Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

130 alerts match the current filters. tactic: TA0004 ✕

Show ATT&CK heatmap
  • Service ticket request with a spoofed sAMAccountName Medium Identity Analytics

    A Kerberos service ticket (ST) was requested for an account with a spoofed sAMAccountName.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Follow actions by the account and if it performed a DCSync.
  • Setuid and Setgid file bit manipulation Low 1 variation

    The setuid or setgid bits were set on a file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Abuse Elevation Control Mechanism: Setuid and Setgid (T1548.001)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may try to run the executable application as a different user.
    Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.

    Variations

    Setuid and Setgid file bit manipulation in a Kubernetes pod

    Low overridden

    The setuid or setgid bits were set on a file. overridden

  • Sudoedit Brute force attempt Medium

    An unusual amount of sudoedit commands executed in a short period of time. This may indicate an attempt to exploit CVE-2021-3156.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Exploitation for Privilege Escalation (T1068)
    Required data: XDR Agent
    Attacker's goals: The attacker may gain higher privileges via exploitation of sudoedit.
    Investigative actions: Verify that the current version of sudo in not vulnerable to CVE-2021-3156.
  • Suspicious Udev driver rule execution manipulation Low 1 variation

    Udev driver rule was modified with unusual pattern, might be used by adversaries to backdoor existing drivers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Boot or Logon Autostart Execution: Kernel Modules and Extensions (T1547.006)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversaries can use this technique to execute arbitrary commands once the machine boots.
    Investigative actions: Check if the action was done using an automation service. Check the rule modification content and look for any suspicious payloads. Check if there are any other suspicious activities originated from the same machine/executing user.

    Variations

    Unusual Udev driver rule execution manipulation

    Low overridden

    Udev driver rule was modified with unusual pattern, might be used by adversaries to backdoor existing drivers. overridden

  • Suspicious account attribute modification that matches that of another account Low Identity Analytics 1 variation

    Suspicious account attribute modification that matches that of another account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts: Domain Accounts (T1078.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker might modify account attributes to elevate privileges and get access to strong accounts in the domain.
    Investigative actions: Check if any associated certificates were granted. Check if any login attempts were made by the impersonated accounts using certificates. Check if any Kerberos TGT tickets were generated by the impersonated accounts using certificates.

    Variations

    Suspicious account attribute modification that matches that of a sensitive machine account

    Medium overridden

    Suspicious account attribute modification that matches that of another account. overridden

  • Suspicious container orchestration job Low

    A suspicious orchestration job ran with a rare command line.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    10 Minutes
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Scheduled Task/Job: Container Orchestration Job (T1053.007)
    Required data: XDR Agent
    Attacker's goals: Adversaries may abuse task scheduling functionality provided by container orchestration tools The adversaries do that to schedule deployment of containers configured to execute malicious code.
    Investigative actions: Investigate The process activities and impact on the relevant container.
  • Suspicious dNSHostName attribute change to DC name Medium Identity Analytics

    The dNSHostName attribute of a machine account was changed to a Domain Controller server name.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts: Domain Accounts (T1078.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Check if any associated TGTs or service tickets were granted. Follow actions by the account and if it performed a DCSync.
  • Suspicious process executed with a high integrity level Informational 1 variation

    A suspicious process was spawned with a High or System integrity level, which is higher than its parent process. This may indicate malicious privilege escalation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: XDR Agent
    Attacker's goals: An attacker may attempt to gain higher privileges.
    Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Investigate the endpoint to determine if it's a legitimate process that is supposed to run with privileges.

    Variations

    Suspicious process executed with a high integrity level

    Low overridden

    A suspicious process was spawned with a High or System integrity level, which is higher than its parent process. This may indicate malicious privilege escalation. overridden

  • Suspicious process execution in a privileged container Informational 1 variation

    A process was executed in a privileged Kubernetes Pod for the first time in the past 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)
    ATT&CK techniques: Container Administration Command (T1609) Escape to Host (T1611)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Perform lateral movement to new hosts to expand the foothold within a network and gain higher privileges.
    Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the command run from the host and understand which software initiated it.

    Variations

    Suspicious process execution in a new privileged container

    Informational overridden

    A process was executed in a privileged Kubernetes Pod for the first time in the past 30 days. overridden

  • Suspicious process modified RC script file Low 1 variation

    A suspicious process modified an RC script file. These files allow system administrators to map and start custom services at startup for different run levels. This may be done to establish persistence.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Boot or Logon Initialization Scripts: RC Scripts (T1037.004)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system's startup.
    Investigative actions: Check the modified RC script file and try to understand the impact of the file modification.

    Variations

    Suspicious process modified RC script file in a Kubernetes pod

    Low overridden

    A suspicious process modified an RC script file. These files allow system administrators to map and start custom services at startup for different run levels. This may be done to establish persistence. overridden

  • Suspicious sAMAccountName change Low Identity Analytics 1 variation

    The name of a machine account was changed to a sAMAccountName with a missing trailing dollar sign.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Check if any associated TGTs or service tickets were granted. Follow actions by the account and if it performed a DCSync.

    Variations

    Suspicious sAMAccountName change to DC hostname

    Medium overridden

    The name of a machine account was changed to a sAMAccountName with a missing trailing dollar sign. overridden

  • Suspicious systemd timer activity Low

    Suspicious systemd timer activity, which may indicate an attempt to establish persistence.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Scheduled Task/Job: Systemd Timers (T1053.006)
    Required data: XDR Agent
    Attacker's goals: An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.
    Investigative actions: Check the systemd timer file change and try to understand the impact of the systemd timers change.
  • TGT request with a spoofed sAMAccountName - Event log Medium Identity Analytics

    A Kerberos authentication ticket (TGT) was requested for an account with a spoofed sAMAccountName.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Check if any associated service tickets were granted. Follow actions by the account and if it performed a DCSync.
  • TGT request with a spoofed sAMAccountName - Network Medium Identity Analytics

    A Kerberos authentication ticket (TGT) was requested for an account with a spoofed sAMAccountName.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: XDR Agent
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Check if any associated service tickets were granted. Follow actions by the account and if it performed a DCSync.
  • The CA policy EditFlags was queried Medium

    The CA policy EditFlags was queried.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: XDR Agent
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Querying this registry value can indicate an attacker is looking for an enabled EDITF_ATTRIBUTESUBJECTALTNAME2 flag. When this flag is enabled, it allows users to request certificates with a Subject Alternate Name(SAN). This can allow an attacker to obtain a certificate with higher privileges.
    Investigative actions: Check if the action was allowed by the user. Monitor certificate enrollments with Subject Alternate Names. Check for unusual high privilege users certificate authentications.
  • Uncommon DLL-sideloading from a logical CD-ROM (ISO) device Medium

    A DLL was loaded by an executable from the same folder on a logical CD-ROM device (ISO).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001) User Execution: Malicious File (T1204.002)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load untrusted code into trusted contexts to avoid detection or escalate privileges.
    Investigative actions: Investigate the loaded module and verify if it is malicious. Check if the disk is a mounted CD-ROM (for example from an ISO file), and if it contains hidden files and folders. Check the content of an 'autorun.inf' or '.lnk' files if they exist.
  • Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer Low 4 variations

    A process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Process Injection: Portable Executable Injection (T1055.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Injection Analytics
    Attacker's goals: Gain code execution on the host in the context of another process.
    Investigative actions: Investigate the acting process for other malicious activities. Check if the target process was injected and for anomalies in its behavior after this event.

    Variations

    Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an office process

    High overridden

    An office process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden

    Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an injected thread

    Medium overridden

    An injected thread wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden

    Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from a LOLBIN process

    Medium overridden

    A LOLBIN process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden

    Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an unsigned process

    Medium overridden

    An unsigned process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden

  • Uncommon Security Support Provider (SSP) registered via a registry key Low

    Security Support Provider (SSP) exposes a number of callbacks to be invoked during certain authentication and authorization events.An attacker may register SSP to try and gain access to clear text passwords.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Boot or Logon Autostart Execution: Security Support Provider (T1547.005)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain clear text passwords and persistency in the network.
    Investigative actions: Audit the specific key values to verify that the additional values are trusted.
  • Unknown DLL was added to the AD FS Global Assembly Cache path Informational Identity Analytics 1 variation

    A new and unknown DLL was created within the Active Directory Federation Services (AD FS) Global Assembly Cache (GAC). Attackers may manipulate IdentityServer adapters to achieve persistence or execute malicious code within the AD FS environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Hijack Execution Flow (T1574)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Federation Services Analytics
    Attacker's goals: Attackers may inject malicious code into the AD FS server and manipulate the IdentityServer adapters to gain persistence.
    Investigative actions: Check if the AD FS service was stopped or restarted around the time of modification. Identify the user or process responsible for the file creation. Verify if the DLL is digitally signed by Microsoft. Compare the modification timestamp of this DLL against others in the same directory.

    Variations

    Suspicious DLL was added to the AD FS Global Assembly Cache path

    Low overridden

    A new and unknown DLL was created within the Active Directory Federation Services (AD FS) Global Assembly Cache (GAC). Attackers may manipulate IdentityServer adapters to achieve persistence or execute malicious code within the AD FS environment. overridden

  • Unsigned DLL Hijack into a Microsoft process Informational 7 variations

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.
    Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.

    Variations

    Unsigned DLL Hijack into a recently created Microsoft process which commonly loads the module as signed

    Medium overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.In addition, The Microsoft process which commonly loads the module as signed,had loaded the module as unsigned, which might indicate an attacker targeting a popular module name. overridden

    Rare and unsigned DLL into an injected Microsoft process

    Medium overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

    Unsigned DLL Hijack of a low entropy DLL into a Microsoft process

    Low overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

    Unsigned DLL Hijack of a high entropy DLL into a Microsoft process

    Low overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

    Unsigned DLL Hijack into a Microsoft process - the DLL downloaded from an uncommon source

    Low overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

    Unsigned DLL Hijack into a recently created Microsoft process

    Low overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

    Unsigned DLL Hijack into a Microsoft process which was executed by a scheduled task

    Low overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

  • Unsigned DLL Side-Loading Informational 6 variations

    A signed process loaded an unsigned and rare module from the same folder.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.
    Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.

    Variations

    DLL Side-Loading of module bearing an invalid Microsoft signature

    High overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

    Unsigned DLL Side-Loading to a signed microsoft process by a rare causality actor

    Medium overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

    Unsigned DLL Side-Loading to a signed microsoft process

    Low overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

    Unsigned DLL Side-Loading - DLL downloaded from an uncommon source

    Low overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

    Unsigned high entropy DLL Side-Loading by untrusted causality actor

    Low overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

    Unsigned DLL Side-Loading which was executed by a scheduled task

    Low overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

  • Unsigned process injecting into a Windows system binary with no command line Medium

    An attacker may be trying to avoid detection by injecting their malicious code into a legitimate Windows system binary.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
    Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.
  • Unusual Identity and Access Management (IAM) activity Informational Cloud 2 variations

    A cloud identity performed an unusual IAM operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Manipulate IAM configuration to strengthen the foothold in the cloud environment of the organization, by creating new accounts, modifying credentials, and permissions.Using the modified accounts, the attacker may perform additional activities in an evasive manner.
    Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive IAM operation that it shouldn't.

    Variations

    Unusual Identity and Access Management (IAM) activity executed from a cloud Internet facing instance

    Medium overridden

    A cloud Internet facing instance performed an unusual IAM operation. overridden

    Unusual Identity and Access Management (IAM) activity

    Low overridden

    A cloud non-user identity performed an unusual IAM operation. overridden

  • Unusual cloud identity impersonation Informational Cloud 3 variations

    A cloud identity attempted to impersonate another identity for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Escalate privileges and bypass access controls Avoid detection throughout their compromise.
    Investigative actions: Check the identity's designation. Verify that the identity did not perform any sensitive operation on behalf of the impersonated identity.

    Variations

    Unusual cloud identity impersonation of a management role

    Informational overridden

    A cloud identity attempted to impersonate a management role for the first time. overridden

    Suspicious cloud identity impersonation was succeeded

    Medium overridden

    A cloud identity has impersonated another identity for the first time. overridden

    Suspicious cloud identity impersonation was failed

    Informational overridden

    A cloud identity has failed to impersonate another identity. overridden

  • Unusual resource modification by newly seen IAM user Informational Cloud 3 variations

    A cloud resource was modified by a newly seen IAM user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Impact (TA0040)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Data Destruction (T1485)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Leverage access to manipulate cloud infrastructure.
    Investigative actions: Examine which resources were affected and how. Investigate any unusual activity originating from the identity.

    Variations

    Unusual Kubernetes resource modification by newly seen IAM user

    Informational overridden

    A cloud resource was modified by a newly seen IAM user. overridden

    Unusual IAM resource modification by newly seen IAM user

    Low overridden

    A cloud resource was modified by a newly seen IAM user. overridden

    Unusual resource modification by newly seen IAM user from an uncommon IP

    Low overridden

    A cloud resource was modified by a newly seen IAM user. overridden

  • Unusual user-agent for a cloud identity Informational Cloud 1 variation

    A cloud identity has executed an API call with an unusual user-agent.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Evade detection by using non-standard tools or scripts.
    Investigative actions: Examine the recent actions of the user for any abnormal or unauthorized behavior. Verify if the user intentionally used a new device or tool.

    Variations

    Unusual user-agent for a cloud identity by a compromised AWS access key

    Medium overridden

    A cloud identity has executed an API call with an unusual user-agent. overridden

  • User added SID History to an account Informational Identity Analytics 1 variation

    A user added SID history to an account. This may be indicative of a user's migration between domains or a SID injection attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Access Token Manipulation: SID-History Injection (T1134.005)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversaries may use SID history to escalate privileges and bypass access controls.
    Investigative actions: Verify if migration between domains was involved. Search for suspicious actions by the user, such as forged Kerberos tickets.

    Variations

    Suspicious SID History Addition

    Medium overridden

    A user added SID history to an account. The account was not migrated between domains, which may indicate a SID injection attack. overridden

  • User added to a group and removed Informational Identity Analytics 2 variations

    A user was added to an Active Directory group and removed within a short period of time, which may be a sign of compromise.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate permissions and establish persistence.
    Investigative actions: Verify the activity with the performing user. Confirm that the group addition was not accidental. Check for any suspicious actions performed by the added user. Check for a possible compromise of the initiating user.

    Variations

    Rare privileged group addition and removal

    Medium overridden

    A user was added to an Active Directory privileged group and removed within a short period of time, which may be a sign of compromise. overridden

    User added to a privileged group and removed

    Low overridden

    A user was added to an Active Directory privileged group and removed within a short period of time, which may be a sign of compromise. overridden

  • User added to the SMS Admins local group Low Identity Analytics 1 variation

    A user was added to the SMS Admins local group. This may indicate a potential attack targeting the Microsoft Configuration Manager infrastructure.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: Gain administrative control over Microsoft Configuration Manager to facilitate lateral movement, deploy malicious payloads, or exfiltrate data.
    Investigative actions: Verify the activity with the performing user. Confirm that the group addition was not accidental. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Investigate the user's activity before and after the addition to determine if any unauthorized actions or privilege escalation attempts occurred.

    Variations

    User added to the SMS Admins group and removed

    Medium overridden

    A user was added to the SMS Admins group and removed within a short period of time, which may be a sign of compromise. overridden

  • Windows Installer exploitation for local privilege escalation Medium

    The Windows installer (msiexec.exe) was likely exploited to run a malicious rollback script (.rbs file) instead of the original.Users should not be able to modify config.msi during the installation process, only SYSTEM should have access to it.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Exploitation for Privilege Escalation (T1068)
    Required data: XDR Agent
    Attacker's goals: An attacker is attempting to gain SYSTEM privileges.
    Investigative actions: Investigate the actor process SID and path and whether it's benign or normal for this host. This action is not common, but allowed on Windows versions older than Windows 8. On those systems, check the file reputation for both the CGO and OS actor executables that ran the installation.