Analytics Alerts
Browse the Cortex analytics alert reference.
194 alerts match the current filters. tactic: TA0006 ✕
Show ATT&CK heatmapA Command Line Interface (CLI) command was executed from a GCP serverless compute service Low Cloud 4 variations
A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552)Required data: Gcp Audit LogDetector tags: Cloud Serverless Function Credentials Theft AnalyticsAttacker's goals: Exfiltrate serverless token and abuse it.Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.Variations
Suspicious Command Line Interface (CLI) command was executed from a GCP Cloud Build service
Low overridden
A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden
Suspicious Command Line Interface (CLI) command was executed from a GCP serverless compute service
Informational overridden
A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden
A Command Line Interface (CLI) command was executed from a GCP Cloud Build service
Low overridden
A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden
Unusual Command Line Interface (CLI) command was executed from a GCP serverless compute service
Medium overridden
A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden
A Command Line Interface (CLI) command was executed from an AWS serverless compute service Low Cloud 2 variations
AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552) Command and Scripting Interpreter: Cloud API (T1059.009)Required data: AWS Audit LogDetector tags: Cloud Serverless Function Credentials Theft AnalyticsAttacker's goals: Exfiltrate serverless token and abuse it.Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.Variations
A Command Line Interface (AWS-CLI) command was executed from an AWS serverless compute service
Informational overridden
AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden
Unusual Command Line Interface (CLI) command was executed from an AWS serverless compute service
Low overridden
AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden
A Kubernetes secret was created or deleted Informational Cloud
A Kubernetes secret was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Container API (T1552.007)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Obtain Kubernetes secrets to access restricted information.Investigative actions: Check which changes were made to the Kubernetes secret.A compute-attached identity executed API calls outside the instance's region Informational Cloud 6 variations
A compute-attached identity performed actions outside the compute instance region.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552)Required data: AWS Audit LogAttacker's goals: Exfiltrate token and abuse it remotely.Investigative actions: Verify whether the compute-attached identity's credentials were intentionally used remotely. Check what API calls were executed using instance's attached role. Check if the suspected instance is compromised.Variations
A compute-attached identity executed API calls outside the Lambda function's region
Informational overridden
A compute-attached identity performed actions outside the Lambda function region. overridden
A compute-attached identity executed API calls outside the instance's region from an unusual geolocation and ASN
High overridden
A compute-attached identity performed actions outside the compute instance region. overridden
A compute-attached identity executed API calls outside the instance's region from an unusual geolocation
Medium overridden
A compute-attached identity performed actions outside the compute instance region. overridden
A compute-attached identity executed API calls outside the instance's region from an unusual ASN
Low overridden
A compute-attached identity performed actions outside the compute instance region. overridden
A compute-attached identity executed API calls outside the instance's region
Low overridden
A compute-attached identity performed actions outside the compute instance region. overridden
A compute-attached identity failed to execute API calls outside the instance's region
Informational overridden
A compute-attached identity performed actions outside the compute instance region. overridden
A process queried the ADFS database decryption key via LDAP Low Identity Analytics 3 variations
A process queried the ADFS database decryption key (DKM key) via LDAP.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Authentication Certificates (T1649)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client), LDAP Analytics (Server), Active Directory Federation Services AnalyticsAttacker's goals: An attacker wanting to perform a golden SAML attack will want to steal the ADFS token-signing certificates. To steal the token-signing certificates, the attacker will need to access the ADFS database To access the encrypted ADFS database, an attacker will attempt to retrieve the decryption key via an LDAP query.Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time) or process. Check for unusual ADFS logins. Check the process that initiated the query. Investigate the LDAP search query for any suspicious indicators.Variations
LDAP query explicitly queried the ADFS database decryption key (DKM key)
Medium overridden
A process queried the ADFS database decryption key (DKM key) via LDAP. overridden
A process explicitly queried the ADFS database decryption key (DKM key) via LDAP
Medium overridden
A process queried the ADFS database decryption key (DKM key) via LDAP. overridden
LDAP query queried the ADFS database decryption key (DKM key)
Low overridden
A process queried the ADFS database decryption key (DKM key) via LDAP. overridden
A suspicious process enrolled for a certificate Low 1 variation
A suspicious process enrolled for a certificate.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials (T1552) Steal or Forge Authentication Certificates (T1649)Required data: XDR AgentDetector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Attackers may authenticate as users using a certificate. If a policy is configured with permissive options, the attacker can authenticate as a user with high privileges.Investigative actions: See whether this was a legitimate action. Follow process/user activities. Check for suspicious certificate authentications.Variations
An unsigned suspicious process enrolled for a certificate
Medium overridden
An unsigned suspicious process enrolled for a certificate. overridden
A suspicious process queried AD CS objects via LDAP Informational Identity Analytics 1 variation
A suspicious process queried AD CS objects via LDAP.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: File and Directory Discovery (T1083) Steal or Forge Authentication Certificates (T1649)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client), Active Directory Certificate Services AnalyticsAttacker's goals: An attacker might look for AD CS servers, certificate templates or request certificates. With the wrong setting or loose vulnerable templates or enabled enrollment, the attacker will be able to authenticate as users on the network.Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time) or process. Investigate the LDAP search query for any suspicious indicators.Variations
A user suspiciously queried AD CS objects via LDAP
Low overridden
A user suspiciously queried AD CS objects via LDAP. overridden
A user attempted to bypass Okta MFA Low Identity Threat Module 1 variation
A user may have attempted to bypass Okta MFA.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Modify Authentication Process (T1556) Multi-Factor Authentication Request Generation (T1621)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker is attempting to gain access to an account secured with MFA.Investigative actions: Contact the user who attempted to bypass MFA and ensure the request was legitimate. Check if the user successfully authenticated after the event.Variations
A successful bypass of Okta MFA
Low overridden
Suspicious MFA bypass attempt in Okta. overridden
A user certificate was issued with a mismatch Informational Identity Analytics 1 variation
A certificate was issued to a user who was not the requester, this may indicate a certificate manipulation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Attackers may try to obtain certificates for privileged accounts or systems they do not normally have access to, to gain elevated access and move laterally within the network.Investigative actions: Verify the activity with the performing user. Identify if the requester is a user or system that normally requests certificates on behalf of other entities (e.g., a Mobile Device Management system). Search for further indicators of potential compromise, including atypical login behaviors, unauthorized attempts at privilege escalation, or lateral movements within the network attributed to the requester. Examine whether the mismatch between the requester and the subject is consistent with known and anticipated practices, or if it represents an unusual deviation. Check for possible certificate authentications with the subject user.Variations
Suspicious certificate issuance with a mismatch
Low overridden
A user certificate was issued with a mismatch. This requester doesn't usually ask for a certificates on behalf of another subject. This may indicate a certificate manipulation. overridden
A user connected from a new country Informational Identity Analytics 1 variation
A user connected from an unusual country that the user has not connected from before. This may indicate the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 30 Days
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Gain user-account credentials.Investigative actions: Check if the user is currently located in the aforementioned country, or routed its traffic there via a VPN.Variations
A user connected from a new country - suspicious characteristics detected
Low overridden
The user connected from a country they have not accessed from previously, which may indicate potential account compromise due to unusual or suspicious characteristics. overridden
A user connected to a VPN from a new country Informational Identity Analytics 1 variation
A user connected to a VPN from an unusual country that the user has not connected from before. This may indicate the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 30 Days
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use an account that was possibly compromised to gain access to the network.Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the country is an approved country to connect from. Follow further actions done by the user.Variations
A user connected to a VPN from a suspicious country
Low overridden
A user connected to a VPN service from an unusual country. This may indicate the account was compromised. overridden
A user created a pfx file for the first time Informational Identity Analytics 1 variation
A user created a pfx file for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Attackers may export certificates to pfx files to use them for authentication, persistence or NTLM extraction.Investigative actions: Check if the pfx creation is legitimate for the user (testing, IT, etc.). Follow further actions done by the user (ex. authentication using certificates).Variations
A user created a pfx in a suspicious folder for the first time
Low overridden
A user created a pfx in a suspicious folder which is publicly accessible, for the first time. overridden
A user logged in from an abnormal country or ASN Informational Identity Analytics 1 variation
A user logged in from an unusual country or ASN. This may indicate that the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: XDR AgentAttacker's goals: Gain user-account credentials.Investigative actions: Check if the user is currently located in the aforementioned country. Check for any other suspicious activity related to the account. Check other ASNs and Countries that the user logged in from. Look for additional login attempts.Variations
A service account successfully logged in from a new country or ASN
Low overridden
A service account successfully logged in to an internet facing server from an unusual country or ASN. This may indicate that the account was compromised. overridden
A user logged on to multiple workstations via Schannel Informational Identity Analytics 2 variations
A user logged on to multiple workstations with a certificate via Schannel. This may be indicative of a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)Required data: XDR AgentDetector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Elevate permissions and establish persistence.Investigative actions: Verify the activity with the performing user. Check for possible certificate authentications with the subject user. Check if the user logged in to other endpoints via Schannel.Variations
Rare user authentication with a certificate via Schannel
Low overridden
A rare user authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden
Abnormal authentication with a certificate via Schannel
Informational overridden
An abnormal authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden
A user modified an Okta MFA factor Informational Identity Threat Module 1 variation
An Okta MFA factor was modified by a user, suggesting a potential compromise of the account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Persistence (TA0003)ATT&CK techniques: Modify Authentication Process (T1556) Modify Authentication Process: Multi-Factor Authentication (T1556.006)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker is attempting to gain access to an account secured with MFA.Investigative actions: Contact the user and ensure the operation was legitimate. Check if the user modifies more factors. If the user activates a weak factor, check for abnormal successful sign-ins from different countries and times. If the user deactivates a strong factor, check if he authenticates with unusual factors and checks for abnormal successful sign-ins from different countries and times.Variations
Abnormal Okta MFA Factor Authentication Modification
Low overridden
An OKTA MFA factor was modified by a user with suspicious conditions. overridden
A user queried AD CS objects via LDAP Informational Identity Analytics 1 variation
A user queried AD CS objects via LDAP.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: File and Directory Discovery (T1083) Steal or Forge Authentication Certificates (T1649)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Server), Active Directory Certificate Services AnalyticsAttacker's goals: An attacker might look for AD CS servers, certificate templates or request certificates. With the wrong setting or loose vulnerable templates or enabled enrollment, the attacker will be able to authenticate as users on the network.Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time). Investigate the LDAP search query for any suspicious indicators.Variations
A user enumerated AD CS objects using suspicious LDAP query
Low overridden
A user enumerated AD CS objects using suspicious LDAP query. overridden
A user received multiple weakly encrypted service tickets Informational Identity Analytics 1 variation
A user received multiple weakly encrypted service tickets. This is typically a sign of a Kerberoasting attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak Kerberos encryption.Variations
Abnormal issuance of weakly encrypted service tickets to a user
Low overridden
A user received multiple weakly encrypted service tickets. This is typically a sign of a Kerberoasting attack. overridden
A user rejected an SSO request from an unusual country Low Identity Analytics
A user rejected an SSO authentication request from an abnormal country.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: OktaAttacker's goals: An attacker is attempting to gain access to an account secured with MFA.Investigative actions: Verify the reject cause of the MFA attempts. Check to see if the user has successfully authenticated around the time of the alert, and confirm it's a legitimate login. Verify the authentication attempt from the rare country is benign.A user requested multiple service tickets Informational Identity Analytics 1 variation
A user requested multiple service tickets. This is typically a sign of a Kerberoasting attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak Kerberos encryption.Variations
Abnormal issuance of service tickets to a user
Low overridden
A user requested multiple service tickets. This is typically a sign of a Kerberoasting attack. overridden
A user sent multiple TGT requests to irregular service Low Identity Analytics 2 variations
A user sent multiple TGT requests to services other than KRBTGT and KADMIN. This is typically a sign of a Kerberoasting attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak Kerberos encryption.Variations
A user sent an excessive number of TGT requests to irregular services
Medium overridden
A user sent multiple TGT requests to services other than KRBTGT and KADMIN. This is typically a sign of a Kerberoasting attack. overridden
A user sent a TGT request to irregular service
Informational overridden
A user sent a TGT request to a service other than KRBTGT and KADMIN. This might indicate an attempt to perform a Kerberoasting attack. overridden
ADFS DKM Key Access Low Identity Threat Module
ADFS DKM key attribute (thumbnailphoto) access in AD container, potential Golden SAML token forging attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Forge Web Credentials: SAML Tokens (T1606.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Federation Services AnalyticsAttacker's goals: The attack goal is to forge a valid SAML token to impersonate any user and gain persistent, unauthorized access to cloud resources, effectively bypassing MFA and standard security controls.Investigative actions: Check for recent changes to the SAML signing certificate on both the Identity Provider and the Service Provider to rule out a configuration drift or expiration issue. Check for other correlated alerts on on-premises systems that may be related to the Golden SAML attack. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).AWS SSM parameters discovery Informational Cloud 1 variation
An attempt was made to list parameters stored in AWS SSM.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006) Cloud Service Discovery (T1526)Required data: AWS Audit LogAttacker's goals: Exfiltrate sensitive secrets stored in SSM parameter store.Investigative actions: Check if the secrets manager activity aligns with known workflows or automation, or if it indicates abnormal activity. Follow further actions done by the identity.Variations
Unusual AWS SSM parameters discovery
Informational overridden
An attempt was made to list parameters stored in AWS SSM. overridden
AWS SSM parameters retrieval Informational Cloud 2 variations
An attempt was made to retrieve parameters stored in AWS SSM.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)Required data: AWS Audit LogAttacker's goals: Exfiltrate sensitive secrets stored in AWS SSM parameter store.Investigative actions: Investigate the purpose of the encrypted parameter and assess the sensitivity of its contents. Check if the access aligns with known workflows or automation, or if it indicates abnormal activity.Variations
AWS SSM encrypted parameters retrieval
Informational overridden
An attempt was made to retrieve encrypted parameters stored in AWS SSM. overridden
Unusual AWS SSM parameters retrieval
Informational overridden
An attempt was made to retrieve parameters stored in AWS SSM. overridden
AWS STS temporary credentials were generated Informational Cloud
AWS STS temporary credentials were generated for an AWS identity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Trusted Relationship (T1199) Forge Web Credentials (T1606)Required data: AWS Audit LogAttacker's goals: Gain access and persistence to AWS account.Investigative actions: Check which operation executed with the new credentials.AWS Secrets Manager Access Informational Cloud 1 variation
An attempt was made to retrieve secrets from AWS Secrets Manager.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)Required data: AWS Audit LogAttacker's goals: Exfiltrate sensitive secrets stored in AWS Secrets Manager.Investigative actions: Investigate the secret's purpose and assess the sensitivity of its contents. Check if the access aligns with known workflows or automation, or if it indicates abnormal activity.Variations
Unusual AWS Secrets Manager Access
Informational overridden
An attempt was made to retrieve secrets from AWS Secrets Manager. overridden
AWS Secrets Manager discovery Informational Cloud 1 variation
An attempt was made to list secrets from AWS Secrets Manager.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006) Cloud Service Discovery (T1526)Required data: AWS Audit LogAttacker's goals: Exfiltrate sensitive secrets stored in AWS Secrets Manager.Investigative actions: Check if the secrets manager activity aligns with known workflows or automation, or if it indicates abnormal activity. Follow further actions done by the identity.Variations
Unusual AWS Secrets Manager discovery
Informational overridden
An attempt was made to list secrets from AWS Secrets Manager. overridden
AWS console login without MFA Informational Cloud
An identity logged in to the AWS console without MFA.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Credential Access (TA0006)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Multi-Factor Authentication Request Generation (T1621)Required data: AWS Audit LogAttacker's goals: Bypassing multifactor authentication controls to gain unauthorized access to the cloud environment.Investigative actions: Determine why MFA was not enforced and whether MFA was ever enabled. Track any subsequent activity performed by the identity after the login to identify potential misuse.Abnormal File Activity in SCCMContentLib Shared Folder by user Informational Identity Analytics 1 variation
A user generated suspicious file activity within the SCCMContentLib shared folder, which is considered a high-value target for attackers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002) Unsecured Credentials (T1552)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft SCCM AnalyticsAttacker's goals: Attackers aim to exploit misconfigurations in Microsoft Configuration Manager to access sensitive data, such as credentials and certificates, stored within the SCCMContentLib. This access can facilitate lateral movement and further compromise within the network.Investigative actions: Verify the activity with the performing user. Check if SCCM admin credentials were accessed or exfiltrated. Review SCCM logs to identify unauthorized queries or modifications. Investigate recent access to the extracted files and their contents. Check other security logs (e.g., Windows Event Logs, SIEM alerts) for suspicious behavior. Identify the originating system and assess if it has been compromised. Monitor for any further lateral movement or privilege escalation attempts.Variations
Suspicious File Activity in SCCMContentLib Shared Folder by user
Low overridden
A user generated suspicious file activity within the SCCMContentLib shared folder, which is considered a high-value target for attackers. overridden
Access to Kubernetes CA certificate file Informational 1 variation
A process accessed a Kubernetes CA certificate file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Make API calls against the Kubernetes cluster.Investigative actions: Look for additional suspicious activities. Verify if the exposed certificate was used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed certificate.Variations
Access to Kubernetes CA certificate file by an unusual process
Low overridden
A process accessed a Kubernetes CA certificate file for the first time. overridden
Access to Kubernetes configuration file Informational 3 variations
A process accessed a Kubernetes node configuration file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENTAttacker's goals: Gain access to the Kubernetes environment.Investigative actions: Look for additional suspicious activities. Verify if the exposed credentials were used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.Variations
Access to Kubernetes configuration file by an unusual process
Low overridden
A process accessed a Kubernetes node configuration file. overridden
Access to Kubernetes configuration file from an unusual Kubernetes pod
Low overridden
A process accessed a Kubernetes node configuration file. overridden
Access to Kubernetes configuration file from a Kubernetes pod
Informational overridden
A process accessed a Kubernetes node configuration file. overridden
Access to kubelet credentials file Informational 1 variation
A process accessed a kubelet credentials file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Impersonate the node agent to gain control over the cluster.Investigative actions: Look for additional suspicious activities. Verify if the exposed credentials were used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.Variations
Access to kubelet credentials file by an unusual process
Low overridden
A process accessed a kubelet credentials file for the first time. overridden
Account probing Low Identity Analytics
A user failed to log in to multiple hosts it never accessed before in a short amount of time.This may indicate the account is compromised and an attacker is probing for a host it can access with those credentials.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Valid Accounts (T1078) Brute Force (T1110)Required data: XDR AgentAttacker's goals: Gain access to hosts by using stolen user-account credentials.Investigative actions: Check if the user account was compromised, and which resources it could access.An Azure Key Vault key was modified Informational Cloud
An Azure Key Vault key was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)Required data: Azure Audit LogAttacker's goals: Gain access to sensitive data stored in the Azure Key Vault.Investigative actions: Check the Azure Key Vault configuration to identify what changes were made.An Azure Key Vault was modified Informational Cloud
Azure Key Vault has been modified or deleted by an Identity. This could be an indication of unauthorized access or malicious activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: Azure Audit LogAttacker's goals: Gain access to sensitive data stored in the Azure Key Vault.Investigative actions: Check the Azure Key Vault configuration to identify what changes were made.An identity accessed Azure Kubernetes Secrets Informational Cloud
An identity has accessed or attempted to access Azure Kubernetes secrets or Config Objects.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: Azure Audit LogAttacker's goals: Extract Kubernetes secrets to gain access to restricted resources in the cluster.Investigative actions: Verify whether the identity should be making this action. Check for any suspicious activity initiated by the identity.An identity successfully extracted multiple secrets within the organization Low Cloud 2 variations
An identity successfully dumped multiple secrets from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)Required data: AWS Audit LogAttacker's goals: Collect secrets from the cloud environment.Investigative actions: Check the accessed secrets' designation. Verify that the identity did not dump any sensitive information that it shouldn't.Variations
An identity successfully enumerated and extracted multiple secrets within the organization
Medium overridden
An identity successfully dumped multiple secrets from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden
An identity successfully extracted multiple secrets within the organization across multiple regions
Medium overridden
An identity successfully dumped multiple secrets from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden
An unusual process in ingress-nginx has accessed a service-account token file High Cloud
An unusual process in ingress-nginx has read a service-account token.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Exploit Public-Facing Application (T1190) Unsecured Credentials (T1552)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, ContainersAttacker's goals: An attacker is attempting to gain unauthorized access by leveraging valid credentials.Investigative actions: Check if the process is intended to preform these actions.Azure Key Vault Secrets were modified Informational Cloud
Azure key vault secrets were modified. A change or deletion of secrets in Azure Key Vault has been detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: Azure Audit LogAttacker's goals: Gain access to confidential data stored in the Azure Key Vault.Investigative actions: Investigate what Azure Key Vault Secrets were modified or deleted. Check for any suspicious activity initiated by the identity.Azure Key Vault modification Informational Cloud
Azure Key Vault modifications can be crucial as it stores secrets e.g. encryption keys, certifications, etc.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials (T1552)Required data: Azure Audit LogAttacker's goals: Exfiltrate information, persistence on existing users or damage critical accounts.Investigative actions: Check the identity actions before or after the Key Vault modification. Find which credentials were modified and their usage.Azure Storage Account key generated Informational Cloud
Azure storage access keys rotation, might affect services/applications depended on the key set.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal Application Access Token (T1528)Required data: Azure Audit LogDetector tags: Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Exfiltrate information or damage critical services.Investigative actions: Check what actions were made by the users a few hours prior/after to the generation operation. Which actions were taken using the newly generated access keys.Azure application consent Informational Identity Threat Module 1 variation
An identity consented permissions to an application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Phishing (T1566) Phishing: Spearphishing Link (T1566.002) Steal Application Access Token (T1528) Trusted Relationship (T1199)Required data: AzureAD Audit LogAttacker's goals: Get access to credentials, data or an organization via applications with sufficient permissions.Investigative actions: Follow further actions by the consenting user. Check for new resource creations by the new user. Check how the consenting user got to the application. Verify the application creators. Check what permissions the application requested. Check for possible phishing in the organization.Variations
First seen Azure admin consent to an application
Low overridden
An administrative identity consented permissions to an application. overridden
Brute-force attempt on a local account Informational Identity Analytics 1 variation
A local user account failed to log in multiple times in a short time period. This may indicate a brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 15 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the account.Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.Variations
Brute force on a local account
Low overridden
A local user account failed to log in multiple times in a short time period. This may indicate a brute-force attack. overridden
Cached credentials discovery with cmdkey Low 2 variations
Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: OS Credential Dumping (T1003) Account Discovery (T1087)Required data: XDR AgentAttacker's goals: Access cached user credentials.Investigative actions: Check the initiator process for additional suspicious activity. Check if the host is a shared host that multiple users' credentials can be extracted from.Variations
The process cmdkey runs with modified name and extract cached credentials
High overridden
Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list. overridden
Transfer cached credentials with cmdkey to other standard output
Medium overridden
Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list. overridden
Cloud IMDS access followed by remote token usage Medium Cloud
A request was made to the cloud Instance Metadata Service (IMDS) followed by a remote usage of EC2 role token.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Hour
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Exploit Public-Facing Application (T1190) Unsecured Credentials (T1552)Required data: AWS Audit Log XDR AgentAttacker's goals: Gain unauthorized access by leveraging valid cloud credentials.Investigative actions: Identify the process that accessed the IMDS on the cloud instance. Examine the AWS API calls made by the stolen token, focusing on unusual or sensitive actions. Assess the role's permissions and rotate credentials if compromise is confirmed.Copy a process memory file High 1 variation
Copy a process memory file using the dd utility.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping: Proc Filesystem (T1003.007)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Read another process memory, mainly for credential access.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Copy a process memory file from a Kubernetes pod
High overridden
Copy a process memory file using the dd utility. overridden
Copy a user's GnuPG directory with rsync Low
Copy a user's GnuPG (.gnupg) directory on to a staging folder using the 'find' and 'rsync' commands.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Private Keys (T1552.004)Required data: XDR AgentAttacker's goals: Adversaries may use the rsync tool to exfiltrate secrets.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Discovery of accounts with pre-authentication disabled via LDAP Low Identity Analytics 1 variation
A possible discovery of accounts without pre-authentication required via LDAP was performed. Such enumeration may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: Account Discovery (T1087) Steal or Forge Kerberos Tickets: AS-REP Roasting (T1558.004)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Server), LDAP Analytics (Client)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Correlate logs from the same host or user for related LDAP queries or other unusual activities. Audit accounts flagged as not requiring pre-authentication and verify compliance with security policies. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.Variations
Suspicious discovery of accounts without pre-authentication required via LDAP
Medium overridden
A possible discovery of accounts without pre-authentication required via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden
Email contains URL delivering high-risk file type Informational Email 1 variation
Emails with URLs linking to file types commonly blocked by email vendors due to their use in malware delivery.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: To bypass attachment-based blocking by delivering malware or exploiting payloads via URLs pointing to file types commonly blocked by email vendors.Investigative actions: Review the URLs and determine if they host executable or script-based content. Check threat intelligence sources for reputation or known associations with malware. Investigate whether any users clicked the URL or downloaded the file. Analyze the file content using sandbox or static analysis tools.Variations
External email with URL delivers blocked file types
Low overridden
Emails with URLs linking to file types commonly blocked by email vendors due to their use in malware delivery. overridden
Excessive user account lockouts Low Identity Analytics 2 variations
A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110) Brute Force: Password Spraying (T1110.003)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.Investigative actions: Investigate the associated authentication attempts and login failures (e.g. 4740, 4625, 4776 events). Determine if any programs have stored outdated credentials, causing account lockouts. Find the computer responsible for the lockouts and verify if it exists on the domain. Monitor services that may be running with a user's credentials.Variations
Excessive user account lockouts from a suspicious source
Medium overridden
A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack. overridden
Excessive account lockouts on suspicious users
Medium overridden
A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack. overridden
External Login Password Spray Informational Identity Analytics 6 variations
An abnormally high amount of user account login attempts were seen on a host within a short period of time.This may have resulted from a login password spray attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Spraying (T1110.003)Required data: XDR AgentAttacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.Investigative actions: Check the amount of time in between each login attempt. Investigate the reason behind the login failures and if any accounts were locked out. Look for any successful login attempts and the ratio of login success versus login failures.Variations
External Login Password Spray Involving a Honey User
Medium overridden
An abnormally high amount of user account login attempts were seen on a host within a short period of time.This may have resulted from a login password spray attack. overridden
External Login Password Spray from Multiple Source Hosts
Informational overridden
An abnormally high amount of user account login attempts were seen on a host within a short period of time.This may have resulted from a login password spray attack. overridden
Successful External Login Password Spray on a Domain Controller
Medium overridden
An abnormally high amount of user account login attempts were seen on a domain controller within a short period of time. overridden
Successful External Login Password Spray on a sensitive server
Medium overridden
An abnormally high amount of user account login attempts were seen on a sensitive server within a short period of time. overridden
Successful External Login Password Spray
Low overridden
An abnormally high amount of user account login attempts were seen on a host within a short period of time.This may have resulted from a login password spray attack. overridden
External Login Password Spray on a Domain Controller
Low overridden
An abnormally high amount of user account login attempts were seen on a domain controller within a short period of time. overridden
External email with a single internal recipient hidden in BCC Informational Email 1 variation
External email with mailbox owner hidden in BCC as the only internal recipient.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsAttacker's goals: BCC enables sending the same email to multiple hidden recipients without revealing them to each other.Investigative actions: Review the headers and content for patterns or anomalies. Assess the email's context and attack techniques to determine the potential risk. Investigate if similar patterns have occurred recently across the organization.Variations
External email with only a hidden internal BCC recipient
Informational overridden
External email with no visible recipients, mailbox owner is hidden in BCC. overridden
Extracting credentials from Unix files Low
Suspicious Unix files containing insecurely stored credentials were accessed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR AgentAttacker's goals: Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.Investigative actions: Investigate the process activities and use of the extracted credentials.FTP Connection Using an Anonymous Login or Default Credentials Low
An FTP connection using an anonymous login was detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110) Valid Accounts (T1078)Required data: Palo Alto Networks Firewall EAL LogsAttacker's goals: Attackers may seek access to FTP accounts and use them to exfiltrate data, stage attack tools, or create command and control channels through trusted services.Investigative actions: Examine the legitimacy of the application that produced this FTP. Examine the parent process of this application. Verify that the connection attempts were not performed from an illegitimate source.First VPN access attempt from a country in organization Informational Identity Analytics 1 variation
A user attempted to connect from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use an account that was possibly compromised to gain access to the network.Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the country is an approved country to connect from. Follow further actions done by the user.Variations
First successful VPN access from a country in organization
Low overridden
A user successfully connected from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised. overridden
First connection from a country in organization Informational Identity Analytics 1 variation
A user connected to an SSO service from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Gain user-account credentials.Investigative actions: Check if the user is currently located in the aforementioned country, or routed its traffic there via a VPN.Variations
First successful SSO connection from a country in organization
Informational overridden
A user successfully connected from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised. overridden
Google Workspace user authentication information changed Informational Identity Threat Module 2 variations
Google Workspace authentication information was changed for a user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Persistence (TA0003)ATT&CK techniques: Modify Authentication Process: Multi-Factor Authentication (T1556.006) Account Manipulation (T1098)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may manipulate user authentication information to obtain Persistence or Bypass Multi-Factor Authentication (MFA) controls.Investigative actions: Verify if the authentication information change was authorized. Follow further actions done by the user and IP address.Variations
Google Workspace administrative user authentication information changed
Low overridden
Google Workspace authentication information was changed for a user. overridden
Google Workspace user authentication information changed by another account
Low overridden
Google Workspace authentication information was changed for a user. overridden
Granting Access to an Account Informational Cloud
Azure access has been granted to an account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Valid Accounts (T1078) Unsecured Credentials (T1552) Modify Authentication Process (T1556) OS Credential Dumping (T1003) Brute Force (T1110) Forge Web Credentials (T1606)Required data: Azure Audit LogAttacker's goals: Gain unauthorized access to an account. Gain access to sensitive data.Investigative actions: Check the account access logs to determine the source of the access. Check the account activity logs to determine the purpose of the access.Hydra Password Brute-Force Tool Execution High 1 variation
Attackers may use brute-force techniques to gain access to accounts when usernames and/or passwords are unknown.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Guessing (T1110.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: The attacker attempts to gain access to the account or host.Investigative actions: Verify that the commands are executed from a trusted source. Audit the victim account or host and verify that they haven't been compromised.Variations
Hydra Password Brute-Force Tool Execution from a Kubernetes pod
High overridden
Attackers may use brute-force techniques to gain access to accounts when usernames and/or passwords are unknown. overridden
IP Rotation Pattern in SSO Spray Informational Identity Analytics 2 variations
A high volume of SSO authentication attempts was observed in a short time window.This behavior may indicate a password spray attack targeting multiple accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001) Compromise Accounts (T1586)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: An attacker may be attempting to compromise user accounts through unauthorized access attempts.Investigative actions: Determine if the activity was performed by a legitimate user. Check for any successful logins that occurred following a series of failed attempts. Investigate the AS organization and evaluate the ASN's reputation for malicious activity. Review historical login behavior from the same IP addresses or ASN. Validate whether MFA was triggered or bypassed during the authentication attempts.Variations
Potential Targeted SSO Password Spray Activity Detected
Medium overridden
A high volume of SSO authentication attempts was observed in a short time window.This behavior may indicate a password spray attack targeting multiple accounts. overridden
Suspicious SSO Login Attempts from Multiple IPs
Low overridden
A high volume of SSO authentication attempts was observed in a short time window.This behavior may indicate a password spray attack targeting multiple accounts. overridden
Impossible traveler - SSO Low Identity Analytics 3 variations
User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 6 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Gain user-account credentials.Investigative actions: Check if the user routed their traffic via a VPN, or shared their credentials with a remote employee.Variations
Impossible traveler - non-interactive SSO authentication
Informational overridden
User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised. overridden
Possible Impossible traveler via SSO
Informational overridden
User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised. overridden
SSO impossible traveler from a VPN or proxy
Informational overridden
User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised. overridden
Impossible traveler - VPN Low Identity Analytics 3 variations
A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 7 Days
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Gain user-account credentials.Investigative actions: Check if the user routed their traffic via a proxy, or shared their credentials with a remote employee.Variations
Possible Impossible traveler via VPN
Informational overridden
A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised. overridden
VPN impossible traveler from a VPN or proxy
Informational overridden
A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised. overridden
VPN impossible traveler with an unusual parameter
Medium overridden
A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised. overridden
Intense SSO failures Informational Identity Analytics 1 variation
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This could be the outcome of a brute-force login attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078) Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: An attacker is attempting to gain access to an account secured with MFA.Investigative actions: Check the legitimacy of this activity and determine whether it is malicious or not. Check whether a successful login was made after unsuccessful attempts.Variations
Intense SSO failures with suspicious characteristics
Low overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This could be the outcome of a brute-force login attempt. overridden
Interactive local account enumeration Low Identity Analytics
Multiple non-existing accounts attempted interactive local logins to a host within a short period.This may indicate that an attacker has physical access to the host and is trying to enumerate accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: Account Discovery (T1087) Brute Force (T1110)Required data: XDR AgentAttacker's goals: Discover valid accounts to gain credentials.Investigative actions: Check if the login attempts were part of a legitimate misunderstanding of the system or part of an attack.Internal Login Password Spray Informational Identity Analytics 5 variations
An abnormally high amount of user account login attempts were seen from a host within a short period of time.This may have resulted from a login password spray attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Spraying (T1110.003)Required data: XDR AgentAttacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.Investigative actions: Check the amount of time in between each authentication attempt. Investigate the reason behind the login failures and if any accounts were locked out. Look for any successful authentication attempts and the ratio of login success versus login failures. Monitor for potential abuse of MFA on users who have successfully logged in.Variations
Suspicious intensive and short internal Login Password Spray
Medium overridden
An abnormally high number of login attempts within a very short period of time and suspicious automated behavior. overridden
High-Volume Internal Password Spray Attack
Medium overridden
Over 500 user accounts failed to login within a short period of time. overridden
Internal Login Password Spray with many wrong password attempts
Low overridden
An abnormally high amount of user account login attempts with wrong password were seen with a wrong password within a short period of time. overridden
Internal Login Password Spray attempt on local user
Low overridden
An abnormally high number of login attempts with the same username to different domains or local machines within a short period of time. overridden
Internal Login Password Spray on many users
Low overridden
An abnormally high amount of user account login attempts were seen from a host within a short period of time.This may have resulted from a login password spray attack. overridden
Invalid SAML Detected Informational Identity Threat Module 1 variation
A user attempted to sign in using an invalid SAML. This might indicate a Golden SAML attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Forge Web Credentials: SAML Tokens (T1606.002)Required data: AzureAD OktaDetector tags: Active Directory Federation Services AnalyticsAttacker's goals: An attacker might forge a valid SAML token to impersonate other user accounts. This is used to gain persistent, unauthorized access to cloud resources, and bypassing MFA.Investigative actions: Check for recent changes to the SAML signing certificate on both the Identity Provider and the Service Provider to rule out a configuration drift or expiration issue. Check for other correlated alerts on on-premises systems that may be related to the Golden SAML attack. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).Variations
Suspicious Invalid SAML Detected
Low overridden
A user attempted to sign in using an invalid SAML. This might indicate a Golden SAML attack. overridden
Kerberos Pre-Auth Failures by Host Low
The endpoint failed an unusual number of Kerberos pre-authentications (TGT requests) from at least three users when compared to its baseline.This can indicate a password-spraying attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Hour
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: The attacker is attempting to gain an initial foothold in the domain using a list of valid users and a guessed password.Investigative actions: Verify whether the host that generated the alert is normally used by many users (for example, a terminal server). Verify any later authentication success for the user accounts referenced by the alert, as these can indicate the attacker managed to guess the credentials.Kerberos Pre-Auth Failures by User and Host Informational
The user account on this host failed Kerberos pre-authentications (TGT requests) an unusual number of times.This can indicate a Kerberos brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: The attacker is attempting to guess the credentials for the user account.Investigative actions: Verify that the password for the account has not been changed recently, without updating the user or the program using it. Verify any later authentication success for the user accounts referenced by the alert, as these can indicate the attacker managed to guess the credentials.Key credential attribute modification Informational Identity Analytics 2 variations
A user modified the msDS-KeyCredentialLink attribute for an account, which may indicate a shadow credentials attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Modify Authentication Process (T1556)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker may be attempting to add shadow credentials to an account, gaining persistent unauthorized access.Investigative actions: Follow further PKINIT authentication activity by the modified identity. Verify if Windows Hello for Business is enabled, as this is a common benign cause for this activity. Check if the modified credential maps to an existing device ID in Entra ID. Examine recent activity from the user account, including logon patterns and privilege changes.Variations
Possible shadow credentials addition
Medium overridden
A user modified the msDS-KeyCredentialLink attribute for an account, which may indicate a shadow credentials attack. overridden
Key credential attribute addition
Low overridden
A user modified the msDS-KeyCredentialLink attribute for an account, which may indicate a shadow credentials attack. overridden
Keylogging using system commands Low 1 variation
Usage of a Linux system utility to capture input.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)ATT&CK techniques: Input Capture: Keylogging (T1056.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may capture keystrokes to intercept user credentials.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Keylogging using system commands in a Kubernetes pod
Low overridden
Usage of a Linux system utility to capture input. overridden
Kubernetes admission controller activity Informational Cloud 4 variations
A Kubernetes admission controller has been created or modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Credential Access (TA0006)ATT&CK techniques: Valid Accounts (T1078) Unsecured Credentials: Container API (T1552.007)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Intercept the requests to the Kubernetes API sever, records secrets, and other sensitive information. Modify requests to the Kubernetes API sever.Investigative actions: Verify whether the identity should use Kubernetes admission controllers. Examine the role of the Kubernetes admission controller and its intended function. Investigate other operations that were performed by the identity within the cluster.Variations
Kubernetes validating admission controller was used in the organization for the first time
Low overridden
A validating Kubernetes admission controller has been created or modified. overridden
Kubernetes mutating admission controller was used in the organization for the first time
Medium overridden
A mutating Kubernetes admission controller has been created or modified. overridden
Kubernetes validating admission controller was used in the cluster for the first time
Low overridden
A validating Kubernetes admission controller has been created or modified. overridden
Kubernetes mutating admission controller was used in the cluster for the first time
Medium overridden
A mutating Kubernetes admission controller has been created or modified. overridden
Kubernetes secret enumeration activity Informational 5 variations
Kubectl secret enumeration command was executed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Container API (T1552.007)Required data: XDR AgentDetector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Attackers may gather sensitive information within a container environment.Investigative actions: Check whether the executing process is performed by authorized identity and if this was a desired behavior as part of its normal execution flow.Variations
Kubernetes secret describe activity from a Kubernetes Pod
Medium overridden
Kubectl secret enumeration command was executed. overridden
Kubernetes secret value extraction activity from a Kubernetes pod
Medium overridden
Kubectl secret enumeration command was executed. overridden
Kubernetes secret enumeration activity from a Kubernetes Pod
Medium overridden
Kubectl secret enumeration command was executed. overridden
Kubernetes secret enumeration activity from a host
Low overridden
Kubectl secret enumeration command was executed. overridden
Kubernetes secret value extraction activity
Informational overridden
Kubectl secret enumeration command was executed. overridden
LDAP AD CS Enumeration via Attack Tool Low Identity Analytics 1 variation
A user sent a suspicious AD CS enumeration query via LDAP. The query is associated with an AD CS LDAP enumeration tool that may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: Account Discovery (T1087) Steal or Forge Authentication Certificates (T1649)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client), LDAP Analytics (Server), Active Directory Certificate Services AnalyticsAttacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.Variations
Abnormal LDAP AD CS Enumeration via Attack Tool
Medium overridden
A user sent a suspicious AD CS enumeration query via LDAP. The query is associated with an AD CS LDAP enumeration tool that may be used during attacks against the organization. overridden
LSASS dump file written to disk Medium
Dumping Lsass.exe (Local Security Authority Subsystem Service) memory to file allows attackers to later extract credentials from the memory dump.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers may try to extract OS credentials from the dumped Lsass.exe file.Investigative actions: Check the dumping process for more suspicious activity.Large volume of files potentially containing credentials accessed in Google Drive Informational Identity Threat Module 1 variation
A user accessed a large volume of files potentially containing credentials in Google Drive.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Credential Access (TA0006)ATT&CK techniques: Data from Cloud Storage (T1530) Unsecured Credentials (T1552)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: An attacker may attempt to gain unauthorized access by leveraging valid credentials found in Google Drive.Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Verify if the user account that accessed the files is authorized to access them. Review the files accessed and whether it was part of a breach or a legitimate activity. Monitor the account for any further suspicious actions.Variations
Possible credential files harvesting in Google Drive
Low overridden
A user accessed a large volume of files potentially containing credentials in Google Drive. overridden
MFA Disabled for Google Workspace Low Identity Threat Module 1 variation
An administrator has disabled Multi-Factor Authentication for Google Workspace users.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Modify Authentication Process (T1556) Modify Authentication Process: Multi-Factor Authentication (T1556.006)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Gain access to Google Workspace accounts with disabled MFA. Exploit Google Workspace accounts with weaker security. Steal sensitive data from Google Workspace accounts.Investigative actions: Check the MFA settings for the Google Workspace users. Identify the users who have MFA disabled and investigate the reason for it. Check the security log to see if there have been any suspicious activities in the account.Variations
MFA Disabled for Google Workspace from an unusual caller IP ASN
Low overridden
An administrator has disabled Multi-Factor Authentication for Google Workspace users. overridden
MFA was disabled for an Azure identity Low Identity Threat Module 2 variations
MFA was disabled for the user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Modify Authentication Process (T1556)Required data: AzureAD Audit LogAttacker's goals: This allows the attacker to connect using this account without the need for the additional layer of authentication.Investigative actions: Follow further actions by the initiator. Check the login activity from this account. Follow further actions done by this account.Variations
Suspicious MFA was disabled for an Azure identity
Medium overridden
MFA was disabled for the user. overridden
MFA was disabled for an Azure identity regularly by the user
Informational overridden
MFA was disabled for the user. overridden
Machine Account NTLM Relay Low
An NTLM NTProofStr was seen from more than one source. This indicates that machine account NTLM authentication data has been relayed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.Investigative actions: Check that the alerted host is not a NAT or a proxy that duplicates traffic as part of its normal behavior. Check if the protocols used are vulnerable to an NTLM relay attack (e.g. LDAP, SMB). Ensure that SMB signing is enabled in the case of a possible SMB relay attack.Memory dumping with comsvcs.dll High
A process memory dump was performed using comsvcs.dll MiniDump. This method is commonly used by attackers to dump Lsass.exe (Local Security Authority Subsystem Service) process memory to a file, so they could later extract credentials from the memory dump.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003) OS Credential Dumping: LSASS Memory (T1003.001)Required data: XDR AgentAttacker's goals: Attackers may attempt to dump the memory of sensitive processes.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Microsoft Configuration Manager device registration and policy request Informational Identity Analytics 1 variation
A user registered a device and requested a Microsoft Configuration Manager policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002) Unsecured Credentials (T1552)Required data: XDR AgentDetector tags: Microsoft SCCM AnalyticsAttacker's goals: An attacker aims to extract plaintext credentials of the Network Access Account (NAA) from an SCCM environment, enabling unauthorized access to resources and lateral movement within the network.Investigative actions: Verify the activity with the performing user. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Look for unusual logins using the Network Access Account (NAA), on systems or at times that deviate from normal patterns. Looking for signs of credential extraction, such as tools or scripts.Variations
Suspicious Microsoft Configuration Manager device registration and policy request
Low overridden
A suspicious process registered a new device and requested policies from Microsoft Configuration Manager, triggering a suspicious activity alert due to unusual characteristics. overridden
Mimikatz command-line arguments High
These command-line arguments are often used by Mimikatz to dump and harvest credentials.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003)Required data: XDR AgentAttacker's goals: An attacker is attempting to use Mimikatz, a known credential theft tool, to dump and harvest credentials.Investigative actions: Investigate the executed process to verify if it is malicious. Investigate the command line purpose.Modification of NTLM restrictions in the Registry Low
Allowing the transmission of NTLM could be part of an NTLM downgrade or an Internal Monologue attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Downgrading to a lower NTLM version gives the attacker an easy way to retrieve NTLM hashes from a Windows machine.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Modification of PAM Informational 1 variation
Modification of PAM configuration files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005) Credential Access (TA0006)ATT&CK techniques: Modify Authentication Process: Pluggable Authentication Modules (T1556.003)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Credential access, defense evasion or persistence.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Modification of PAM from a Kubernetes pod
Informational overridden
Modification of PAM configuration files. overridden
Moniker link detected in URL(s) Informational Email 2 variations
A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: Trick the user on clicking the link, while avoiding detection.Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
A suspicious Moniker link, SMB and suspicious extension detected
Medium overridden
A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme. overridden
A suspicious Moniker link pointing to SMB detected
Low overridden
A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme. overridden
Multiple Okta MFA requests sent to a user Informational Identity Analytics 1 variation
Multiple SSO MFA attempts were sent to the user. This may indicate an MFA fatigue attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Multi-Factor Authentication Request Generation (T1621)Required data: OktaAttacker's goals: An attacker is attempting to gain access to an account secured with MFA.Investigative actions: Verify the reasoning behind the MFA request rejections. Follow further actions performed by the user.Variations
Multiple Okta MFA requests sent to a user with unusual characteristics
Low overridden
Multiple SSO MFA attempts were sent to the user. This may indicate an MFA fatigue attack. overridden
Multiple Suspicious FTP Login Attempts Low
Multiple suspicious FTP sessions were detected, which may indicate a brute-force attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110) Valid Accounts (T1078)Required data: Palo Alto Networks Firewall EAL LogsAttacker's goals: Attackers may seek access to FTP accounts and use them to exfiltrate data, stage attack tools, or create command and control channels through trusted services.Investigative actions: Examine the legitimacy of the application that produced this uncommon FTP connection. Examine the parent process of this application. Verify that the connection attempts were not performed from an illegitimate source.Multiple TGT requests for users without Kerberos pre-authentication Informational Identity Analytics 2 variations
Multiple TGT requests for users that do not require Kerberos pre-authentication were observed. This is typically a sign of an AS-REP attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Kerberos Tickets: AS-REP Roasting (T1558.004)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak Kerberos encryption.Variations
An excessive number of TGT requests were sent for users that do not require Kerberos pre-authentication
Low overridden
Multiple TGT requests for users that do not require Kerberos pre-authentication were observed. This is typically a sign of an AS-REP attack. overridden
A TGT request was sent for a user who does not require Kerberos pre-authentication
Informational overridden
A TGT request was sent for a user who does not require Kerberos pre-authentication. This might indicate an AS-REP attack. overridden
Multiple Weakly-Encrypted Kerberos Tickets Received Low
A user accessed a number of services associated with user accounts in the 10 minutes leading to the alert, generating a number of weakly encrypted Kerberos TGS (ticket granting service) tickets that is significantly larger than the number of weakly encrypted TGS tickets received by that user in the 30 days leading to the alert.Services associated with user accounts are a common target for Kerberoasting due to default weak encryption.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Hour
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: Crack account credentials by obtaining easy-to-crack Kerberos tickets.Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool accessing those services.Multiple uncommon SSH Servers with the same Server host key Low
Multiple uncommon SSH servers were observed using the same host key.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Adversary-in-the-Middle (T1557)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Attackers may attempt to move laterally within the network by exploiting and relaying stolen client credentials to another SSH server.Investigative actions: Audit the authentication attempts to the SSH server using the same key. Look for unusual or repeated connections from the same or unexpected hosts. Audit Client Credentials, check for any signs of compromised client credentials being used on different SSH servers.Multiple user accounts failed login due to account lockouts Low Identity Analytics 1 variation
A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110) Brute Force: Password Spraying (T1110.003)Required data: XDR AgentAttacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.Investigative actions: Investigate the associated authentication attempts and login failures (e.g. 4740, 4625, 4776 events). Check if any programs were cached with old credentials, resulting in account lockouts. Find the computer responsible for the lockouts and verify if it exists on the domain. Monitor services that may be running with a user's credentials.Variations
Excessive user account login failure due to lockout from a suspicious source
Medium overridden
A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack. overridden
NTDS.dit file written by an uncommon executable Low 3 variations
The Active Directory database file was written by an uncommon process to a non-default location.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003) OS Credential Dumping: NTDS (T1003.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Dump the sensitive contents of the database to masquerade as legitimate domain users.Investigative actions: Investigate the nature of the process writing the sensitive file. Is it a standard backup procedure? Check the path the file was written to. Is it local? Are there other relevant artifacts in this location?Variations
NTDS.dit file written by a remote actor
High overridden
The Active Directory database file was written to the disk by a remote actor. overridden
NTDS.dit file written by a rare executable to a suspicious path
High overridden
The Active Directory database file was written by a rare process to a suspicious path. overridden
NTDS.dit file written by a rare executable
Medium overridden
The Active Directory database file was written by a rare process to a non-default location. overridden
NTLM Brute Force Informational Identity Analytics 2 variations
This may indicate an NTLM brute force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the accounts.Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.Variations
NTLM brute force on a sensitive user
Medium overridden
This may indicate an NTLM brute force attack. overridden
High-frequency NTLM brute force attempts detected
Low overridden
This may indicate an NTLM brute force attack. overridden
NTLM Brute Force on a Service Account Low Identity Analytics
This may indicate a NTLM brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the service accounts.Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.NTLM Brute Force on an Administrator Account Low Identity Analytics
This may indicate an NTLM brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the administrator accounts.Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.NTLM Hash Harvesting Medium Identity Analytics
An unusual number of users has sent NTLM to a target in the last hour. This may be indicative of poisoning and NTLM hash harvesting.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: The attacker may attempt to extract NTLM hashes for credential access.Investigative actions: Check that the destination is not a server. Verify that the destination is not external to the organization.NTLM Password Spray Informational Identity Analytics 1 variation
A single host tried to perform an unusual amount of login attempts using NTLM in a short period of time. This may be indicative of a NTLM password spray attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Spraying (T1110.003)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: The attacker may attempt to guess user credential by password spray attack over multiple machines.Investigative actions: Verify any successful authentication made by one of the user accounts referenced by the alert, as these may indicate the attacker managed to guess the credentials.Variations
NTLM password spray on a sensitive entity
Low overridden
A single host tried to perform an unusual amount of login attempts using NTLM in a short period of time on a sensitive entity. This may be indicative of a NTLM password spray attack. overridden
NTLM Relay Informational
An NTLM NTProofStr was seen from more than one source. This indicates that NTLM authentication data has been relayed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.Investigative actions: Check that the alerted host is not a NAT or a proxy that duplicates traffic as part of its normal behavior. Check if the protocols used are vulnerable to an NTLM relay attack (e.g. LDAP, SMB). Ensure that SMB signing is enabled in the case of a possible SMB relay attack.Network sniffing detected in Cloud environment Informational Cloud 2 variations
A network sniffing tool was used in a cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: Network Sniffing (T1040)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network.Investigative actions: Check the targeted resources and the sniffing policy. Check The cloud identity activity prior/after the network sniffing.Variations
Unusual Network sniffing detected in Cloud environment
Low overridden
A network sniffing tool was used in a cloud environment. overridden
Successful Network sniffing detected in Cloud environment
Informational overridden
A network sniffing tool was used in a cloud environment. overridden
Outbound email contains file-sharing service link sent to external recipient Informational Email 2 variations
Identifies outbound emails that include links to file-sharing services sent externally.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsDetector tags: ExfiltrationAttacker's goals: Exfiltrate data by sharing a link to a file-sharing service with external recipients, bypassing attachment inspection and potentially evading visibility controls.Investigative actions: Review the shared URL to determine if the file is publicly accessible or shared outside the organization. Check if the file-sharing domain has been previously used by this sender or others in the organization. Investigate recent outbound emails for similar use of file-sharing services or unusual external recipients.Variations
Outbound email to external recipient(s) uses first-seen for organization file-sharing service
Informational overridden
Identifies outbound emails that include links to file-sharing services sent externally. overridden
Outbound email to external recipient(s) uses first-seen for sender file-sharing service
Informational overridden
Identifies outbound emails that include links to file-sharing services sent externally. overridden
Outbound email includes an external BCC recipient observed for the first time Informational Email 1 variation
Internal sender BCC'd an external recipient whose address has not been observed in prior communications.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsDetector tags: ExfiltrationAttacker's goals: Use BCC to covertly exfiltrate data to an unusual external recipient without visibility to other recipients or monitoring systems.Investigative actions: Review headers and content for anomalies or potential exposure of sensitive data. Assess the email's context and attack techniques to determine the potential risk. Investigate if similar patterns have occurred recently across the organization.Variations
Outbound email sent to an unknown external BCC recipient with no To or CC addresses
Low overridden
Internal sender BCC'd an external recipient whose address has not been observed in prior communications. overridden
Outbound email to an address hosted by a public email service provider Informational Email 1 variation
Internal sender emailed to an address hosted by a public email service provider.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsDetector tags: Exfiltration, Account TakeoverAttacker's goals: Extracting valuable information outside the company.Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.Variations
Outbound email to a single address hosted by a public email service provider
Informational overridden
Internal sender emailed to a single recipient with public email service provider. overridden