Analytics Alerts
Browse the Cortex analytics alert reference.
130 alerts match the current filters. tactic: TA0004 ✕
Show ATT&CK heatmapService ticket request with a spoofed sAMAccountName Medium Identity Analytics
A Kerberos service ticket (ST) was requested for an account with a spoofed sAMAccountName.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Follow actions by the account and if it performed a DCSync.Setuid and Setgid file bit manipulation Low 1 variation
The setuid or setgid bits were set on a file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Abuse Elevation Control Mechanism: Setuid and Setgid (T1548.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may try to run the executable application as a different user.Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.Variations
Setuid and Setgid file bit manipulation in a Kubernetes pod
Low overridden
The setuid or setgid bits were set on a file. overridden
Sudoedit Brute force attempt Medium
An unusual amount of sudoedit commands executed in a short period of time. This may indicate an attempt to exploit CVE-2021-3156.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Exploitation for Privilege Escalation (T1068)Required data: XDR AgentAttacker's goals: The attacker may gain higher privileges via exploitation of sudoedit.Investigative actions: Verify that the current version of sudo in not vulnerable to CVE-2021-3156.Suspicious Udev driver rule execution manipulation Low 1 variation
Udev driver rule was modified with unusual pattern, might be used by adversaries to backdoor existing drivers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Boot or Logon Autostart Execution: Kernel Modules and Extensions (T1547.006)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversaries can use this technique to execute arbitrary commands once the machine boots.Investigative actions: Check if the action was done using an automation service. Check the rule modification content and look for any suspicious payloads. Check if there are any other suspicious activities originated from the same machine/executing user.Variations
Unusual Udev driver rule execution manipulation
Low overridden
Udev driver rule was modified with unusual pattern, might be used by adversaries to backdoor existing drivers. overridden
Suspicious account attribute modification that matches that of another account Low Identity Analytics 1 variation
Suspicious account attribute modification that matches that of another account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts: Domain Accounts (T1078.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker might modify account attributes to elevate privileges and get access to strong accounts in the domain.Investigative actions: Check if any associated certificates were granted. Check if any login attempts were made by the impersonated accounts using certificates. Check if any Kerberos TGT tickets were generated by the impersonated accounts using certificates.Variations
Suspicious account attribute modification that matches that of a sensitive machine account
Medium overridden
Suspicious account attribute modification that matches that of another account. overridden
Suspicious container orchestration job Low
A suspicious orchestration job ran with a rare command line.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 10 Minutes
ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Scheduled Task/Job: Container Orchestration Job (T1053.007)Required data: XDR AgentAttacker's goals: Adversaries may abuse task scheduling functionality provided by container orchestration tools The adversaries do that to schedule deployment of containers configured to execute malicious code.Investigative actions: Investigate The process activities and impact on the relevant container.Suspicious dNSHostName attribute change to DC name Medium Identity Analytics
The dNSHostName attribute of a machine account was changed to a Domain Controller server name.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts: Domain Accounts (T1078.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Check if any associated TGTs or service tickets were granted. Follow actions by the account and if it performed a DCSync.Suspicious process executed with a high integrity level Informational 1 variation
A suspicious process was spawned with a High or System integrity level, which is higher than its parent process. This may indicate malicious privilege escalation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: XDR AgentAttacker's goals: An attacker may attempt to gain higher privileges.Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Investigate the endpoint to determine if it's a legitimate process that is supposed to run with privileges.Variations
Suspicious process executed with a high integrity level
Low overridden
A suspicious process was spawned with a High or System integrity level, which is higher than its parent process. This may indicate malicious privilege escalation. overridden
Suspicious process execution in a privileged container Informational 1 variation
A process was executed in a privileged Kubernetes Pod for the first time in the past 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)ATT&CK techniques: Container Administration Command (T1609) Escape to Host (T1611)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network and gain higher privileges.Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the command run from the host and understand which software initiated it.Variations
Suspicious process execution in a new privileged container
Informational overridden
A process was executed in a privileged Kubernetes Pod for the first time in the past 30 days. overridden
Suspicious process modified RC script file Low 1 variation
A suspicious process modified an RC script file. These files allow system administrators to map and start custom services at startup for different run levels. This may be done to establish persistence.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Boot or Logon Initialization Scripts: RC Scripts (T1037.004)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, ContainersAttacker's goals: Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system's startup.Investigative actions: Check the modified RC script file and try to understand the impact of the file modification.Variations
Suspicious process modified RC script file in a Kubernetes pod
Low overridden
A suspicious process modified an RC script file. These files allow system administrators to map and start custom services at startup for different run levels. This may be done to establish persistence. overridden
Suspicious sAMAccountName change Low Identity Analytics 1 variation
The name of a machine account was changed to a sAMAccountName with a missing trailing dollar sign.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Check if any associated TGTs or service tickets were granted. Follow actions by the account and if it performed a DCSync.Variations
Suspicious sAMAccountName change to DC hostname
Medium overridden
The name of a machine account was changed to a sAMAccountName with a missing trailing dollar sign. overridden
Suspicious systemd timer activity Low
Suspicious systemd timer activity, which may indicate an attempt to establish persistence.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Scheduled Task/Job: Systemd Timers (T1053.006)Required data: XDR AgentAttacker's goals: An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.Investigative actions: Check the systemd timer file change and try to understand the impact of the systemd timers change.TGT request with a spoofed sAMAccountName - Event log Medium Identity Analytics
A Kerberos authentication ticket (TGT) was requested for an account with a spoofed sAMAccountName.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Check if any associated service tickets were granted. Follow actions by the account and if it performed a DCSync.TGT request with a spoofed sAMAccountName - Network Medium Identity Analytics
A Kerberos authentication ticket (TGT) was requested for an account with a spoofed sAMAccountName.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: XDR AgentAttacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Check if any associated service tickets were granted. Follow actions by the account and if it performed a DCSync.The CA policy EditFlags was queried Medium
The CA policy EditFlags was queried.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078)Required data: XDR AgentDetector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Querying this registry value can indicate an attacker is looking for an enabled EDITF_ATTRIBUTESUBJECTALTNAME2 flag. When this flag is enabled, it allows users to request certificates with a Subject Alternate Name(SAN). This can allow an attacker to obtain a certificate with higher privileges.Investigative actions: Check if the action was allowed by the user. Monitor certificate enrollments with Subject Alternate Names. Check for unusual high privilege users certificate authentications.Uncommon DLL-sideloading from a logical CD-ROM (ISO) device Medium
A DLL was loaded by an executable from the same folder on a logical CD-ROM device (ISO).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001) User Execution: Malicious File (T1204.002)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load untrusted code into trusted contexts to avoid detection or escalate privileges.Investigative actions: Investigate the loaded module and verify if it is malicious. Check if the disk is a mounted CD-ROM (for example from an ISO file), and if it contains hidden files and folders. Check the content of an 'autorun.inf' or '.lnk' files if they exist.Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer Low 4 variations
A process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Process Injection: Portable Executable Injection (T1055.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Injection AnalyticsAttacker's goals: Gain code execution on the host in the context of another process.Investigative actions: Investigate the acting process for other malicious activities. Check if the target process was injected and for anomalies in its behavior after this event.Variations
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an office process
High overridden
An office process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an injected thread
Medium overridden
An injected thread wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from a LOLBIN process
Medium overridden
A LOLBIN process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an unsigned process
Medium overridden
An unsigned process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden
Uncommon Security Support Provider (SSP) registered via a registry key Low
Security Support Provider (SSP) exposes a number of callbacks to be invoked during certain authentication and authorization events.An attacker may register SSP to try and gain access to clear text passwords.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Boot or Logon Autostart Execution: Security Support Provider (T1547.005)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain clear text passwords and persistency in the network.Investigative actions: Audit the specific key values to verify that the additional values are trusted.Unknown DLL was added to the AD FS Global Assembly Cache path Informational Identity Analytics 1 variation
A new and unknown DLL was created within the Active Directory Federation Services (AD FS) Global Assembly Cache (GAC). Attackers may manipulate IdentityServer adapters to achieve persistence or execute malicious code within the AD FS environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Hijack Execution Flow (T1574)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Federation Services AnalyticsAttacker's goals: Attackers may inject malicious code into the AD FS server and manipulate the IdentityServer adapters to gain persistence.Investigative actions: Check if the AD FS service was stopped or restarted around the time of modification. Identify the user or process responsible for the file creation. Verify if the DLL is digitally signed by Microsoft. Compare the modification timestamp of this DLL against others in the same directory.Variations
Suspicious DLL was added to the AD FS Global Assembly Cache path
Low overridden
A new and unknown DLL was created within the Active Directory Federation Services (AD FS) Global Assembly Cache (GAC). Attackers may manipulate IdentityServer adapters to achieve persistence or execute malicious code within the AD FS environment. overridden
Unsigned DLL Hijack into a Microsoft process Informational 7 variations
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.Variations
Unsigned DLL Hijack into a recently created Microsoft process which commonly loads the module as signed
Medium overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.In addition, The Microsoft process which commonly loads the module as signed,had loaded the module as unsigned, which might indicate an attacker targeting a popular module name. overridden
Rare and unsigned DLL into an injected Microsoft process
Medium overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Hijack of a low entropy DLL into a Microsoft process
Low overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Hijack of a high entropy DLL into a Microsoft process
Low overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Hijack into a Microsoft process - the DLL downloaded from an uncommon source
Low overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Hijack into a recently created Microsoft process
Low overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Hijack into a Microsoft process which was executed by a scheduled task
Low overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Side-Loading Informational 6 variations
A signed process loaded an unsigned and rare module from the same folder.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.Variations
DLL Side-Loading of module bearing an invalid Microsoft signature
High overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned DLL Side-Loading to a signed microsoft process by a rare causality actor
Medium overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned DLL Side-Loading to a signed microsoft process
Low overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned DLL Side-Loading - DLL downloaded from an uncommon source
Low overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned high entropy DLL Side-Loading by untrusted causality actor
Low overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned DLL Side-Loading which was executed by a scheduled task
Low overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned process injecting into a Windows system binary with no command line Medium
An attacker may be trying to avoid detection by injecting their malicious code into a legitimate Windows system binary.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.Unusual Identity and Access Management (IAM) activity Informational Cloud 2 variations
A cloud identity performed an unusual IAM operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Manipulate IAM configuration to strengthen the foothold in the cloud environment of the organization, by creating new accounts, modifying credentials, and permissions.Using the modified accounts, the attacker may perform additional activities in an evasive manner.Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive IAM operation that it shouldn't.Variations
Unusual Identity and Access Management (IAM) activity executed from a cloud Internet facing instance
Medium overridden
A cloud Internet facing instance performed an unusual IAM operation. overridden
Unusual Identity and Access Management (IAM) activity
Low overridden
A cloud non-user identity performed an unusual IAM operation. overridden
Unusual cloud identity impersonation Informational Cloud 3 variations
A cloud identity attempted to impersonate another identity for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Escalate privileges and bypass access controls Avoid detection throughout their compromise.Investigative actions: Check the identity's designation. Verify that the identity did not perform any sensitive operation on behalf of the impersonated identity.Variations
Unusual cloud identity impersonation of a management role
Informational overridden
A cloud identity attempted to impersonate a management role for the first time. overridden
Suspicious cloud identity impersonation was succeeded
Medium overridden
A cloud identity has impersonated another identity for the first time. overridden
Suspicious cloud identity impersonation was failed
Informational overridden
A cloud identity has failed to impersonate another identity. overridden
Unusual resource modification by newly seen IAM user Informational Cloud 3 variations
A cloud resource was modified by a newly seen IAM user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Impact (TA0040)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Data Destruction (T1485)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Leverage access to manipulate cloud infrastructure.Investigative actions: Examine which resources were affected and how. Investigate any unusual activity originating from the identity.Variations
Unusual Kubernetes resource modification by newly seen IAM user
Informational overridden
A cloud resource was modified by a newly seen IAM user. overridden
Unusual IAM resource modification by newly seen IAM user
Low overridden
A cloud resource was modified by a newly seen IAM user. overridden
Unusual resource modification by newly seen IAM user from an uncommon IP
Low overridden
A cloud resource was modified by a newly seen IAM user. overridden
Unusual user-agent for a cloud identity Informational Cloud 1 variation
A cloud identity has executed an API call with an unusual user-agent.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Evade detection by using non-standard tools or scripts.Investigative actions: Examine the recent actions of the user for any abnormal or unauthorized behavior. Verify if the user intentionally used a new device or tool.Variations
Unusual user-agent for a cloud identity by a compromised AWS access key
Medium overridden
A cloud identity has executed an API call with an unusual user-agent. overridden
User added SID History to an account Informational Identity Analytics 1 variation
A user added SID history to an account. This may be indicative of a user's migration between domains or a SID injection attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Access Token Manipulation: SID-History Injection (T1134.005)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversaries may use SID history to escalate privileges and bypass access controls.Investigative actions: Verify if migration between domains was involved. Search for suspicious actions by the user, such as forged Kerberos tickets.Variations
Suspicious SID History Addition
Medium overridden
A user added SID history to an account. The account was not migrated between domains, which may indicate a SID injection attack. overridden
User added to a group and removed Informational Identity Analytics 2 variations
A user was added to an Active Directory group and removed within a short period of time, which may be a sign of compromise.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate permissions and establish persistence.Investigative actions: Verify the activity with the performing user. Confirm that the group addition was not accidental. Check for any suspicious actions performed by the added user. Check for a possible compromise of the initiating user.Variations
Rare privileged group addition and removal
Medium overridden
A user was added to an Active Directory privileged group and removed within a short period of time, which may be a sign of compromise. overridden
User added to a privileged group and removed
Low overridden
A user was added to an Active Directory privileged group and removed within a short period of time, which may be a sign of compromise. overridden
User added to the SMS Admins local group Low Identity Analytics 1 variation
A user was added to the SMS Admins local group. This may indicate a potential attack targeting the Microsoft Configuration Manager infrastructure.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft SCCM AnalyticsAttacker's goals: Gain administrative control over Microsoft Configuration Manager to facilitate lateral movement, deploy malicious payloads, or exfiltrate data.Investigative actions: Verify the activity with the performing user. Confirm that the group addition was not accidental. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Investigate the user's activity before and after the addition to determine if any unauthorized actions or privilege escalation attempts occurred.Variations
User added to the SMS Admins group and removed
Medium overridden
A user was added to the SMS Admins group and removed within a short period of time, which may be a sign of compromise. overridden
Windows Installer exploitation for local privilege escalation Medium
The Windows installer (msiexec.exe) was likely exploited to run a malicious rollback script (.rbs file) instead of the original.Users should not be able to modify config.msi during the installation process, only SYSTEM should have access to it.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Exploitation for Privilege Escalation (T1068)Required data: XDR AgentAttacker's goals: An attacker is attempting to gain SYSTEM privileges.Investigative actions: Investigate the actor process SID and path and whether it's benign or normal for this host. This action is not common, but allowed on Windows versions older than Windows 8. On those systems, check the file reputation for both the CGO and OS actor executables that ran the installation.