Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

194 alerts match the current filters. tactic: TA0006 ✕

Show ATT&CK heatmap
  • Owner added to Azure application Informational Identity Threat Module

    An identity was added as an owner to an Azure application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal Application Access Token (T1528)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker may add owners to an application to authenticate as the application later on and access resources.
    Investigative actions: Check if the added account is new to the organization. Check whether the account that added the new owner is supposed to perform such actions. Check for possible logins from the application modified. Follow further actions done by the application.
  • Possible AS-REP Roasting Attack Medium Identity Analytics 1 variation

    A user enumerated all accounts that don't require pre-authentication in the organization and specifically requested tickets for those accounts. This is typically a sign of an AS-REP Roasting attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: AS-REP Roasting (T1558.004)
    Required data: XDR Agent XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.
    Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak Kerberos encryption.

    Variations

    AS-REP Roasting Attack

    High overridden

    A user enumerated all accounts that don't require pre-authentication in the organization and specifically requested tickets for those accounts. This is typically a sign of an AS-REP Roasting attack. overridden

  • Possible Brute-Force attempt Informational Identity Analytics 2 variations

    This may indicate a brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    15 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Brute Force (T1110) Remote Services (T1021)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the accounts.
    Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.

    Variations

    Possible Brute-Force attempt on a Honey User Account

    Medium overridden

    This may indicate a brute-force attack. overridden

    Possible Brute-Force attempt with a successful login and suspicious characteristics

    Low overridden

    This may indicate a brute-force attack. overridden

  • Possible ConsentFix - OAuth Token Theft Detected Informational Identity Threat Module 1 variation

    Detection of potential OAuth token theft via a forced 'localhost' redirect and first-party app abuse.This indicates an attacker has likely bypassed MFA to hijack a user's cloud session.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) User Execution: Malicious Link (T1204.001) Steal Application Access Token (T1528)
    Required data: AzureAD
    Attacker's goals: Bypass identity trust controls to gain persistent unauthorized access to cloud resources.
    Investigative actions: Check for successful logins to Azure CLI or PowerShell from anomalous IPs. Review sign-in logs for User-Agents associated with CLI tools or scripts. Revoke all active OAuth refresh tokens for the user immediately.

    Variations

    OAuth Token Theft - Potential Session Hijacking Detected from new ASN

    Low overridden

    Detection of potential OAuth token theft via a forced 'localhost' redirect and first-party app abuse.This indicates an attacker has likely bypassed MFA to hijack a user's cloud session. overridden

  • Possible DCSync from a non domain controller Low 5 variations

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005)
    ATT&CK techniques: OS Credential Dumping: DCSync (T1003.006) Rogue Domain Controller (T1207)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Impacket Analytics
    Attacker's goals: An attacker is trying to retrieve Active Directory data, including password hashes.
    Investigative actions: Check whether one of the machines is a new domain controller.

    Variations

    DCSync from a non domain controller from a non-standard process

    High overridden

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden

    Large DCSync from a non domain controller by AppID

    Medium overridden

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden

    Large DCSync from a non domain controller

    Medium overridden

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden

    Possible DCSync from an internet-facing server

    Medium overridden

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden

    DCSync from a non domain controller

    Low overridden

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden

  • Possible Distributed File System Namespace Management (DFSNM) abuse High

    A possible abuse of Distributed File System Namespace Management (DFSNM).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Forced Authentication (T1187) Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker can abuse the Distributed File System Namespace Management protocol to coerce an authentication from a DC. This authentication can later be used for obtaining a DC certificate for DCSync.
    Investigative actions: Check for a suspicious process on the initiator. Check if the source host is a vulnerability scanner. Look for unusual AD CS certificate requests. Check for possible DCSync alerts.
  • Possible Kerberoasting attack Medium Identity Analytics 1 variation

    A user enumerated all service principals in the organization and specifically requested weak and deprecated encryption in a ticket request. This is typically a sign of a Kerberoasting attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)
    Required data: XDR Agent XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.
    Investigative actions: Check who used the host at the time of the alert to rule out a benign service or tool requesting weak Kerberos encryption.

    Variations

    Kerberoasting attack

    High overridden

    A user enumerated all service principals in the organization and specifically requested weak and deprecated encryption in a ticket request. This is typically a sign of a Kerberoasting attack. overridden

  • Possible Kerberoasting without SPNs Low 1 variation

    A user specifically requested weak and deprecated encryption in a Kerberos TGS request. This provides easy-to-crack hashes, and is typically a sign of a Kerberoasting attack. The requested service was specified by using a suspicious SPN type, which is often used by Kerberoasting tools to request by SAN instead of SPN.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Crack service account credentials by obtaining an easy-to-crack Kerberos ticket.
    Investigative actions: Check who used the host at the time of the alert to rule out a benign service or tool requesting weak Kerberos encryption.

    Variations

    Possible Kerberoasting without SPNs on a sensitive server

    Medium overridden

    A user specifically requested weak and deprecated encryption in a Kerberos TGS request. This provides easy-to-crack hashes, and is typically a sign of a Kerberoasting attack. The requested service was specified by using a suspicious SPN type, which is often used by Kerberoasting tools to request by SAN instead of SPN. overridden

  • Possible Search For Password Files Medium

    Attackers often search for files that have passwords in them.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Possible authentication coercion Informational Identity Analytics 2 variations

    An unusual Remote Procedure Call (RPC) was made to potentially cause authentication coercion.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Forced Authentication (T1187) Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker can abuse Remote Procedure Calls to coerce authentication from servers.
    Investigative actions: Check for a suspicious process on the initiator. Check if the source host is a vulnerability scanner. Check for unusual connections from {actor_remote_ip} to other servers in the network. Check for logged-in users to {actor_remote_ip} and investigate their actions. Check for indicators of compromise on {actor_remote_ip}.

    Variations

    Possible authentication coercion from an unconstrained delegation server to a sensitive server

    Medium overridden

    An unusual Remote Procedure Call (RPC) was made towards a sensitive server, to potentially cause authentication coercion. overridden

    Possible authentication coercion to a sensitive server

    Low overridden

    An unusual Remote Procedure Call (RPC) was made towards a sensitive server, to potentially cause authentication coercion. overridden

  • Possible brute force on sudo user Informational 1 variation

    A user executed an unusual amount of sudo commands in a short time period.This may indicate an attempt to guess the sudo password.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Guessing (T1110.001)
    Required data: XDR Agent
    Attacker's goals: The attacker may gain full privileges to the host.
    Investigative actions: Verify which user ran these commands and if it is a legitimate behavior on this host.

    Variations

    Possible brute force on sudo user

    Low overridden

    A user executed an unusual amount of sudo commands in a short time period.This may indicate an attempt to guess the sudo password. overridden

  • Possible brute force or configuration change attempt on cytool High

    An unusual amount of cytool commands were executed in a short period from a user who doesn't usually run these commands.This may indicate an attempt to guess the Administrator password.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Guessing (T1110.001)
    Required data: XDR Agent
    Attacker's goals: The attacker may disable the agent to perform malicious activities.
    Investigative actions: Verify which user ran these commands and if it is a legitimate behavior on this host.
  • Possible external RDP Brute-Force Low Identity Analytics 2 variations

    Multiple failed remote logins originated from an external IP with at least one successful login.This may indicate a successful brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Guessing (T1110.001)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the accounts.
    Investigative actions: If the source IP is an internal IP, adjust network IP ranges. Identify the user performing RDP and check that it is authorized. Check whether this IP has a malicious reputation. Reset the user's password. Follow further actions done by the user.

    Variations

    Possible external RDP Brute-Force on a Honey User Account

    Medium overridden

    Multiple failed remote logins originated from an external IP with at least one successful login.This may indicate a successful brute-force attack. overridden

    Potential External Brute-Force via RDP on Sensitive User

    Medium overridden

    Multiple failed remote logins from an external IP with a sensitive user and at least one successful login.This may indicate a successful brute-force attack. overridden

  • Possible network sniffing attempt via tcpdump or tshark Low

    Attackers may monitor network traffic for cleartext credentials or to learn the network's configuration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: Network Sniffing (T1040)
    Required data: XDR Agent
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Possible new DHCP server Medium

    A DHCP response was sent from an unknown DHCP server.Attackers may send a DHCP response to a host in his LAN to inject a DNS server, route or WPAD server.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Adversary-in-the-Middle (T1557)
    Required data: XDR Agent
    Attacker's goals: The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.
    Investigative actions: Check if the source agent is a legitimate DHCP server. Check if the attacked host send DNS queries to an unusual IP. Check if the attacked host send WPAD HTTP/S requests to an unusual host.
  • Possible use of a networking driver for network sniffing Informational 2 variations

    A process wrote a known networking driver with network sniffing capabilities to disk, attackers can use it to sniff passwords and other credentials from the network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: Network Sniffing (T1040)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Enable access to raw network traffic via promiscuous mode, allowing an attacker to sniff credentials and other sensitive data from the organization's network, and in some cases interfere with network communications.
    Investigative actions: Verify whether the process is expected and recognized by IT or the user. Check whether the driver was installed recently. If it was installed using sc.exe, this may indicate malicious activity. Review who executed sc.exe to validate legitimacy.

    Variations

    Possible use of a networking driver for network sniffing

    Medium overridden

    A process wrote a known and rare networking driver with network sniffing capabilities to not standard location for drivers on the disk, attackers can use it to sniff passwords and other credentials from the network. overridden

    Possible use of a networking driver for network sniffing

    Low overridden

    A process wrote a known networking driver with network sniffing capabilities to not standard location for drivers on the disk, attackers can use it to sniff passwords and other credentials from the network. overridden

  • Potential DCSync by an unusual user Informational Identity Analytics 1 variation

    Attackers may leverage the domain replication process to extract sensitive information (DCSync).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping: DCSync (T1003.006) Rogue Domain Controller (T1207)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker is trying to retrieve Active Directory data, including password hashes.
    Investigative actions: Check the role of the account, and see if it should initiate a DC synchronization. Check if the account performing the DCSync is related to a new DC. Find the source host of the DCSync (correlate between event 4662 and 4624 based on the field 'Logon ID'). Check if the account was recently added to an administrative groups/had new sensitive privileges assigned to it. Monitor suspicious traffic to/from the host to identify lateral movement or access to sensitive resources.

    Variations

    Possible DCSync by an unusual user

    Low overridden

    Attackers may leverage the domain replication process to extract sensitive information (DCSync). overridden

  • Potential NTLM Relay Attack Informational Identity Analytics 3 variations

    Multiple NTLM authentications were made to the same workstation and user from different IPs.This might indicate a potential NTLM Relay attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)
    Required data: XDR Agent
    Attacker's goals: The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.
    Investigative actions: Ensure that the alerted host is not a NAT device or proxy that replicates or forwards network traffic as part of its expected operational behavior. Check if the workstation supports weak, outdated versions of NTLM. Check for network activity to and from the suspicious IP address and workstation, to verify if they were compromised. Check for process activity to and from the suspicious IP address to verify if it was compromised. Check for changes in the network configurations, including indicators of poisoning attacks. Monitor closely the actions of the potentially compromised user account for any anomalous behavior.

    Variations

    NTLM Relay Attack using a sensitive user and a vulnerable package

    Medium overridden

    Multiple NTLM authentications were made to the same workstation and sensitive user from different IPs using a vulnerable NTLM package.This might indicate a potential NTLM Relay attack. overridden

    Potential NTLM Relay Attack using a vulnerable package

    Low overridden

    Multiple NTLM authentications were made to the same workstation and user from different IPs using a vulnerable NTLM package.This might indicate a potential NTLM Relay attack. overridden

    Potential NTLM Relay Attack using a sensitive user

    Low overridden

    Multiple NTLM authentications were made to the same workstation and sensitive user from different IPs.This might indicate a potential NTLM Relay attack. overridden

  • Potential NTLM Relay Attack against a Microsoft Configuration Manager Site Server Informational Identity Analytics 1 variation

    Multiple NTLM authentications were made to the same Microsoft Configuration Manager site server and user from different IPs in a short period of time.This might indicate a potential NTLM Relay attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)
    Required data: XDR Agent
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: An attacker may coerce the SCCM site server to authenticate to a malicious host and relay it to escalate privileges and move laterally across site systems.
    Investigative actions: Ensure that the alerted host is not a NAT device or proxy that replicates or forwards network traffic as part of its expected operational behavior. Check if the protocols used are vulnerable to an NTLM relay attack (e.g. LDAP, SMB). Ensure that SMB signing is enabled in the case of a possible SMB relay attack. Check for network activity to and from the suspicious IP address to verify if it is a compromised machine. Monitor closely the actions of the potentially compromised user account for any anomalous behavior, especially suspicious SCCM-related activity occurring near the time of the alert.

    Variations

    Potential NTLM Relay Attack against a Microsoft Configuration Manager Site Server using a vulnerable package

    Low overridden

    Multiple NTLM authentications were made to the same Microsoft Configuration Manager site server and user from different IPs using a vulnerable NTLM package in a short period of time.This might indicate a potential NTLM Relay attack. overridden

  • Potential SCCM credential harvesting using WMI detected Low 3 variations

    Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: Windows Management Instrumentation (T1047) Unsecured Credentials (T1552)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: Obtain credentials used by the SCCM service.
    Investigative actions: Examine the process that executed the WMI query and the CGO and verify that the processes are from a trusted source. Inspect the system for malicious activity that is related to that process.

    Variations

    Potential SCCM credential harvesting using WMI detected from a remote machine

    Medium overridden

    Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM. overridden

    Potential SCCM inventory query using WMI detected

    Low overridden

    Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM. overridden

    Potential Enumeration of SCCM User, Device, and Deployment Data via WMI

    Low overridden

    Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM. overridden

  • Potential creation of persistent cloud credentials Informational Cloud

    A cloud identity invoked a credential-related persistence operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Forge Web Credentials (T1606) Use Alternate Authentication Material: Application Access Token (T1550.001)
    Required data: AWS Audit Log
    Attacker's goals: Maintain persistence in cloud environments.
    Investigative actions: Check what API calls were executed by the identity. Check what resources are affected by this change. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account.
  • Potential extraction of NAA Account Credentials in Microsoft Configuration Manager Low Identity Analytics 1 variation

    Possible user attempt to deobfuscate Network Access Account (NAA) credentials in Microsoft Configuration Manager. This may indicate a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005)
    ATT&CK techniques: Unsecured Credentials (T1552) Deobfuscate/Decode Files or Information (T1140) Credentials from Password Stores (T1555)
    Required data: Azure Audit Log AzureAD AzureAD Audit Log Microsoft Graph Logs Office 365 Audit Okta Okta Audit Log Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Global Protect Third-Party VPNs Slack Audit Log XDR Agent XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: An attacker may extract plaintext credentials of the Network Access Account (NAA) from an SCCM environment to access resources and lateral movement within the network.
    Investigative actions: Verify the activity with the performing user. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Look for unusual logins using the Network Access Account (NAA), on systems or at times that deviate from normal patterns. Looking for signs of credential extraction, such as tools or scripts.

    Variations

    Suspicious extraction of NAA Account Credentials in Microsoft Configuration Manager

    Medium overridden

    Possible user attempt to deobfuscate Network Access Account (NAA) credentials in Microsoft Configuration Manager. This may indicate a compromised account. overridden

  • Potential kubelet impersonation attempt Low 1 variation

    A process accessed both the Kubelet credentials and the Kubernetes CA certificate, indicating an attempt to impersonate the node agent and communicate with the API server.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft Analytics
    Attacker's goals: Impersonate the node agent to gain control over the cluster.
    Investigative actions: Look for additional suspicious activities. Verify if the exposed credentials were used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.

    Variations

    Potential kubelet impersonation attempt by an unusual process

    Medium overridden

    A process accessed both the Kubelet credentials and the Kubernetes CA certificate, indicating an attempt to impersonate the node agent and communicate with the API server. overridden

  • PowerShell pfx certificate extraction Informational 1 variation

    PowerShell was used to extract a pfx certificate file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Attackers may export certificates to .pfx files to use them for authentication, persistence or NTLM extraction.
    Investigative actions: Check if the pfx creation is legitimate for the user (Testing, IT, etc.). Follow further actions done by the user (ex. authentication using certificates).

    Variations

    Suspicious PowerShell pfx certificate extraction

    Low overridden

    A user used PowerShell to extract a pfx certificate file. overridden

  • Procdump executed from an atypical directory Medium

    Procdump.exe is a SysInternals tool used to dump process memory; it can be used to dump lsass.exe memory to extract credentials.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Credential Access (TA0006)
    ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001) OS Credential Dumping: LSASS Memory (T1003.001)
    Required data: XDR Agent
    Attacker's goals: Attackers may attempt to dump the memory of sensitive processes.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Rare process accessed a Keychain file Informational 5 variations

    An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores: Keychain (T1555.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Credentials Grabbing Analytics
    Attacker's goals: Obtain access to credentials stored in the Keychain file.
    Investigative actions: Determine whether it is legitimate for the process to access credential data directly. Analyze the process/application that touched the Keychain. Check for any other suspicious actions that were performed by the process. Look for unusual access to resources using credentials stored on said Keychain.

    Variations

    Rare process accessed a Keychain file using the networksetup tool

    High overridden

    An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden

    Rare process accessed a Keychain file while installing a new certificate

    Medium overridden

    An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden

    Rare process accessed a Keychain file initiated by a causality actor with a rare path

    Low overridden

    An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden

    Rare process accessed a Keychain file initiated by an unsigned causality actor

    Low overridden

    An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden

    Rare unsigned process accessed a Keychain file

    Low overridden

    An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden

  • Reading bash command history file Low

    Attackers may access the bash history file to glean cleartext usernames and passwords that were entered on the command line.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Shell History (T1552.003)
    Required data: XDR Agent
    Attacker's goals: Adversaries may search the bash history file to search for insecurely stored credentials.
    Investigative actions: Investigate the process activities and use of the extracted credentials.
  • Remote account enumeration Informational Identity Analytics 2 variations

    Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: Account Discovery (T1087) Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: Discover valid accounts to gain credentials.
    Investigative actions: Check if the login attempts were part of a legitimate misunderstanding of the system or part of an attack.

    Variations

    Suspicious Remote domain account enumeration

    Medium overridden

    Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts. overridden

    Remote account enumeration on domain accounts

    Low overridden

    Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts. overridden

  • Remote usage of AWS Lambda's role Informational Cloud 5 variations

    An AWS Lambda's role was used externally of the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)
    ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate token and abuse it remotely.
    Investigative actions: Check if the IAM role was assumed by an unknown identity. Check what API calls were executed using the access-key.

    Variations

    Remote command line usage of AWS Lambda's role

    High overridden

    An AWS Lambda's role was used externally of the cloud environment. overridden

    Suspicious usage of AWS Lambda's role

    Medium overridden

    An AWS Lambda's role was used externally of the cloud environment. overridden

    Suspicious usage of AWS Lambda's role

    Low overridden

    An AWS Lambda's role was used externally of the cloud environment. overridden

    Suspicious usage of AWS Lambda's role

    High overridden

    An AWS Lambda's role was used externally of the cloud environment. overridden

    Usage of AWS Lambda's role from a known ASN

    Informational overridden

    An AWS Lambda's role was used externally of the cloud environment. overridden

  • Remote usage of VM Service Account token Informational Cloud 1 variation

    A GCP Service Account token, which is attached to a VM, was used externally of the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552)
    Required data: Gcp Audit Log
    Attacker's goals: Exfiltrate token and abuse it remotely.
    Investigative actions: Check if the service account was attached to a specific VM. Check if the service account was used by a user. Check if the relevant VM is compromised.

    Variations

    Suspicious usage of VM Service Account token

    High overridden

    A GCP Service Account token, which is attached to a VM, was used externally of the cloud environment. overridden

  • Remote usage of an AWS service token Low Cloud 1 variation

    An AWS service token was used externally of the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008) Initial Access (TA0001)
    ATT&CK techniques: Steal Application Access Token (T1528) Use Alternate Authentication Material: Application Access Token (T1550.001) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate a token and abuse it remotely.
    Investigative actions: Check what actions were executed using the access-key. Check if the IAM role was assumed by a different identity.

    Variations

    Suspicious usage of AWS service token

    Medium overridden

    An AWS service token was used externally of the cloud environment. overridden

  • Remote usage of an App engine Service Account token Informational Cloud 1 variation

    A GCP Service Account token, which is attached to an app engine, was used externally of the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552)
    Required data: Gcp Audit Log
    Attacker's goals: Exfiltrate token and abuse it remotely.
    Investigative actions: Check if the Service Account was attached to a specific app engine. Check if the Service Account was used by a user. Check if the relevant app engine is compromised.

    Variations

    Suspicious usage of App engine Service Account token

    High overridden

    A GCP Service Account token, which is attached to an app engine, was used externally of the cloud environment. overridden

  • Remote usage of an Azure Managed Identity token Low Cloud 4 variations

    An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552)
    Required data: Azure Audit Log
    Detector tags: Cloud Serverless Function Credentials Theft Analytics
    Attacker's goals: Exfiltrate valid token and abuse it remotely.
    Investigative actions: Verify whether the Managed Identity should be used remotely. Check what API calls were executed by the Managed Identity. Check if the relevant compute service is compromised.

    Variations

    Remote usage of an Azure Function App's Managed Identity token

    Medium overridden

    An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment. overridden

    Remote usage of an Azure Automation Account's Managed Identity token

    Medium overridden

    An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment. overridden

    Remote usage of an Azure Managed Identity token from an unusual ASN

    High overridden

    An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment. overridden

    Remote usage of an Azure Managed Identity token from an unusual IP

    Medium overridden

    An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment. overridden

  • Remote usage of an Azure Service Principal token Informational Cloud 2 variations

    An Azure Service Principal token was used externally of the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552)
    Required data: Azure Audit Log
    Attacker's goals: Exfiltrate valid token and abuse it remotely.
    Investigative actions: Verify whether the service principal should be used remotely. Check what API calls were executed by the service principal. Determine whether the service principal is compromised.

    Variations

    Remote usage of an Azure Service Principal token from an unusual ASN

    High overridden

    An Azure Service Principal token was used externally of the cloud environment. overridden

    Remote usage of an Azure Service Principal token from an unusual IP

    Medium overridden

    An Azure Service Principal token was used externally of the cloud environment. overridden

  • Retrieval of kubelet credentials Informational 1 variation

    A process retrieved kubelet credentials.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft Analytics
    Attacker's goals: Impersonate the node agent to gain control over the cluster.
    Investigative actions: Look for additional suspicious activities. Verify if the exposed credentials were used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.

    Variations

    Retrieval of kubelet credentials by an unusual process

    Low overridden

    A process retrieved kubelet credentials. overridden

  • SSH authentication brute force attempts Informational Identity Analytics 2 variations

    A user attempted to authenticate via SSH an excessive number of times in a short period. This may indicate a brute force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    15 Minutes
    Deduplication:
    3 Hours
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: Attackers attempt to log in to a remote host.
    Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.

    Variations

    Successful SSH Brute Force

    Low overridden

    A user successfully authenticated via SSH after an excessive number of failures in a short period. overridden

    Possible SSH Brute Force

    Low overridden

    A user attempted to authenticate via SSH an excessive number of times in a short period. This may indicate a brute force attack. overridden

  • SSO Brute Force Informational Identity Analytics 3 variations

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Brute Force (T1110) Brute Force: Password Guessing (T1110.001) Compromise Accounts (T1586)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: An attacker is attempting to gain access to an account secured with MFA.
    Investigative actions: Check the legitimacy of this activity and determine whether it is malicious or not. Check if the user usually logs in from this country. Check whether a successful login was made after unsuccessful attempts.

    Variations

    SSO Brute Force on a Honey User Account

    Medium overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack. overridden

    SSO Brute Force Threat Detected

    Medium overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack. overridden

    SSO Brute Force Activity Observed

    Low overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack. overridden

  • SSO Password Spray Informational Identity Analytics 3 variations

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001) Compromise Accounts (T1586)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.
    Investigative actions: See whether this was a legitimate action. Check if the user usually logs in from this country. Check whether a successful login was made after unsuccessful attempts.

    Variations

    SSO Password Spray Involving a Honey User

    Medium overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack. overridden

    SSO Password Spray Threat Detected

    Medium overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack. overridden

    SSO Password Spray Activity Observed

    Low overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack. overridden

  • Sensitive browser credential files accessed by a rare non browser process Informational 1 variation

    Sensitive browser credential files accessed by a rare non browser process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores: Credentials from Web Browsers (T1555.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Achieve Credential Access by harvesting credentials from local browser storage.This facilitates Lateral Movement and Persistence across the environmentto gain unauthorized control over sensitive resources and information.
    Investigative actions: Determine the legitimacy of the actor process that accessed the sensitive browser credential files. Analyze the process signature, file path, and command line arguments to verify the process's authenticity. Identify the process or user responsible for initiating the activity and assess its legitimacy.

    Variations

    Sensitive browser credential files accessed by a rare non browser process from a commonly abused directory

    Low overridden

    Sensitive browser credential files accessed by a rare non browser process. overridden

  • Single account excessively locked out Informational Identity Analytics 1 variation

    A user has been locked out an unusually high number of times within a short timeframe. This could indicate an attempt to gain unauthorized access to the user's account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110) Brute Force: Password Spraying (T1110.003)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.
    Investigative actions: Investigate the associated authentication attempts and login failures (e.g. 4740, 4625, 4776 events). Check if there were any successful authentications (event ID 4624). Determine if any programs have stored outdated credentials, causing account lockouts. Check recent user activity for unusual behavior, such as logins from unfamiliar locations or devices. Confirm whether the user's credentials have been compromised or leaked. Review if the account is enrolled in multifactor authentication (MFA). Find the computer responsible for the lockouts and verify if it exists on the domain. Monitor services that may be running with a user's credentials.

    Variations

    Single suspicious account excessively locked out

    Low overridden

    A user has been locked out an unusually high number of times within a short timeframe. This could indicate an attempt to gain unauthorized access to the user's account. overridden

  • Stored credentials exported using credwiz.exe Low 3 variations

    Attackers may abuse the credwiz tool to export stored accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores (T1555)
    Required data: XDR Agent
    Attacker's goals: An attacker may attempt to gain higher privileges.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Stored credentials exported using credwiz.exe using keymgr.dll's KRShowKeyMgr function

    Medium overridden

    Attackers may abuse the credwiz tool to export stored accounts using keymgr.dll's KRShowKeyMgr function. overridden

    Stored credentials exported using credwiz.exe over RDP

    Low overridden

    Attackers may abuse the credwiz tool to export stored accounts over RDP. overridden

    Stored credentials exported using credwiz.exe with a built-in Windows tool

    Low overridden

    Attackers may abuse the credwiz tool to export stored accounts with a built-in Windows tool. overridden

  • Sudden spike in outbound email volume Informational Email 2 variations

    Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    2 Hours
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Attacker's goals: Extracting valuable information outside the company. Bypass Data Loss Prevention (DLP) by splitting data across multiple emails.
    Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.

    Variations

    Sudden spike in outbound emails sent to external recipients

    Informational overridden

    Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe. overridden

    Sudden spike in outbound emails sent to internal recipients

    Informational overridden

    Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe. overridden

  • Suspicious AWS SSM parameters retrieval activity Informational Cloud 1 variation

    An identity dumped multiple AWS SSM parameters from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)
    ATT&CK techniques: Unsecured Credentials (T1552) Data from Cloud Storage (T1530)
    Required data: AWS Audit Log
    Attacker's goals: Collect secrets from the cloud environment.
    Investigative actions: Check the accessed parameters' designation. Verify that the identity did not dump any sensitive information that it shouldn't.

    Variations

    A non admin identity extracted multiple secrets within the organization across multiple regions

    Low overridden

    An identity dumped multiple AWS SSM parameters from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden

  • Suspicious Certutil AD CS contact Low 1 variation

    A suspicious occurrence of Certutil attempted to contact the AD CS Request Interface.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: System Service Discovery (T1007) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker might look for AD CS servers, certificate templates or request certificates. With the wrong setting or loose vulnerable templates or enabled enrollment, the attacker will be able to authenticate as users on the network.
    Investigative actions: Look at further action done by the user. Investigate whether other non-standard operations were done regarding the AD CS.

    Variations

    Suspicious Certutil AD CS Admin Interface contact

    Medium overridden

    A suspicious occurrence of Certutil attempted to contact the AD CS Admin Interface. overridden

  • Suspicious Kerberos Pre-Auth Failures by Host Low Identity Analytics

    An endpoint failed unusual number of Kerberos pre-authentications (TGT requests) which may indicate a password-spraying attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Spraying (T1110.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: The attacker is attempting to gain an initial foothold in the domain using a list of valid users and a guessed password.
    Investigative actions: Identify the source host from which the failed logons originated, by making sure the IP is not a shared address. Review source host activity to detect any additional suspicious or lateral movement behavior. Correlate successful logons from the source host to identify potential account compromises following the failed attempts.
  • Suspicious Kubernetes pod token access Medium 2 variations

    A Kubernetes pod has accessed the access token of another pod.This could indicate potential unauthorized access or a security breach within the cluster.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft Analytics
    Attacker's goals: Gain access to the Kubernetes environment.
    Investigative actions: Look for additional suspicious activities. Verify if the exposed credentials were used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.

    Variations

    Suspicious Kubernetes pod token access by an unusual pod

    High overridden

    A Kubernetes pod has accessed the access token of another pod.This could indicate potential unauthorized access or a security breach within the cluster. overridden

    Suspicious Kubernetes pod token access by an unusual process

    Medium overridden

    A Kubernetes pod has accessed the access token of another pod.This could indicate potential unauthorized access or a security breach within the cluster. overridden

  • Suspicious LDAP queries followed by shared folder access Low

    The user executed suspicious LDAP queries shortly before accessing a shared folder.This behavior may be indicative of Rubeus activity involving Kerberos ticket forgery, such as Golden Ticket or Silver Ticket attacks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets (T1558)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may use LDAP based account discovery and a forged Kerberos ticket (e.g. Silver Ticket) to access shared resources and collect sensitive data.
    Investigative actions: Review the LDAP query content to determine if it targets privileged groups (e.g., Domain Admins) or sensitive objects. Correlate the shared folder path with sensitive file shares (e.g., SYSVOL, NETLOGON, backup shares). Check if the IP address {ip_address} is associated with known administrative systems or unusual user behavior. Determine if Rubeus or other Kerberos abuse tools were used based on timing, patterns, or command line artifacts. Inspect for potential Silver Ticket or Golden Ticket activity by reviewing Kerberos ticket logs and security events. Verify if the user account had prior suspicious authentication events or privilege escalation.
  • Suspicious NTLM authentication with machine account Informational Identity Analytics 1 variation

    A suspicious NTLM authentication attempt was made by a machine account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Forced Authentication (T1187)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: An attacker aims to exploit authentication protocols to steal credentials and enable lateral movement within the network.
    Investigative actions: Identify the source and target users and hosts involved in the NTLM authentication attempt. Monitor the users associated with the authentication for any further suspicious activities or unauthorized actions. Look for earlier connections to the source which may cause it to initiate the session. Investigate the root cause of the behavior and determine if it can be mitigated or blocked in the future.

    Variations

    Rare and sensitive NTLM authentication with machine account

    Low overridden

    A rare and sensitive NTLM authentication attempt was made by a machine account. overridden

  • Suspicious Print System Remote Protocol usage by a process Low Identity Analytics

    A host which is trusted for unconstrained delegation initiated an SMB connection to a DC using the Print System Remote Protocol. An attacker can abuse such sessions for relay attacks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Forced Authentication (T1187)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Check if the suspected account is compromised. Check if the source machine is trusted for unconstrained delegation and verify that the machine's configuration should stay that way. Follow actions by the account and if it performed a DCSync.
  • Suspicious access to cloud credential files Informational Cloud 6 variations

    A process accessed multiple cloud credential files, which may indicate a credential theft activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Cloud Lateral Movement Analytics
    Attacker's goals: Gain initial access to the cloud environment.
    Investigative actions: Verify if the executing process is doing more suspicious activities. Verify if the exposed credential files were used to access to the cloud environment. Verify which operations were used against the cloud environment with the exposed credentials.

    Variations

    Suspicious access to cloud credential files of various cloud providers within a cloud instance

    Low overridden

    A process accessed multiple cloud credential files, which may indicate a credential theft activity. overridden

    Suspicious access to cloud credential files within a cloud instance

    Informational overridden

    A process accessed multiple cloud credential files, which may indicate a credential theft activity. overridden

    Suspicious access to Windows cloud credential files of various cloud providers

    Medium overridden

    A process accessed multiple cloud credential files, which may indicate a credential theft activity. overridden

    Suspicious access to Windows cloud credential files by an unusual process

    Low overridden

    A process accessed multiple cloud credential files, which may indicate a credential theft activity. overridden

    Suspicious access to cloud credential files of various cloud providers

    Medium overridden

    A process accessed multiple cloud credential files, which may indicate a credential theft activity. overridden

    Suspicious access to cloud credential files by an unusual process

    Low overridden

    A process accessed multiple cloud credential files, which may indicate a credential theft activity. overridden

  • Suspicious access to shadow file Informational 4 variations

    An unpopular process accessed the shadow file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may attempt to dump the contents of these sensitive files to perform offline password cracking.
    Investigative actions: Check the process for more suspicious activity. Check whether this was a legitimate action.

    Variations

    Suspicious access to shadow file in a Kubernetes Pod using a known text editor

    Medium overridden

    An unpopular process accessed the shadow file in a Kubernetes Pod. overridden

    Suspicious access to shadow file using a known text editor

    Medium overridden

    An unpopular process accessed the shadow file. overridden

    Suspicious access to shadow file in a Kubernetes Pod

    Low overridden

    An unpopular process accessed the shadow file. overridden

    Suspicious access to shadow file

    Low overridden

    An unpopular process accessed the shadow file. overridden

  • Suspicious certificate template modification Informational Identity Analytics 2 variations

    A certificate template was updated with a possible misconfiguration. This may indicate the exploitation of misconfigured certificate template access control (ESC4).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Authentication Certificates (T1649)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker is attempting to exploit AD CS misconfigurations to obtain certificates that can be used for credential theft and privilege escalation.
    Investigative actions: Review the AD CS configuration for vulnerable templates and EKU settings. Review AD CS logs to identify any unauthorized certificate issuances, modifications, or template changes.

    Variations

    Certificate template was updated to be vulnerable to AD CS ESC attack

    Medium overridden

    A certificate template was updated, making it vulnerable to an AD CS ESC attack. This may indicate the potential abuse of AD CS ESC4. overridden

    Certificate template was updated with a misconfiguration configuration

    Low overridden

    A certificate template was updated with new misconfiguration. This may indicate a potential AD CS ESC4 attack. overridden

  • Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin High

    Attackers may attempt to dump the ntds.dit file, which stores all Active Directory account information, to later extract passwords and hashes from it.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping: NTDS (T1003.003)
    Required data: XDR Agent
    Attacker's goals: Retrieve Active Directory data, to perform malicious activities such as lateral movement.
    Investigative actions: Check the initiator process for additional suspicious activity.
  • Suspicious process accessed certificate files Low

    A suspicious process accessed certificate files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials (T1552) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers may search for local certificate files for authentication, persistence or NTLM extraction.
    Investigative actions: See whether this was a legitimate action. Follow process/user activities.
  • Suspicious secrets dump activity Informational Cloud 2 variations

    An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)
    ATT&CK techniques: Unsecured Credentials (T1552) Data from Cloud Storage (T1530) Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Collect secrets from the cloud environment.
    Investigative actions: Check the accessed secrets' designation. Verify that the identity did not dump any sensitive information that it shouldn't.

    Variations

    An identity extracted every secret within the organization across multiple regions

    Medium overridden

    An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden

    An identity extracted multiple secrets within the organization across multiple regions

    Low overridden

    An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden

  • Suspicious setspn.exe execution Low

    A Service Principal Name (SPN) is a unique identifier for a service, mapped to a specific account. Setspn.exe can be used to retrieve SPN information, which may indicate an attacker's attempt to "Kerberoast".

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets (T1558)
    Required data: XDR Agent
    Attacker's goals: Retrieving SPN information to perform related attacks like 'Kerberoast'.
    Investigative actions: Investigate the user who executed setspn.exe and find out if the act was malicious.
  • Suspicious sshpass command execution Low 1 variation

    The sshpass command was executed, This could be an attempt to check for credential stuffing.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Credential Stuffing (T1110.004)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may try to check and reuse credentials on the host.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Suspicious sshpass command execution in a Kubernetes pod

    Low overridden

    The sshpass command was executed, This could be an attempt to check for credential stuffing. overridden

  • Suspicious usage of EC2 token Low Cloud 1 variation

    An AWS EC2 STS token was used externally from an EC2 instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)
    ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate token and abuse it remotely.
    Investigative actions: Check if the access key was generated by the attached instance. Check what actions were executed by the access key. Check if the relevant instance is compromised.

    Variations

    Suspicious usage of EC2 token

    Medium overridden

    An AWS EC2 STS token was used externally from an EC2 instance. overridden

  • Uncommon SQL like command line Informational 3 variations

    Uncommon SQL query in command line of an executed process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent
    Attacker's goals: An attacker may use SQL queries to steal information stored at the target databases.
    Investigative actions: Check if the CGO (Causality Group Owner) is known for running SQL queries in the organization.

    Variations

    Uncommon SQL like command line executed by a remote actor

    Medium overridden

    Uncommon SQL query in command line of a process which executed remotely. overridden

    Uncommon SQL like command line executed by an RMM tool

    Medium overridden

    Uncommon SQL query in command line of a process executed by a Remote Monitoring & Management tool. overridden

    Uncommon SQL like command line executed by an uncommon CGO

    Low overridden

    Uncommon SQL query in command line of an executed process. overridden

  • Uncommon SetWindowsHookEx API invocation of a possible keylogger Medium

    A process installed a Windows desktop hook by calling the SetWindowsHookEx API function with an unpopular module. This behavior is commonly seen in keyloggers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)
    ATT&CK techniques: Input Capture: Keylogging (T1056.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers can monitor keyboard events as another way for credential gathering or to collect more user data over time for espionage purposes.
    Investigative actions: Check if the process has a user interface (a visible window). Check if the process has an option to set or modify keyboard hot-keys. Check if the process is part of a remote control tool. Check if the process is a known user application that was updated recently. Check if the process is built with AutoHotkey and is known to the user. If the process is a scripting engine or a hosting executable, check the actor process command line. Investigate the endpoint if the process writes files to disk.
  • Uncommon WPAD queries Informational 3 variations

    There were multiple attempts to access WPAD resources by a single host in your network. This may indicate a malicious activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Adversary-in-the-Middle (T1557)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Attackers may attempt to move laterally over the network by exploiting problems in WPAD.
    Investigative actions: Verify that the source host is legitimate. Examine the legitimacy of the application that produced this uncommon WPAD. Examine the parent process of this application.

    Variations

    Uncommon WPAD queries to a external domain

    Informational overridden

    There were multiple attempts to access WPAD resources by a single host in your network. This may indicate a malicious activity. overridden

    Suspicious WPAD queries

    Low overridden

    There were multiple attempts to access WPAD resources by a single host in your network. This may indicate a malicious activity. overridden

    Uncommon WPAD queries using an uncommon port

    Informational overridden

    There were multiple attempts to access WPAD resources by a single host in your network. This may indicate a malicious activity. overridden

  • Uncommon access to /etc/passwd Informational 11 variations

    A process made an uncommon attempt to access /etc/passwd.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: File and Directory Discovery (T1083) System Service Discovery (T1007) System Owner/User Discovery (T1033) System Information Discovery (T1082) Account Discovery (T1087) Account Discovery: Local Account (T1087.001) OS Credential Dumping (T1003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: EDR Discovery Analytics, Credentials Grabbing Analytics
    Attacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.
    Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.

    Variations

    Uncommon access to /etc/passwd by a security testing tool

    Medium overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd by a potentially known credential dumper or enumeration script

    Medium overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd by a potential Webshell

    Medium overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon link creation to /etc/passwd

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd with both /etc/passwd and /etc/shadow in the command line

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd, involving a network utility

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd from temporary or world writable directories

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd with additional sensitive files in the command line

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd via a new inline bash script

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd using an interactive binary

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd using an interactive shell

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

  • Uncommon access to Microsoft Teams cookies files Informational Identity Analytics 1 variation

    Sensitive Microsoft Teams cookies files were accessed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores (T1555) Steal Application Access Token (T1528)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft Teams
    Attacker's goals: Attacker may access credentials files and steal application access tokens to gain remote access.
    Investigative actions: Investigate the actor process to determine if it was used for legitimate purposes or malicious activity. Review the host for any additional unusual activity. Investigate the Graph API calls followed by the user that might be related.

    Variations

    Suspicious uncommon access to Microsoft Teams cookies files

    Low overridden

    Sensitive Microsoft Teams cookies files were accessed by a suspicious process. overridden

  • Uncommon access to Microsoft Teams credential files Low 1 variation

    Sensitive Microsoft Teams credential files were accessed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials (T1552)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Accessing these files is done by attackers to collect user credentials.
    Investigative actions: Investigate the actor process to determine if it was used for legitimate purposes or malicious activity.

    Variations

    Uncommon access to Microsoft Teams credential files by an unsigned and unpopular process

    Low overridden

    Sensitive Microsoft Teams credential files were accessed. by an unsigned and unpopular process. overridden

  • Uncommon access to cloud platforms' sensitive files by a scripting engine Informational 1 variation

    A scripting engine has accessed sensitive cloud platforms' files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores (T1555)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain access/control over internal cloud platforms or repositories.
    Investigative actions: Investigate if the behavior is known to the user or part of known product's procedure. Investigate if the actor processes command line contains malicious indicators or a script file.

    Variations

    Uncommon access to cloud platforms' sensitive files by an uncommon script or utility

    Low overridden

    A scripting engine has accessed sensitive cloud platforms' files. overridden

  • Uncommon attempt at grabbing credentials from a sensitive file Informational 8 variations

    A process made an uncommon attempt to access a file that may contain sensitive information.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: OS Credential Dumping (T1003) Unsecured Credentials: Credentials In Files (T1552.001) Unsecured Credentials (T1552) Credentials from Password Stores (T1555) Account Discovery (T1087)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Credentials Grabbing Analytics
    Attacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.
    Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.

    Variations

    Uncommon attempt at grabbing credentials from a sensitive file by a security testing tool

    High overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from a sensitive file by a potentially known credential dumper or enumeration script

    Medium overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from an SSH private key

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from a sensitive file by a potential Webshell

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from a sensitive file by a script that was executed by a rare causality

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from a sensitive file from temporary or world writable directories

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from a sensitive file by a rare process that was executed by cron

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from a sensitive file by a non-GTFOBIN process

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

  • Uncommon creation or access operation of sensitive shadow copy Low 2 variations

    An uncommon creation or access of a sensitive Shadow Copy volume path.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers may try to copy sensitive data or dump OS credentials from the host file system by using Shadow Copy volume utilities.
    Investigative actions: Verify if the shadow copy operation is part of an IT activity. Look for other hosts performing the same shadow copy event with similar causality process behavior. Inspect the causality process and its characteristics as they appear on other hosts.

    Variations

    Uncommon creation or access operation of sensitive shadow copy by a remote actor

    Low overridden

    An uncommon creation or access of a sensitive Shadow Copy volume path. overridden

    Uncommon creation or access operation of sensitive shadow copy by a high-risk process

    High overridden

    An uncommon creation or access of a sensitive Shadow Copy volume path by a high-risk process. overridden

  • Uncommon sensitive filesystem registry hive access Informational 4 variations

    A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003) OS Credential Dumping: Security Account Manager (T1003.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversary may attempt to extract credentials from the Windows Registry Credentials can then be used to perform lateral movement and access restricted information.
    Investigative actions: Investigate the process that tried to access the registry hive file. Investigate the actions of the user, for which his credentials were stored in the registry hive file.

    Variations

    Uncommon filesystem registry SAM hive access by a lolbin actor in a shadow copy folder

    High overridden

    A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping. overridden

    Uncommon sensitive filesystem registry hive access by a lolbin actor in a shadow copy folder

    Medium overridden

    A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping. overridden

    Uncommon sensitive filesystem registry hive access by a rare unsigned actor in a shadow copy folder

    Medium overridden

    A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping. overridden

    Uncommon sensitive filesystem registry hive access by a rare unsigned actor

    Low overridden

    A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping. overridden

  • Uncommon sensitive registry hive dump Low 4 variations

    A sensitive registry hive was extracted, which is used for accessing credentials.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversary may attempt to extract credentials from the Windows Registry Credentials can then be used to perform lateral movement and access restricted information.
    Investigative actions: Investigate the process that tried to access the registry hive. Investigate the actions of the user for which his credentials were stored in the registry hive.

    Variations

    Uncommon sensitive registry hive dump by unsigned and rare process

    High overridden

    A sensitive registry hive was extracted, which is used for accessing credentials. overridden

    Uncommon sensitive registry hive dump by injected process

    High overridden

    A sensitive registry hive was extracted, which is used for accessing credentials. overridden

    Uncommon sensitive registry hive dump by reg.exe lolbin process which was executed by rare causality process

    High overridden

    A sensitive registry hive was extracted, which is used for accessing credentials. overridden

    Uncommon sensitive registry hive dump by reg.exe lolbin process

    Medium overridden

    A sensitive registry hive was extracted, which is used for accessing credentials. overridden

  • Unprivileged process opened a registry hive Low

    An unprivileged process opened a registry hive directly.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent
    Attacker's goals: An attacker may attempt to gain higher privileges.
    Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Investigate the endpoint to determine if it's a legitimate process that is supposed to run with privileges.
  • Unusual ADConnect database file access Informational 2 variations

    An unusual process accessed the ADConnect database files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials (T1552)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers can abuse the Azure AD Connect database files to get access to the AD Sync account. The AD Sync account is a highly privileged account that can perform a DCSync and get access to on-premise password hashes.
    Investigative actions: See whether this was a legitimate action. Follow process/user/host activities. Follow unusual actions of the AD Sync user. Check for unusual Azure AD authentications. Check for a possible DCSync.

    Variations

    Suspicious access to ADConnect database file

    Medium overridden

    An unusual process accessed the ADConnect database files with some suspicious characteristics that flagged this access attempt as a suspicious. overridden

    Access to ADConnect database file by an unsigned or unusual process

    Low overridden

    An unusual process accessed the ADConnect database files with some suspicious characteristics that flagged this access attempt as a suspicious access. overridden

  • Unusual ADFS Remote Synchronization network connections from non-ADFS server Low

    Detected an unauthorized configuration sync request to the ADFS Policy Store from a non-ADFS server, step for forging SAML tokens in a Golden SAML attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Forge Web Credentials: SAML Tokens (T1606.002) Exploitation of Remote Services (T1210)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Detector tags: Active Directory Federation Services Analytics
    Attacker's goals: The attack goal is to forge a valid SAML token to impersonate any user and gain persistent, unauthorized access to cloud resources, effectively bypassing MFA and standard security controls.
    Investigative actions: Correlate this network event with AD FS service account activity. The attacker must use the service account's credentials to authenticate this request. Check for a possible DCSync alerts. Check alerts that related to ADFS server. Check for other correlated alerts on on-premises systems that may be related to the Golden SAML attack. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Inspect the source machine for the presence of tools like AADInternals or custom SOAP-based scripts.
  • Unusual Azure AD sync module load Low Identity Threat Module 1 variation

    A process that does not usually load the Azure AD Sync mcrypt.dll loaded the module.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003)
    Required data: XDR Agent
    Attacker's goals: Attackers can abuse the Azure AD Connect database files to get access to the AD Sync account. The AD Sync account is a highly privileged account that can perform a DCSync and get access to on-premise password hashes.
    Investigative actions: See whether this was a legitimate action. Follow process/user/host activities. Follow unusual actions of the AD Sync user. Check for unusual Azure AD authentications. Check for a possible DCSync.

    Variations

    Unusual Azure AD sync module load by suspicious process

    Medium overridden

    A suspicious process that does not usually load the Azure AD Sync mcrypt.dll loaded the module. overridden

  • Unusual CIM repository file access Low 1 variation

    An uncommon process accessed the CIM repository file, potentially to retrieve stored NNA credentials for unauthorized use.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials (T1552) OS Credential Dumping (T1003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: Attackers can retrieve plaintext domain credentials, which may be used for proxying tools into the environment over command and control (C2). If the credentials are overprivileged, this technique may enable lateral movement to other clients or sensitive systems. Determine whether this was a legitimate action.
    Investigative actions: Follow process, user, and host activities. Investigate if the retrieved credentials match any known accounts or if there is any abnormal access to distribution points or other critical resources. Verify the presence of unauthorized tools or processes like SharpDPAPI or SharpSCCM that could have been used for credential extraction or decryption. Review relevant system logs (event logs, SCCM logs, etc.) for any signs of unusual activity or access patterns related to the NAA or other credentials.

    Variations

    Suspicious CIM repository file access

    Medium overridden

    An unusual process with suspicious characteristics accessed the CIM repository file, causing this attempt to be flagged as suspicious. overridden

  • Unusual CertLog Remote File Write Low Identity Analytics 1 variation

    A remote host wrote to a certificate log file via RPC over SMB, which may indicate the use of an AD CS attack tool like Certipy. This behavior is commonly associated with certificate-based authentication attacks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker may be attempting to exploit AD CS misconfigurations and obtain forged authentication certificates for privilege escalation or persistence.
    Investigative actions: Determine whether this was a legitimate certificate request or an unauthorized write operation. Review logs for preceding and subsequent authentication attempts. Investigate the remote host for any suspicious activity. Identify any subsequent Kerberos ticket usage, such as forging or relaying attacks.

    Variations

    Suspicious CertLog Remote File Write

    Medium overridden

    A remote host wrote to a certificate log file via RPC over SMB, which may indicate the use of an AD CS attack tool like Certipy. This behavior is commonly associated with certificate-based authentication attacks. overridden

  • Unusual Encrypting File System Remote call (EFSRPC) to domain controller Low Identity Analytics 3 variations

    An unusual Encrypting File System Remote call (EFSRPC) was made to a domain controller.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Forced Authentication (T1187) Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker can abuse the Encrypting File System Remote Protocol to coerce authentication from a DC. This authentication can later be used for obtaining a DC certificate for DCSync.
    Investigative actions: Check for a suspicious process on the initiator. Check if the source host is a vulnerability scanner. Check for unusual connections from the server of the requested file location (it may be a relay server). Look for unusual AD CS certificate requests. Look for following suspicious connections using the DC machine account. Check for possible DCSync alerts.

    Variations

    A suspicious Encrypting File System Remote call (EFSRPC) was made to a domain controller

    Medium overridden

    An unusual Encrypting File System Remote call (EFSRPC) was made to a domain controller. overridden

    Abnormal Encrypting File System Remote call (EFSRPC) to domain controller using EfsRpcFileKeyInfo for the first time

    Low overridden

    An abnormal EfsRpcFileKeyInfo Encrypting File System Remote call (EFSRPC) was made to a domain controller for the first time. overridden

    Abnormal Encrypting File System Remote call (EFSRPC) to domain controller using EfsRpcFileKeyInfo

    Informational overridden

    An abnormal EfsRpcFileKeyInfo Encrypting File System Remote call (EFSRPC) was made to a domain controller. overridden

  • Unusual Kubernetes secret access Informational Cloud

    Suspicious Kubernetes secret access.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Container API (T1552.007)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes Credentials Theft Analytics
    Attacker's goals: Access sensitive data on Kubernetes cluster.
    Investigative actions: Check if {identity_name} should access any Kubernetes secrets and restrict permissions if needed. The event was originated from {caller_ip} using {user_agent}.
  • Unusual Kubernetes service account file read Informational 7 variations

    An unusual process opened a Kubernetes service account file for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft Analytics
    Attacker's goals: Utilize the Kubernetes service account files to perform additional actions on the cluster.
    Investigative actions: Check the exposed Kubernetes service account usage in the cluster. Check if any other suspicious activity was performed inside the pod.

    Variations

    Unusual Kubernetes service account file read within a new pod

    Informational overridden

    An unusual process opened a Kubernetes service account file for the first time. overridden

    Kubernetes service account file read

    Informational overridden

    An unusual process opened a Kubernetes service account file for the first time. overridden

    Suspicious Kubernetes service account file read from the projected volume path

    Medium overridden

    An unusual process opened a Kubernetes service account file for the first time. overridden

    Suspicious Kubernetes service account token read via an interactive shell

    Medium overridden

    An unusual process opened a Kubernetes service account file for the first time. overridden

    Suspicious Kubernetes service account token read by an unusual process

    Low overridden

    An unusual process opened the Kubernetes service account token file for the first time. overridden

    Suspicious Kubernetes service account file read by an unusual process

    Low overridden

    An unusual process opened a Kubernetes service account file for the first time. overridden

    Suspicious Kubernetes service account token read

    Low overridden

    An unusual process opened the Kubernetes service account token file for the first time. overridden

  • Unusual access to the AD Sync credential files Informational Cloud 2 variations

    The AD Sync credential files were accessed in an unusual way.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores (T1555)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Extracting and decrypting stored Azure AD and Active Directory credentials from Azure AD Connect servers.
    Investigative actions: See whether this was a legitimate action. Follow the causality chain/user/host activities. Follow unusual actions of the AD Sync user. Check for remote SMB connections to the agent. Check for unusual Azure AD authentications. Check if this happened on other endpoints. Check for unusual logins.

    Variations

    Suspicious process access to the AD Sync credential files

    Medium overridden

    The AD Sync credential files were accessed in an unusual way. overridden

    An abnormal process accessed the AD Sync credential files

    Low overridden

    The AD Sync credential files were accessed in an unusual way. overridden

  • Unusual access to the Windows Internal Database on an ADFS server Informational 1 variation

    The Windows Internal Database (WID) was queried in an unusual way on an ADFS server.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores (T1555)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers can attempt to extract and decrypt the ADFS certificate that is used to sign SAML tokens, and fabricate a new SAML token.
    Investigative actions: See whether this was a legitimate action. Follow the causality chain/user/host activities. Monitor suspicious LDAP queries to the ADFS container in Active Directory. Check the possibility of a compromised ADFS server. Check for unusual Azure AD authentications. Check for unusual logins.

    Variations

    Suspicious access to the Windows Internal Database on an ADFS server

    Low overridden

    The Windows Internal Database (WID) was queried in an unusual way on an ADFS server. overridden

  • Unusual certificate management activity Informational Cloud

    A cloud identity performed a certificate management operation for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Private Keys (T1552.004)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Abuse certificate management functionalities to generate valid signed certificates, which enable to launch man-in-the-middle attacks against different services.
    Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive certificate management operation that it shouldn't.
  • Unusual cloud Instance Metadata Service (IMDS) access Informational Cloud 6 variations

    A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Cloud Instance Metadata API (T1552.005)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft Analytics
    Attacker's goals: Extract sensitive cloud compute tokens to access restricted cloud resources.
    Investigative actions: Determine whether a web service was involved and if it was exploited to execute this technique. Identify any additional commands that were executed. Review the permissions assigned to the target machine to identify which resources may be affected. Examine related compute activity in the cloud audit logs.

    Variations

    Unusual cloud Instance Metadata Service (IMDS) access from an unusual known Windows web service

    Medium overridden

    A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden

    Unusual cloud Instance Metadata Service (IMDS) access from an unusual known web service

    Medium overridden

    A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden

    Unusual cloud Instance Metadata Service (IMDS) access from an unusual known Windows shell process

    Medium overridden

    A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden

    Unusual cloud Instance Metadata Service (IMDS) access from an unusual known shell process

    Medium overridden

    A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden

    Unusual cloud Instance Metadata Service (IMDS) access from an unusual known Windows scripting process

    Medium overridden

    A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden

    Unusual cloud Instance Metadata Service (IMDS) access from an unusual known scripting process

    Low overridden

    A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden

  • Unusual key management activity Informational Cloud

    A cloud identity performed a key management operation for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials (T1552)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Abuse exposed cryptographic keys to decrypt sensitive information or create digital signatures to craft malicious messages.Using the decrypted information, the attacker may perform additional activities in an evasive manner.
    Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive KMS operation that it shouldn't.
  • Unusual process accessed FTP Client credentials Low

    An unusual process has accessed a third-party FTP client's credential file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Credentials Grabbing Analytics
    Attacker's goals: Obtain access to passwords stored in the FTP client.
    Investigative actions: Determine whether it is legitimate for the process to access FTP passwords directly. Analyze the process/application that accessed the credentials. Check for any other suspicious actions that were performed by the process. Look for unusual access to resources using credentials cached in the FTP client.
  • Unusual process accessed web browser cookies Informational 1 variation

    An unusual process has accessed a web browser's session cookie store.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal Web Session Cookie (T1539)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Credentials Grabbing Analytics
    Attacker's goals: Obtain access to or hijack sessions to websites stored in the web browser's cookies.
    Investigative actions: Determine whether it is legitimate for the process to access session cookies directly. Analyze the process/application that accessed the cookie store. Check for any other suspicious actions that were performed by the process. Look for unusual access to resources using credentials cached in the web browser/cookie store.

    Variations

    Unusual unsigned process accessed web browser cookies

    Low overridden

    An unusual process has accessed a web browser's session cookie store. overridden

  • Unusual process accessed web browser credentials Informational 2 variations

    An unusual process has accessed a web browser credentials file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores: Credentials from Web Browsers (T1555.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Credentials Grabbing Analytics
    Attacker's goals: Obtain access to credentials (such as cached logins) stored in the web browser.
    Investigative actions: Determine whether it is legitimate for the process to access web browser credential data directly. Analyze the process/application that accessed the credentials. Check for any other suspicious actions that were performed by the process. Look for unusual access to resources using credentials cached in the web browser.

    Variations

    Unusual process accessed web browser credentials and executed by a terminal process

    High overridden

    An unusual process has accessed a web browser credentials file. overridden

    Unusual unsigned process accessed web browser credentials

    Low overridden

    An unusual process has accessed a web browser credentials file. overridden

  • Unusual secret management activity Informational Cloud

    A cloud Identity performed a secret management operation for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials (T1552) Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Abuse exposed secrets to gain access to restricted cloud resources and applications.
    Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive secret management operation that it shouldn't.
  • Usage of homograph characters detected in an email attachment(s) name Informational Email 1 variation

    Detected characters resembling Latin letters within an email attachment(s) name.This method could be used as a method to evade text or file scanners and analyzers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Evasion, Phishing
    Attacker's goals: Evade file scanner defenses, tricking recipients into running malicious attachments.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. Check the domain the email came from, and if this domain is recognized within the organization. Scrutinize the attachments related to the email message. Monitor file-related actions taken related to the attachment.

    Variations

    Usage of homograph characters detected in an email attachment(s) extension

    Low overridden

    Detected non-latin characters within an email attachment's extension(s).Detected characters resembling Latin letters within an email attachment(s) name.This method could be used as a method to evade text or file scanners and analyzers. overridden

  • User attempted to connect from a suspicious country Informational Identity Analytics 1 variation

    A user connected from an unusual country. This may indicate the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check if the user is currently located in the aforementioned country, or routed its traffic there via a VPN.

    Variations

    User successfully connected from a suspicious country

    Low overridden

    A user successfully connected from an unusual country. This may indicate the account was compromised. overridden

  • VPN Login Password Spray Informational Identity Analytics 2 variations

    An abnormally high number of users failed to log in to a VPN service from an IP address within a short period of time. This may indicate a password spray attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.
    Investigative actions: Analyze the time intervals between login attempts to check for patterns indicative of a password spraying attack. Investigate the cause of the login failures (e.g. incorrect passwords, account lockouts, other factors). Review the geographic regions behind the failed login attempts. Investigate if a successful login was made after unsuccessful attempts. Cross-reference the IP address with threat intelligence sources to see if it is associated with known malicious activity.

    Variations

    Successful VPN Password Spray Threat Detected with unusual characteristics

    Medium overridden

    An abnormally high number of users failed to log in to a VPN service from an IP address within a short period of time. This may indicate a password spray attack. overridden

    VPN login password spray with unusual characteristics

    Low overridden

    An abnormally high number of users failed to log in to a VPN service from an IP address within a short period of time. This may indicate a password spray attack. overridden

  • VPN login Brute-Force attempt Informational Identity Analytics 2 variations

    A user account failed to log in to a VPN service multiple times in a short time period. This may indicate a brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Brute Force (T1110) Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: An attacker attempts to gain access to the account.
    Investigative actions: Verify successful connections by the user account, as these can indicate the attacker managed to guess the credentials. Analyze login patterns for abnormal times, locations, or IPs for suspicious activity. Look for VPN login attempts from countries where the organization does not typically operate. Cross-reference the IP addresses with threat intelligence sources. Follow further actions taken by the account.

    Variations

    Successful VPN Login Brute Force

    Low overridden

    A user account failed to log in to a VPN service multiple times in a short time period. This may indicate a brute-force attack. overridden

    VPN login brute-force attempt with suspicious characteristics

    Low overridden

    A user account failed to log in to a VPN service multiple times in a short time period. This may indicate a brute-force attack. overridden

  • Vulnerable certificate template loaded Informational Identity Analytics 2 variations

    A possible misconfigured certificate template was loaded by Certificate Services. This may indicate potential certificate template abuse.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Authentication Certificates (T1649)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker is attempting to exploit AD CS misconfigurations to obtain certificates that can be used for credential theft and privilege escalation.
    Investigative actions: Review the AD CS configuration for vulnerable templates and EKU settings. Review AD CS logs to identify any unauthorized certificate issuances, modifications, or template changes. Look for signs of certificate template enumeration via LDAP. Inspect certificates issued to privileged accounts. Check for abnormal PKINIT authentication or elevated Kerberos tickets.

    Variations

    First detection of AD CS ESC vulnerability in certificate template

    Medium overridden

    A misconfigured certificate template vulnerable to an AD CS ESC attack was loaded by Certificate Services for the first time. This may indicate potential certificate template abuse. overridden

    Certificate template vulnerable to AD CS ESC attack

    Low overridden

    A misconfigured certificate template vulnerable to an AD CS ESC attack was loaded by Certificate Services. This may indicate potential certificate template abuse. overridden

  • Weakly-Encrypted Kerberos TGT Response Informational 1 variation

    A weakly encrypted Kerberos TGT was issued by a domain controller. The encryption type is abnormal for this DC and results in a TGT that is easier to crack. This behavior may indicate a Skeleton Key attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Modify Authentication Process: Domain Controller Authentication (T1556.001)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Manipulate the domain controller authentication process to bypass standard authentication and gain access to hosts and resources in environments relying on single-factor authentication.
    Investigative actions: Identify the user or entity that requested the TGT during the alert timeframe. Determine whether a legitimate service or application requested weak Kerberos encryption. Verify whether the domain controller is patched against the Skeleton Key vulnerability (CVE-2016-1567).

    Variations

    Abnormal Weakly-Encrypted Kerberos TGT Response

    Low overridden

    A weakly encrypted Kerberos TGT was issued by a domain controller. The encryption type is abnormal for this DC and results in a TGT that is easier to crack. This behavior may indicate a Skeleton Key attack. overridden

  • Weakly-Encrypted Kerberos Ticket Requested Low 1 variation

    A user specifically requested weak and deprecated encryption in a Kerberos TGS request. This provides easy-to-crack hashes and is typically a sign of a Kerberoasting attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.
    Investigative actions: Check who used the host at the time of the alert to rule out a benign service or tool requesting weak Kerberos encryption.

    Variations

    Weakly-Encrypted Kerberos Ticket Requested on a sensitive server

    Medium overridden

    A user specifically requested weak and deprecated encryption in a Kerberos TGS request. This provides easy-to-crack hashes and is typically a sign of a Kerberoasting attack. This action occurred on a sensitive server, which may indicate a malicious activity. overridden