations
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time in the cluster
Low overridden
An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time in the namespace
Low overridden
An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time by the identity
Low overridden
An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden
Kubernetes Pod created with host process ID (PID) namespace Informational Cloud 3 variations
An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: View processes on the host. View the environment variables for each pod on the host. View the file descriptors for each pod on the host. Kill processes on the node.Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.Variations
Kubernetes Pod created with host process ID (PID) namespace for the first time in the cluster
Low overridden
An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden
Kubernetes Pod created with host process ID (PID) namespace for the first time in the namespace
Low overridden
An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden
Kubernetes Pod created with host process ID (PID) namespace for the first time by the identity
Low overridden
An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden
Kubernetes Privileged Pod Creation Informational Cloud 3 variations
An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Gain access to the host's filesystem. Gain root access to the host.Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.Variations
Kubernetes Privileged Pod Creation for the first time in the cluster
Low overridden
An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden
Kubernetes Privileged Pod Creation for the first time in the namespace
Low overridden
An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden
Kubernetes Privileged Pod Creation for the first time by the identity
Low overridden
An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden
Kubernetes nsenter container escape Informational 2 variations
The nsenter command was used to execute a process in the context of the initialization process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Escape to Host (T1611)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may break out of a container to run commands on the host.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Kubernetes nsenter container escape from a new Pod
Medium overridden
The nsenter command was used to execute a process in the context of the initialization process. overridden
Kubernetes nsenter container escape from a Pod
Low overridden
The nsenter command was used to execute a process in the context of the initialization process. overridden
Kubernetes pod creation with host network Informational Cloud 3 variations
An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Access services bound to localhost. Sniff traffic on any interface on the host. Bypass network policy.Investigative actions: Check the identity's role designation in the organization. Inspect for any unusual access to localhost services. Inspect for any network sniffing tool being used inside the Kubernetes Pod.Variations
Kubernetes pod creation with host network for the first time in the cluster
Low overridden
An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden
Kubernetes pod creation with host network for the first time in the namespace
Low overridden
An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden
Kubernetes pod creation with host network for the first time by the identity
Low overridden
An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden
LOLBIN process executed with a high integrity level Low 1 variation
A process spawned a suspicious LOLBIN process with a higher/system integrity level.The LOLBIN process spawned with an uncommon command line. This may be an indication of malicious code execution to gain privileges.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: XDR AgentAttacker's goals: An attacker may attempt to gain higher privileges.Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it.Investigate the endpoint to determine if it's a legitimate process that is supposed to run with privileges.Variations
LOLBIN process executed with a high integrity level by a web server process or CGO
Medium overridden
A process spawned a suspicious LOLBIN process with a higher/system integrity level by a web server process or CGO.The LOLBIN process spawned with an uncommon command line. This may be an indication of malicious code execution to gain privileges. overridden
Machine account was added to a domain admins group Medium Identity Analytics
A machine account was added to a domain admins group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Privilege escalation using a valid account.Investigative actions: Check the user who added the account to the group and verify its activity.Member added to a Windows local security group Informational Identity Analytics 2 variations
A member was added to a Windows local security group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Privilege escalation using a valid account.Investigative actions: Check the user who added the account to the group and verify its activity.Variations
User added to the Windows local Administrator group
Low overridden
A member was added to a Windows local security group. overridden
Member added to the Windows local Administrator group
Informational overridden
A member was added to a Windows local security group. overridden
Microsoft Configuration Manager device registration and policy request Informational Identity Analytics 1 variation
A user registered a device and requested a Microsoft Configuration Manager policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002) Unsecured Credentials (T1552)Required data: XDR AgentDetector tags: Microsoft SCCM AnalyticsAttacker's goals: An attacker aims to extract plaintext credentials of the Network Access Account (NAA) from an SCCM environment, enabling unauthorized access to resources and lateral movement within the network.Investigative actions: Verify the activity with the performing user. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Look for unusual logins using the Network Access Account (NAA), on systems or at times that deviate from normal patterns. Looking for signs of credential extraction, such as tools or scripts.Variations
Suspicious Microsoft Configuration Manager device registration and policy request
Low overridden
A suspicious process registered a new device and requested policies from Microsoft Configuration Manager, triggering a suspicious activity alert due to unusual characteristics. overridden
Mount command was executed from within a Kubernetes pod to list all the attached filesystems Low 1 variation
The mount command was executed inside a Kubernetes pod to list all the attached filesystems, which may serve as a precursor to container escape and host filesystem access.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Escape to Host (T1611)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Access to the host filesystem.Investigative actions: Look for additional suspicious activities. Verify if there was an attempt to access the host system.Variations
Unusual mount command was executed from within a Kubernetes pod to list all the attached filesystems
Medium overridden
The mount command was executed inside a Kubernetes pod to list all the attached filesystems, which may serve as a precursor to container escape and host filesystem access. overridden
Multiple failed AWS assume role attempts Informational Cloud 1 variation
An AWS identity performed an unusual high number of failed assume role attempts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Account Discovery: Cloud Account (T1087.004)Required data: AWS Audit LogAttacker's goals: Identify accessible roles and move laterally or escalate privileges within a cloud environment.Investigative actions: Check if the attempting identity is aware of this activity and if its recent behavior appears suspicious. Evaluate if the source IP address or user agent associated with these attempts is known or suspicious. Verify if any successful assume role operations occurred from the same identity around the same time. Review any additional activity from the specific roles the identity assumed.Variations
Suspicious multiple failed AWS assume role attempts
Medium overridden
An AWS identity performed an unusual high number of failed assume role attempts. overridden
Okta API Token Created Informational Identity Threat Module 1 variation
A user created a new API token in Okta.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002) Persistence (TA0003)ATT&CK techniques: Access Token Manipulation: Make and Impersonate Token (T1134.003) Command and Scripting Interpreter: Cloud API (T1059.009) Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker's goal is to gain unauthorized access, compromise user accounts, and perform malicious actions within an organization's systems, potentially leading to data breaches, account takeovers, and the escalation of privileges.Investigative actions: Review the actions taken by the user that created the token. Follow the operations made using this API token by the ID token. Contact the user who created the API token and ensure that the API token is needed.Variations
An Okta API token was generated with suspicious characteristics
Low overridden
A user created a new API token in Okta with suspicious conditions. overridden
Okta admin privilege assignment Informational Identity Threat Module 1 variation
A user assigned admin privileges to a new user or group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker is attempting to gain access to sensitive information or systems, while privilege escalation involves their attempt to increase control and access within the system or network.Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Analyze the actions carried out by the user responsible for granting permission.Variations
Abnormal Okta admin privilege assignment with suspicious characteristics
Low overridden
A suspicious user assignment of admin privileges to a new user or group. overridden
Owner was added to Azure application Informational Cloud
An Owner was added to an Azure application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Gain administrative control and manipulate the application's permissions and settings.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.PKINIT TGT authentication request Informational Identity Analytics 2 variations
A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Privilege Escalation (TA0004)ATT&CK techniques: Use Alternate Authentication Material (T1550) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Gain unauthorized access to high-privilege accounts by abusing certificate-based authentication mechanisms.Investigative actions: Verify if Windows Hello for Business (WHfB) is deployed and actively used in the environment, as it may explain the PKINIT activity. Inspect the Key Credentials attribute of the target account for recent modifications. Review associated service tickets or lateral movement activities tied to the target account. Investigate unusual certificate issuance or PKI activities.Variations
Suspicious PKINIT TGT authentication request
Medium overridden
A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse. overridden
Abnormal PKINIT TGT authentication request
Low overridden
A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse. overridden
Possible DLL Hijack into a Microsoft process Informational 6 variations
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.Variations
Possible DLL Hijack of a low entropy DLL into a Microsoft process
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
Possible DLL Side-Loading into a Microsoft process from a suspicious folder
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
DLL Hijack into a Microsoft process
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
Possible DLL Hijack into a Microsoft development or framework related process
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
Possible DLL Hijack into a Microsoft process - the DLL was extracted from an internet-downloaded archive
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
Possible DLL Hijack into a Microsoft process - the DLL downloaded from an uncommon source
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
Possible DLL Search Order Hijacking Low 3 variations
An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001) Hijack Execution Flow: Path Interception by PATH Environment Variable (T1574.007) Hijack Execution Flow: Path Interception by Unquoted Path (T1574.009) Hijack Execution Flow: Path Interception by Search Order Hijacking (T1574.008)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.Variations
Possible DLL Search Order Hijacking by DLL Substitution
Low overridden
An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden
Possible DLL Search Order Hijacking - DLL extracted from an internet-downloaded archive
Low overridden
An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden
Possible DLL Search Order Hijacking - DLL downloaded from an uncommon source
Low overridden
An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden
Possible Kerberos relay attack Low
A suspicious local network login was observed, which might indicate on Kerberos relay attack. This attack can lead to privilege escalation by obtaining system privileges on the target.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: Windows Event Collector XDR AgentAttacker's goals: An attacker is attempting to elevate its privileges on the machine.Investigative actions: Check for any other suspicious activity related to the host involved in the alert. Look for a new machine that was added to the domain.Possible Privilege Escalation using Delegated MSA account Informational Identity Analytics 1 variation
An attacker might abuse dMSA account to escalate its privileges.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers may leverage dMSA account migration process to escalate privileges.Investigative actions: Confirm that the user is authorized to create and modify dMSA accounts in the domain. Verify the user should have permissions on the OU under which the dMSA account was created. Validate that the dMSA account should be created under the OU that appeared in the log (use the GUID). Verify that the user superseded an account, with the dMSA account, that should have superseded. Check the GUID of the dMSA object to get the account itself (can be viewed also in computer account creation event). Check what is the superseded account in the attribute 'msDS-ManagedAccountPrecededByLink' of the dMSA object. Investigate the host that initiated the dMSA account migration process for malicious activity.Variations
Possible Privilege Escalation using Delegated MSA account attempt
Medium overridden
An attacker might abuse dMSA account to escalate its privileges. overridden
Privileged certificate request via certificate template Informational Identity Analytics 2 variations
A privileged certificate was requested via certificate template.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker may attempt to exploit the Active Directory Certificate Services to escalate privileges to a domain controller or privileged account.Investigative actions: Check if this is a legitimate certificate request. Check if the certificate issued was used to request a Kerberos ticket. Investigate actions done with the issued certificate and its owner. Check for possible NTLM relay alerts.Variations
Suspicious privileged certificate request denied via certificate template
Medium overridden
A suspicious privileged certificate request was denied via certificate template. overridden
Suspicious privileged certificate request via certificate template
Low overridden
A suspicious privileged certificate was requested via certificate template. overridden
Privileged role used by Azure application Informational Cloud 1 variation
An Azure application with high-level API permissions invoked a request to the Microsoft Graph API.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Leverage high-level permissions to gain persistence and access to sensitive information.Investigative actions: Check the application's role designation in the organization. Look for any unusual behavior originated from the suspected application.Variations
First-time privileged role is used by Azure application
Low overridden
An Azure application with high-level API permissions invoked a request to the Microsoft Graph API. overridden
PsExec was executed with a suspicious command line Informational 4 variations
PsExec.exe was executed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)ATT&CK techniques: System Services: Service Execution (T1569.002) Valid Accounts (T1078)Required data: XDR AgentAttacker's goals: An adversary may attempt to use PsExec to gain execution capabilities, run remote commands or perform privilege escalation.Investigative actions: Check if any other suspicious activities happened under the same causality. Confirm the PsExec.exe command is benign.Variations
PsExec was executed with a suspicious command line by a LOLBIN
Low overridden
PsExec.exe was executed with NT/System privilege level by a LOLBIN. overridden
PsExec was executed with a suspicious command line by an unsigned actor
Medium overridden
PsExec.exe was executed with NT/System privilege level by an unsigned actor. overridden
PsExec was executed with a suspicious command line
Low overridden
PsExec.exe was executed with NT/System privilege level. overridden
PsExec was executed with a suspicious command line
Low overridden
PsExec.exe was executed with plain-text credentials. overridden
SPNs cleared from a machine account Low Identity Analytics 1 variation
Service principal names were cleared from a machine account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Follow actions performed by the user. Look for associated sAMAccountName rename events.Variations
SPNs cleared from a machine account for the first time
Medium overridden
Service principal names were cleared from a machine account. overridden