Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1273 alerts match the current filters.

Show ATT&CK heatmap
  • Interactive login from a shared user account Informational Identity Analytics

    A user account has been seen active on multiple hosts.Shared accounts are often considered 'bad practice' and may present multiple security risks to the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: XDR Agent
    Attacker's goals: Gaining access to a shared account and multiple hosts and systems throughout the organization.
    Investigative actions: Ensure that the shared account is legitimate and has a justified role in the organization.
  • Internal Login Password Spray Informational Identity Analytics 5 variations

    An abnormally high amount of user account login attempts were seen from a host within a short period of time.This may have resulted from a login password spray attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Spraying (T1110.003)
    Required data: XDR Agent
    Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.
    Investigative actions: Check the amount of time in between each authentication attempt. Investigate the reason behind the login failures and if any accounts were locked out. Look for any successful authentication attempts and the ratio of login success versus login failures. Monitor for potential abuse of MFA on users who have successfully logged in.

    Variations

    Suspicious intensive and short internal Login Password Spray

    Medium overridden

    An abnormally high number of login attempts within a very short period of time and suspicious automated behavior. overridden

    High-Volume Internal Password Spray Attack

    Medium overridden

    Over 500 user accounts failed to login within a short period of time. overridden

    Internal Login Password Spray with many wrong password attempts

    Low overridden

    An abnormally high amount of user account login attempts with wrong password were seen with a wrong password within a short period of time. overridden

    Internal Login Password Spray attempt on local user

    Low overridden

    An abnormally high number of login attempts with the same username to different domains or local machines within a short period of time. overridden

    Internal Login Password Spray on many users

    Low overridden

    An abnormally high amount of user account login attempts were seen from a host within a short period of time.This may have resulted from a login password spray attack. overridden

  • Invalid SAML Detected Informational Identity Threat Module 1 variation

    A user attempted to sign in using an invalid SAML. This might indicate a Golden SAML attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Forge Web Credentials: SAML Tokens (T1606.002)
    Required data: AzureAD Okta
    Detector tags: Active Directory Federation Services Analytics
    Attacker's goals: An attacker might forge a valid SAML token to impersonate other user accounts. This is used to gain persistent, unauthorized access to cloud resources, and bypassing MFA.
    Investigative actions: Check for recent changes to the SAML signing certificate on both the Identity Provider and the Service Provider to rule out a configuration drift or expiration issue. Check for other correlated alerts on on-premises systems that may be related to the Golden SAML attack. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).

    Variations

    Suspicious Invalid SAML Detected

    Low overridden

    A user attempted to sign in using an invalid SAML. This might indicate a Golden SAML attack. overridden

  • Iptables configuration command was executed Informational 7 variations

    The iptables process was executed with a command to add or delete rules on the host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)
    Required data: XDR Agent
    Attacker's goals: Adding or deleting system firewalls rules to avoid possible detection.
    Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.

    Variations

    Rare iptables port forward command was executed

    Low overridden

    An iptables command was executed to perform port forward, This command is unpopular. overridden

    Uncommon iptables port forward command was executed on the host

    Informational overridden

    An iptables command was executed to perform port forward, This command is uncommon for the host. overridden

    Rare iptables delete command was executed

    Low overridden

    An iptables command was executed to delete rule, This command is unpopular. overridden

    A rare iptables delete command was executed on the host

    Informational overridden

    An iptables command was executed to delete rule, This command is uncommon for the host. overridden

    A rare iptables flush all command was executed

    Low overridden

    An iptables command was executed to flush all rules, This command is unpopular. overridden

    A rare iptables flush command was executed

    Low overridden

    An iptables command was executed to flush all rules, This command is unpopular. overridden

    A rare iptables flush command was executed on the host

    Informational overridden

    An iptables command was executed to flush rules, This command is uncommon for the host. overridden

  • Kerberos Pre-Auth Failures by Host Low

    The endpoint failed an unusual number of Kerberos pre-authentications (TGT requests) from at least three users when compared to its baseline.This can indicate a password-spraying attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Hour
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: The attacker is attempting to gain an initial foothold in the domain using a list of valid users and a guessed password.
    Investigative actions: Verify whether the host that generated the alert is normally used by many users (for example, a terminal server). Verify any later authentication success for the user accounts referenced by the alert, as these can indicate the attacker managed to guess the credentials.
  • Kerberos Pre-Auth Failures by User and Host Informational

    The user account on this host failed Kerberos pre-authentications (TGT requests) an unusual number of times.This can indicate a Kerberos brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: The attacker is attempting to guess the credentials for the user account.
    Investigative actions: Verify that the password for the account has not been changed recently, without updating the user or the program using it. Verify any later authentication success for the user accounts referenced by the alert, as these can indicate the attacker managed to guess the credentials.
  • Kerberos Traffic from Non-Standard Process Medium 1 variation

    The endpoint had a non-standard process communicating over ports normally used by Kerberos. An attacker might be using malicious tools to move laterally.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Network Service Discovery (T1046)
    Required data: XDR Agent
    Attacker's goals: using a custom protocol implementation that offers malicious functionality Using the well-known Kerberos port with a different protocol to evade detection.Either way, the attacker's goal is to gain access to another endpoint on your network.The attacker could also be surveying your network by performing service scans over the well-known SMB or Kerberos ports.
    Investigative actions: Make sure the process is not a scanner that implements its version of the protocol, and that the scanner use is for sanctioned purposes. For example, nmap enumerating SMB. Make sure the process is not a sanctioned security product that creates standalone binaries for its use. For example, Illusive Network honeypots. Investigate the process to see if the high-level language used to implement the application is the source of the alert. Some high-level programming languages provide their protocol implementations. For example, Java uses its Kerberos implementation. Examine the endpoint to see if it is infected with malware. If the parent-child chain of initiating processes has been infiltrated with a malicious replacement, then that replacement could be known malware. Check if this process was running on other endpoints as well.

    Variations

    Rare Kerberos Traffic from a Process

    Low overridden

    The endpoint had a non-standard process communicating over ports normally used by Kerberos. An attacker might be using malicious tools to move laterally. overridden

  • Kerberos User Enumeration Medium Identity Analytics

    A high amount of Kerberos principal unknown errors were generated on users in the last hour.This may be indicative of Kerberos user enumeration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: The attacker may attempt to gain an initial foothold in the domain by enumerating users and finding service accounts.
    Investigative actions: Check whether any service principal names (SPNs) were not set correctly, as they will always return a principal unknown error.
  • Key credential attribute modification Informational Identity Analytics 2 variations

    A user modified the msDS-KeyCredentialLink attribute for an account, which may indicate a shadow credentials attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Modify Authentication Process (T1556)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker may be attempting to add shadow credentials to an account, gaining persistent unauthorized access.
    Investigative actions: Follow further PKINIT authentication activity by the modified identity. Verify if Windows Hello for Business is enabled, as this is a common benign cause for this activity. Check if the modified credential maps to an existing device ID in Entra ID. Examine recent activity from the user account, including logon patterns and privilege changes.

    Variations

    Possible shadow credentials addition

    Medium overridden

    A user modified the msDS-KeyCredentialLink attribute for an account, which may indicate a shadow credentials attack. overridden

    Key credential attribute addition

    Low overridden

    A user modified the msDS-KeyCredentialLink attribute for an account, which may indicate a shadow credentials attack. overridden

  • Keylogging using system commands Low 1 variation

    Usage of a Linux system utility to capture input.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)
    ATT&CK techniques: Input Capture: Keylogging (T1056.001)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may capture keystrokes to intercept user credentials.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Keylogging using system commands in a Kubernetes pod

    Low overridden

    Usage of a Linux system utility to capture input. overridden

  • Known service display name with uncommon image-path Low 3 variations

    Service created with a known display name but has an uncommon image-path.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Execution (TA0002)
    ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Malicious Service Analytics
    Attacker's goals: Run malicious code with seemingly trustworthy services.
    Investigative actions: Investigate the image path of the newly created service. Investigate the causality actor process that initiated the activity.

    Variations

    Known service display name with uncommon image-path created by an untrusted CGO

    Medium overridden

    Service created with a known display name but has an uncommon image-path. overridden

    Known Palo Alto service display name with uncommon image-path

    Medium overridden

    Service created with a known display name but has an uncommon image-path. overridden

    Known service display name with uncommon image-path in a suspicious folder

    Medium overridden

    Service created with a known display name but has an uncommon image-path. overridden

  • Known service name with an uncommon image-path Low 2 variations

    A Service with a known service name has an uncommon image-path.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Execution (TA0002)
    ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Malicious Service Analytics
    Attacker's goals: Run malicious code within seemingly trustworthy services.
    Investigative actions: Investigate the image-path of the newly created service. Investigate the causality actor process that initiated the activity.

    Variations

    Known Palo Alto service name with an uncommon image-path

    Medium overridden

    A Service with a known service name has an uncommon image-path. overridden

    Known service name with an uncommon image-path in a suspicious folder

    Medium overridden

    A Service with a known service name has an uncommon image-path. overridden

  • Kubelet server communication from a pod Informational 1 variation

    The Kubelet server was accessed from within a pod, which may indicate an attempt to escape container boundaries or escalate privileges.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Discovery (TA0007)
    ATT&CK techniques: Escape to Host (T1611) Container and Resource Discovery (T1613)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Usage of the Kubelet server to attempt a container breakout or escalate privileges.
    Investigative actions: Examine the process on the pod to understand its purpose.

    Variations

    Kubelet server communication from a pod by a first seen process

    Low overridden

    The Kubelet server was accessed from within a pod, which may indicate an attempt to escape container boundaries or escalate privileges. overridden

  • Kubernetes API server communication from within a pod Informational 2 variations

    The Kubernetes API server was accessed from within a pod.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Container and Resource Discovery (T1613)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Usage of the Kubernetes API server to perform operations inside the cluster.
    Investigative actions: Check if there is an active attack against the Kubernetes cluster.

    Variations

    Unusual Kubernetes API server communication from within a pod performed by curl process

    Medium overridden

    The Kubernetes API server was accessed from within a pod. overridden

    Unusual Kubernetes API server communication from within a pod

    Low overridden

    The Kubernetes API server was accessed from within a pod. overridden

  • Kubernetes Pod Created With Sensitive Volume Informational Cloud 3 variations

    An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)
    ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain access to the host's filesystem. Gain root access to the host.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.

    Variations

    Kubernetes Pod Created With Sensitive Volume for the first time in the cluster

    Low overridden

    An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden

    Kubernetes Pod Created With Sensitive Volume for the first time in the namespace

    Low overridden

    An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden

    Kubernetes Pod Created With Sensitive Volume for the first time by the identity

    Low overridden

    An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden

  • Kubernetes Pod Created with host Inter Process Communications (IPC) namespace Informational Cloud 3 variations

    An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)
    ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Access data used by other pods that use the host's IPC namespace.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any files in the /dev/shm shared memory location. Inspect for any IPC facilities being used with /usr/bin/ipcs.

    Variations

    Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time in the cluster

    Low overridden

    An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden

    Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time in the namespace

    Low overridden

    An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden

    Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time by the identity

    Low overridden

    An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden

  • Kubernetes Pod created with host process ID (PID) namespace Informational Cloud 3 variations

    An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)
    ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: View processes on the host. View the environment variables for each pod on the host. View the file descriptors for each pod on the host. Kill processes on the node.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.

    Variations

    Kubernetes Pod created with host process ID (PID) namespace for the first time in the cluster

    Low overridden

    An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden

    Kubernetes Pod created with host process ID (PID) namespace for the first time in the namespace

    Low overridden

    An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden

    Kubernetes Pod created with host process ID (PID) namespace for the first time by the identity

    Low overridden

    An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden

  • Kubernetes Privileged Pod Creation Informational Cloud 3 variations

    An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)
    ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain access to the host's filesystem. Gain root access to the host.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.

    Variations

    Kubernetes Privileged Pod Creation for the first time in the cluster

    Low overridden

    An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden

    Kubernetes Privileged Pod Creation for the first time in the namespace

    Low overridden

    An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden

    Kubernetes Privileged Pod Creation for the first time by the identity

    Low overridden

    An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden

  • Kubernetes admission controller activity Informational Cloud 4 variations

    A Kubernetes admission controller has been created or modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts (T1078) Unsecured Credentials: Container API (T1552.007)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Intercept the requests to the Kubernetes API sever, records secrets, and other sensitive information. Modify requests to the Kubernetes API sever.
    Investigative actions: Verify whether the identity should use Kubernetes admission controllers. Examine the role of the Kubernetes admission controller and its intended function. Investigate other operations that were performed by the identity within the cluster.

    Variations

    Kubernetes validating admission controller was used in the organization for the first time

    Low overridden

    A validating Kubernetes admission controller has been created or modified. overridden

    Kubernetes mutating admission controller was used in the organization for the first time

    Medium overridden

    A mutating Kubernetes admission controller has been created or modified. overridden

    Kubernetes validating admission controller was used in the cluster for the first time

    Low overridden

    A validating Kubernetes admission controller has been created or modified. overridden

    Kubernetes mutating admission controller was used in the cluster for the first time

    Medium overridden

    A mutating Kubernetes admission controller has been created or modified. overridden

  • Kubernetes cluster events deletion Informational Cloud

    Kubernetes cluster events deletion.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Adversaries may delete Kubernetes events to avoid possible detection.
    Investigative actions: Check whether these changes are expected.
  • Kubernetes enumeration activity Informational Cloud 1 variation

    An identity attempted to discover available resources within a cluster.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    7 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Container and Resource Discovery (T1613) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Map the cluster environment and detect potential resources to abuse.
    Investigative actions: Check the identity's role designation in the organization. Identify which available resources were discovered. Investigate if the discovered resources were used to extract sensitive information or perform other attacks in the cloud environment.

    Variations

    Suspicious Kubernetes enumeration activity

    Informational overridden

    An identity attempted to discover available resources within a cluster.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment. overridden

  • Kubernetes environment enumeration activity Informational 2 variations

    Multiple resources within a Kubernetes cluster were enumerated.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Container and Resource Discovery (T1613)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Map the Kubernetes cluster environment and detect potential resources to abuse.
    Investigative actions: Identify which Kubernetes resources were discovered. Investigate whether affected resources were used to extract sensitive information.

    Variations

    Kubernetes environment enumeration activity from a pod

    Medium overridden

    Multiple resources within a Kubernetes cluster were enumerated.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment. overridden

    Suspicious Kubernetes environment enumeration activity

    Low overridden

    Multiple resources within a Kubernetes cluster were enumerated.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment. overridden

  • Kubernetes network policy modification Informational Cloud

    A change has been made to the network policies of a Kubernetes cluster.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain access to the network infrastructure. Gain access to sensitive data. Gain access to Kubernetes resources.
    Investigative actions: Investigate the Kubernetes Network Policy to identify the changes made. Verify whether the identity should be making this action.
  • Kubernetes nsenter container escape Informational 2 variations

    The nsenter command was used to execute a process in the context of the initialization process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Escape to Host (T1611)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may break out of a container to run commands on the host.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Kubernetes nsenter container escape from a new Pod

    Medium overridden

    The nsenter command was used to execute a process in the context of the initialization process. overridden

    Kubernetes nsenter container escape from a Pod

    Low overridden

    The nsenter command was used to execute a process in the context of the initialization process. overridden

  • Kubernetes pod creation from unknown container image registry Low Cloud 1 variation

    A Kubernetes pod was created with a container image from an unknown registry.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Deploy container with a malicious image to facilitate execution.
    Investigative actions: Check the image registry designation in the organization. Scan the container image for any malicious components.

    Variations

    Kubernetes pod creation from unusual container image registry

    Low overridden

    A Kubernetes pod was created with a container image from an unknown registry. overridden

  • Kubernetes pod creation with host network Informational Cloud 3 variations

    An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)
    ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Access services bound to localhost. Sniff traffic on any interface on the host. Bypass network policy.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any unusual access to localhost services. Inspect for any network sniffing tool being used inside the Kubernetes Pod.

    Variations

    Kubernetes pod creation with host network for the first time in the cluster

    Low overridden

    An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden

    Kubernetes pod creation with host network for the first time in the namespace

    Low overridden

    An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden

    Kubernetes pod creation with host network for the first time by the identity

    Low overridden

    An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden

  • Kubernetes secret enumeration activity Informational 5 variations

    Kubectl secret enumeration command was executed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Container API (T1552.007)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft Analytics
    Attacker's goals: Attackers may gather sensitive information within a container environment.
    Investigative actions: Check whether the executing process is performed by authorized identity and if this was a desired behavior as part of its normal execution flow.

    Variations

    Kubernetes secret describe activity from a Kubernetes Pod

    Medium overridden

    Kubectl secret enumeration command was executed. overridden

    Kubernetes secret value extraction activity from a Kubernetes pod

    Medium overridden

    Kubectl secret enumeration command was executed. overridden

    Kubernetes secret enumeration activity from a Kubernetes Pod

    Medium overridden

    Kubectl secret enumeration command was executed. overridden

    Kubernetes secret enumeration activity from a host

    Low overridden

    Kubectl secret enumeration command was executed. overridden

    Kubernetes secret value extraction activity

    Informational overridden

    Kubectl secret enumeration command was executed. overridden

  • Kubernetes service account activity outside the cluster Informational Cloud 2 variations

    A service account user successfully invoked API calls outside the Kubernetes cluster.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Default Accounts (T1078.001)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain access to the Kubernetes cluster.
    Investigative actions: Determine which Kubernetes resources were accessed using the service account. Verify whether the service account token was exposed.

    Variations

    Unusual Kubernetes service account activity outside the cluster

    Low overridden

    A service account user successfully invoked API calls outside the Kubernetes cluster. overridden

    Kubernetes service account activity outside the cluster from non-cloud IP

    Low overridden

    A service account user successfully invoked API calls outside the Kubernetes cluster. overridden

  • Kubernetes version disclosure Informational

    The Kubernetes API server was inquired about the Kubernetes version by a process from within a pod.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Container and Resource Discovery (T1613)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Usage of the Kubernetes API server to disclose information about the Kubernetes environment.
    Investigative actions: Check if there is an active attack against the Kubernetes cluster.
  • Kubernetes vulnerability scanner activity Medium 1 variation

    A Kubernetes cluster was scanned by a known vulnerability scanner.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Discovery (TA0007)
    ATT&CK techniques: Deploy Container (T1610) Container and Resource Discovery (T1613)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Usage of known tools and frameworks to exploit Kubernetes clusters.
    Investigative actions: Check if there is an active attack against the Kubernetes cluster.

    Variations

    Kubernetes vulnerability scanner activity from within a Kubernetes Pod

    Medium overridden

    A Kubernetes cluster was scanned by a known vulnerability scanner from within a container. overridden

  • Kubernetes vulnerability scanning tool usage Medium Cloud 2 variations

    A known vulnerability scanning tool was used within a Kubernetes cluster.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002) Discovery (TA0007)
    ATT&CK techniques: Deploy Container (T1610) Container and Resource Discovery (T1613)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Usage of known tools and frameworks to exploit Kubernetes clusters.
    Investigative actions: Check if this activity is expected (e.g. penetration testing). Determine which Kubernetes resources were affected. Review additional events for any suspicious activity within the cluster.

    Variations

    Kubernetes vulnerability scanning tool usage within a pod

    Medium overridden

    A known vulnerability scanning tool was used from a pod within a Kubernetes cluster. overridden

    External Kubernetes vulnerability scanning tool usage

    Medium overridden

    A known vulnerability scanning tool was used within a Kubernetes clusteroutside the cloud environment. overridden

  • LDAP AD CS Enumeration via Attack Tool Low Identity Analytics 1 variation

    A user sent a suspicious AD CS enumeration query via LDAP. The query is associated with an AD CS LDAP enumeration tool that may be used during attacks against the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: Account Discovery (T1087) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), LDAP Analytics (Server), Active Directory Certificate Services Analytics
    Attacker's goals: An attacker is attempting to enumerate Active Directory.
    Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.

    Variations

    Abnormal LDAP AD CS Enumeration via Attack Tool

    Medium overridden

    A user sent a suspicious AD CS enumeration query via LDAP. The query is associated with an AD CS LDAP enumeration tool that may be used during attacks against the organization. overridden

  • LDAP search query from an unpopular and unsigned process Low

    An unpopular and unsigned process performed an LDAP search query. This may be indicative of LDAP enumeration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client)
    Attacker's goals: An attacker is attempting to enumerate Active Directory.
    Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Generic search queries (often using wildcards) tend to be more suspicious.
  • LDAP traffic from non-standard process Informational 4 variations

    LDAP traffic is usually performed by a standard set of processes.The endpoint had a non-standard process communicating over ports normally used by LDAP.This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087)
    Required data: XDR Agent
    Attacker's goals: An attacker is attempting to enumerate Active Directory.
    Investigative actions: Make sure the process is not a scanner that implements its version of the protocol, and that the scanner use is for sanctioned purposes. For example, nmap enumerating LDAP. Make sure the process is not a sanctioned security product that creates standalone binaries for its use. For example, Illusive Network honeypots. Investigate the process to see if the high-level language used to implement the application is the source of the alert. Some high-level programming languages provide their protocol implementations. Examine the endpoint to see if it is infected with malware. If the parent-child chain of initiating processes has been infiltrated with a malicious replacement, then that replacement could be known malware.

    Variations

    LDAP traffic from reverse SSH tunnel

    Medium overridden

    LDAP traffic is usually performed by a standard set of processes.The endpoint had a non-standard process communicating over ports normally used by LDAP.This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization. overridden

    LDAP traffic from non-standard and uncommon process

    Low overridden

    LDAP traffic is usually performed by a standard set of processes.The endpoint had a non-standard process communicating over ports normally used by LDAP.This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization. overridden

    LDAP traffic from non-standard process executed under an unsigned causality actor in a commonly abused directory

    Low overridden

    LDAP traffic is usually performed by a standard set of processes.The endpoint had a non-standard process communicating over ports normally used by LDAP.This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization. overridden

    LDAP traffic from an injected thread within a non-standard process

    Low overridden

    LDAP traffic is usually performed by a standard set of processes.The endpoint had a non-standard process communicating over ports normally used by LDAP.This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization. overridden

  • LOLBAS executable injects into another process Informational 1 variation

    A signed binary, which can be abused to run code, injected code to another process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: Gain code execution on the host and evade security controls.
    Investigative actions: Check whether the injecting process is benign, and if this was a desired behavior as part of its normal execution flow.

    Variations

    LOLBAS executable injects into another process under an uncommon CGO

    Low overridden

    A signed binary, which can be abused to run code, injected code to another process. overridden

  • LOLBIN created a PSScriptPolicyTest PowerShell script file Informational 1 variation

    A LOLBIN created a PSScriptPolicyTest file. This may be a sign of malicious PowerShell execution without directly invoking the powershell.exe binary.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Executing PowerShell scripts in a stealthy manner.
    Investigative actions: Investigate the process and command line that created the file and whether it's benign or normal for this host. Investigate the created PowerShell file for potential malicious commands.

    Variations

    LOLBIN created a larger than usual PSScriptPolicyTest PowerShell script file

    Medium overridden

    A LOLBIN created a PSScriptPolicyTest file. This may be a sign of malicious PowerShell execution without directly invoking the powershell.exe binary. overridden

  • LOLBIN process executed with a high integrity level Low 1 variation

    A process spawned a suspicious LOLBIN process with a higher/system integrity level.The LOLBIN process spawned with an uncommon command line. This may be an indication of malicious code execution to gain privileges.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: XDR Agent
    Attacker's goals: An attacker may attempt to gain higher privileges.
    Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it.Investigate the endpoint to determine if it's a legitimate process that is supposed to run with privileges.

    Variations

    LOLBIN process executed with a high integrity level by a web server process or CGO

    Medium overridden

    A process spawned a suspicious LOLBIN process with a higher/system integrity level by a web server process or CGO.The LOLBIN process spawned with an uncommon command line. This may be an indication of malicious code execution to gain privileges. overridden

  • LSASS dump file written to disk Medium

    Dumping Lsass.exe (Local Security Authority Subsystem Service) memory to file allows attackers to later extract credentials from the memory dump.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers may try to extract OS credentials from the dumped Lsass.exe file.
    Investigative actions: Check the dumping process for more suspicious activity.
  • Large Upload (FTP) Low 1 variation

    The endpoint transferred an excessively large amounts of data to a single destination over FTP.Cortex XDR Analytics assumes endpoint traffic towards a specific destination should be about the same over long periods of time.For that reason, Cortex XDR detected this abnormal behavior of a large data upload.An attacker may be exfiltrating data directly to the internet using this protocol.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Exfiltrate stolen data from the victim network to an attacker's controllable resource.
    Investigative actions: Verify that the source is not an FTP server. If Cortex XDR Analytics has failed to identify the entity as a valid FTP server, this alert is likely to be a false positive. Identify the entity performing the data transfer to determine if the transfer is sanctioned. Use Pathfinder to interrogate the endpoint for suspicious artifacts that are using endpoint processes or loaded modules.

    Variations

    Large Upload (FTP)

    Informational overridden

    The endpoint transferred an excessively large amounts of data to a single destination over FTP.Cortex XDR Analytics assumes endpoint traffic towards a specific destination should be about the same over long periods of time.For that reason, Cortex XDR detected this abnormal behavior of a large data upload.An attacker may be exfiltrating data directly to the internet using this protocol. overridden

  • Large Upload (Generic) Low 3 variations

    The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.)Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects that data transfers over all other ports to be low.For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time.An attacker may be exfiltrating data directly to the internet.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Transfer data he has stolen from your network to a location that is convenient and useful to him.
    Investigative actions: Check if the traffic is related to SSH activity, it can trigger this alert. It is possible that someone on your network is legitimately engaged in SSH activity. Check if the traffic is to/from a misconfigured network. Check if the traffic is to a new external service or server that has recently been adopted for use by an organization in your enterprise. Identify the process/user performing the data transfer to determine if the transfer is sanctioned.

    Variations

    Large Upload (Generic)

    Informational overridden

    The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.)Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects that data transfers over all other ports to be low.For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time.An attacker may be exfiltrating data directly to the internet. overridden

    Large Upload (Generic) Lower than 100 MB

    Informational overridden

    The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.)Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects that data transfers over all other ports to be low.For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time.An attacker may be exfiltrating data directly to the internet. overridden

    Large Upload (Generic) to a Frequently Used Upload Target

    Informational overridden

    The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.)Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects that data transfers over all other ports to be low.For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time.An attacker may be exfiltrating data directly to the internet. overridden

  • Large Upload (HTTPS) Low 2 variations

    The endpoint transferred an excessive amount of data to an external site over HTTPS.The destination is not a popular upload site for endpoints on your network, and the endpoint performing the upload has not previously downloaded a large amount of data from the site.The upload is considered excessive based on comparison to baseline measurements of HTTPS data transfers on your network.An attacker may be exfiltrating data directly to the internet.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Transfer data she has stolen from your network to a location that is convenient and useful to her.
    Investigative actions: Check if this alert has been falsely triggered by DNS load balancers. If an endpoint routinely uploads data to a site that uses load balancers, the transfer might ordinarily be split into multiple sessions and across multiple subdomains, which can cause the baseline measurement to be incorrect. In that situation, a routine upload that randomly places the bulk of the data in a single session to a single subdomain can look excessive to the Cortex XDR Analytics detector. Check if the device performing the data transfer is a mobile phone performing a backup. Cortex XDR Analytics will not always measure the baseline properly for mobile devices, especially if the backups are performed infrequently and contain a great deal of data. If the data transfer is a mobile device running a backup, check to ensure that only appropriate data is included in the backup. Identify the process/user performing the data transfer to determine if the transfer is sanctioned.

    Variations

    Large Upload (HTTPS)

    Informational overridden

    The endpoint transferred an excessive amount of data to an external site over HTTPS.The destination is not a popular upload site for endpoints on your network, and the endpoint performing the upload has not previously downloaded a large amount of data from the site.The upload is considered excessive based on comparison to baseline measurements of HTTPS data transfers on your network.An attacker may be exfiltrating data directly to the internet. overridden

    Large Upload (HTTPS) to non-standard port

    Low overridden

    The endpoint transferred an excessive amount of data to an external site over HTTPS.The destination is not a popular upload site for endpoints on your network, and the endpoint performing the upload has not previously downloaded a large amount of data from the site.The upload is considered excessive based on comparison to baseline measurements of HTTPS data transfers on your network.An attacker may be exfiltrating data directly to the internet. overridden

  • Large Upload (SMTP) Low 1 variation

    The endpoint, which is not an internal SMTP server, emailed an excessive amount of data from your network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Transfer data they have stolen from your network to a location that is convenient and useful to him.
    Investigative actions: Identify the process/user performing the data transfer to determine if the transfer is sanctioned. Verify that the source is not a mail server. Check if the target address represents a mail service that rarely used in the organization. If so, this might indicate on file exfiltration attempt.

    Variations

    Large Upload (SMTP)

    Informational overridden

    The endpoint, which is not an internal SMTP server, emailed an excessive amount of data from your network. overridden

  • Large volume of files potentially containing credentials accessed in Google Drive Informational Identity Threat Module 1 variation

    A user accessed a large volume of files potentially containing credentials in Google Drive.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Credential Access (TA0006)
    ATT&CK techniques: Data from Cloud Storage (T1530) Unsecured Credentials (T1552)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: An attacker may attempt to gain unauthorized access by leveraging valid credentials found in Google Drive.
    Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Verify if the user account that accessed the files is authorized to access them. Review the files accessed and whether it was part of a breach or a legitimate activity. Monitor the account for any further suspicious actions.

    Variations

    Possible credential files harvesting in Google Drive

    Low overridden

    A user accessed a large volume of files potentially containing credentials in Google Drive. overridden

  • Linux local user account creation Informational Identity Analytics 1 variation

    A user executed a process associated with user account creation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078) Valid Accounts: Local Accounts (T1078.003)
    Required data: XDR Agent
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Check the user who created the account and verify its activity. Investigate whether the same account was created on different hosts as part of an installation process.

    Variations

    Linux local user account creation by non-root user

    Low overridden

    A non-root user executed a process associated with user account creation. This user does not regularly create accounts. overridden

  • Linux network share discovery Informational

    An adversary might use known tools to discover SMB shares within the compromised network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Network Share Discovery (T1135)
    Required data: XDR Agent
    Attacker's goals: Exfiltrate or hide sensitive data.
    Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.
  • Linux process execution with a rare GitHub URL Informational

    A process was executed with an uncommon GitHub URL in its command line. This may have legitimate uses, but it might also be used by attackers to download malicious payloads.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter (T1059)
    Required data: XDR Agent
    Attacker's goals: Download a second stage payload for execution.
    Investigative actions: Check if the initiator process is malicious. Check the user activity on the same agent at that time. Check if the host is a development server. Check if this installation was related to more installations at the same time. Check for additional file/network operations by the same process instance.
  • Linux system firewall was modified Low

    The system firewall was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Exfiltrate data or move laterally in the organization.
    Investigative actions: Examine the command to understand which IPs or ports were affected. Check the communication allowed by the modified firewall rule.
  • Local account discovery Informational

    One of several local account discovery commands were executed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery: Local Account (T1087.001)
    Required data: XDR Agent
    Attacker's goals: Account discovery.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Local group enumeration Informational Identity Analytics 2 variations

    A user performed an enumeration on local groups to retrieve their details.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    5 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Permission Groups Discovery: Local Groups (T1069.001) Permission Groups Discovery (T1069)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An adversary may leverage local groups discovery to identify privileged groups and escalate privileges.
    Investigative actions: Determine the user, hostname, and process that performed the group enumeration. Inspect process, command-line arguments or scripts used. Check for any privilege escalation or lateral movement attempts from the source system. Check if the tool used to enumerate the local groups is a known or an approved tool. Review the logs for suspicious activity from the same host or user.

    Variations

    Local group enumeration for the first time

    Low overridden

    A user performed an enumeration on local groups to retrieve their details. overridden

    Local group enumeration using a builtin Windows binary

    Informational overridden

    A user performed an enumeration on local groups to retrieve their details. overridden

  • Local group enumeration via RPC Informational 1 variation

    A user enumerated local groups via RPC.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Permission Groups Discovery: Local Groups (T1069.001) Permission Groups Discovery (T1069)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An adversary may leverage local groups discovery to identify privileged groups and escalate privileges.
    Investigative actions: Determine the user, hostname, and process that performed the group enumeration. Inspect process, command-line arguments or scripts used. Check for any privilege escalation or lateral movement attempts from the source system. Check if the tool used to enumerate the local groups is a known or an approved tool. Review the logs for suspicious activity from the same host or user.

    Variations

    Remote local group enumeration via RPC

    Informational overridden

    A user enumerated local groups via RPC. overridden

  • Local user account creation Informational Identity Analytics 1 variation

    A user was observed creating a rare local user account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Local Accounts (T1078.003)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Check the user who created the account and verify its activity. Investigate whether the same account was created on different hosts as part of an installation process.

    Variations

    Suspicious local user account creation

    Low overridden

    A user was observed creating a rare local user account. This user has not been seen creating user accounts in the past 30 days. overridden

  • Local user account creation by a machine account Informational Identity Analytics

    A machine account was observed creating a rare local user account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Local Accounts (T1078.003)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Check the machine that created the user account and verify its activity. Check if the machine account is supposed to create user accounts. Investigate whether the same account was created on different hosts as part of an installation process.
  • Local user enumeration via SAMR Informational 1 variation

    A user enumerated local users via SAMR.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery: Local Account (T1087.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An adversary may leverage local user discovery to identify privileged users and escalate privileges.
    Investigative actions: Determine the user, hostname, and process that performed the user enumeration. Inspect process, command-line arguments or scripts used. Check for any privilege escalation or lateral movement attempts from the source system. Check if the tool used to enumerate the local users is a known or an approved tool. Review the logs for suspicious activity from the same host or user.

    Variations

    Local user enumeration via SAMR on an internet facing server

    Low overridden

    A user enumerated local users via SAMR. overridden

  • Log enumeration via cloud native logging service Informational Cloud 1 variation

    An activity of log enumeration operations via cloud native logging service was detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Log Enumeration (T1654)
    Required data: AWS Audit Log
    Attacker's goals: Gaining information about your environment as part of the discovery phase.
    Investigative actions: Check the identity which invoked the operations.

    Variations

    Log enumeration via cloud native logging service invoked by an identity for the first time

    Low overridden

    An activity of log enumeration operations via cloud native logging service was detected. overridden

  • Logging was impaired via external encryption key Medium Cloud

    The resource was configured with an external key This might be an attempt to disrupt log inspection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Manipulation (T1565) Impair Defenses (T1562)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Modifying the key used to encrypt the logs to remain undetected.
    Investigative actions: Check the identity that updated the resource configuration. Check the key used to encrypt the logs.
  • Login attempt by a honey user Low Identity Analytics 1 variation

    A login attempt was made by a honey user, a decoy account created to detect unauthorized access. This may indicate potential attacker activity attempting to use valid or stolen credentials.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: XDR Agent
    Detector tags: Honey User Analytics
    Attacker's goals: An attacker is attempting to gain unauthorized access by exploiting valid or stolen credentials.
    Investigative actions: Confirm that the alert was triggered by a honey user account. Check for other login attempts on different accounts from the same source IP. Analyze any subsequent actions performed by the user after the login attempt. Follow further actions performed by the user.

    Variations

    Successful login by a honey user

    Medium overridden

    A login attempt was made by a honey user, a decoy account created to detect unauthorized access. This may indicate potential attacker activity attempting to use valid or stolen credentials. overridden

  • Login by a dormant user Informational Identity Analytics 1 variation

    A dormant user logged on after having been unused for a month or longer.This may indicate the account is misused by an attacker.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: XDR Agent
    Attacker's goals: Use a compromised user account that has not been used for a long time and is therefore less likely to be noticed.
    Investigative actions: Confirm that the activity is benign (e.g. the user returned from a long leave of absence). See whether there are other abnormal actions done by the user (e.g. files\commands\other logins). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.

    Variations

    Cached interactive login by a dormant user

    Informational overridden

    A dormant user logged on after having been unused for a month or longer.This may indicate the account is misused by an attacker. overridden

  • Logs were not collected from a data source for an abnormally long time Low 4 variations

    Logs were not collected from a data source for an abnormally long time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    6 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)
    Required data: Health Monitoring Data
    Attacker's goals: N/A.
    Investigative actions: N/A.

    Variations

    Logs were not collected from a Windows Event Collector (WEC) for an abnormally long time

    Low overridden

    Logs were not collected from a data source for an abnormally long time. overridden

    Logs were not collected from a Microsoft Windows XDR Collector (XDRC) for an abnormally long time

    Low overridden

    Logs were not collected from a data source for an abnormally long time. overridden

    Logs were not collected from a data source for an abnormally long time, which indicates a significant stop

    Medium overridden

    Logs were not collected from a data source for an abnormally long time. overridden

    Logs were not collected from a data source for an abnormally long time, despite a stable and consistent data stream until recently

    Medium overridden

    Logs were not collected from a data source for an abnormally long time. overridden

  • MFA Disabled for Google Workspace Low Identity Threat Module 1 variation

    An administrator has disabled Multi-Factor Authentication for Google Workspace users.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Modify Authentication Process (T1556) Modify Authentication Process: Multi-Factor Authentication (T1556.006)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Gain access to Google Workspace accounts with disabled MFA. Exploit Google Workspace accounts with weaker security. Steal sensitive data from Google Workspace accounts.
    Investigative actions: Check the MFA settings for the Google Workspace users. Identify the users who have MFA disabled and investigate the reason for it. Check the security log to see if there have been any suspicious activities in the account.

    Variations

    MFA Disabled for Google Workspace from an unusual caller IP ASN

    Low overridden

    An administrator has disabled Multi-Factor Authentication for Google Workspace users. overridden

  • MFA device was removed/deactivated from an IAM user Informational Cloud

    Deactivate an MFA device and disassociate it from an IAM user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Attacker's goals: This may allow an attacker to gain access to the IAM user.
    Investigative actions: Check if IAM requires MFA to be enabled.
  • MFA was disabled for a Google Workspace user Informational Identity Threat Module 2 variations

    Multi-Factor Authentication (MFA) has been disabled for a Google Workspace user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Authentication Process: Multi-Factor Authentication (T1556.006)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may impair defenses by disabling Multi-Factor Authentication (MFA) to maintain persistence and evade detection.
    Investigative actions: Verify if the MFA disablement was authorized. Investigate the source IP and User Agent for previous malicious activity or anomalies. Follow further actions done by the user and IP address.

    Variations

    MFA was disabled for a Google Workspace administrative user

    Medium overridden

    Multi-Factor Authentication (MFA) has been disabled for a Google Workspace user. overridden

    MFA was disabled for a Google Workspace user by a different account for the first time

    Low overridden

    Multi-Factor Authentication (MFA) has been disabled for a Google Workspace user. overridden

  • MFA was disabled for an Azure identity Low Identity Threat Module 2 variations

    MFA was disabled for the user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Modify Authentication Process (T1556)
    Required data: AzureAD Audit Log
    Attacker's goals: This allows the attacker to connect using this account without the need for the additional layer of authentication.
    Investigative actions: Follow further actions by the initiator. Check the login activity from this account. Follow further actions done by this account.

    Variations

    Suspicious MFA was disabled for an Azure identity

    Medium overridden

    MFA was disabled for the user. overridden

    MFA was disabled for an Azure identity regularly by the user

    Informational overridden

    MFA was disabled for the user. overridden

  • ML artifacts destruction Low Cloud 1 variation

    An identity deleted multiple ML artifacts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Leverage access to the cloud to delete resources and cause damage to an organization's infrastructure.
    Investigative actions: Confirm the legitimacy of the suspected identity and what cloud resources have been deleted by the identity. Look for any unusual activity associated with the suspected identity and determine whether they are compromised.

    Variations

    Unusual ML artifacts destruction

    Medium overridden

    An identity deleted multiple ML artifacts.This large volume of deleted ML artifacts had not been seen across all projects for the last 30 days. overridden

  • MSI accessed a web page running a server-side script Informational 1 variation

    The Microsoft installer command line included a URL to a web page running a server-side script, which is suspicious.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution (T1218)
    Required data: XDR Agent
    Attacker's goals: An attacker may use this technique to install a malicious tool from a remote server.
    Investigative actions: Check whether the URL is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    MSI accessed a web page running a server-side script

    High overridden

    MSI on an internet-facing server accessed a web page running a server-side script. overridden

  • Machine Account NTLM Relay Low

    An NTLM NTProofStr was seen from more than one source. This indicates that machine account NTLM authentication data has been relayed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.
    Investigative actions: Check that the alerted host is not a NAT or a proxy that duplicates traffic as part of its normal behavior. Check if the protocols used are vulnerable to an NTLM relay attack (e.g. LDAP, SMB). Ensure that SMB signing is enabled in the case of a possible SMB relay attack.
  • Machine account was added to a domain admins group Medium Identity Analytics

    A machine account was added to a domain admins group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Privilege escalation using a valid account.
    Investigative actions: Check the user who added the account to the group and verify its activity.
  • Mailbox Client Access Setting (CAS) changed Medium

    An attacker may use PowerShell to change the Client Access Settings (CAS) for a mailbox, hence gaining access to the data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data Staged: Local Data Staging (T1074.001)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain access to the data in the compromised mailbox.
    Investigative actions: Examine the PowerShell command to identify which mailbox's access setting has been modified. Verify that the change in the client access setting was executed by a trusted source.
  • Mailbox enumeration activity by Azure application Informational Cloud 1 variation

    Microsoft Graph API was used to enumerate mailboxes in Azure tenant.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: To extract sensitive information stored in mailboxes.
    Investigative actions: Determine which mailboxes were enumerated and whether they contained any sensitive information. Investigate the identity following actions.

    Variations

    Mailbox enumeration activity by Azure user

    Informational overridden

    Microsoft Graph API was used by a user to enumerate mailboxes. overridden

  • Manipulation of netsh helper DLLs Registry keys Medium

    Registering netsh helper DLLs is uncommon, and could be used by malware for persistence.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Event Triggered Execution: Netsh Helper DLL (T1546.007)
    Required data: XDR Agent
    Attacker's goals: Command execution and persistence on the host.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Masquerading as a default local account Low Identity Analytics 3 variations

    A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Hide Artifacts: Hidden Users (T1564.002) Valid Accounts: Default Accounts (T1078.001) Masquerading (T1036)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Check what rights and permissions were granted to the new user. Verify the action with the user who created the new account. Follow actions and activities of the newly created default account. Monitor the addition of the user to different groups.

    Variations

    Masquerading as a default local account for the first time

    Medium overridden

    A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection. overridden

    Potential masquerading as a power user account

    Low overridden

    A user created a new local account with the name of a privileged local account.This user does not regularly create accounts.An attacker may create a user with these known names to evade detection. overridden

    Masquerading as a default Administrator account

    Informational overridden

    A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection. overridden

  • Masquerading as the Linux crond process Low 1 variation

    Copies a file and renames it as crond.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading: Masquerade Task or Service (T1036.004)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may masquerade as the crond executable.
    Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.

    Variations

    Masquerading as the Linux crond process from a Kubernetes pod

    Low overridden

    Copies a file and renames it as crond. overridden

  • Massive file activity abnormal to process Informational Identity Threat Module 1 variation

    A user generated massive file activity by size or distinct file count.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Automated Collection (T1119) Data Staged: Local Data Staging (T1074.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect data and stage it on an endpoint in the organization.
    Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check which files the process performed the activity on. Check whether other users in the organization used the same process for file activity.

    Variations

    Massive file activity over 500 MB abnormal to process

    Low overridden

    A user generated massive file activity by size or distinct file count. overridden

  • Massive file compression by user Informational Identity Threat Module

    Multiple archive files were created by a user. This might indicate an attempt to stage data before exfiltration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Stage data on an endpoint in the organization.
    Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.
  • Massive file downloads from SaaS service Informational Identity Threat Module Email 3 variations

    A user downloaded a large volume of files from an organizational SaaS service, either exceeding the normal file count or size for the user's typical behavior.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Cloud Storage (T1530)
    Required data: Box Audit Log DropBox Google Workspace Audit Logs Office 365 Audit
    Attacker's goals: An attacker may download files from a SaaS service to exfiltrate sensitive data.
    Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Review the files that were downloaded to determine if they contain sensitive data. Verify if the user account that downloaded the files is authorized to access them. Analyze the file types that were downloaded. Monitor the account for any further suspicious actions.

    Variations

    Suspicious SaaS service file downloads

    Low overridden

    A user downloaded a large volume of files from an organizational SaaS service, either exceeding the normal file count or size for the user's typical behavior. The user connected from an unknown IP and displayed suspicious characteristics. overridden

    Massive file downloads from SaaS service by terminated user

    Low overridden

    A user downloaded a large volume of files from an organizational SaaS service, either exceeding the normal file count or size for the user's typical behavior. overridden

    Massive code file downloads from SaaS service

    Low overridden

    A user downloaded a large volume of files from an organizational SaaS service, either exceeding the normal file count or size for the user's typical behavior. overridden

  • Massive files deletion in Box Informational Identity Threat Module 1 variation

    A user deleted a large amount of data in Box. This behavior may indicate that the data is being wiped.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: Box Audit Log
    Attacker's goals: An attacker may delete files from a SaaS service to wipe data from the organization.
    Investigative actions: Investigate the source account and verify if it was compromised or performed an authorized activity. Review the files that were deleted to determine if they contain sensitive or critical data. Monitor the account for any further suspicious actions.

    Variations

    Massive files deletion in Box with suspicious parameters

    Low overridden

    A suspicious user deleted a large amount of data in Box. This behavior may indicate that the data is being wiped. overridden

  • Massive files deletion in Dropbox Informational Identity Threat Module 1 variation

    A user deleted a large amount of data in Dropbox. This behavior may indicate that the data is being wiped.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: DropBox
    Attacker's goals: An attacker may delete files from a SaaS service to wipe data from the organization.
    Investigative actions: Investigate the source account and verify if it was compromised or performed an authorized activity. Review the files that were deleted to determine if they contain sensitive or critical data. Monitor the account for any further suspicious actions.

    Variations

    Massive files deletion in Dropbox with suspicious parameters

    Low overridden

    A suspicious user deleted a large amount of data in Dropbox. This behavior may indicate that the data is being wiped. overridden

  • Massive files deletion in Google Drive Informational Identity Threat Module 1 variation

    A user deleted a large amount of data in Google Drive. This behavior may indicate that the data is being wiped.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: An attacker may delete files from a SaaS service to wipe data from the organization.
    Investigative actions: Investigate the source account and verify if it was compromised or performed an authorized activity. Review the files that were deleted to determine if they contain sensitive or critical data. Monitor the account for any further suspicious actions.

    Variations

    Massive files deletion in Google Drive with suspicious parameters

    Low overridden

    A suspicious user deleted a large amount of data in Google Drive. This behavior may indicate that the data is being wiped. overridden

  • Massive files deletion in Microsoft SharePoint or OneDrive Informational Identity Threat Module 1 variation

    A user deleted a large amount of data in Microsoft SharePoint or OneDrive. This behavior may indicate that the data is being wiped.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: Office 365 Audit
    Attacker's goals: An attacker may delete files from a SaaS service to wipe data from the organization.
    Investigative actions: Investigate the source account and verify if it was compromised or performed an authorized activity. Review the files that were deleted to determine if they contain sensitive or critical data. Monitor the account for any further suspicious actions.

    Variations

    Massive files deletion in Microsoft SharePoint or OneDrive with suspicious parameters

    Low overridden

    A suspicious user deleted a large amount of data in Microsoft SharePoint or OneDrive. This behavior may indicate that the data is being wiped. overridden

  • Massive upload to SaaS service Informational Identity Threat Module 1 variation

    A user uploaded a large amount of data to an organizational cloud storage. This behavior may indicate that the data is being exfiltrated or staged.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)
    ATT&CK techniques: Exfiltration Over Web Service (T1567) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) Data Staged: Remote Data Staging (T1074.002)
    Required data: Box Audit Log DropBox Google Workspace Audit Logs Office 365 Audit
    Attacker's goals: An attacker may upload files to a SaaS service to stage and exfiltrate data from the organization.
    Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Review the files that were uploaded to determine if they contain sensitive data. Verify if the user account that uploaded the files is authorized to access them. Analyze the file types that were uploaded. Monitor the account for any further suspicious actions.

    Variations

    Massive upload to SaaS service by suspicious user

    Low overridden

    A suspicious user uploaded a large amount of data to an organizational cloud storage. This behavior may indicate that the data is being exfiltrated or staged. overridden

  • Massive upload to a rare storage or mail domain Informational Identity Threat Module 1 variation

    A large amount of data was transferred to an external site that is used for mail or storage. This behavior may indicate data exfiltration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Web Service (T1567) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)
    Required data: Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs XDR Agent
    Attacker's goals: A user uploaded an abnormal amount of data to a file sharing service. This activity might indicate an attempt to exfiltrate files and data from the organization.
    Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert. Identify the user uploading the data to determine if the transfer is sanctioned.

    Variations

    A user uploaded over 500 MB to a rare storage or mail domain

    Low overridden

    A user uploaded over 500 MB to a file sharing service that is rarely accessed by them or anyone else in the organization. overridden

  • Member added to a Windows local security group Informational Identity Analytics 2 variations

    A member was added to a Windows local security group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Privilege escalation using a valid account.
    Investigative actions: Check the user who added the account to the group and verify its activity.

    Variations

    User added to the Windows local Administrator group

    Low overridden

    A member was added to a Windows local security group. overridden

    Member added to the Windows local Administrator group

    Informational overridden

    A member was added to a Windows local security group. overridden

  • Memory dumping with comsvcs.dll High

    A process memory dump was performed using comsvcs.dll MiniDump. This method is commonly used by attackers to dump Lsass.exe (Local Security Authority Subsystem Service) process memory to a file, so they could later extract credentials from the memory dump.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003) OS Credential Dumping: LSASS Memory (T1003.001)
    Required data: XDR Agent
    Attacker's goals: Attackers may attempt to dump the memory of sensitive processes.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Microsoft 365 DLP policy disabled or removed Informational Identity Threat Module Email 1 variation

    A user disabled or removed a Microsoft 365 data loss prevention (DLP) policy, which may indicate DLP monitoring evasion.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to bypass Microsoft 365 Data Loss Prevention (DLP) policies.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Monitor the user's activity for any access to sensitive data or data exfiltration. Investigate if any other security policies have been changed or removed.

    Variations

    Rare Microsoft 365 DLP policy removal

    Low overridden

    A user disabled or removed a Microsoft 365 data loss prevention (DLP) policy, which may indicate DLP monitoring evasion. overridden

  • Microsoft 365 storage services exfiltration activity Low Cloud

    The Microsoft Graph API was used to download Microsoft OneDrive and SharePoint files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Cloud Storage (T1530)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: To extract sensitive information stored in Microsoft 365 storage services.
    Investigative actions: Determine which items were downloaded and whether they contained any sensitive information. Investigate the identity following actions.
  • Microsoft Configuration Manager device registration and policy request Informational Identity Analytics 1 variation

    A user registered a device and requested a Microsoft Configuration Manager policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002) Unsecured Credentials (T1552)
    Required data: XDR Agent
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: An attacker aims to extract plaintext credentials of the Network Access Account (NAA) from an SCCM environment, enabling unauthorized access to resources and lateral movement within the network.
    Investigative actions: Verify the activity with the performing user. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Look for unusual logins using the Network Access Account (NAA), on systems or at times that deviate from normal patterns. Looking for signs of credential extraction, such as tools or scripts.

    Variations

    Suspicious Microsoft Configuration Manager device registration and policy request

    Low overridden

    A suspicious process registered a new device and requested policies from Microsoft Configuration Manager, triggering a suspicious activity alert due to unusual characteristics. overridden

  • Microsoft Office Process Spawning a Suspicious One-Liner Medium

    A Microsoft Office process spawned a commonly abused process with a full command (not a script), this is a typically malicious behavior.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)
    ATT&CK techniques: User Execution (T1204) Phishing: Spearphishing Attachment (T1566.001)
    Required data: XDR Agent
    Attacker's goals: An attacker is trying to gain code execution on the host.
    Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. For example, employees working in finance may have legitimate use cases for complex Excel commands.
  • Microsoft Office adds a value to autostart Registry key Low

    Microsoft Office adds a value to a registry entry (run keys, startup folders) to establish persistence.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain persistence on the host using the Window's autostart Mechanism.
    Investigative actions: Check the registry key and determine what process it'll run. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Microsoft Office injects code into a process Low 5 variations

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)
    ATT&CK techniques: Phishing: Spearphishing Attachment (T1566.001) Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: An attacker attempts to gain code execution via a phishing document. Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
    Investigative actions: Check the source of the document (received by mail or loaded locally). Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Unsigned Microsoft Office injects code into a process

    High overridden

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden

    Microsoft Office injects code into a process to a non-standard PE section

    High overridden

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden

    Microsoft Office injects code into a process to an undeclared memory page

    Medium overridden

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden

    Microsoft Office injects code into a process from an unsigned process

    Medium overridden

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden

    Microsoft Office macro-enabled spreadsheet (XLSM) injects code into a process

    Medium overridden

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden

  • Microsoft Office process spawns a commonly abused process Low

    Microsoft Office process spawns a commonly abused process with an uncommon command.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)
    ATT&CK techniques: User Execution (T1204) Phishing: Spearphishing Attachment (T1566.001)
    Required data: XDR Agent
    Attacker's goals: An attacker attempts to gain code execution via a phishing document.
    Investigative actions: Check the source of the document (received by mail or loaded locally). Investigate the child processes for malicious activity and network connections to an external host.
  • Microsoft Office process spawns conhost.exe Low

    This unusual parent-child relationship may indicate that a Microsoft Office application executed a console-based application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)
    ATT&CK techniques: User Execution: Malicious File (T1204.002) Phishing (T1566)
    Required data: XDR Agent
    Attacker's goals: An attacker attempts to gain code execution via an Office application or via an Office document.
    Investigative actions: Check the source of the file or email (received by mail or loaded locally). Investigate the child processes for malicious activity and network connections to an external host.
  • Microsoft OneDrive enumeration activity Informational Cloud

    The Microsoft Graph API was used to enumerate Microsoft OneDrive items.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: To extract sensitive information stored in Microsoft OneDrive.
    Investigative actions: Determine which OneDrive files were enumerated and whether they contained any sensitive information. Investigate the identity following actions.
  • Microsoft OneNote enumeration activity Informational Cloud

    The Microsoft Graph API was used to enumerate Microsoft OneNote items.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: To extract sensitive information stored in Microsoft OneNote.
    Investigative actions: Determine which OneNote items were enumerated and whether they contained any sensitive information. Investigate the identity following actions.
  • Microsoft SharePoint enumeration activity Informational Cloud

    The Microsoft Graph API was used to enumerate Microsoft SharePoint sites in an Azure tenant.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: To extract sensitive information stored in Microsoft SharePoint.
    Investigative actions: Determine which SharePoint sites were enumerated and whether they contained any sensitive information. Investigate the identity following actions.
  • Microsoft Teams application setup policy was modified Informational Identity Threat Module 1 variation

    Microsoft Teams the application setup policy, which is responsible for application management, was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Impair Defenses (T1562) Cloud Application Integration (T1671)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may modify the application setup policy to maintain persistent access to compromised Teams accounts and conversations.
    Investigative actions: Determine if it is within the user's role to modify the policy. Verify whether the modification of the policy is both legitimate and necessary. If the policy change causes an application installed for the whole organization, confirm that the application was created by a certified and trusted entity. Correlate the event with its sign-in event to get additional information on the identity performing the action using the session ID or the unique token identifier.

    Variations

    A user changed the Microsoft Teams application setup policy for the first time

    Low overridden

    Microsoft Teams the application setup policy, which is responsible for application management, was modified. overridden

  • Microsoft Teams enumeration activity Informational Cloud

    The Microsoft Graph API was used to enumerate Microsoft Teams channels in an Azure tenant.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs, Microsoft Teams
    Attacker's goals: To extract sensitive information stored in Microsoft Teams.
    Investigative actions: Determine which Teams channels were enumerated and whether they contained any sensitive information. Investigate the identity following actions.
  • Microsoft Teams external communication policy was modified Informational Identity Threat Module 1 variation

    Microsoft Teams external communication policy was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Exfiltration (TA0010)
    ATT&CK techniques: Impair Defenses (T1562) Exfiltration Over Alternative Protocol (T1048)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may modify the external communication policy to enable data exfiltration or to hide their activities.
    Investigative actions: Determine if it is within the user's role to modify the policy. Verify whether the modification of the policy is both legitimate and necessary. Follow further communication with the external tenant or allowed tenants. Correlate the event with its sign-in event to get additional information on the identity performing the action using the session ID.

    Variations

    Microsoft Teams external communication policy was modified by an unusual user

    Low overridden

    Microsoft Teams external communication policy was modified. overridden

  • Microsoft Teams messages were exported from conversation Informational Identity Threat Module 1 variation

    Microsoft Teams messages were exported from conversation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories: Messaging Applications (T1213.005)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage message extraction from Microsoft Teams to obtain valuable information.
    Investigative actions: Confirm that the exported messages were extracted from a certified and trusted entity. Determine if it is within the user's role to extract messages from Microsoft Teams. Follow further actions done by the account and validate that the exported conversations were not sent to an untrusted entity.

    Variations

    Microsoft Teams messages were exported from conversation by a privileged user for the first time

    Low overridden

    Microsoft Teams messages were exported from conversation. overridden

  • Mimikatz command-line arguments High

    These command-line arguments are often used by Mimikatz to dump and harvest credentials.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003)
    Required data: XDR Agent
    Attacker's goals: An attacker is attempting to use Mimikatz, a known credential theft tool, to dump and harvest credentials.
    Investigative actions: Investigate the executed process to verify if it is malicious. Investigate the command line purpose.
  • Modification of NTLM restrictions in the Registry Low

    Allowing the transmission of NTLM could be part of an NTLM downgrade or an Internal Monologue attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Downgrading to a lower NTLM version gives the attacker an easy way to retrieve NTLM hashes from a Windows machine.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Modification of PAM Informational 1 variation

    Modification of PAM configuration files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005) Credential Access (TA0006)
    ATT&CK techniques: Modify Authentication Process: Pluggable Authentication Modules (T1556.003)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Credential access, defense evasion or persistence.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Modification of PAM from a Kubernetes pod

    Informational overridden

    Modification of PAM configuration files. overridden