Analytics Alerts
Browse the Cortex analytics alert reference.
194 alerts match the current filters. tactic: TA0006 ✕
Show ATT&CK heatmapOwner added to Azure application Informational Identity Threat Module
An identity was added as an owner to an Azure application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal Application Access Token (T1528)Required data: AzureAD Audit LogAttacker's goals: An attacker may add owners to an application to authenticate as the application later on and access resources.Investigative actions: Check if the added account is new to the organization. Check whether the account that added the new owner is supposed to perform such actions. Check for possible logins from the application modified. Follow further actions done by the application.Possible AS-REP Roasting Attack Medium Identity Analytics 1 variation
A user enumerated all accounts that don't require pre-authentication in the organization and specifically requested tickets for those accounts. This is typically a sign of an AS-REP Roasting attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Kerberos Tickets: AS-REP Roasting (T1558.004)Required data: XDR Agent XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak Kerberos encryption.Variations
AS-REP Roasting Attack
High overridden
A user enumerated all accounts that don't require pre-authentication in the organization and specifically requested tickets for those accounts. This is typically a sign of an AS-REP Roasting attack. overridden
Possible Brute-Force attempt Informational Identity Analytics 2 variations
This may indicate a brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 15 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)ATT&CK techniques: Brute Force (T1110) Remote Services (T1021)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the accounts.Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.Variations
Possible Brute-Force attempt on a Honey User Account
Medium overridden
This may indicate a brute-force attack. overridden
Possible Brute-Force attempt with a successful login and suspicious characteristics
Low overridden
This may indicate a brute-force attack. overridden
Possible ConsentFix - OAuth Token Theft Detected Informational Identity Threat Module 1 variation
Detection of potential OAuth token theft via a forced 'localhost' redirect and first-party app abuse.This indicates an attacker has likely bypassed MFA to hijack a user's cloud session.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)ATT&CK techniques: Phishing (T1566) User Execution: Malicious Link (T1204.001) Steal Application Access Token (T1528)Required data: AzureADAttacker's goals: Bypass identity trust controls to gain persistent unauthorized access to cloud resources.Investigative actions: Check for successful logins to Azure CLI or PowerShell from anomalous IPs. Review sign-in logs for User-Agents associated with CLI tools or scripts. Revoke all active OAuth refresh tokens for the user immediately.Variations
OAuth Token Theft - Potential Session Hijacking Detected from new ASN
Low overridden
Detection of potential OAuth token theft via a forced 'localhost' redirect and first-party app abuse.This indicates an attacker has likely bypassed MFA to hijack a user's cloud session. overridden
Possible DCSync from a non domain controller Low 5 variations
Attackers may pose a compromised host as a DC to replicate data to it (DCSync).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005)ATT&CK techniques: OS Credential Dumping: DCSync (T1003.006) Rogue Domain Controller (T1207)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Impacket AnalyticsAttacker's goals: An attacker is trying to retrieve Active Directory data, including password hashes.Investigative actions: Check whether one of the machines is a new domain controller.Variations
DCSync from a non domain controller from a non-standard process
High overridden
Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden
Large DCSync from a non domain controller by AppID
Medium overridden
Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden
Large DCSync from a non domain controller
Medium overridden
Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden
Possible DCSync from an internet-facing server
Medium overridden
Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden
DCSync from a non domain controller
Low overridden
Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden
Possible Distributed File System Namespace Management (DFSNM) abuse High
A possible abuse of Distributed File System Namespace Management (DFSNM).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Forced Authentication (T1187) Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker can abuse the Distributed File System Namespace Management protocol to coerce an authentication from a DC. This authentication can later be used for obtaining a DC certificate for DCSync.Investigative actions: Check for a suspicious process on the initiator. Check if the source host is a vulnerability scanner. Look for unusual AD CS certificate requests. Check for possible DCSync alerts.Possible Kerberoasting attack Medium Identity Analytics 1 variation
A user enumerated all service principals in the organization and specifically requested weak and deprecated encryption in a ticket request. This is typically a sign of a Kerberoasting attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)Required data: XDR Agent XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.Investigative actions: Check who used the host at the time of the alert to rule out a benign service or tool requesting weak Kerberos encryption.Variations
Kerberoasting attack
High overridden
A user enumerated all service principals in the organization and specifically requested weak and deprecated encryption in a ticket request. This is typically a sign of a Kerberoasting attack. overridden
Possible Kerberoasting without SPNs Low 1 variation
A user specifically requested weak and deprecated encryption in a Kerberos TGS request. This provides easy-to-crack hashes, and is typically a sign of a Kerberoasting attack. The requested service was specified by using a suspicious SPN type, which is often used by Kerberoasting tools to request by SAN instead of SPN.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: Crack service account credentials by obtaining an easy-to-crack Kerberos ticket.Investigative actions: Check who used the host at the time of the alert to rule out a benign service or tool requesting weak Kerberos encryption.Variations
Possible Kerberoasting without SPNs on a sensitive server
Medium overridden
A user specifically requested weak and deprecated encryption in a Kerberos TGS request. This provides easy-to-crack hashes, and is typically a sign of a Kerberoasting attack. The requested service was specified by using a suspicious SPN type, which is often used by Kerberoasting tools to request by SAN instead of SPN. overridden
Possible Search For Password Files Medium
Attackers often search for files that have passwords in them.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR AgentAttacker's goals: Gain user-account credentials.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Possible authentication coercion Informational Identity Analytics 2 variations
An unusual Remote Procedure Call (RPC) was made to potentially cause authentication coercion.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Forced Authentication (T1187) Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker can abuse Remote Procedure Calls to coerce authentication from servers.Investigative actions: Check for a suspicious process on the initiator. Check if the source host is a vulnerability scanner. Check for unusual connections from {actor_remote_ip} to other servers in the network. Check for logged-in users to {actor_remote_ip} and investigate their actions. Check for indicators of compromise on {actor_remote_ip}.Variations
Possible authentication coercion from an unconstrained delegation server to a sensitive server
Medium overridden
An unusual Remote Procedure Call (RPC) was made towards a sensitive server, to potentially cause authentication coercion. overridden
Possible authentication coercion to a sensitive server
Low overridden
An unusual Remote Procedure Call (RPC) was made towards a sensitive server, to potentially cause authentication coercion. overridden
Possible brute force on sudo user Informational 1 variation
A user executed an unusual amount of sudo commands in a short time period.This may indicate an attempt to guess the sudo password.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Guessing (T1110.001)Required data: XDR AgentAttacker's goals: The attacker may gain full privileges to the host.Investigative actions: Verify which user ran these commands and if it is a legitimate behavior on this host.Variations
Possible brute force on sudo user
Low overridden
A user executed an unusual amount of sudo commands in a short time period.This may indicate an attempt to guess the sudo password. overridden
Possible brute force or configuration change attempt on cytool High
An unusual amount of cytool commands were executed in a short period from a user who doesn't usually run these commands.This may indicate an attempt to guess the Administrator password.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Guessing (T1110.001)Required data: XDR AgentAttacker's goals: The attacker may disable the agent to perform malicious activities.Investigative actions: Verify which user ran these commands and if it is a legitimate behavior on this host.Possible external RDP Brute-Force Low Identity Analytics 2 variations
Multiple failed remote logins originated from an external IP with at least one successful login.This may indicate a successful brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Guessing (T1110.001)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the accounts.Investigative actions: If the source IP is an internal IP, adjust network IP ranges. Identify the user performing RDP and check that it is authorized. Check whether this IP has a malicious reputation. Reset the user's password. Follow further actions done by the user.Variations
Possible external RDP Brute-Force on a Honey User Account
Medium overridden
Multiple failed remote logins originated from an external IP with at least one successful login.This may indicate a successful brute-force attack. overridden
Potential External Brute-Force via RDP on Sensitive User
Medium overridden
Multiple failed remote logins from an external IP with a sensitive user and at least one successful login.This may indicate a successful brute-force attack. overridden
Possible network sniffing attempt via tcpdump or tshark Low
Attackers may monitor network traffic for cleartext credentials or to learn the network's configuration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: Network Sniffing (T1040)Required data: XDR AgentAttacker's goals: Gain user-account credentials.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Possible new DHCP server Medium
A DHCP response was sent from an unknown DHCP server.Attackers may send a DHCP response to a host in his LAN to inject a DNS server, route or WPAD server.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Adversary-in-the-Middle (T1557)Required data: XDR AgentAttacker's goals: The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.Investigative actions: Check if the source agent is a legitimate DHCP server. Check if the attacked host send DNS queries to an unusual IP. Check if the attacked host send WPAD HTTP/S requests to an unusual host.Possible use of a networking driver for network sniffing Informational 2 variations
A process wrote a known networking driver with network sniffing capabilities to disk, attackers can use it to sniff passwords and other credentials from the network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: Network Sniffing (T1040)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Enable access to raw network traffic via promiscuous mode, allowing an attacker to sniff credentials and other sensitive data from the organization's network, and in some cases interfere with network communications.Investigative actions: Verify whether the process is expected and recognized by IT or the user. Check whether the driver was installed recently. If it was installed using sc.exe, this may indicate malicious activity. Review who executed sc.exe to validate legitimacy.Variations
Possible use of a networking driver for network sniffing
Medium overridden
A process wrote a known and rare networking driver with network sniffing capabilities to not standard location for drivers on the disk, attackers can use it to sniff passwords and other credentials from the network. overridden
Possible use of a networking driver for network sniffing
Low overridden
A process wrote a known networking driver with network sniffing capabilities to not standard location for drivers on the disk, attackers can use it to sniff passwords and other credentials from the network. overridden
Potential DCSync by an unusual user Informational Identity Analytics 1 variation
Attackers may leverage the domain replication process to extract sensitive information (DCSync).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping: DCSync (T1003.006) Rogue Domain Controller (T1207)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker is trying to retrieve Active Directory data, including password hashes.Investigative actions: Check the role of the account, and see if it should initiate a DC synchronization. Check if the account performing the DCSync is related to a new DC. Find the source host of the DCSync (correlate between event 4662 and 4624 based on the field 'Logon ID'). Check if the account was recently added to an administrative groups/had new sensitive privileges assigned to it. Monitor suspicious traffic to/from the host to identify lateral movement or access to sensitive resources.Variations
Possible DCSync by an unusual user
Low overridden
Attackers may leverage the domain replication process to extract sensitive information (DCSync). overridden
Potential NTLM Relay Attack Informational Identity Analytics 3 variations
Multiple NTLM authentications were made to the same workstation and user from different IPs.This might indicate a potential NTLM Relay attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)Required data: XDR AgentAttacker's goals: The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.Investigative actions: Ensure that the alerted host is not a NAT device or proxy that replicates or forwards network traffic as part of its expected operational behavior. Check if the workstation supports weak, outdated versions of NTLM. Check for network activity to and from the suspicious IP address and workstation, to verify if they were compromised. Check for process activity to and from the suspicious IP address to verify if it was compromised. Check for changes in the network configurations, including indicators of poisoning attacks. Monitor closely the actions of the potentially compromised user account for any anomalous behavior.Variations
NTLM Relay Attack using a sensitive user and a vulnerable package
Medium overridden
Multiple NTLM authentications were made to the same workstation and sensitive user from different IPs using a vulnerable NTLM package.This might indicate a potential NTLM Relay attack. overridden
Potential NTLM Relay Attack using a vulnerable package
Low overridden
Multiple NTLM authentications were made to the same workstation and user from different IPs using a vulnerable NTLM package.This might indicate a potential NTLM Relay attack. overridden
Potential NTLM Relay Attack using a sensitive user
Low overridden
Multiple NTLM authentications were made to the same workstation and sensitive user from different IPs.This might indicate a potential NTLM Relay attack. overridden
Potential NTLM Relay Attack against a Microsoft Configuration Manager Site Server Informational Identity Analytics 1 variation
Multiple NTLM authentications were made to the same Microsoft Configuration Manager site server and user from different IPs in a short period of time.This might indicate a potential NTLM Relay attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)Required data: XDR AgentDetector tags: Microsoft SCCM AnalyticsAttacker's goals: An attacker may coerce the SCCM site server to authenticate to a malicious host and relay it to escalate privileges and move laterally across site systems.Investigative actions: Ensure that the alerted host is not a NAT device or proxy that replicates or forwards network traffic as part of its expected operational behavior. Check if the protocols used are vulnerable to an NTLM relay attack (e.g. LDAP, SMB). Ensure that SMB signing is enabled in the case of a possible SMB relay attack. Check for network activity to and from the suspicious IP address to verify if it is a compromised machine. Monitor closely the actions of the potentially compromised user account for any anomalous behavior, especially suspicious SCCM-related activity occurring near the time of the alert.Variations
Potential NTLM Relay Attack against a Microsoft Configuration Manager Site Server using a vulnerable package
Low overridden
Multiple NTLM authentications were made to the same Microsoft Configuration Manager site server and user from different IPs using a vulnerable NTLM package in a short period of time.This might indicate a potential NTLM Relay attack. overridden
Potential SCCM credential harvesting using WMI detected Low 3 variations
Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: Windows Management Instrumentation (T1047) Unsecured Credentials (T1552)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft SCCM AnalyticsAttacker's goals: Obtain credentials used by the SCCM service.Investigative actions: Examine the process that executed the WMI query and the CGO and verify that the processes are from a trusted source. Inspect the system for malicious activity that is related to that process.Variations
Potential SCCM credential harvesting using WMI detected from a remote machine
Medium overridden
Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM. overridden
Potential SCCM inventory query using WMI detected
Low overridden
Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM. overridden
Potential Enumeration of SCCM User, Device, and Deployment Data via WMI
Low overridden
Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM. overridden
Potential creation of persistent cloud credentials Informational Cloud
A cloud identity invoked a credential-related persistence operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Credential Access (TA0006) Lateral Movement (TA0008)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Forge Web Credentials (T1606) Use Alternate Authentication Material: Application Access Token (T1550.001)Required data: AWS Audit LogAttacker's goals: Maintain persistence in cloud environments.Investigative actions: Check what API calls were executed by the identity. Check what resources are affected by this change. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account.Potential extraction of NAA Account Credentials in Microsoft Configuration Manager Low Identity Analytics 1 variation
Possible user attempt to deobfuscate Network Access Account (NAA) credentials in Microsoft Configuration Manager. This may indicate a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005)ATT&CK techniques: Unsecured Credentials (T1552) Deobfuscate/Decode Files or Information (T1140) Credentials from Password Stores (T1555)Required data: Azure Audit Log AzureAD AzureAD Audit Log Microsoft Graph Logs Office 365 Audit Okta Okta Audit Log Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Global Protect Third-Party VPNs Slack Audit Log XDR Agent XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft SCCM AnalyticsAttacker's goals: An attacker may extract plaintext credentials of the Network Access Account (NAA) from an SCCM environment to access resources and lateral movement within the network.Investigative actions: Verify the activity with the performing user. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Look for unusual logins using the Network Access Account (NAA), on systems or at times that deviate from normal patterns. Looking for signs of credential extraction, such as tools or scripts.Variations
Suspicious extraction of NAA Account Credentials in Microsoft Configuration Manager
Medium overridden
Possible user attempt to deobfuscate Network Access Account (NAA) credentials in Microsoft Configuration Manager. This may indicate a compromised account. overridden
Potential kubelet impersonation attempt Low 1 variation
A process accessed both the Kubelet credentials and the Kubernetes CA certificate, indicating an attempt to impersonate the node agent and communicate with the API server.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Impersonate the node agent to gain control over the cluster.Investigative actions: Look for additional suspicious activities. Verify if the exposed credentials were used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.Variations
Potential kubelet impersonation attempt by an unusual process
Medium overridden
A process accessed both the Kubelet credentials and the Kubernetes CA certificate, indicating an attempt to impersonate the node agent and communicate with the API server. overridden
PowerShell pfx certificate extraction Informational 1 variation
PowerShell was used to extract a pfx certificate file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Attackers may export certificates to .pfx files to use them for authentication, persistence or NTLM extraction.Investigative actions: Check if the pfx creation is legitimate for the user (Testing, IT, etc.). Follow further actions done by the user (ex. authentication using certificates).Variations
Suspicious PowerShell pfx certificate extraction
Low overridden
A user used PowerShell to extract a pfx certificate file. overridden
Procdump executed from an atypical directory Medium
Procdump.exe is a SysInternals tool used to dump process memory; it can be used to dump lsass.exe memory to extract credentials.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Credential Access (TA0006)ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001) OS Credential Dumping: LSASS Memory (T1003.001)Required data: XDR AgentAttacker's goals: Attackers may attempt to dump the memory of sensitive processes.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Rare process accessed a Keychain file Informational 5 variations
An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores: Keychain (T1555.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Credentials Grabbing AnalyticsAttacker's goals: Obtain access to credentials stored in the Keychain file.Investigative actions: Determine whether it is legitimate for the process to access credential data directly. Analyze the process/application that touched the Keychain. Check for any other suspicious actions that were performed by the process. Look for unusual access to resources using credentials stored on said Keychain.Variations
Rare process accessed a Keychain file using the networksetup tool
High overridden
An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden
Rare process accessed a Keychain file while installing a new certificate
Medium overridden
An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden
Rare process accessed a Keychain file initiated by a causality actor with a rare path
Low overridden
An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden
Rare process accessed a Keychain file initiated by an unsigned causality actor
Low overridden
An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden
Rare unsigned process accessed a Keychain file
Low overridden
An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden
Reading bash command history file Low
Attackers may access the bash history file to glean cleartext usernames and passwords that were entered on the command line.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Shell History (T1552.003)Required data: XDR AgentAttacker's goals: Adversaries may search the bash history file to search for insecurely stored credentials.Investigative actions: Investigate the process activities and use of the extracted credentials.Remote account enumeration Informational Identity Analytics 2 variations
Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: Account Discovery (T1087) Brute Force (T1110)Required data: XDR AgentAttacker's goals: Discover valid accounts to gain credentials.Investigative actions: Check if the login attempts were part of a legitimate misunderstanding of the system or part of an attack.Variations
Suspicious Remote domain account enumeration
Medium overridden
Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts. overridden
Remote account enumeration on domain accounts
Low overridden
Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts. overridden
Remote usage of AWS Lambda's role Informational Cloud 5 variations
An AWS Lambda's role was used externally of the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogAttacker's goals: Exfiltrate token and abuse it remotely.Investigative actions: Check if the IAM role was assumed by an unknown identity. Check what API calls were executed using the access-key.Variations
Remote command line usage of AWS Lambda's role
High overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Suspicious usage of AWS Lambda's role
Medium overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Suspicious usage of AWS Lambda's role
Low overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Suspicious usage of AWS Lambda's role
High overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Usage of AWS Lambda's role from a known ASN
Informational overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Remote usage of VM Service Account token Informational Cloud 1 variation
A GCP Service Account token, which is attached to a VM, was used externally of the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552)Required data: Gcp Audit LogAttacker's goals: Exfiltrate token and abuse it remotely.Investigative actions: Check if the service account was attached to a specific VM. Check if the service account was used by a user. Check if the relevant VM is compromised.Variations
Suspicious usage of VM Service Account token
High overridden
A GCP Service Account token, which is attached to a VM, was used externally of the cloud environment. overridden
Remote usage of an AWS service token Low Cloud 1 variation
An AWS service token was used externally of the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008) Initial Access (TA0001)ATT&CK techniques: Steal Application Access Token (T1528) Use Alternate Authentication Material: Application Access Token (T1550.001) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogAttacker's goals: Exfiltrate a token and abuse it remotely.Investigative actions: Check what actions were executed using the access-key. Check if the IAM role was assumed by a different identity.Variations
Suspicious usage of AWS service token
Medium overridden
An AWS service token was used externally of the cloud environment. overridden
Remote usage of an App engine Service Account token Informational Cloud 1 variation
A GCP Service Account token, which is attached to an app engine, was used externally of the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552)Required data: Gcp Audit LogAttacker's goals: Exfiltrate token and abuse it remotely.Investigative actions: Check if the Service Account was attached to a specific app engine. Check if the Service Account was used by a user. Check if the relevant app engine is compromised.Variations
Suspicious usage of App engine Service Account token
High overridden
A GCP Service Account token, which is attached to an app engine, was used externally of the cloud environment. overridden
Remote usage of an Azure Managed Identity token Low Cloud 4 variations
An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552)Required data: Azure Audit LogDetector tags: Cloud Serverless Function Credentials Theft AnalyticsAttacker's goals: Exfiltrate valid token and abuse it remotely.Investigative actions: Verify whether the Managed Identity should be used remotely. Check what API calls were executed by the Managed Identity. Check if the relevant compute service is compromised.Variations
Remote usage of an Azure Function App's Managed Identity token
Medium overridden
An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment. overridden
Remote usage of an Azure Automation Account's Managed Identity token
Medium overridden
An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment. overridden
Remote usage of an Azure Managed Identity token from an unusual ASN
High overridden
An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment. overridden
Remote usage of an Azure Managed Identity token from an unusual IP
Medium overridden
An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment. overridden
Remote usage of an Azure Service Principal token Informational Cloud 2 variations
An Azure Service Principal token was used externally of the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552)Required data: Azure Audit LogAttacker's goals: Exfiltrate valid token and abuse it remotely.Investigative actions: Verify whether the service principal should be used remotely. Check what API calls were executed by the service principal. Determine whether the service principal is compromised.Variations
Remote usage of an Azure Service Principal token from an unusual ASN
High overridden
An Azure Service Principal token was used externally of the cloud environment. overridden
Remote usage of an Azure Service Principal token from an unusual IP
Medium overridden
An Azure Service Principal token was used externally of the cloud environment. overridden
Retrieval of kubelet credentials Informational 1 variation
A process retrieved kubelet credentials.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Impersonate the node agent to gain control over the cluster.Investigative actions: Look for additional suspicious activities. Verify if the exposed credentials were used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.Variations
Retrieval of kubelet credentials by an unusual process
Low overridden
A process retrieved kubelet credentials. overridden
SSH authentication brute force attempts Informational Identity Analytics 2 variations
A user attempted to authenticate via SSH an excessive number of times in a short period. This may indicate a brute force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 15 Minutes
- Deduplication:
- 3 Hours
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110)Required data: XDR AgentAttacker's goals: Attackers attempt to log in to a remote host.Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.Variations
Successful SSH Brute Force
Low overridden
A user successfully authenticated via SSH after an excessive number of failures in a short period. overridden
Possible SSH Brute Force
Low overridden
A user attempted to authenticate via SSH an excessive number of times in a short period. This may indicate a brute force attack. overridden
SSO Brute Force Informational Identity Analytics 3 variations
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Brute Force (T1110) Brute Force: Password Guessing (T1110.001) Compromise Accounts (T1586)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: An attacker is attempting to gain access to an account secured with MFA.Investigative actions: Check the legitimacy of this activity and determine whether it is malicious or not. Check if the user usually logs in from this country. Check whether a successful login was made after unsuccessful attempts.Variations
SSO Brute Force on a Honey User Account
Medium overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack. overridden
SSO Brute Force Threat Detected
Medium overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack. overridden
SSO Brute Force Activity Observed
Low overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack. overridden
SSO Password Spray Informational Identity Analytics 3 variations
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001) Compromise Accounts (T1586)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.Investigative actions: See whether this was a legitimate action. Check if the user usually logs in from this country. Check whether a successful login was made after unsuccessful attempts.Variations
SSO Password Spray Involving a Honey User
Medium overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack. overridden
SSO Password Spray Threat Detected
Medium overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack. overridden
SSO Password Spray Activity Observed
Low overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack. overridden
Sensitive browser credential files accessed by a rare non browser process Informational 1 variation
Sensitive browser credential files accessed by a rare non browser process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores: Credentials from Web Browsers (T1555.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Achieve Credential Access by harvesting credentials from local browser storage.This facilitates Lateral Movement and Persistence across the environmentto gain unauthorized control over sensitive resources and information.Investigative actions: Determine the legitimacy of the actor process that accessed the sensitive browser credential files. Analyze the process signature, file path, and command line arguments to verify the process's authenticity. Identify the process or user responsible for initiating the activity and assess its legitimacy.Variations
Sensitive browser credential files accessed by a rare non browser process from a commonly abused directory
Low overridden
Sensitive browser credential files accessed by a rare non browser process. overridden
Single account excessively locked out Informational Identity Analytics 1 variation
A user has been locked out an unusually high number of times within a short timeframe. This could indicate an attempt to gain unauthorized access to the user's account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110) Brute Force: Password Spraying (T1110.003)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.Investigative actions: Investigate the associated authentication attempts and login failures (e.g. 4740, 4625, 4776 events). Check if there were any successful authentications (event ID 4624). Determine if any programs have stored outdated credentials, causing account lockouts. Check recent user activity for unusual behavior, such as logins from unfamiliar locations or devices. Confirm whether the user's credentials have been compromised or leaked. Review if the account is enrolled in multifactor authentication (MFA). Find the computer responsible for the lockouts and verify if it exists on the domain. Monitor services that may be running with a user's credentials.Variations
Single suspicious account excessively locked out
Low overridden
A user has been locked out an unusually high number of times within a short timeframe. This could indicate an attempt to gain unauthorized access to the user's account. overridden
Stored credentials exported using credwiz.exe Low 3 variations
Attackers may abuse the credwiz tool to export stored accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores (T1555)Required data: XDR AgentAttacker's goals: An attacker may attempt to gain higher privileges.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Stored credentials exported using credwiz.exe using keymgr.dll's KRShowKeyMgr function
Medium overridden
Attackers may abuse the credwiz tool to export stored accounts using keymgr.dll's KRShowKeyMgr function. overridden
Stored credentials exported using credwiz.exe over RDP
Low overridden
Attackers may abuse the credwiz tool to export stored accounts over RDP. overridden
Stored credentials exported using credwiz.exe with a built-in Windows tool
Low overridden
Attackers may abuse the credwiz tool to export stored accounts with a built-in Windows tool. overridden
Sudden spike in outbound email volume Informational Email 2 variations
Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 2 Hours
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsAttacker's goals: Extracting valuable information outside the company. Bypass Data Loss Prevention (DLP) by splitting data across multiple emails.Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.Variations
Sudden spike in outbound emails sent to external recipients
Informational overridden
Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe. overridden
Sudden spike in outbound emails sent to internal recipients
Informational overridden
Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe. overridden
Suspicious AWS SSM parameters retrieval activity Informational Cloud 1 variation
An identity dumped multiple AWS SSM parameters from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)ATT&CK techniques: Unsecured Credentials (T1552) Data from Cloud Storage (T1530)Required data: AWS Audit LogAttacker's goals: Collect secrets from the cloud environment.Investigative actions: Check the accessed parameters' designation. Verify that the identity did not dump any sensitive information that it shouldn't.Variations
A non admin identity extracted multiple secrets within the organization across multiple regions
Low overridden
An identity dumped multiple AWS SSM parameters from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden
Suspicious Certutil AD CS contact Low 1 variation
A suspicious occurrence of Certutil attempted to contact the AD CS Request Interface.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: System Service Discovery (T1007) Steal or Forge Authentication Certificates (T1649)Required data: XDR AgentDetector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker might look for AD CS servers, certificate templates or request certificates. With the wrong setting or loose vulnerable templates or enabled enrollment, the attacker will be able to authenticate as users on the network.Investigative actions: Look at further action done by the user. Investigate whether other non-standard operations were done regarding the AD CS.Variations
Suspicious Certutil AD CS Admin Interface contact
Medium overridden
A suspicious occurrence of Certutil attempted to contact the AD CS Admin Interface. overridden
Suspicious Kerberos Pre-Auth Failures by Host Low Identity Analytics
An endpoint failed unusual number of Kerberos pre-authentications (TGT requests) which may indicate a password-spraying attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Spraying (T1110.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: The attacker is attempting to gain an initial foothold in the domain using a list of valid users and a guessed password.Investigative actions: Identify the source host from which the failed logons originated, by making sure the IP is not a shared address. Review source host activity to detect any additional suspicious or lateral movement behavior. Correlate successful logons from the source host to identify potential account compromises following the failed attempts.Suspicious Kubernetes pod token access Medium 2 variations
A Kubernetes pod has accessed the access token of another pod.This could indicate potential unauthorized access or a security breach within the cluster.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Gain access to the Kubernetes environment.Investigative actions: Look for additional suspicious activities. Verify if the exposed credentials were used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.Variations
Suspicious Kubernetes pod token access by an unusual pod
High overridden
A Kubernetes pod has accessed the access token of another pod.This could indicate potential unauthorized access or a security breach within the cluster. overridden
Suspicious Kubernetes pod token access by an unusual process
Medium overridden
A Kubernetes pod has accessed the access token of another pod.This could indicate potential unauthorized access or a security breach within the cluster. overridden
Suspicious LDAP queries followed by shared folder access Low
The user executed suspicious LDAP queries shortly before accessing a shared folder.This behavior may be indicative of Rubeus activity involving Kerberos ticket forgery, such as Golden Ticket or Silver Ticket attacks.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Kerberos Tickets (T1558)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may use LDAP based account discovery and a forged Kerberos ticket (e.g. Silver Ticket) to access shared resources and collect sensitive data.Investigative actions: Review the LDAP query content to determine if it targets privileged groups (e.g., Domain Admins) or sensitive objects. Correlate the shared folder path with sensitive file shares (e.g., SYSVOL, NETLOGON, backup shares). Check if the IP address {ip_address} is associated with known administrative systems or unusual user behavior. Determine if Rubeus or other Kerberos abuse tools were used based on timing, patterns, or command line artifacts. Inspect for potential Silver Ticket or Golden Ticket activity by reviewing Kerberos ticket logs and security events. Verify if the user account had prior suspicious authentication events or privilege escalation.Suspicious NTLM authentication with machine account Informational Identity Analytics 1 variation
A suspicious NTLM authentication attempt was made by a machine account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Forced Authentication (T1187)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: An attacker aims to exploit authentication protocols to steal credentials and enable lateral movement within the network.Investigative actions: Identify the source and target users and hosts involved in the NTLM authentication attempt. Monitor the users associated with the authentication for any further suspicious activities or unauthorized actions. Look for earlier connections to the source which may cause it to initiate the session. Investigate the root cause of the behavior and determine if it can be mitigated or blocked in the future.Variations
Rare and sensitive NTLM authentication with machine account
Low overridden
A rare and sensitive NTLM authentication attempt was made by a machine account. overridden
Suspicious Print System Remote Protocol usage by a process Low Identity Analytics
A host which is trusted for unconstrained delegation initiated an SMB connection to a DC using the Print System Remote Protocol. An attacker can abuse such sessions for relay attacks.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Forced Authentication (T1187)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Check if the suspected account is compromised. Check if the source machine is trusted for unconstrained delegation and verify that the machine's configuration should stay that way. Follow actions by the account and if it performed a DCSync.Suspicious access to cloud credential files Informational Cloud 6 variations
A process accessed multiple cloud credential files, which may indicate a credential theft activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Cloud Lateral Movement AnalyticsAttacker's goals: Gain initial access to the cloud environment.Investigative actions: Verify if the executing process is doing more suspicious activities. Verify if the exposed credential files were used to access to the cloud environment. Verify which operations were used against the cloud environment with the exposed credentials.Variations
Suspicious access to cloud credential files of various cloud providers within a cloud instance
Low overridden
A process accessed multiple cloud credential files, which may indicate a credential theft activity. overridden
Suspicious access to cloud credential files within a cloud instance
Informational overridden
A process accessed multiple cloud credential files, which may indicate a credential theft activity. overridden
Suspicious access to Windows cloud credential files of various cloud providers
Medium overridden
A process accessed multiple cloud credential files, which may indicate a credential theft activity. overridden
Suspicious access to Windows cloud credential files by an unusual process
Low overridden
A process accessed multiple cloud credential files, which may indicate a credential theft activity. overridden
Suspicious access to cloud credential files of various cloud providers
Medium overridden
A process accessed multiple cloud credential files, which may indicate a credential theft activity. overridden
Suspicious access to cloud credential files by an unusual process
Low overridden
A process accessed multiple cloud credential files, which may indicate a credential theft activity. overridden
Suspicious access to shadow file Informational 4 variations
An unpopular process accessed the shadow file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may attempt to dump the contents of these sensitive files to perform offline password cracking.Investigative actions: Check the process for more suspicious activity. Check whether this was a legitimate action.Variations
Suspicious access to shadow file in a Kubernetes Pod using a known text editor
Medium overridden
An unpopular process accessed the shadow file in a Kubernetes Pod. overridden
Suspicious access to shadow file using a known text editor
Medium overridden
An unpopular process accessed the shadow file. overridden
Suspicious access to shadow file in a Kubernetes Pod
Low overridden
An unpopular process accessed the shadow file. overridden
Suspicious access to shadow file
Low overridden
An unpopular process accessed the shadow file. overridden
Suspicious certificate template modification Informational Identity Analytics 2 variations
A certificate template was updated with a possible misconfiguration. This may indicate the exploitation of misconfigured certificate template access control (ESC4).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Authentication Certificates (T1649)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker is attempting to exploit AD CS misconfigurations to obtain certificates that can be used for credential theft and privilege escalation.Investigative actions: Review the AD CS configuration for vulnerable templates and EKU settings. Review AD CS logs to identify any unauthorized certificate issuances, modifications, or template changes.Variations
Certificate template was updated to be vulnerable to AD CS ESC attack
Medium overridden
A certificate template was updated, making it vulnerable to an AD CS ESC attack. This may indicate the potential abuse of AD CS ESC4. overridden
Certificate template was updated with a misconfiguration configuration
Low overridden
A certificate template was updated with new misconfiguration. This may indicate a potential AD CS ESC4 attack. overridden
Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin High
Attackers may attempt to dump the ntds.dit file, which stores all Active Directory account information, to later extract passwords and hashes from it.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping: NTDS (T1003.003)Required data: XDR AgentAttacker's goals: Retrieve Active Directory data, to perform malicious activities such as lateral movement.Investigative actions: Check the initiator process for additional suspicious activity.Suspicious process accessed certificate files Low
A suspicious process accessed certificate files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials (T1552) Steal or Forge Authentication Certificates (T1649)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers may search for local certificate files for authentication, persistence or NTLM extraction.Investigative actions: See whether this was a legitimate action. Follow process/user activities.Suspicious secrets dump activity Informational Cloud 2 variations
An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)ATT&CK techniques: Unsecured Credentials (T1552) Data from Cloud Storage (T1530) Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Collect secrets from the cloud environment.Investigative actions: Check the accessed secrets' designation. Verify that the identity did not dump any sensitive information that it shouldn't.Variations
An identity extracted every secret within the organization across multiple regions
Medium overridden
An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden
An identity extracted multiple secrets within the organization across multiple regions
Low overridden
An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden
Suspicious setspn.exe execution Low
A Service Principal Name (SPN) is a unique identifier for a service, mapped to a specific account. Setspn.exe can be used to retrieve SPN information, which may indicate an attacker's attempt to "Kerberoast".
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Kerberos Tickets (T1558)Required data: XDR AgentAttacker's goals: Retrieving SPN information to perform related attacks like 'Kerberoast'.Investigative actions: Investigate the user who executed setspn.exe and find out if the act was malicious.Suspicious sshpass command execution Low 1 variation
The sshpass command was executed, This could be an attempt to check for credential stuffing.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Credential Stuffing (T1110.004)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may try to check and reuse credentials on the host.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Suspicious sshpass command execution in a Kubernetes pod
Low overridden
The sshpass command was executed, This could be an attempt to check for credential stuffing. overridden
Suspicious usage of EC2 token Low Cloud 1 variation
An AWS EC2 STS token was used externally from an EC2 instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogAttacker's goals: Exfiltrate token and abuse it remotely.Investigative actions: Check if the access key was generated by the attached instance. Check what actions were executed by the access key. Check if the relevant instance is compromised.Variations
Suspicious usage of EC2 token
Medium overridden
An AWS EC2 STS token was used externally from an EC2 instance. overridden
Uncommon SQL like command line Informational 3 variations
Uncommon SQL query in command line of an executed process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR AgentAttacker's goals: An attacker may use SQL queries to steal information stored at the target databases.Investigative actions: Check if the CGO (Causality Group Owner) is known for running SQL queries in the organization.Variations
Uncommon SQL like command line executed by a remote actor
Medium overridden
Uncommon SQL query in command line of a process which executed remotely. overridden
Uncommon SQL like command line executed by an RMM tool
Medium overridden
Uncommon SQL query in command line of a process executed by a Remote Monitoring & Management tool. overridden
Uncommon SQL like command line executed by an uncommon CGO
Low overridden
Uncommon SQL query in command line of an executed process. overridden
Uncommon SetWindowsHookEx API invocation of a possible keylogger Medium
A process installed a Windows desktop hook by calling the SetWindowsHookEx API function with an unpopular module. This behavior is commonly seen in keyloggers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)ATT&CK techniques: Input Capture: Keylogging (T1056.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers can monitor keyboard events as another way for credential gathering or to collect more user data over time for espionage purposes.Investigative actions: Check if the process has a user interface (a visible window). Check if the process has an option to set or modify keyboard hot-keys. Check if the process is part of a remote control tool. Check if the process is a known user application that was updated recently. Check if the process is built with AutoHotkey and is known to the user. If the process is a scripting engine or a hosting executable, check the actor process command line. Investigate the endpoint if the process writes files to disk.Uncommon WPAD queries Informational 3 variations
There were multiple attempts to access WPAD resources by a single host in your network. This may indicate a malicious activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Adversary-in-the-Middle (T1557)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Attackers may attempt to move laterally over the network by exploiting problems in WPAD.Investigative actions: Verify that the source host is legitimate. Examine the legitimacy of the application that produced this uncommon WPAD. Examine the parent process of this application.Variations
Uncommon WPAD queries to a external domain
Informational overridden
There were multiple attempts to access WPAD resources by a single host in your network. This may indicate a malicious activity. overridden
Suspicious WPAD queries
Low overridden
There were multiple attempts to access WPAD resources by a single host in your network. This may indicate a malicious activity. overridden
Uncommon WPAD queries using an uncommon port
Informational overridden
There were multiple attempts to access WPAD resources by a single host in your network. This may indicate a malicious activity. overridden
Uncommon access to /etc/passwd Informational 11 variations
A process made an uncommon attempt to access /etc/passwd.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: File and Directory Discovery (T1083) System Service Discovery (T1007) System Owner/User Discovery (T1033) System Information Discovery (T1082) Account Discovery (T1087) Account Discovery: Local Account (T1087.001) OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: EDR Discovery Analytics, Credentials Grabbing AnalyticsAttacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.Variations
Uncommon access to /etc/passwd by a security testing tool
Medium overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd by a potentially known credential dumper or enumeration script
Medium overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd by a potential Webshell
Medium overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon link creation to /etc/passwd
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd with both /etc/passwd and /etc/shadow in the command line
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd, involving a network utility
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd from temporary or world writable directories
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd with additional sensitive files in the command line
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd via a new inline bash script
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd using an interactive binary
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd using an interactive shell
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to Microsoft Teams cookies files Informational Identity Analytics 1 variation
Sensitive Microsoft Teams cookies files were accessed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores (T1555) Steal Application Access Token (T1528)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft TeamsAttacker's goals: Attacker may access credentials files and steal application access tokens to gain remote access.Investigative actions: Investigate the actor process to determine if it was used for legitimate purposes or malicious activity. Review the host for any additional unusual activity. Investigate the Graph API calls followed by the user that might be related.Variations
Suspicious uncommon access to Microsoft Teams cookies files
Low overridden
Sensitive Microsoft Teams cookies files were accessed by a suspicious process. overridden
Uncommon access to Microsoft Teams credential files Low 1 variation
Sensitive Microsoft Teams credential files were accessed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials (T1552)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Accessing these files is done by attackers to collect user credentials.Investigative actions: Investigate the actor process to determine if it was used for legitimate purposes or malicious activity.Variations
Uncommon access to Microsoft Teams credential files by an unsigned and unpopular process
Low overridden
Sensitive Microsoft Teams credential files were accessed. by an unsigned and unpopular process. overridden
Uncommon access to cloud platforms' sensitive files by a scripting engine Informational 1 variation
A scripting engine has accessed sensitive cloud platforms' files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores (T1555)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain access/control over internal cloud platforms or repositories.Investigative actions: Investigate if the behavior is known to the user or part of known product's procedure. Investigate if the actor processes command line contains malicious indicators or a script file.Variations
Uncommon access to cloud platforms' sensitive files by an uncommon script or utility
Low overridden
A scripting engine has accessed sensitive cloud platforms' files. overridden
Uncommon attempt at grabbing credentials from a sensitive file Informational 8 variations
A process made an uncommon attempt to access a file that may contain sensitive information.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: OS Credential Dumping (T1003) Unsecured Credentials: Credentials In Files (T1552.001) Unsecured Credentials (T1552) Credentials from Password Stores (T1555) Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Credentials Grabbing AnalyticsAttacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.Variations
Uncommon attempt at grabbing credentials from a sensitive file by a security testing tool
High overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a potentially known credential dumper or enumeration script
Medium overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from an SSH private key
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a potential Webshell
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a script that was executed by a rare causality
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file from temporary or world writable directories
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a rare process that was executed by cron
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a non-GTFOBIN process
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon creation or access operation of sensitive shadow copy Low 2 variations
An uncommon creation or access of a sensitive Shadow Copy volume path.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers may try to copy sensitive data or dump OS credentials from the host file system by using Shadow Copy volume utilities.Investigative actions: Verify if the shadow copy operation is part of an IT activity. Look for other hosts performing the same shadow copy event with similar causality process behavior. Inspect the causality process and its characteristics as they appear on other hosts.Variations
Uncommon creation or access operation of sensitive shadow copy by a remote actor
Low overridden
An uncommon creation or access of a sensitive Shadow Copy volume path. overridden
Uncommon creation or access operation of sensitive shadow copy by a high-risk process
High overridden
An uncommon creation or access of a sensitive Shadow Copy volume path by a high-risk process. overridden
Uncommon sensitive filesystem registry hive access Informational 4 variations
A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003) OS Credential Dumping: Security Account Manager (T1003.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversary may attempt to extract credentials from the Windows Registry Credentials can then be used to perform lateral movement and access restricted information.Investigative actions: Investigate the process that tried to access the registry hive file. Investigate the actions of the user, for which his credentials were stored in the registry hive file.Variations
Uncommon filesystem registry SAM hive access by a lolbin actor in a shadow copy folder
High overridden
A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping. overridden
Uncommon sensitive filesystem registry hive access by a lolbin actor in a shadow copy folder
Medium overridden
A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping. overridden
Uncommon sensitive filesystem registry hive access by a rare unsigned actor in a shadow copy folder
Medium overridden
A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping. overridden
Uncommon sensitive filesystem registry hive access by a rare unsigned actor
Low overridden
A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping. overridden
Uncommon sensitive registry hive dump Low 4 variations
A sensitive registry hive was extracted, which is used for accessing credentials.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversary may attempt to extract credentials from the Windows Registry Credentials can then be used to perform lateral movement and access restricted information.Investigative actions: Investigate the process that tried to access the registry hive. Investigate the actions of the user for which his credentials were stored in the registry hive.Variations
Uncommon sensitive registry hive dump by unsigned and rare process
High overridden
A sensitive registry hive was extracted, which is used for accessing credentials. overridden
Uncommon sensitive registry hive dump by injected process
High overridden
A sensitive registry hive was extracted, which is used for accessing credentials. overridden
Uncommon sensitive registry hive dump by reg.exe lolbin process which was executed by rare causality process
High overridden
A sensitive registry hive was extracted, which is used for accessing credentials. overridden
Uncommon sensitive registry hive dump by reg.exe lolbin process
Medium overridden
A sensitive registry hive was extracted, which is used for accessing credentials. overridden
Unprivileged process opened a registry hive Low
An unprivileged process opened a registry hive directly.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR AgentAttacker's goals: An attacker may attempt to gain higher privileges.Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Investigate the endpoint to determine if it's a legitimate process that is supposed to run with privileges.Unusual ADConnect database file access Informational 2 variations
An unusual process accessed the ADConnect database files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials (T1552)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers can abuse the Azure AD Connect database files to get access to the AD Sync account. The AD Sync account is a highly privileged account that can perform a DCSync and get access to on-premise password hashes.Investigative actions: See whether this was a legitimate action. Follow process/user/host activities. Follow unusual actions of the AD Sync user. Check for unusual Azure AD authentications. Check for a possible DCSync.Variations
Suspicious access to ADConnect database file
Medium overridden
An unusual process accessed the ADConnect database files with some suspicious characteristics that flagged this access attempt as a suspicious. overridden
Access to ADConnect database file by an unsigned or unusual process
Low overridden
An unusual process accessed the ADConnect database files with some suspicious characteristics that flagged this access attempt as a suspicious access. overridden
Unusual ADFS Remote Synchronization network connections from non-ADFS server Low
Detected an unauthorized configuration sync request to the ADFS Policy Store from a non-ADFS server, step for forging SAML tokens in a Golden SAML attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)ATT&CK techniques: Forge Web Credentials: SAML Tokens (T1606.002) Exploitation of Remote Services (T1210)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentDetector tags: Active Directory Federation Services AnalyticsAttacker's goals: The attack goal is to forge a valid SAML token to impersonate any user and gain persistent, unauthorized access to cloud resources, effectively bypassing MFA and standard security controls.Investigative actions: Correlate this network event with AD FS service account activity. The attacker must use the service account's credentials to authenticate this request. Check for a possible DCSync alerts. Check alerts that related to ADFS server. Check for other correlated alerts on on-premises systems that may be related to the Golden SAML attack. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Inspect the source machine for the presence of tools like AADInternals or custom SOAP-based scripts.Unusual Azure AD sync module load Low Identity Threat Module 1 variation
A process that does not usually load the Azure AD Sync mcrypt.dll loaded the module.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003)Required data: XDR AgentAttacker's goals: Attackers can abuse the Azure AD Connect database files to get access to the AD Sync account. The AD Sync account is a highly privileged account that can perform a DCSync and get access to on-premise password hashes.Investigative actions: See whether this was a legitimate action. Follow process/user/host activities. Follow unusual actions of the AD Sync user. Check for unusual Azure AD authentications. Check for a possible DCSync.Variations
Unusual Azure AD sync module load by suspicious process
Medium overridden
A suspicious process that does not usually load the Azure AD Sync mcrypt.dll loaded the module. overridden
Unusual CIM repository file access Low 1 variation
An uncommon process accessed the CIM repository file, potentially to retrieve stored NNA credentials for unauthorized use.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials (T1552) OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft SCCM AnalyticsAttacker's goals: Attackers can retrieve plaintext domain credentials, which may be used for proxying tools into the environment over command and control (C2). If the credentials are overprivileged, this technique may enable lateral movement to other clients or sensitive systems. Determine whether this was a legitimate action.Investigative actions: Follow process, user, and host activities. Investigate if the retrieved credentials match any known accounts or if there is any abnormal access to distribution points or other critical resources. Verify the presence of unauthorized tools or processes like SharpDPAPI or SharpSCCM that could have been used for credential extraction or decryption. Review relevant system logs (event logs, SCCM logs, etc.) for any signs of unusual activity or access patterns related to the NAA or other credentials.Variations
Suspicious CIM repository file access
Medium overridden
An unusual process with suspicious characteristics accessed the CIM repository file, causing this attempt to be flagged as suspicious. overridden
Unusual CertLog Remote File Write Low Identity Analytics 1 variation
A remote host wrote to a certificate log file via RPC over SMB, which may indicate the use of an AD CS attack tool like Certipy. This behavior is commonly associated with certificate-based authentication attacks.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Authentication Certificates (T1649)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker may be attempting to exploit AD CS misconfigurations and obtain forged authentication certificates for privilege escalation or persistence.Investigative actions: Determine whether this was a legitimate certificate request or an unauthorized write operation. Review logs for preceding and subsequent authentication attempts. Investigate the remote host for any suspicious activity. Identify any subsequent Kerberos ticket usage, such as forging or relaying attacks.Variations
Suspicious CertLog Remote File Write
Medium overridden
A remote host wrote to a certificate log file via RPC over SMB, which may indicate the use of an AD CS attack tool like Certipy. This behavior is commonly associated with certificate-based authentication attacks. overridden
Unusual Encrypting File System Remote call (EFSRPC) to domain controller Low Identity Analytics 3 variations
An unusual Encrypting File System Remote call (EFSRPC) was made to a domain controller.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Forced Authentication (T1187) Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker can abuse the Encrypting File System Remote Protocol to coerce authentication from a DC. This authentication can later be used for obtaining a DC certificate for DCSync.Investigative actions: Check for a suspicious process on the initiator. Check if the source host is a vulnerability scanner. Check for unusual connections from the server of the requested file location (it may be a relay server). Look for unusual AD CS certificate requests. Look for following suspicious connections using the DC machine account. Check for possible DCSync alerts.Variations
A suspicious Encrypting File System Remote call (EFSRPC) was made to a domain controller
Medium overridden
An unusual Encrypting File System Remote call (EFSRPC) was made to a domain controller. overridden
Abnormal Encrypting File System Remote call (EFSRPC) to domain controller using EfsRpcFileKeyInfo for the first time
Low overridden
An abnormal EfsRpcFileKeyInfo Encrypting File System Remote call (EFSRPC) was made to a domain controller for the first time. overridden
Abnormal Encrypting File System Remote call (EFSRPC) to domain controller using EfsRpcFileKeyInfo
Informational overridden
An abnormal EfsRpcFileKeyInfo Encrypting File System Remote call (EFSRPC) was made to a domain controller. overridden
Unusual Kubernetes secret access Informational Cloud
Suspicious Kubernetes secret access.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Container API (T1552.007)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes Credentials Theft AnalyticsAttacker's goals: Access sensitive data on Kubernetes cluster.Investigative actions: Check if {identity_name} should access any Kubernetes secrets and restrict permissions if needed. The event was originated from {caller_ip} using {user_agent}.Unusual Kubernetes service account file read Informational 7 variations
An unusual process opened a Kubernetes service account file for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Utilize the Kubernetes service account files to perform additional actions on the cluster.Investigative actions: Check the exposed Kubernetes service account usage in the cluster. Check if any other suspicious activity was performed inside the pod.Variations
Unusual Kubernetes service account file read within a new pod
Informational overridden
An unusual process opened a Kubernetes service account file for the first time. overridden
Kubernetes service account file read
Informational overridden
An unusual process opened a Kubernetes service account file for the first time. overridden
Suspicious Kubernetes service account file read from the projected volume path
Medium overridden
An unusual process opened a Kubernetes service account file for the first time. overridden
Suspicious Kubernetes service account token read via an interactive shell
Medium overridden
An unusual process opened a Kubernetes service account file for the first time. overridden
Suspicious Kubernetes service account token read by an unusual process
Low overridden
An unusual process opened the Kubernetes service account token file for the first time. overridden
Suspicious Kubernetes service account file read by an unusual process
Low overridden
An unusual process opened a Kubernetes service account file for the first time. overridden
Suspicious Kubernetes service account token read
Low overridden
An unusual process opened the Kubernetes service account token file for the first time. overridden
Unusual access to the AD Sync credential files Informational Cloud 2 variations
The AD Sync credential files were accessed in an unusual way.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores (T1555)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Extracting and decrypting stored Azure AD and Active Directory credentials from Azure AD Connect servers.Investigative actions: See whether this was a legitimate action. Follow the causality chain/user/host activities. Follow unusual actions of the AD Sync user. Check for remote SMB connections to the agent. Check for unusual Azure AD authentications. Check if this happened on other endpoints. Check for unusual logins.Variations
Suspicious process access to the AD Sync credential files
Medium overridden
The AD Sync credential files were accessed in an unusual way. overridden
An abnormal process accessed the AD Sync credential files
Low overridden
The AD Sync credential files were accessed in an unusual way. overridden
Unusual access to the Windows Internal Database on an ADFS server Informational 1 variation
The Windows Internal Database (WID) was queried in an unusual way on an ADFS server.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores (T1555)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers can attempt to extract and decrypt the ADFS certificate that is used to sign SAML tokens, and fabricate a new SAML token.Investigative actions: See whether this was a legitimate action. Follow the causality chain/user/host activities. Monitor suspicious LDAP queries to the ADFS container in Active Directory. Check the possibility of a compromised ADFS server. Check for unusual Azure AD authentications. Check for unusual logins.Variations
Suspicious access to the Windows Internal Database on an ADFS server
Low overridden
The Windows Internal Database (WID) was queried in an unusual way on an ADFS server. overridden
Unusual certificate management activity Informational Cloud
A cloud identity performed a certificate management operation for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Private Keys (T1552.004)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Abuse certificate management functionalities to generate valid signed certificates, which enable to launch man-in-the-middle attacks against different services.Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive certificate management operation that it shouldn't.Unusual cloud Instance Metadata Service (IMDS) access Informational Cloud 6 variations
A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Cloud Instance Metadata API (T1552.005)Required data: XDR AgentDetector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Extract sensitive cloud compute tokens to access restricted cloud resources.Investigative actions: Determine whether a web service was involved and if it was exploited to execute this technique. Identify any additional commands that were executed. Review the permissions assigned to the target machine to identify which resources may be affected. Examine related compute activity in the cloud audit logs.Variations
Unusual cloud Instance Metadata Service (IMDS) access from an unusual known Windows web service
Medium overridden
A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden
Unusual cloud Instance Metadata Service (IMDS) access from an unusual known web service
Medium overridden
A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden
Unusual cloud Instance Metadata Service (IMDS) access from an unusual known Windows shell process
Medium overridden
A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden
Unusual cloud Instance Metadata Service (IMDS) access from an unusual known shell process
Medium overridden
A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden
Unusual cloud Instance Metadata Service (IMDS) access from an unusual known Windows scripting process
Medium overridden
A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden
Unusual cloud Instance Metadata Service (IMDS) access from an unusual known scripting process
Low overridden
A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden
Unusual key management activity Informational Cloud
A cloud identity performed a key management operation for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials (T1552)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Abuse exposed cryptographic keys to decrypt sensitive information or create digital signatures to craft malicious messages.Using the decrypted information, the attacker may perform additional activities in an evasive manner.Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive KMS operation that it shouldn't.Unusual process accessed FTP Client credentials Low
An unusual process has accessed a third-party FTP client's credential file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Credentials Grabbing AnalyticsAttacker's goals: Obtain access to passwords stored in the FTP client.Investigative actions: Determine whether it is legitimate for the process to access FTP passwords directly. Analyze the process/application that accessed the credentials. Check for any other suspicious actions that were performed by the process. Look for unusual access to resources using credentials cached in the FTP client.Unusual process accessed web browser cookies Informational 1 variation
An unusual process has accessed a web browser's session cookie store.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal Web Session Cookie (T1539)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Credentials Grabbing AnalyticsAttacker's goals: Obtain access to or hijack sessions to websites stored in the web browser's cookies.Investigative actions: Determine whether it is legitimate for the process to access session cookies directly. Analyze the process/application that accessed the cookie store. Check for any other suspicious actions that were performed by the process. Look for unusual access to resources using credentials cached in the web browser/cookie store.Variations
Unusual unsigned process accessed web browser cookies
Low overridden
An unusual process has accessed a web browser's session cookie store. overridden
Unusual process accessed web browser credentials Informational 2 variations
An unusual process has accessed a web browser credentials file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores: Credentials from Web Browsers (T1555.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Credentials Grabbing AnalyticsAttacker's goals: Obtain access to credentials (such as cached logins) stored in the web browser.Investigative actions: Determine whether it is legitimate for the process to access web browser credential data directly. Analyze the process/application that accessed the credentials. Check for any other suspicious actions that were performed by the process. Look for unusual access to resources using credentials cached in the web browser.Variations
Unusual process accessed web browser credentials and executed by a terminal process
High overridden
An unusual process has accessed a web browser credentials file. overridden
Unusual unsigned process accessed web browser credentials
Low overridden
An unusual process has accessed a web browser credentials file. overridden
Unusual secret management activity Informational Cloud
A cloud Identity performed a secret management operation for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials (T1552) Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Abuse exposed secrets to gain access to restricted cloud resources and applications.Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive secret management operation that it shouldn't.Usage of homograph characters detected in an email attachment(s) name Informational Email 1 variation
Detected characters resembling Latin letters within an email attachment(s) name.This method could be used as a method to evade text or file scanners and analyzers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsDetector tags: Evasion, PhishingAttacker's goals: Evade file scanner defenses, tricking recipients into running malicious attachments.Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. Check the domain the email came from, and if this domain is recognized within the organization. Scrutinize the attachments related to the email message. Monitor file-related actions taken related to the attachment.Variations
Usage of homograph characters detected in an email attachment(s) extension
Low overridden
Detected non-latin characters within an email attachment's extension(s).Detected characters resembling Latin letters within an email attachment(s) name.This method could be used as a method to evade text or file scanners and analyzers. overridden
User attempted to connect from a suspicious country Informational Identity Analytics 1 variation
A user connected from an unusual country. This may indicate the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 30 Days
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Gain user-account credentials.Investigative actions: Check if the user is currently located in the aforementioned country, or routed its traffic there via a VPN.Variations
User successfully connected from a suspicious country
Low overridden
A user successfully connected from an unusual country. This may indicate the account was compromised. overridden
VPN Login Password Spray Informational Identity Analytics 2 variations
An abnormally high number of users failed to log in to a VPN service from an IP address within a short period of time. This may indicate a password spray attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.Investigative actions: Analyze the time intervals between login attempts to check for patterns indicative of a password spraying attack. Investigate the cause of the login failures (e.g. incorrect passwords, account lockouts, other factors). Review the geographic regions behind the failed login attempts. Investigate if a successful login was made after unsuccessful attempts. Cross-reference the IP address with threat intelligence sources to see if it is associated with known malicious activity.Variations
Successful VPN Password Spray Threat Detected with unusual characteristics
Medium overridden
An abnormally high number of users failed to log in to a VPN service from an IP address within a short period of time. This may indicate a password spray attack. overridden
VPN login password spray with unusual characteristics
Low overridden
An abnormally high number of users failed to log in to a VPN service from an IP address within a short period of time. This may indicate a password spray attack. overridden
VPN login Brute-Force attempt Informational Identity Analytics 2 variations
A user account failed to log in to a VPN service multiple times in a short time period. This may indicate a brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Brute Force (T1110) Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: An attacker attempts to gain access to the account.Investigative actions: Verify successful connections by the user account, as these can indicate the attacker managed to guess the credentials. Analyze login patterns for abnormal times, locations, or IPs for suspicious activity. Look for VPN login attempts from countries where the organization does not typically operate. Cross-reference the IP addresses with threat intelligence sources. Follow further actions taken by the account.Variations
Successful VPN Login Brute Force
Low overridden
A user account failed to log in to a VPN service multiple times in a short time period. This may indicate a brute-force attack. overridden
VPN login brute-force attempt with suspicious characteristics
Low overridden
A user account failed to log in to a VPN service multiple times in a short time period. This may indicate a brute-force attack. overridden
Vulnerable certificate template loaded Informational Identity Analytics 2 variations
A possible misconfigured certificate template was loaded by Certificate Services. This may indicate potential certificate template abuse.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Authentication Certificates (T1649)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker is attempting to exploit AD CS misconfigurations to obtain certificates that can be used for credential theft and privilege escalation.Investigative actions: Review the AD CS configuration for vulnerable templates and EKU settings. Review AD CS logs to identify any unauthorized certificate issuances, modifications, or template changes. Look for signs of certificate template enumeration via LDAP. Inspect certificates issued to privileged accounts. Check for abnormal PKINIT authentication or elevated Kerberos tickets.Variations
First detection of AD CS ESC vulnerability in certificate template
Medium overridden
A misconfigured certificate template vulnerable to an AD CS ESC attack was loaded by Certificate Services for the first time. This may indicate potential certificate template abuse. overridden
Certificate template vulnerable to AD CS ESC attack
Low overridden
A misconfigured certificate template vulnerable to an AD CS ESC attack was loaded by Certificate Services. This may indicate potential certificate template abuse. overridden
Weakly-Encrypted Kerberos TGT Response Informational 1 variation
A weakly encrypted Kerberos TGT was issued by a domain controller. The encryption type is abnormal for this DC and results in a TGT that is easier to crack. This behavior may indicate a Skeleton Key attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Modify Authentication Process: Domain Controller Authentication (T1556.001)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Manipulate the domain controller authentication process to bypass standard authentication and gain access to hosts and resources in environments relying on single-factor authentication.Investigative actions: Identify the user or entity that requested the TGT during the alert timeframe. Determine whether a legitimate service or application requested weak Kerberos encryption. Verify whether the domain controller is patched against the Skeleton Key vulnerability (CVE-2016-1567).Variations
Abnormal Weakly-Encrypted Kerberos TGT Response
Low overridden
A weakly encrypted Kerberos TGT was issued by a domain controller. The encryption type is abnormal for this DC and results in a TGT that is easier to crack. This behavior may indicate a Skeleton Key attack. overridden
Weakly-Encrypted Kerberos Ticket Requested Low 1 variation
A user specifically requested weak and deprecated encryption in a Kerberos TGS request. This provides easy-to-crack hashes and is typically a sign of a Kerberoasting attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 30 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.Investigative actions: Check who used the host at the time of the alert to rule out a benign service or tool requesting weak Kerberos encryption.Variations
Weakly-Encrypted Kerberos Ticket Requested on a sensitive server
Medium overridden
A user specifically requested weak and deprecated encryption in a Kerberos TGS request. This provides easy-to-crack hashes and is typically a sign of a Kerberoasting attack. This action occurred on a sensitive server, which may indicate a malicious activity. overridden