Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

207 alerts match the current filters. tactic: TA0003 ✕

Show ATT&CK heatmap
  • IAM policy was attached to role Informational Cloud 1 variation

    An AWS IAM policy was attached to this role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.
    Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.

    Variations

    Administrative IAM policy was attached to role

    Informational overridden

    An AWS IAM policy was attached to this role. overridden

  • IAM role trust policy modification Informational Cloud

    A cloud identity updated the trust policy of an AWS IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM role was created Informational Cloud

    An IAM role was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity or role.
  • Identity assigned an Azure AD Administrator Role Informational Identity Threat Module 2 variations

    An identity was assigned an Azure AD Administrator role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker may add additional roles or permissions to an attacker controlled cloud account to maintain persistent access to a tenant.
    Investigative actions: Check if the added account is new to the organization. Check whether the account that added the account to the role is permitted to perform such actions. Check what can be affected by the assigned role Follow further actions done by the account that was added to the role.

    Variations

    Identity assigned an Azure AD Administrator Role by an Application

    Medium overridden

    An identity was assigned an Azure AD Administrator role by an application. overridden

    Suspicious Azure AD Administrator Role assignment

    Low overridden

    An identity was assigned an Azure AD Administrator role. overridden

  • Image file execution options (IFEO) registry key set Low 3 variations

    Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Event Triggered Execution: Image File Execution Options Injection (T1546.012)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options debuggers.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Look at the debugged process and what it is executing to determine if it is malicious.

    Variations

    Image file execution options (IFEO) registry key set to execute a shell or scripting engine process

    High overridden

    Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. overridden

    Image file execution options (IFEO) registry key set to activate Windows licenses illegally

    Medium overridden

    Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. This is also used by tools that were made to activate Windows licenses illegally. overridden

    Image file execution options (IFEO) registry key set using reg.exe

    High overridden

    Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. overridden

  • Installation of a new System-V service Low 1 variation

    Installation of a new System-V service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Create or Modify System Process: Systemd Service (T1543.002)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may create systemd services to run malicious payloads.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Installation of a new System-V service in a Kubernetes pod

    Low overridden

    Installation of a new System-V service. overridden

  • Known service display name with uncommon image-path Low 3 variations

    Service created with a known display name but has an uncommon image-path.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Execution (TA0002)
    ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Malicious Service Analytics
    Attacker's goals: Run malicious code with seemingly trustworthy services.
    Investigative actions: Investigate the image path of the newly created service. Investigate the causality actor process that initiated the activity.

    Variations

    Known service display name with uncommon image-path created by an untrusted CGO

    Medium overridden

    Service created with a known display name but has an uncommon image-path. overridden

    Known Palo Alto service display name with uncommon image-path

    Medium overridden

    Service created with a known display name but has an uncommon image-path. overridden

    Known service display name with uncommon image-path in a suspicious folder

    Medium overridden

    Service created with a known display name but has an uncommon image-path. overridden

  • Known service name with an uncommon image-path Low 2 variations

    A Service with a known service name has an uncommon image-path.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Execution (TA0002)
    ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Malicious Service Analytics
    Attacker's goals: Run malicious code within seemingly trustworthy services.
    Investigative actions: Investigate the image-path of the newly created service. Investigate the causality actor process that initiated the activity.

    Variations

    Known Palo Alto service name with an uncommon image-path

    Medium overridden

    A Service with a known service name has an uncommon image-path. overridden

    Known service name with an uncommon image-path in a suspicious folder

    Medium overridden

    A Service with a known service name has an uncommon image-path. overridden

  • Kubernetes admission controller activity Informational Cloud 4 variations

    A Kubernetes admission controller has been created or modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts (T1078) Unsecured Credentials: Container API (T1552.007)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Intercept the requests to the Kubernetes API sever, records secrets, and other sensitive information. Modify requests to the Kubernetes API sever.
    Investigative actions: Verify whether the identity should use Kubernetes admission controllers. Examine the role of the Kubernetes admission controller and its intended function. Investigate other operations that were performed by the identity within the cluster.

    Variations

    Kubernetes validating admission controller was used in the organization for the first time

    Low overridden

    A validating Kubernetes admission controller has been created or modified. overridden

    Kubernetes mutating admission controller was used in the organization for the first time

    Medium overridden

    A mutating Kubernetes admission controller has been created or modified. overridden

    Kubernetes validating admission controller was used in the cluster for the first time

    Low overridden

    A validating Kubernetes admission controller has been created or modified. overridden

    Kubernetes mutating admission controller was used in the cluster for the first time

    Medium overridden

    A mutating Kubernetes admission controller has been created or modified. overridden

  • Linux local user account creation Informational Identity Analytics 1 variation

    A user executed a process associated with user account creation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078) Valid Accounts: Local Accounts (T1078.003)
    Required data: XDR Agent
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Check the user who created the account and verify its activity. Investigate whether the same account was created on different hosts as part of an installation process.

    Variations

    Linux local user account creation by non-root user

    Low overridden

    A non-root user executed a process associated with user account creation. This user does not regularly create accounts. overridden

  • Local user account creation Informational Identity Analytics 1 variation

    A user was observed creating a rare local user account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Local Accounts (T1078.003)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Check the user who created the account and verify its activity. Investigate whether the same account was created on different hosts as part of an installation process.

    Variations

    Suspicious local user account creation

    Low overridden

    A user was observed creating a rare local user account. This user has not been seen creating user accounts in the past 30 days. overridden

  • Local user account creation by a machine account Informational Identity Analytics

    A machine account was observed creating a rare local user account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Local Accounts (T1078.003)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Check the machine that created the user account and verify its activity. Check if the machine account is supposed to create user accounts. Investigate whether the same account was created on different hosts as part of an installation process.
  • MFA was disabled for an Azure identity Low Identity Threat Module 2 variations

    MFA was disabled for the user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Modify Authentication Process (T1556)
    Required data: AzureAD Audit Log
    Attacker's goals: This allows the attacker to connect using this account without the need for the additional layer of authentication.
    Investigative actions: Follow further actions by the initiator. Check the login activity from this account. Follow further actions done by this account.

    Variations

    Suspicious MFA was disabled for an Azure identity

    Medium overridden

    MFA was disabled for the user. overridden

    MFA was disabled for an Azure identity regularly by the user

    Informational overridden

    MFA was disabled for the user. overridden

  • Manipulation of netsh helper DLLs Registry keys Medium

    Registering netsh helper DLLs is uncommon, and could be used by malware for persistence.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Event Triggered Execution: Netsh Helper DLL (T1546.007)
    Required data: XDR Agent
    Attacker's goals: Command execution and persistence on the host.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Masquerading as a default local account Low Identity Analytics 3 variations

    A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Hide Artifacts: Hidden Users (T1564.002) Valid Accounts: Default Accounts (T1078.001) Masquerading (T1036)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Check what rights and permissions were granted to the new user. Verify the action with the user who created the new account. Follow actions and activities of the newly created default account. Monitor the addition of the user to different groups.

    Variations

    Masquerading as a default local account for the first time

    Medium overridden

    A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection. overridden

    Potential masquerading as a power user account

    Low overridden

    A user created a new local account with the name of a privileged local account.This user does not regularly create accounts.An attacker may create a user with these known names to evade detection. overridden

    Masquerading as a default Administrator account

    Informational overridden

    A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection. overridden

  • Member added to a Windows local security group Informational Identity Analytics 2 variations

    A member was added to a Windows local security group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Privilege escalation using a valid account.
    Investigative actions: Check the user who added the account to the group and verify its activity.

    Variations

    User added to the Windows local Administrator group

    Low overridden

    A member was added to a Windows local security group. overridden

    Member added to the Windows local Administrator group

    Informational overridden

    A member was added to a Windows local security group. overridden

  • Microsoft Office adds a value to autostart Registry key Low

    Microsoft Office adds a value to a registry entry (run keys, startup folders) to establish persistence.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain persistence on the host using the Window's autostart Mechanism.
    Investigative actions: Check the registry key and determine what process it'll run. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Microsoft Teams application setup policy was modified Informational Identity Threat Module 1 variation

    Microsoft Teams the application setup policy, which is responsible for application management, was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Impair Defenses (T1562) Cloud Application Integration (T1671)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may modify the application setup policy to maintain persistent access to compromised Teams accounts and conversations.
    Investigative actions: Determine if it is within the user's role to modify the policy. Verify whether the modification of the policy is both legitimate and necessary. If the policy change causes an application installed for the whole organization, confirm that the application was created by a certified and trusted entity. Correlate the event with its sign-in event to get additional information on the identity performing the action using the session ID or the unique token identifier.

    Variations

    A user changed the Microsoft Teams application setup policy for the first time

    Low overridden

    Microsoft Teams the application setup policy, which is responsible for application management, was modified. overridden

  • Modification of PAM Informational 1 variation

    Modification of PAM configuration files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005) Credential Access (TA0006)
    ATT&CK techniques: Modify Authentication Process: Pluggable Authentication Modules (T1556.003)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Credential access, defense evasion or persistence.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Modification of PAM from a Kubernetes pod

    Informational overridden

    Modification of PAM configuration files. overridden

  • Modification of the AD FS IdentityServer configuration file Informational Identity Analytics 1 variation

    The AD FS service configuration file was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow (T1574)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Federation Services Analytics
    Attacker's goals: The attacker's goal is to establish a persistent, high-privilege backdoor by forcing the service to load a malicious configuration that enables remote code execution and the bypass of security controls like MFA.
    Investigative actions: Check if the AD FS service was stopped or restarted around the time of modification. Investigate the process and user that performed the write operation for signs of compromise.

    Variations

    Suspicious Modification of the AD FS IdentityServer configuration file

    Low overridden

    The AD FS service configuration file was modified. overridden

  • Modification or Deletion of an Azure Application Gateway Detected Informational Cloud

    Modification or Deletion of an Azure Application Gateway Detected. A change has been detected in an Azure Application Gateway. This may indicate unauthorized access or malicious activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: External Remote Services (T1133)
    Required data: Azure Audit Log
    Attacker's goals: Gain access to the resources behind the Azure Application Gateway.
    Investigative actions: Check the Azure Application Gateway to identify the changes made. Verify whether the identity should be making this action.
  • Multiple suspicious user accounts were created Low Identity Analytics

    A user was observed creating multiple rare user accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Create Account (T1136)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Check the user who created the accounts and verify the activity.
  • Multiple user accounts were deleted Informational Identity Analytics 1 variation

    A user deleted multiple user accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Impact (TA0040)
    ATT&CK techniques: Valid Accounts (T1078) Account Access Removal (T1531)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Check the user who deleted the accounts and verify the activity. Look into the recent activity of the deleted accounts and whether they were temporary or dormant.

    Variations

    A user deleted multiple users for the first time

    Low overridden

    A user deleted multiple user accounts. overridden

  • New Teams application published to the organization catalog Informational Identity Threat Module 1 variation

    A new Teams application was published to the organization catalog.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage Teams applications to maintain persistent access to compromised Teams accounts.
    Investigative actions: Confirm that the application was created by a certified and trusted entity. Evaluate the permissions requested by the application to determine if they are excessive or unusual. Determine if it is within the user's role to publish this type of application. Correlate the alert with the sign-in event to get additional information on the identity performing the action. Follow further actions done by the account.

    Variations

    A Microsoft Teams application was published to the organization catalog by an unusual user

    Low overridden

    A new Teams application was published to the organization catalog. overridden

  • New cloud identity created with administrative policy Low Cloud 1 variation

    New cloud identity was created and assigned administrative policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Create Account: Cloud Account (T1136.003) Create Account (T1136) Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Escalate privileges in cloud environments.
    Investigative actions: Confirm whether this activity was intentional. Check for other API calls that were executed by the identity. Look for any suspicious behavior from the IAM user/role to whom the administrative policy was attached.

    Variations

    Administrative IAM User Created with Credentials

    Low overridden

    New cloud identity was created and assigned administrative policy. overridden

  • Office process accessed an unusual .LNK file Low

    An attacker may embed a .LNK file in an Office document to execute malicious code.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: User Execution (T1204) Boot or Logon Autostart Execution: Shortcut Modification (T1547.009)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Modify or create a shortcut to gain code or program execution.
    Investigative actions: Check if the Office document contains a shortcut object. Check the content (strings) of the document object for a .LNK shortcut. Check the content of the shortcut.
  • Okta API Token Created Informational Identity Threat Module 1 variation

    A user created a new API token in Okta.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Access Token Manipulation: Make and Impersonate Token (T1134.003) Command and Scripting Interpreter: Cloud API (T1059.009) Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker's goal is to gain unauthorized access, compromise user accounts, and perform malicious actions within an organization's systems, potentially leading to data breaches, account takeovers, and the escalation of privileges.
    Investigative actions: Review the actions taken by the user that created the token. Follow the operations made using this API token by the ID token. Contact the user who created the API token and ensure that the API token is needed.

    Variations

    An Okta API token was generated with suspicious characteristics

    Low overridden

    A user created a new API token in Okta with suspicious conditions. overridden

  • Okta device assignment Informational Identity Threat Module 1 variation

    A device was assigned as an Okta MFA device to a user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    6 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: For purposes of maintaining persistence, an attacker could potentially register his device with various accounts that have been compromised.
    Investigative actions: Confirm that the device assignments were intentionally made by the users and are legitimate. Examine the IP address and assess its reputation. Continue monitoring the accounts for any subsequent actions that may indicate suspicious behavior.

    Variations

    A suspicious assignment of a mobile device to multiple users

    Low overridden

    A single device is being used as an Okta MFA device by multiple users. overridden

  • Owner was added to Azure application Informational Cloud

    An Owner was added to an Azure application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Gain administrative control and manipulate the application's permissions and settings.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Phantom DLL Loading Medium 2 variations

    An attacker might leverage existing processes missing module loads to load malicious code into trusted processes.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load untrusted code into trusted contexts to avoid detection, persist or escalate privileges.
    Investigative actions: Investigate the loaded module and verify if it is malicious.

    Variations

    Phantom DLL Loading was used to load a DLL into a process after it was extracted from an internet-downloaded archive

    High overridden

    An attacker might leverage existing processes missing module loads to load malicious code into trusted processes. overridden

    Phantom DLL Loading was used to load a DLL into a process after it was downloaded from an uncommon source

    High overridden

    An attacker might leverage existing processes missing module loads to load malicious code into trusted processes. overridden

  • Possible DLL Hijack into a Microsoft process Informational 6 variations

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.
    Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.

    Variations

    Possible DLL Hijack of a low entropy DLL into a Microsoft process

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

    Possible DLL Side-Loading into a Microsoft process from a suspicious folder

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

    DLL Hijack into a Microsoft process

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

    Possible DLL Hijack into a Microsoft development or framework related process

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

    Possible DLL Hijack into a Microsoft process - the DLL was extracted from an internet-downloaded archive

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

    Possible DLL Hijack into a Microsoft process - the DLL downloaded from an uncommon source

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

  • Possible DLL Search Order Hijacking Low 3 variations

    An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001) Hijack Execution Flow: Path Interception by PATH Environment Variable (T1574.007) Hijack Execution Flow: Path Interception by Unquoted Path (T1574.009) Hijack Execution Flow: Path Interception by Search Order Hijacking (T1574.008)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.
    Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.

    Variations

    Possible DLL Search Order Hijacking by DLL Substitution

    Low overridden

    An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden

    Possible DLL Search Order Hijacking - DLL extracted from an internet-downloaded archive

    Low overridden

    An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden

    Possible DLL Search Order Hijacking - DLL downloaded from an uncommon source

    Low overridden

    An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden

  • Possible Persistence via group policy Registry keys Medium

    Group Policy registry keys were read during system startup. This behavior may indicate a persistence mechanism that triggers on reboot to execute malicious code.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Establish persistence on the host using Windows Group Policy mechanisms.
    Investigative actions: Inspect the registry keys and determine which process or command is configured to run. Verify whether the executing process is benign and expected as part of normal system behavior.
  • Possible webshell file written by a web server process Low 3 variations

    An uncommon file with a web file extension was created, written or renamed by a web server process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Webshell Analytics
    Attacker's goals: Gaining the ability to execute commands on the host, as well as persistence.
    Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the dropped file contains malicious content.

    Variations

    Possible webshell file written by a node web server process

    Informational overridden

    An uncommon file with a web file extension was created, written or renamed by a web server process. overridden

    Possible webshell file written by a web server process in an internet facing server

    Low overridden

    An uncommon file with a web file extension was created, written or renamed by a web server process. overridden

    Possible webshell file written by a web server process with connections from various sources and high web traffic

    Low overridden

    An uncommon file with a web file extension was created, written or renamed by a web server process. overridden

  • Potential creation of persistent cloud credentials Informational Cloud

    A cloud identity invoked a credential-related persistence operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Forge Web Credentials (T1606) Use Alternate Authentication Material: Application Access Token (T1550.001)
    Required data: AWS Audit Log
    Attacker's goals: Maintain persistence in cloud environments.
    Investigative actions: Check what API calls were executed by the identity. Check what resources are affected by this change. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account.
  • Rare Scheduled Task RPC activity Informational 3 variations

    The endpoint performed abnormal Scheduled Task RPC activity to a remote host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Persistence (TA0003)
    ATT&CK techniques: Remote Services (T1021) Scheduled Task/Job (T1053)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using scheduled tasks. The ITaskSchedulerService RPC interface is used to query and manage services on a local or remote host.
    Investigative actions: Review the action of the created scheduled task on the remote host. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.

    Variations

    Rare remote task registration and creation via Scheduled Task RPC interface

    Medium overridden

    The endpoint performed abnormal task registration and creation via Scheduled Task RPC interface to a remote host. overridden

    Rare remote task creation via Scheduled Task RPC interface

    Medium overridden

    The endpoint performed abnormal task registration or creation via Scheduled Task RPC interface to a remote host. overridden

    Rare Scheduled Task RPC activity

    Low overridden

    The endpoint performed abnormal Scheduled Task RPC activity to a remote host. overridden

  • Rare Scheduled Task RPC activity from a rarely seen host Low

    The endpoint performed abnormal Scheduled Task RPC activity to a remote host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Persistence (TA0003)
    ATT&CK techniques: Remote Services (T1021) Scheduled Task/Job (T1053)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: NDR Lateral Movement Analytics, NDR Unmanaged Subnet Analytics
    Attacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using scheduled tasks. The ITaskSchedulerService RPC interface is used to create and manage scheduled tasks on a local or remote host.
    Investigative actions: Review the action of the created scheduled task on the remote host. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.
  • Rare access to known advertising domains Informational 2 variations

    The endpoint performed many connections to unpopular advertising domains.This could indicate the presence of adware on the endpoint.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Persistence (TA0003)
    ATT&CK techniques: Application Layer Protocol (T1071) Software Extensions: Browser Extensions (T1176.001)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Causing the user to view excessive advertising content.
    Investigative actions: Investigate the infected machine and search for suspicious browser extensions, see if changes were made to the homepage or if the browser is slower than usual, check whether sites that do not have ads usually, display ads when accessed from the possibly infected endpoint. Search for suspicious redirections or proxy configuration on the infected machine. Search for a C&C communication.

    Variations

    Rare access to known advertising domains from a Rare User Agent

    Informational overridden

    The endpoint performed many connections to unpopular advertising domains from a rare user agent.This could indicate the presence of adware on the endpoint. overridden

    Suspicious Rare access to known advertising domains

    Low overridden

    The endpoint performed many connections to unpopular advertising domains.This could indicate the presence of adware on the endpoint. overridden

  • Rare machine account creation Informational Identity Analytics

    A user was observed creating a machine account for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Create Account (T1136)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Verify the activity of the user who created the account. Follow actions performed by the new machine account.
  • Rare scheduled task created Informational 4 variations

    A new rare scheduled task was created with a rare path and a rare command line.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Impacket Analytics, Scheduled tasks Analytics
    Attacker's goals: Attackers may attempt to gain persistence on the endpoint using scheduled task.
    Investigative actions: Review the action of the created scheduled task. Investigate the execution chain of the process creating the scheduled task.

    Variations

    Rare scheduled task created by an injected actor

    High overridden

    A new rare scheduled task was created by an injected actor with a rare path and a rare command line. overridden

    Uncommon remote scheduled task created

    Medium overridden

    A new uncommon remote scheduled task was created with a rare path and a rare command line. overridden

    Uncommon local scheduled task created

    Low overridden

    A new uncommon local scheduled task was created with a rare path and a rare command line. overridden

    Highly rare scheduled task created

    Low overridden

    A new rare scheduled task was created with an highly rare path and a rare command line. overridden

  • Rare service DLL was added to the registry Low 2 variations

    A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Masquerading: Masquerade Task or Service (T1036.004) Create or Modify System Process: Windows Service (T1543.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Malicious Service Analytics
    Attacker's goals: Masquerade execution on the host using a benign Windows process and achieve persistence.
    Investigative actions: Investigate the suspicious DLL and check for malicious content. Go to the service registry key and investigate it to find the associated executable that runs the service. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Rare service DLL was added to the registry from an injected thread

    Medium overridden

    A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware. overridden

    Rare service DLL was added to the registry from a rare unsigned actor process

    High overridden

    A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware. overridden

  • Rare unsigned process execution by scheduled task Low 3 variations

    Rare and unsigned process was executed by a scheduled task.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: Attackers may attempt to gain persistence on the endpoint using scheduled tasks.
    Investigative actions: Review the process executed by the schedule task. Investigate the specific scheduled task execution chain.

    Variations

    Uncommon unsigned process execution by scheduled task

    Informational overridden

    Uncommon and unsigned process was executed by a scheduled task. overridden

    Rare unsigned process execution with high integrity level by scheduled task

    Medium overridden

    Rare and unsigned process was execution with high integrity level by a scheduled task. overridden

    Rare unsigned process execution by scheduled task on a sensitive server

    Medium overridden

    Rare and unsigned process was executed by a scheduled task. overridden

  • SPNs cleared from a machine account Low Identity Analytics 1 variation

    Service principal names were cleared from a machine account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Follow actions performed by the user. Look for associated sAMAccountName rename events.

    Variations

    SPNs cleared from a machine account for the first time

    Medium overridden

    Service principal names were cleared from a machine account. overridden

  • Scrcons.exe Rare Child Process Informational 1 variation

    The Windows Management Instrumentation (WMI) standard event consumer scrcons.exe executed a rare VBScript or PowerShell script. Executing a rare script can be an indication of local or remote code execution abuse by an attacker.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Windows Management Instrumentation (T1047) Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)
    Required data: XDR Agent
    Attacker's goals: The attacker is trying to gain Persistence via WMI script registration.
    Investigative actions: Search for any executions of the Managed Object Format (MOF) compiler mofcomp.exe and review the process that ran it. Review registered WMI ActiveScriptEventConsumer by running "WMIC /namespace:\\root\default path ActiveScriptEventConsumer get ".

    Variations

    Scrcons.exe Rare Child Process

    Medium overridden

    The Windows Management Instrumentation (WMI) standard event consumer scrcons.exe executed a rare VBScript or PowerShell script. Executing a rare script can be an indication of local or remote code execution abuse by an attacker. overridden

  • Screensaver process executed from Users or temporary folder Low 1 variation

    An executable file with a screensaver extension was executed from the Users or temp folder. This is not a common behavior for screensavers and may indicate a malicious file disguised as a screensaver in the Users or temp folder. It is recommended to further investigate the execution flow for malicious indicators.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Event Triggered Execution: Screensaver (T1546.002)
    Required data: XDR Agent
    Attacker's goals: Gain persistence by configuring a new screensaver.
    Investigative actions: Check whether the executing process (with the SCR extension) is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Screensaver process executed from Users or temporary folder by a scripting engine process

    High overridden

    An executable file with a screensaver extension was executed from the Users or temp folder by a scripting engine process. This is not a common behavior for screensavers and may indicate a malicious file disguised as a screensaver in the Users or temp folder. It is recommended to further investigate the execution flow for malicious indicators. overridden

  • Script file added to startup-related Registry keys Medium

    An attacker may add a script file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution (T1547)
    Required data: XDR Agent
    Attacker's goals: Gain persistence using the legitimate Windows registry run key mechanism, which executes commands on user login or computer boot.
    Investigative actions: Verify if the registered script is malicious. Check if the installed software is a malicious binary or script.
  • SecureBoot was disabled Low

    SecureBoot was disabled, this might be indicative of someone trying to install an alternate non-UEFI supported OS.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    14 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Pre-OS Boot (T1542)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Disable SecureBoot to install another OS on the machine.
    Investigative actions: Check if a new operating system was installed on the same hardware.
  • Service ticket request with a spoofed sAMAccountName Medium Identity Analytics

    A Kerberos service ticket (ST) was requested for an account with a spoofed sAMAccountName.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Follow actions by the account and if it performed a DCSync.
  • Setting Windows Auto Logon by uncommon process Low

    Setting Windows Auto Logon by uncommon process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversary may attempt to set auto logon for persistence and privilege escalation.
    Investigative actions: Investigate the process that set or create the registry key.
  • SharePoint Site Collection admin group addition Informational Identity Threat Module 2 variations

    A user made an addition to the site collection administrators group in SharePoint.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Office 365 Audit
    Attacker's goals: Elevate permissions and establish persistence.
    Investigative actions: Check the IP address from which the access originated. Verify the activity with the performing user. Follow further actions done by the account.

    Variations

    SharePoint site collection admin added to personal site

    Informational overridden

    A user was added as a site collection admin to a personal site, indicating that the user has accessed the SharePoint service for the first time. overridden

    Abnormal SharePoint Site Collection admin group addition

    Low overridden

    A user made an addition to the site collection administrators group in SharePoint. This user has not made any SharePoint site admin additions over the past 30 days. overridden

  • Signed process creates a scheduled task via file access Informational 1 variation

    A signed process created a scheduled task via file access. Attackers may create scheduled tasks for execution and to establish persistence.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: An attacker may gain persistence and execute malicious tools via scheduled tasks.
    Investigative actions: Check the created task file and look for the action triggered by the task.

    Variations

    Signed process running from an untrusted directory creates a scheduled task via file access

    Low overridden

    A signed process created a scheduled task via file access. Attackers may create scheduled tasks for execution and to establish persistence. overridden

  • Successful unusual guest user invitation Informational Identity Threat Module 1 variation

    An identity successfully invited a guest user to the tenant with unusual characteristics.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker can invite users to for evasion.
    Investigative actions: Check who is the invited guest user. Check whether the inviter is permitted to perform such actions. Check if the domain of the invited guest is allowed for invitations in the organization.

    Variations

    Rare successful guest invitation in the organization

    Low overridden

    An identity successfully invited a suspicious guest user to the tenant. overridden

  • Suspicious HTTP parameters detected Medium

    The endpoint received suspicious HTTP parameters via an HTTP request, which may indicate attempts to exploit server components or web shell activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Detector tags: Webshell Analytics
    Attacker's goals: Attackers may exploit server components or misconfigurations to access arbitrary sensitive files on the web server.
    Investigative actions: Inspect the legitimacy of the URI path and the parameters values sent to the server. Ensure that the rare URI is not a legitimate result of routine development actions on the web server.
  • Suspicious MFA request reported by user in Entra ID Informational Identity Threat Module 1 variation

    A user has flagged an MFA request as suspicious in Microsoft Entra ID. This could indicate a potential compromised user account or unauthorized access attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker may attempt to gain unauthorized access to the account.
    Investigative actions: Check if the authentication attempt was legitimate. Investigate any recent unusual login behavior or IP addresses associated with the account. Verify whether the user has recently changed their authentication methods or account settings. Follow the account for possible suspicious or unusual logins.

    Variations

    Suspicious MFA request reported by a sensitive user in Entra ID

    Low overridden

    A user has flagged an MFA request as suspicious in Microsoft Entra ID. This could indicate a potential compromised user account or unauthorized access attempt. overridden

  • Suspicious RunOnce Parent Process Low

    Runonce.exe executes commands under the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, typically on computer boot and user login events.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
    Required data: XDR Agent
    Attacker's goals: An attacker is trying to perform an action on the system at a later point, achieving persistence.
    Investigative actions: Investigate the endpoint to determine if it's a legitimate process that is supposed to use RunOnce in its operation.
  • Suspicious Udev driver rule execution manipulation Low 1 variation

    Udev driver rule was modified with unusual pattern, might be used by adversaries to backdoor existing drivers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Boot or Logon Autostart Execution: Kernel Modules and Extensions (T1547.006)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversaries can use this technique to execute arbitrary commands once the machine boots.
    Investigative actions: Check if the action was done using an automation service. Check the rule modification content and look for any suspicious payloads. Check if there are any other suspicious activities originated from the same machine/executing user.

    Variations

    Unusual Udev driver rule execution manipulation

    Low overridden

    Udev driver rule was modified with unusual pattern, might be used by adversaries to backdoor existing drivers. overridden

  • Suspicious account attribute modification that matches that of another account Low Identity Analytics 1 variation

    Suspicious account attribute modification that matches that of another account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts: Domain Accounts (T1078.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker might modify account attributes to elevate privileges and get access to strong accounts in the domain.
    Investigative actions: Check if any associated certificates were granted. Check if any login attempts were made by the impersonated accounts using certificates. Check if any Kerberos TGT tickets were generated by the impersonated accounts using certificates.

    Variations

    Suspicious account attribute modification that matches that of a sensitive machine account

    Medium overridden

    Suspicious account attribute modification that matches that of another account. overridden

  • Suspicious active setup registered Informational

    The endpoint registered a new active setup, which may be used to gain persistence on the host by loading libraries into the time management service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution: Active Setup (T1547.014)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain persistence using the legitimate windows active setup mechanism, which executes binary on system startup.
    Investigative actions: Verify if the registered binary is malicious. Check if the installing software is a malicious binary.
  • Suspicious authentication package registered Medium

    The endpoint registered a suspicious authentication package, which may be used to gain persistence on the host by loading libraries into the time management service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    14 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution: Authentication Package (T1547.002)
    Required data: XDR Agent
    Attacker's goals: Gain persistence using the legitimate Windows authentication package mechanism, which loads libraries into Windows services.
    Investigative actions: Verify if the registered library is malicious. Check if the installing software is a malicious binary. Check for any suspicious network activity from "lsass.exe".
  • Suspicious cloud compute instance SSH keys modification attempt Informational Cloud 7 variations

    An identity attempted to modify the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Lateral Movement (TA0008)
    ATT&CK techniques: Account Manipulation: SSH Authorized Keys (T1098.004) Remote Services: Cloud Services (T1021.007) Remote Services: Direct Cloud VM Connections (T1021.008)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Lateral Movement Analytics
    Attacker's goals: Maintain persistence on a compromised compute instance. Escalate local privileges to gain root on compute instance.
    Investigative actions: Investigate if SSH keys were modified or added at the instance or project level. Investigate which permissions were obtained as a result of the SSH keys modification.

    Variations

    Suspicious cloud compute instance SSH keys modification attempt by an identity with high administrative activity

    Informational overridden

    An identity attempted to modify the SSH keys of a single compute instance.The identity has high administrative activityThis may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden

    Instance SSH keys were modified for the first time in the cloud provider

    High overridden

    An identity has modified the SSH keys of an instance for the first time in the cloud provider.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden

    Suspicious cloud compute instance SSH keys modification by a service account

    Medium overridden

    A service account has modified the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden

    Suspicious cloud compute instance SSH keys modification

    Informational overridden

    An identity has modified the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden

    Suspicious GCP project level metadata modification by a service account

    Low overridden

    A service account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden

    Suspicious GCP project level metadata modification

    Informational overridden

    An identity account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden

    Suspicious GCP project level metadata modification attempt

    Informational overridden

    An identity account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden

  • Suspicious container orchestration job Low

    A suspicious orchestration job ran with a rare command line.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    10 Minutes
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Scheduled Task/Job: Container Orchestration Job (T1053.007)
    Required data: XDR Agent
    Attacker's goals: Adversaries may abuse task scheduling functionality provided by container orchestration tools The adversaries do that to schedule deployment of containers configured to execute malicious code.
    Investigative actions: Investigate The process activities and impact on the relevant container.
  • Suspicious dNSHostName attribute change to DC name Medium Identity Analytics

    The dNSHostName attribute of a machine account was changed to a Domain Controller server name.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts: Domain Accounts (T1078.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Check if any associated TGTs or service tickets were granted. Follow actions by the account and if it performed a DCSync.
  • Suspicious domain user account creation Informational Identity Analytics

    A user was observed creating a rare domain account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Create Account: Domain Account (T1136.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Check the user who created the account and verify its activity.
  • Suspicious hidden user created Medium Identity Analytics

    A user account was created with a name that mimics a machine account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005)
    ATT&CK techniques: Create Account (T1136) Hide Artifacts: Hidden Users (T1564.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Evasion using a valid account.
    Investigative actions: Check the user account created and verify its activity.
  • Suspicious modification of the AdminSDHolder's ACL Low Identity Analytics

    A user modified the AdminSDHolder ACL, which may be an indication of a privilege escalation attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers attempt to obtain full control privileges and then move laterally.
    Investigative actions: Check if a new user was added to the AdminSDHolder object. Check if a suspicious user account was recently created. Check if a user was added to a privileged group (e.g. Domain Admins). Investigate any other potentially suspicious behavior from the compromised user. Search for actions that may trigger SDProp, such as modifying the registry or executing an LDAP query.
  • Suspicious print processor registered Medium

    The endpoint registered a new print processor, which may be used to gain persistence on the host by loading libraries into the time management service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution: Print Processors (T1547.012)
    Required data: XDR Agent
    Attacker's goals: Gain persistence using the legitimate windows print processor mechanism, which loads libraries into Windows services.
    Investigative actions: Verify if the registered library is malicious. Check if the installing software is a malicious binary. Check for any suspicious network activity from svchost.exe or spoolsv.exe.
  • Suspicious process modified RC script file Low 1 variation

    A suspicious process modified an RC script file. These files allow system administrators to map and start custom services at startup for different run levels. This may be done to establish persistence.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Boot or Logon Initialization Scripts: RC Scripts (T1037.004)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system's startup.
    Investigative actions: Check the modified RC script file and try to understand the impact of the file modification.

    Variations

    Suspicious process modified RC script file in a Kubernetes pod

    Low overridden

    A suspicious process modified an RC script file. These files allow system administrators to map and start custom services at startup for different run levels. This may be done to establish persistence. overridden

  • Suspicious runonce.exe parent process Low

    Runonce.exe executes commands under the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, typically on computer boot and user logon events.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
    Required data: XDR Agent
    Attacker's goals: Command execution and persistence on the host.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Suspicious sAMAccountName change Low Identity Analytics 1 variation

    The name of a machine account was changed to a sAMAccountName with a missing trailing dollar sign.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Check if any associated TGTs or service tickets were granted. Follow actions by the account and if it performed a DCSync.

    Variations

    Suspicious sAMAccountName change to DC hostname

    Medium overridden

    The name of a machine account was changed to a sAMAccountName with a missing trailing dollar sign. overridden

  • Suspicious systemd timer activity Low

    Suspicious systemd timer activity, which may indicate an attempt to establish persistence.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Scheduled Task/Job: Systemd Timers (T1053.006)
    Required data: XDR Agent
    Attacker's goals: An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.
    Investigative actions: Check the systemd timer file change and try to understand the impact of the systemd timers change.
  • Suspicious time provider registered Medium 2 variations

    The endpoint time provider has been tampered, this change may be used to gain persistence on the host by loading libraries into the time management service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution: Time Providers (T1547.003)
    Required data: XDR Agent
    Attacker's goals: Gain persistence using the legitimate Windows time provider mechanism, which loads libraries into Windows services.
    Investigative actions: Verify if the registered library is malicious. Check if the software performing the installation is a malicious binary. Check for any network activity from a "svchost.exe -k LocalService" process that seems suspicious.

    Variations

    Suspicious time provider registered manually by reg.exe

    High overridden

    The endpoint time provider has been tampered, this change may be used to gain persistence on the host by loading libraries into the time management service. overridden

    Suspicious time provider registered using an uncommon provider name

    High overridden

    The endpoint time provider has been tampered, this change may be used to gain persistence on the host by loading libraries into the time management service. overridden

  • Svchost.exe loads a rare unsigned module Low

    Svchost.exe loads a rare unsigned module, which can indicate an attacker's malicious service execution.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Masquerading: Masquerade Task or Service (T1036.004) Create or Modify System Process: Windows Service (T1543.003)
    Required data: XDR Agent
    Detector tags: Malicious Service Analytics
    Attacker's goals: Evading detections by running code from a signed Microsoft executable.
    Investigative actions: Check whether the loaded module with the corresponding hash is benign and if this was a desired behavior as part of its normal execution flow. Go to the 'Services' registry key and investigate its sub keys to find the service associated with the loaded dll.
  • TGT request with a spoofed sAMAccountName - Event log Medium Identity Analytics

    A Kerberos authentication ticket (TGT) was requested for an account with a spoofed sAMAccountName.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Check if any associated service tickets were granted. Follow actions by the account and if it performed a DCSync.
  • TGT request with a spoofed sAMAccountName - Network Medium Identity Analytics

    A Kerberos authentication ticket (TGT) was requested for an account with a spoofed sAMAccountName.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: XDR Agent
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Check if any associated service tickets were granted. Follow actions by the account and if it performed a DCSync.
  • Uncommon AT task-job creation by user Low 2 variations

    An unpopular AT task-job was created by a user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job: At (T1053.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers may use at task-jobs for persistence or executing malicious files.
    Investigative actions: Check the AT job task for suspicious activity.

    Variations

    Uncommon AT task-job creation by user from a web server process

    Medium overridden

    A web process used the AT command to create a new AT task-job. overridden

    Uncommon AT task-job creation by user from unpopular process

    Low overridden

    An unpopular process created an AT task-job on the host, which is not popular in the organization. overridden

  • Uncommon Launch Agent persistency was registered or modified Informational 9 variations

    An uncommon Launch Agent persistence mechanism was registered/modified on the system.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Create or Modify System Process (T1543) Create or Modify System Process: Launch Agent (T1543.001)
    Required data: XDR Agent
    Detector tags: Generic Persistence Analytics
    Attacker's goals: Establish persistent access to the compromised host by registering malicious code.
    Investigative actions: Analyze the persistency item and determine whether it performs any malicious or suspicious actions. Analyze the registered process and determine whether it performs any malicious or suspicious actions. Check the events generated by the process for potential malicious behavior.

    Variations

    Uncommon Launch Agent persistency was registered or modified by a security testing tool

    High overridden

    An uncommon Launch Agent persistence mechanism was registered/modified on the system by a security testing tool. overridden

    Uncommon Launch Agent persistency was registered or modified by a tool with possible web access

    Low overridden

    An uncommon Launch Agent persistence mechanism was registered/modified on the system by a tool with possible web access. overridden

    Uncommon Launch Agent persistency was registered or modified while using a data communication tool

    Low overridden

    An uncommon Launch Agent persistence mechanism was registered/modified on the system while using a data communication tool for persistency registration or as a persistency-triggered execution. overridden

    Uncommon Launch Agent persistency was registered or modified while using osascript

    Low overridden

    An uncommon Launch Agent persistence mechanism was registered/modified on the system while using osascript for persistency registration or as a persistency-triggered execution. overridden

    Uncommon Launch Agent persistency was registered or modified using Plist Buddy with Run-At-Load key

    Low overridden

    An uncommon Launch Agent persistence mechanism was registered/modified on the system using Plist Buddy with Run-At-Load key set to True. overridden

    Uncommon Launch Agent persistency was registered or modified with an uncommon path containing a known vendor name

    Low overridden

    An uncommon Launch Agent persistence mechanism was registered/modified on the system with an uncommon path containing a known vendor name. overridden

    Uncommon Launch Agent persistency was registered or modified with an unusual persistency executable path

    Low overridden

    An uncommon Launch Agent persistence mechanism was registered/modified on the system with an unusual persistency executable path. overridden

    Uncommon Launch Agent persistency was registered or modified by a non validly signed process

    Low overridden

    An uncommon Launch Agent persistence mechanism was registered/modified on the system by a non validly signed process. overridden

    Uncommon Launch Agent persistency was registered or modified by an unsigned process

    Low overridden

    An uncommon Launch Agent persistence mechanism was registered/modified on the system by an unsigned process. overridden

  • Uncommon Launch Daemon persistency was registered or modified Informational 9 variations

    An uncommon Launch Daemon persistence mechanism was registered/modified on the system.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Create or Modify System Process (T1543) Create or Modify System Process: Launch Daemon (T1543.004)
    Required data: XDR Agent
    Detector tags: Generic Persistence Analytics
    Attacker's goals: Establish persistent access to the compromised host by registering malicious code.
    Investigative actions: Analyze the persistency item and determine whether it performs any malicious or suspicious actions. Analyze the registered process and determine whether it performs any malicious or suspicious actions. Check the events generated by the process for potential malicious behavior.

    Variations

    Uncommon Launch Daemon persistency was registered or modified by a security testing tool

    High overridden

    An uncommon Launch Daemon persistence mechanism was registered/modified on the system by a security testing tool. overridden

    Uncommon Launch Daemon persistency was registered or modified by a tool with possible web access

    Low overridden

    An uncommon Launch Daemon persistence mechanism was registered/modified on the system by a tool with possible web access. overridden

    Uncommon Launch Daemon persistency was registered or modified while using a data communication tool

    Low overridden

    An uncommon Launch Daemon persistence mechanism was registered/modified on the system while using a data communication tool for persistency registration or as a persistency triggered execution. overridden

    Uncommon Launch Daemon persistency was registered or modified while using osascript

    Low overridden

    An uncommon Launch Daemon persistence mechanism was registered/modified on the system while using osascript for persistency registration or as a persistency triggered execution. overridden

    Uncommon Launch Daemon persistency was registered or modified using Plist Buddy with Run-At-Load key

    Low overridden

    An uncommon Launch Daemon persistence mechanism was registered/modified on the system using Plist Buddy with Run-At-Load key set to True. overridden

    Uncommon Launch Daemon persistency was registered or modified with an uncommon path containing a known vendor name

    Low overridden

    An uncommon Launch Daemon persistence mechanism was registered/modified on the system with an uncommon path containing a known vendor name. overridden

    Uncommon Launch Daemon persistency was registered or modified with an unusual persistency executable path

    Low overridden

    An uncommon Launch Daemon persistence mechanism was registered/modified on the system with an unusual persistency executable path. overridden

    Uncommon Launch Daemon persistency was registered or modified by a non validly signed process

    Low overridden

    An uncommon Launch Daemon persistence mechanism was registered/modified on the system by a non validly signed process. overridden

    Uncommon Launch Daemon persistency was registered or modified by an unsigned process

    Low overridden

    An uncommon Launch Daemon persistence mechanism was registered/modified on the system by an unsigned process. overridden

  • Uncommon Managed Object Format (MOF) compiler usage Informational

    The mofcomp.exe WMI MOF compiled is used to compile code into the WMI repository that in turn may enable attackers to run scheduled or triggered code from the context of a Microsoft-signed binary.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)
    Required data: XDR Agent
    Attacker's goals: Run code via triggers from the context of the WMI executor.
    Investigative actions: Verify if the executing process is suspicious. Check if the MOF file being compiled has any malicious indicators within it.
  • Uncommon PowerShell commands used to create or alter scheduled task parameters Low

    Attackers may create or alter scheduled task parameters to gain higher privileges or persistence on the system.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job: Scheduled Task (T1053.005)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Create a new scheduled task or alter an existing one to gain persistence in the system or to gain higher privileges.
    Investigative actions: Examine the PowerShell command to identify suspicious scheduled task creation or modification. Inspect the system for suspicious activity that is triggered by a scheduled task.
  • Uncommon browser extension loaded Informational

    An uncommon browser extension was loaded by a Chromium-based browser.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Software Extensions: Browser Extensions (T1176.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Chromium Extensions Analytics
    Attacker's goals: Gain persistency on a machine and steal sensitive browsing data.
    Investigative actions: Investigate the extension and how it was loaded. Check if this extension is currently present at the relevant extensions web store by looking up for its extension ID.
  • Uncommon jsp file write by a Java process Medium

    An uncommon jsp file was written by a Java process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Server Software Component: Web Shell (T1505.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Persistence on the host.
    Investigative actions: Check if the file was added during regular java process actions. Check if the jsp file contains malicious content.
  • Uncommon local scheduled task creation via schtasks.exe Informational 4 variations

    The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to gain persistence on this host using scheduled tasks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: Attackers may attempt to use the command to gain persistence on the endpoint using scheduled tasks.
    Investigative actions: Review the process that creates the schedule task. Investigate the specific scheduled task execution chain.

    Variations

    Uncommon local scheduled task creation via schtasks.exe by a remote actor

    Informational overridden

    The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to gain persistence on this host using scheduled tasks. overridden

    Uncommon scheduled task created by an unsigned and rare actor via schtasks.exe

    Low overridden

    The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to gain persistence on this host using scheduled tasks. overridden

    Uncommon scheduled task created by an unsigned actor via schtasks.exe

    Low overridden

    The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to gain persistence on this host using scheduled tasks. overridden

    Uncommon scheduled task created by a signed actor from a rare vendor via schtasks.exe

    Low overridden

    The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to gain persistence on this host using scheduled tasks. overridden

  • Uncommon login item persistency was registered or modified Informational 4 variations

    An uncommon login item persistence mechanism was registered/modified on the system.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution (T1547) Boot or Logon Autostart Execution: Login Items (T1547.015)
    Required data: XDR Agent
    Detector tags: Generic Persistence Analytics
    Attacker's goals: Establish persistent access to the compromised host by registering malicious code.
    Investigative actions: Analyze the persistency item and determine whether it performs any malicious or suspicious actions. Analyze the registered process and determine whether it performs any malicious or suspicious actions. Check the events generated by the process for potential malicious behavior.

    Variations

    Uncommon login item persistency was registered or modified by a security testing tool

    High overridden

    An uncommon login item persistence mechanism was registered/modified on the system by a security testing tool. overridden

    Uncommon login item persistency was registered or modified while using osascript

    Low overridden

    An uncommon login item persistence mechanism was registered/modified on the system while using osascript for persistency registration or as a persistency triggered execution. overridden

    Uncommon login item persistency was registered or modified by an invalidly signed actor process

    Low overridden

    An uncommon login item persistence mechanism was registered/modified on the system by an invalidly signed actor process. overridden

    Uncommon login item persistency was registered or modified by an invalidly signed causality process

    Low overridden

    An uncommon login item persistence mechanism was registered/modified on the system by an invalidly signed causality process. overridden

  • Uncommon net group command execution Informational 7 variations

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)
    ATT&CK techniques: Permission Groups Discovery (T1069) Create Account (T1136)
    Required data: XDR Agent
    Attacker's goals: Attackers may attempt to use the command to find domain-level group permissions settings or modify domain-level memberships.
    Investigative actions: Check if the queried group is a sensitive one (e.g. administrators). Check whether the initiating process has executed additional discovery commands.

    Variations

    Uncommon unsigned net group administrators command execution

    High overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon unsigned net group administrators command execution - fixed localization issues

    High overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon remote net group administrators command execution

    Low overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon net group administrators command execution

    Medium overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon net group execution

    Low overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon remote net group execution

    Low overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon administrator net group execution by scripting engine or command prompt

    Medium overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

  • Uncommon net localgroup command execution Informational 7 variations

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)
    ATT&CK techniques: Permission Groups Discovery (T1069) Create Account (T1136)
    Required data: XDR Agent
    Attacker's goals: Attackers may attempt to use the command to find local groups permissions settings or modify local memberships.
    Investigative actions: Check if the queried group is a sensitive one (e.g. administrators). Check whether the initiating process has executed additional discovery commands.

    Variations

    Uncommon net localgroup administrators command execution by a web server process or CGO

    Medium overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. When executed from a web server, it might be executed from an installed Webshell. overridden

    Uncommon unsigned net localgroup administrators command execution

    Medium overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

    Uncommon unsigned net localgroup administrators command execution - fixed localization issues

    Medium overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

    Uncommon net localgroup administrators command execution

    Low overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

    Uncommon net localgroup execution

    Low overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

    Uncommon remote net localgroup execution

    Medium overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

    Uncommon administrator net localgroup execution by scripting engine or command prompt

    Low overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

  • Uncommon signed process execution by scheduled task Informational 3 variations

    An uncommon process was executed by a scheduled task.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: Attackers may attempt to gain persistence, privilege escalation or proxy execution on the endpoint using scheduled tasks.
    Investigative actions: Review the process executed by the schedule task. Investigate the specific scheduled task execution chain. Check if the vendor is known in the organization for creating scheduled tasks to execute his product.

    Variations

    Uncommon Microsoft signed process execution by scheduled task

    Informational overridden

    An uncommon process was executed by a scheduled task. overridden

    Uncommon signed process execution by scheduled task on a sensitive server

    Low overridden

    An uncommon process was executed by a scheduled task. overridden

    Rare signed process execution by scheduled task

    Low overridden

    A rare process was executed by a scheduled task. overridden

  • Uncommon user management via net.exe Informational 1 variation

    The net.exe command is used to add, delete, and otherwise manage the users on a computer. Adversaries may attempt to use the command to discover or add local and domain user accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)
    ATT&CK techniques: Account Discovery (T1087) Create Account (T1136)
    Required data: XDR Agent
    Attacker's goals: Attackers may attempt to use the command to discover or add local and domain user accounts. The created accounts are to gain additional access to endpoints within your network.
    Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Check whether the user from the command line is an administrator or other sensitive account.

    Variations

    Uncommon user management via net.exe by an untrusted CGO

    Low overridden

    The net by an untrusted CGO.exe command is used to add, delete, and otherwise manage the users on a computer. Adversaries may attempt to use the command to discover or add local and domain user accounts. overridden

  • Unknown DLL was added to the AD FS Global Assembly Cache path Informational Identity Analytics 1 variation

    A new and unknown DLL was created within the Active Directory Federation Services (AD FS) Global Assembly Cache (GAC). Attackers may manipulate IdentityServer adapters to achieve persistence or execute malicious code within the AD FS environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Hijack Execution Flow (T1574)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Federation Services Analytics
    Attacker's goals: Attackers may inject malicious code into the AD FS server and manipulate the IdentityServer adapters to gain persistence.
    Investigative actions: Check if the AD FS service was stopped or restarted around the time of modification. Identify the user or process responsible for the file creation. Verify if the DLL is digitally signed by Microsoft. Compare the modification timestamp of this DLL against others in the same directory.

    Variations

    Suspicious DLL was added to the AD FS Global Assembly Cache path

    Low overridden

    A new and unknown DLL was created within the Active Directory Federation Services (AD FS) Global Assembly Cache (GAC). Attackers may manipulate IdentityServer adapters to achieve persistence or execute malicious code within the AD FS environment. overridden

  • Unsigned DLL Hijack into a Microsoft process Informational 7 variations

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.
    Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.

    Variations

    Unsigned DLL Hijack into a recently created Microsoft process which commonly loads the module as signed

    Medium overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.In addition, The Microsoft process which commonly loads the module as signed,had loaded the module as unsigned, which might indicate an attacker targeting a popular module name. overridden

    Rare and unsigned DLL into an injected Microsoft process

    Medium overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

    Unsigned DLL Hijack of a low entropy DLL into a Microsoft process

    Low overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

    Unsigned DLL Hijack of a high entropy DLL into a Microsoft process

    Low overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

    Unsigned DLL Hijack into a Microsoft process - the DLL downloaded from an uncommon source

    Low overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

    Unsigned DLL Hijack into a recently created Microsoft process

    Low overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

    Unsigned DLL Hijack into a Microsoft process which was executed by a scheduled task

    Low overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

  • Unsigned DLL Side-Loading Informational 6 variations

    A signed process loaded an unsigned and rare module from the same folder.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.
    Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.

    Variations

    DLL Side-Loading of module bearing an invalid Microsoft signature

    High overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

    Unsigned DLL Side-Loading to a signed microsoft process by a rare causality actor

    Medium overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

    Unsigned DLL Side-Loading to a signed microsoft process

    Low overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

    Unsigned DLL Side-Loading - DLL downloaded from an uncommon source

    Low overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

    Unsigned high entropy DLL Side-Loading by untrusted causality actor

    Low overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

    Unsigned DLL Side-Loading which was executed by a scheduled task

    Low overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

  • Unsigned process creates a scheduled task via file access Low 1 variation

    A scheduled task was created via file access from an unsigned process. This is uncommon and may indicate malicious activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: Attackers may attempt to gain persistence on the endpoint using scheduled tasks.
    Investigative actions: Review the process executed by the schedule task. Investigate the specific scheduled task execution chain.

    Variations

    Unsigned process creates a scheduled task via file access on a sensitive server

    Medium overridden

    A scheduled task was created via file access from an unsigned process. This is uncommon and may indicate malicious activity. overridden

  • Unusual AWS credentials creation Low

    AWS utility was used to create an access key and a secret key.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: XDR Agent
    Attacker's goals: Maintain access to an AWS provider.
    Investigative actions: Check the machine timeline and look for abnormal activity. Investigate what other calls were made to the AWS account.
  • Unusual AWS user added to group Low 1 variation

    AWS user added to AWS group, possibly to elevate privileges and gain more access to resources.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Gain persistence and elevate privileges.
    Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.

    Variations

    Unusual AWS user added to group from a Kubernetes Pod

    Low overridden

    AWS user added to AWS group, possibly to elevate privileges and gain more access to resources. overridden

  • Unusual Identity and Access Management (IAM) activity Informational Cloud 2 variations

    A cloud identity performed an unusual IAM operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Manipulate IAM configuration to strengthen the foothold in the cloud environment of the organization, by creating new accounts, modifying credentials, and permissions.Using the modified accounts, the attacker may perform additional activities in an evasive manner.
    Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive IAM operation that it shouldn't.

    Variations

    Unusual Identity and Access Management (IAM) activity executed from a cloud Internet facing instance

    Medium overridden

    A cloud Internet facing instance performed an unusual IAM operation. overridden

    Unusual Identity and Access Management (IAM) activity

    Low overridden

    A cloud non-user identity performed an unusual IAM operation. overridden

  • Unusual process access to ld.so.preload file Medium

    Attackers can modify ld.so.preload to inject malicious code into every dynamically linked process, enabling persistence and code execution. This detected operation is considered atypical in terms of access.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Hijack Execution Flow: Dynamic Linker Hijacking (T1574.006)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: This allows attackers to inject malicious code into system processes, gain persistence, code injection, evade detection, and potentially escalate privileges.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Download the /etc/ld.so.preload file from the host and see if and what libraries are specified there. Download any library specified and see if it's benign.
  • Unusual resource modification by newly seen IAM user Informational Cloud 3 variations

    A cloud resource was modified by a newly seen IAM user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Impact (TA0040)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Data Destruction (T1485)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Leverage access to manipulate cloud infrastructure.
    Investigative actions: Examine which resources were affected and how. Investigate any unusual activity originating from the identity.

    Variations

    Unusual Kubernetes resource modification by newly seen IAM user

    Informational overridden

    A cloud resource was modified by a newly seen IAM user. overridden

    Unusual IAM resource modification by newly seen IAM user

    Low overridden

    A cloud resource was modified by a newly seen IAM user. overridden

    Unusual resource modification by newly seen IAM user from an uncommon IP

    Low overridden

    A cloud resource was modified by a newly seen IAM user. overridden

  • Unusual user account enablement Informational Identity Analytics 1 variation

    A user enabled an account. This user does not usually enable user accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may enable a user account to gain persistence.
    Investigative actions: Investigate the associated enabling event. Check if the user is authorized to enable accounts. Confirm that the account enablement was expected. If the account enablement seems suspicious, address it accordingly by disabling the account again, forcing a password change, or monitoring its activity.

    Variations

    Unusual sensitive user account enablement

    Low overridden

    A user enabled a sensitive account. This user does not usually enable user accounts. overridden

  • Unusual user-agent for a cloud identity Informational Cloud 1 variation

    A cloud identity has executed an API call with an unusual user-agent.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Evade detection by using non-standard tools or scripts.
    Investigative actions: Examine the recent actions of the user for any abnormal or unauthorized behavior. Verify if the user intentionally used a new device or tool.

    Variations

    Unusual user-agent for a cloud identity by a compromised AWS access key

    Medium overridden

    A cloud identity has executed an API call with an unusual user-agent. overridden

  • Unverified domain added to Azure AD Informational Identity Threat Module 1 variation

    A new unverified domain was added to Azure AD.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion.
    Investigative actions: Check if the new domain is known for the organization. Check whether the user changing the configuration is permitted. Monitor network activity to and from the added domain.

    Variations

    Rare unverified domain addition to Azure AD

    Low overridden

    A new unverified domain was added to Azure AD. overridden

  • User account delegation change Informational Identity Analytics 2 variations

    A user account was modified with delegation to a service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may attempt to control an Active Directory environment.
    Investigative actions: Verify this action with the user who performed the change. Check if the account modified is a service account. Follow actions by the user, including TGT and TGS requests. Monitor for anomalous Kerberos activity.

    Variations

    User account delegation to KRBTGT

    High overridden

    A user account was modified with delegation to the KRBTGT service. overridden

    User account delegation to a DC

    Low overridden

    A user account was modified with delegation to a service on a domain controller. overridden