Analytics Alerts
Browse the Cortex analytics alert reference.
134 alerts match the current filters. tactic: TA0007 ✕
Show ATT&CK heatmapStorage enumeration activity Informational Cloud
An identity attempted to discover cloud objects within storage buckets.This might be an attempt by an adversary to find sensitive data stored in cloud storage, which could lead to data theft.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Storage Object Discovery (T1619) Cloud Infrastructure Discovery (T1580)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Stealth Tactics, Data Detection & ResponseAttacker's goals: Access sensitive data stored in cloud infrastructure.Investigative actions: Check the identity's role designation in the organization. Identify which storage buckets were enumerated and whether they contained sensitive information.Suspicious Azure enumeration activity Medium Cloud
An Azure identity performed resource enumeration across multiple services using Microsoft Graph.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Service Discovery (T1526)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Map the Azure tenant and detect potential resources to abuse.Investigative actions: Check the identity's role designation in the organization. Identify which resources were discovered. Investigate if the discovered resources were used to extract sensitive information or perform other attacks in the cloud environment.Suspicious Certutil AD CS contact Low 1 variation
A suspicious occurrence of Certutil attempted to contact the AD CS Request Interface.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: System Service Discovery (T1007) Steal or Forge Authentication Certificates (T1649)Required data: XDR AgentDetector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker might look for AD CS servers, certificate templates or request certificates. With the wrong setting or loose vulnerable templates or enabled enrollment, the attacker will be able to authenticate as users on the network.Investigative actions: Look at further action done by the user. Investigate whether other non-standard operations were done regarding the AD CS.Variations
Suspicious Certutil AD CS Admin Interface contact
Medium overridden
A suspicious occurrence of Certutil attempted to contact the AD CS Admin Interface. overridden
Suspicious LDAP search query executed Low 2 variations
A suspicious and unpopular LDAP search query was executed. This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.Variations
Suspicious LDAP search query executed
High overridden
A suspicious and unpopular LDAP search query was executed. This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization. overridden
Suspicious LDAP search query executed
Low overridden
A suspicious and unpopular LDAP search query was executed. This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization. overridden
Suspicious PowerShell Enumeration of Running Processes Low
Attackers often enumerate running processes to find and disable security tools.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Process Discovery (T1057)Required data: XDR AgentAttacker's goals: Understand the type of host according to the processes running on it; find and disable security tools.Investigative actions: Verify whether the command that was executed is benign or normal for the host and/or user performing it (for example, it may be an IT script).Suspicious PowerSploit's recon module (PowerView) net function was executed Medium
An attacker may use PowerSploit to reconnaissance the network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.Investigative actions: Verify that the relevant function was indeed run by PowerSploit (https://powersploit.readthedocs.io/#recon). Understand what information the attacker had gathered from the command and investigate relevant assets.Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts Medium
An attacker may use PowerSploit to reconnaissance the network for exposed hosts to move laterally to.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.Investigative actions: Verify that the relevant function was indeed run by PowerSploit (https://powersploit.readthedocs.io/#recon). Understand what information the attacker had gathered from the command and investigate relevant assets.Suspicious container reconnaissance activity in a Kubernetes pod Informational 2 variations
A process performed multiple consecutive container discovery commands from within a Kubernetes Pod.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007) Container and Resource Discovery (T1613)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.Variations
Suspicious container reconnaissance activity in a Kubernetes pod
Medium overridden
A process performed multiple consecutive container discovery commands from within a Kubernetes Pod. overridden
Suspicious container reconnaissance activity in a Kubernetes pod
Low overridden
A process performed multiple consecutive container discovery commands from within a Kubernetes Pod. overridden
Suspicious reconnaissance using LDAP Informational 1 variation
A process executed multiple suspicious LDAP search queries. This may be indicative of LDAP enumeration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 7 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Generic search queries (often using wildcards) tend to be more suspicious.Variations
Suspicious reconnaissance using LDAP from untrusted process
Low overridden
A process executed multiple suspicious LDAP search queries. This may be indicative of LDAP enumeration. overridden
Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet Informational
An attacker may use one of Microsoft's Active Directory PowerShell module remote discovery cmdlet to reconnaissance the network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Understand what information the attacker had gathered from the command and investigate relevant assets.System information discovery via psinfo.exe Low
Using psinfo.exe, the attacker can gather information about the network, and gain an in-depth understanding of which devices are relevant to attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: System Information Discovery (T1082)Required data: XDR AgentAttacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.System profiling WMI query execution Informational
Attackers or malware may use WMI queries to identify the system and evade execution in sandbox environments.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Discovery (TA0007)ATT&CK techniques: Windows Management Instrumentation (T1047) System Information Discovery (T1082)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attacker or malware can use WMI queries to identify system components and prevent execution in sandbox \ virtualized environments to evade detection.Investigative actions: Examine the process that executed the WMI query and verify that the process is from a trusted source. Inspect the system for suspicious activity that is related to that process.Uncommon ARP cache listing via arp.exe Low
The arp.exe command is used to display and modify entries in the Address Resolution Protocol (ARP) cache. Adversaries may attempt to use the command to discover remote systems they could compromise.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: System Network Configuration Discovery (T1016)Required data: XDR AgentAttacker's goals: Adversaries may attempt to use the command to discover remote systems they could compromise.Investigative actions: Check whether the initiating process is allowed in your organization. (If the parent process is cmd.exe, check the process that spawned it).Uncommon IP Configuration Listing via ipconfig.exe Low
The 'ipconfig' command is used to display TCP/IP network configuration information and refresh the Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings. Adversaries may use the command to discover network configuration details.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: System Network Configuration Discovery (T1016)Required data: XDR AgentAttacker's goals: Attackers can use the ipconfig command to discover network configuration details.Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check whether additional discovery commands were executed from the same process.Uncommon access to /etc/passwd Informational 11 variations
A process made an uncommon attempt to access /etc/passwd.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: File and Directory Discovery (T1083) System Service Discovery (T1007) System Owner/User Discovery (T1033) System Information Discovery (T1082) Account Discovery (T1087) Account Discovery: Local Account (T1087.001) OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: EDR Discovery Analytics, Credentials Grabbing AnalyticsAttacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.Variations
Uncommon access to /etc/passwd by a security testing tool
Medium overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd by a potentially known credential dumper or enumeration script
Medium overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd by a potential Webshell
Medium overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon link creation to /etc/passwd
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd with both /etc/passwd and /etc/shadow in the command line
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd, involving a network utility
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd from temporary or world writable directories
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd with additional sensitive files in the command line
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd via a new inline bash script
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd using an interactive binary
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd using an interactive shell
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon attempt at discovering a sensitive file Informational 8 variations
A process made an uncommon attempt to access a file that may contain sensitive information.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: File and Directory Discovery (T1083) Process Discovery (T1057) System Service Discovery (T1007) System Network Configuration Discovery (T1016) System Owner/User Discovery (T1033) System Network Connections Discovery (T1049) System Information Discovery (T1082)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: EDR Discovery AnalyticsAttacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.Variations
Uncommon attempt at discovering /etc/hosts
Informational overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at discovering a sensitive file by a security testing tool
Medium overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at discovering a sensitive file by a potentially known credential dumper or enumeration script
Medium overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at discovering a sensitive file by a potential Webshell
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at discovering a sensitive file by a script that was executed by a rare causality
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at discovering a sensitive file from temporary or world writable directories
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at discovering a sensitive file by a rare process that was executed by cron
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at discovering a sensitive file by a non-GTFOBIN process
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file Informational 8 variations
A process made an uncommon attempt to access a file that may contain sensitive information.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: OS Credential Dumping (T1003) Unsecured Credentials: Credentials In Files (T1552.001) Unsecured Credentials (T1552) Credentials from Password Stores (T1555) Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Credentials Grabbing AnalyticsAttacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.Variations
Uncommon attempt at grabbing credentials from a sensitive file by a security testing tool
High overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a potentially known credential dumper or enumeration script
Medium overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from an SSH private key
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a potential Webshell
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a script that was executed by a rare causality
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file from temporary or world writable directories
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a rare process that was executed by cron
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a non-GTFOBIN process
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon net group command execution Informational 7 variations
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)ATT&CK techniques: Permission Groups Discovery (T1069) Create Account (T1136)Required data: XDR AgentAttacker's goals: Attackers may attempt to use the command to find domain-level group permissions settings or modify domain-level memberships.Investigative actions: Check if the queried group is a sensitive one (e.g. administrators). Check whether the initiating process has executed additional discovery commands.Variations
Uncommon unsigned net group administrators command execution
High overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon unsigned net group administrators command execution - fixed localization issues
High overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon remote net group administrators command execution
Low overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon net group administrators command execution
Medium overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon net group execution
Low overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon remote net group execution
Low overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon administrator net group execution by scripting engine or command prompt
Medium overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon net localgroup command execution Informational 7 variations
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)ATT&CK techniques: Permission Groups Discovery (T1069) Create Account (T1136)Required data: XDR AgentAttacker's goals: Attackers may attempt to use the command to find local groups permissions settings or modify local memberships.Investigative actions: Check if the queried group is a sensitive one (e.g. administrators). Check whether the initiating process has executed additional discovery commands.Variations
Uncommon net localgroup administrators command execution by a web server process or CGO
Medium overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. When executed from a web server, it might be executed from an installed Webshell. overridden
Uncommon unsigned net localgroup administrators command execution
Medium overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon unsigned net localgroup administrators command execution - fixed localization issues
Medium overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon net localgroup administrators command execution
Low overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon net localgroup execution
Low overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon remote net localgroup execution
Medium overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon administrator net localgroup execution by scripting engine or command prompt
Low overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon net localgroup execution Informational 1 variation
The 'net localgroup' command is used to add, display, or modify groups local to the host. Adversaries may attempt to use the command to find host groups and permissions settings or modify local group memberships.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Permission Groups Discovery (T1069)Required data: XDR AgentAttacker's goals: Attackers can attempt to use the command to find endpoint groups and permissions settings or modify local group memberships.Investigative actions: Check if the queried group is a sensitive one (e.g. administrators). Check whether the initiating process has executed additional discovery commands.Variations
Uncommon net localgroup execution by an untrusted CGO
Low overridden
The 'net localgroup' command is used to add, display, or modify groups local to the host by an untrusted CGO. Adversaries may attempt to use the command to find host groups and permissions settings or modify local group memberships. overridden
Uncommon routing table listing via route.exe Low
The route.exe command is used to display and modify entries in the local IP routing table. Adversaries may attempt to use the command to discover remote systems they could compromise.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: System Network Configuration Discovery (T1016)Required data: XDR AgentAttacker's goals: Attackers can attempt to use the command to discover remote systems they could compromise.Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it (e.g. an IT script).Uncommon user management via net.exe Informational 1 variation
The net.exe command is used to add, delete, and otherwise manage the users on a computer. Adversaries may attempt to use the command to discover or add local and domain user accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)ATT&CK techniques: Account Discovery (T1087) Create Account (T1136)Required data: XDR AgentAttacker's goals: Attackers may attempt to use the command to discover or add local and domain user accounts. The created accounts are to gain additional access to endpoints within your network.Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Check whether the user from the command line is an administrator or other sensitive account.Variations
Uncommon user management via net.exe by an untrusted CGO
Low overridden
The net by an untrusted CGO.exe command is used to add, delete, and otherwise manage the users on a computer. Adversaries may attempt to use the command to discover or add local and domain user accounts. overridden
Unusual AWS systems manager activity Informational Cloud
A cloud identity performed an SSM operation for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Lateral Movement (TA0008)ATT&CK techniques: Cloud Service Discovery (T1526) Remote Services: Cloud Services (T1021.007)Required data: AWS Audit LogAttacker's goals: Manipulate SSM operations to take control over EC2 instances and strengthen the foothold in the cloud environment of the organization, by running critical operating system commands, manipulating the parameters store, and patch management configuration.Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive SSM operation that it shouldn't.Unusual IAM enumeration activity by a non-user Identity Informational Cloud
An unusual command which may be related to an IAM recon enumeration was executed by a non-user identity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069) Cloud Service Discovery (T1526)Required data: Gcp Audit LogAttacker's goals: Collect information on the cloud environment, including IAM users, groups, roles, and policies.Investigative actions: Check if the API call was made by the identity.Check if there are additional unusual API calls from the identity.Unusual Kubernetes dashboard communication from a pod Low 1 variation
The Kubernetes dashboard was accessed by an unusual pod within the environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Container and Resource Discovery (T1613)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Usage of the Kubernetes dashboard to perform operations inside the cluster.Investigative actions: Check if there is an active attack against the Kubernetes cluster.Variations
Unusual Kubernetes dashboard communication from a new pod
Informational overridden
The Kubernetes dashboard was accessed by an unusual pod within the environment. overridden
Unusual access to Microsoft 365 storage services Informational Cloud 1 variation
Unusual access was detected to a Microsoft 365 storage service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Service Discovery (T1526)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Extract sensitive information stored in Microsoft 365 storage services.Investigative actions: Determine which items were accessed. Identify whether they contained any sensitive information. Check for signs of a compromised identity, such as abnormal login activity or unusual behavior. Verify if the identity is authorized to access these drives. Monitor the identity for any further suspicious actions.Variations
Unusual access to Microsoft 365 storage services from an uncommon IP
Low overridden
Unusual access was detected to a Microsoft 365 storage service. overridden
Unusual internal access to network device management interface Informational
Unusual internal access to Palo Alto Networks device on management port.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Discovery (TA0007)ATT&CK techniques: Remote Services (T1021) Network Service Discovery (T1046)Required data: XDR AgentAttacker's goals: Attackers aim to compromise network infrastructure to redirect traffic, create illegitimate VPN tunnels, modify ACLs (Access Control Lists) to bypass segmentation, or perform Man-in-the-Middle (MitM) attacks.Investigative actions: Identify the source address and machine role (e.g., Is it a known Admin Jump Host or a standard workstation?). Validate if a change request exists for the target network device at the time of the event. Check the connection protocol (SSH/HTTPS vs. insecure Telnet/HTTP) and the port used. Review the login status: Was the authentication successful or failed? Investigate the source machine for network scanning tools or terminal clients (e.g., PuTTY, SecureCRT). Analyze the causality chain: Did a suspicious process launch the connection?. Check if the user associated with the source address has network administration privileges.Unusual multi-region AWS Resource Explorer searches Informational Cloud
An identity performed unusual discovery activity in multiple regions using Resource Explorer's Search operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Account Discovery: Cloud Account (T1087.004)Required data: AWS Audit LogAttacker's goals: Obtain a list of resources that could be targeted for lateral movement.Investigative actions: Investigate any unusual activity originating from the suspected identity.Unusual process accessed a web browser history file Low 1 variation
An unusual process has accessed a web browser history file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Collection (TA0009)ATT&CK techniques: Browser Information Discovery (T1217) Data from Local System (T1005) Automated Collection (T1119)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Sensitive Information Stealing AnalyticsAttacker's goals: Obtain access to the user's browsing history and steal their contents.Investigative actions: Determine whether it is legitimate for the process to access web browser history. Analyze the process/application that accessed the file. Check for any other suspicious actions that were performed by the process. Look for unusual access of resources using credentials that may be stored in the above file.Variations
Unusual process accessed a web browser history file on Linux
Low overridden
An unusual process has accessed a web browser history file. overridden
Unusual resource access by Azure application Informational Cloud 1 variation
An Azure application had interacted with an unusual resource using the Microsoft Graph API.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Service Discovery (T1526)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Abuse applications to gain access to the Azure tenant.Investigative actions: Verify whether the application is intended to use the resource in question. Investigate any unusual activity originating from the application.Variations
Suspicious resource access by Azure application
Low overridden
An Azure application had interacted with an unusual resource using the Microsoft Graph API. overridden
User and Group Enumeration via SAMR Informational
The endpoint performed unfamiliar SAMR querying activity to a domain controller.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An adversary may enumerate users and groups to gain information and plan its lateral movement over the network.Investigative actions: Check if the host is a newly deployed server that provides RPC-based services to multiple hosts. Check if there are any other suspicious activities originating from the same machine.User discovery via WMI query execution Informational 3 variations
Attackers or malware may use WMI queries to list the users of a host, and potentially its owner.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Discovery (TA0007)ATT&CK techniques: Windows Management Instrumentation (T1047) System Owner/User Discovery (T1033) Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attacker or malware can use WMI queries to discover host users and enumerate a huge amount of information.Investigative actions: Examine the process that executed the WMI query and verify that the process is from a trusted source. Inspect the system for suspicious activity that is related to that process.Variations
User discovery via WMI query execution by an unsigned process
Low overridden
Attackers or malware may use WMI queries to list the users of a host, and potentially its owner. overridden
User modification via WMIC query execution
Low overridden
Attackers or malware may use WMI queries to modify the users of a host, and potentially its owner. overridden
User discovery via WMIC query execution
Informational overridden
Attackers or malware may use WMI queries to list the users of a host, and potentially its owner. overridden
VM Detection attempt Informational
A script has executed commands that can be used to detect VM environments.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Discovery (TA0007)ATT&CK techniques: Virtualization/Sandbox Evasion: System Checks (T1497.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Avoid malware analysis by identifying execution from within sandboxes and virtual machines.Investigative actions: Review the script for additional malicious actions. Check for any additional alerts raised within the same context of the script.VM Detection attempt on Linux Informational 2 variations
A Process executed a command and/or accessed a file that can be used to detect VM environments.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Discovery (TA0007)ATT&CK techniques: Virtualization/Sandbox Evasion: System Checks (T1497.001)Required data: XDR AgentAttacker's goals: Avoid malware analysis by identifying execution from within sandboxes and virtual machines.Investigative actions: Review the process for additional malicious actions. Check for any additional alerts raised within the same context of the script.Variations
VM Detection attempt on Linux with further reconnaissance commands
Medium overridden
A Process executed a command and/or accessed a file that can be used to detect VM environments. overridden
VM Detection attempt on Linux using an unpopular technique
Low overridden
A Process executed a command and/or accessed a file that can be used to detect VM environments. overridden