Analytics Alerts
Browse the Cortex analytics alert reference.
1273 alerts match the current filters.
Show ATT&CK heatmapPossible LDAP enumeration by unsigned process Informational 2 variations
An unsigned process performed multiple different LDAP search queries. This may be indicative of LDAP enumeration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Generic search queries (often using wildcards) tend to be more suspicious.Variations
Possible LDAP enumeration by unsigned process
Medium overridden
An unsigned process performed multiple different LDAP search queries. This may be indicative of LDAP enumeration. overridden
Possible LDAP enumeration by unsigned process
Low overridden
An unsigned process performed multiple different LDAP search queries. This may be indicative of LDAP enumeration. overridden
Possible Pass-the-Hash Low Identity Analytics
An account was successfully logged on to with new credentials. This login type is rare and may be an attacker's attempt to pass-the-hash and move laterally within a network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Use Alternate Authentication Material: Pass the Hash (T1550.002)Required data: XDR AgentAttacker's goals: An attacker is attempting to steal credentials and move laterally within a network.Investigative actions: Audit all login events and review for discrepancies. Look for LSASS process access, an indication of an attacker attempting to obtain password hashes. Check for the RunAs command with the /netonly option.Possible Persistence via group policy Registry keys Medium
Group Policy registry keys were read during system startup. This behavior may indicate a persistence mechanism that triggers on reboot to execute malicious code.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Establish persistence on the host using Windows Group Policy mechanisms.Investigative actions: Inspect the registry keys and determine which process or command is configured to run. Verify whether the executing process is benign and expected as part of normal system behavior.Possible Privilege Escalation using Delegated MSA account Informational Identity Analytics 1 variation
An attacker might abuse dMSA account to escalate its privileges.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers may leverage dMSA account migration process to escalate privileges.Investigative actions: Confirm that the user is authorized to create and modify dMSA accounts in the domain. Verify the user should have permissions on the OU under which the dMSA account was created. Validate that the dMSA account should be created under the OU that appeared in the log (use the GUID). Verify that the user superseded an account, with the dMSA account, that should have superseded. Check the GUID of the dMSA object to get the account itself (can be viewed also in computer account creation event). Check what is the superseded account in the attribute 'msDS-ManagedAccountPrecededByLink' of the dMSA object. Investigate the host that initiated the dMSA account migration process for malicious activity.Variations
Possible Privilege Escalation using Delegated MSA account attempt
Medium overridden
An attacker might abuse dMSA account to escalate its privileges. overridden
Possible RDP session hijacking using tscon.exe Medium
The executable tscon.exe can be used to hijack other sessions on the same computer. The attacker may use another user's credentials to proceed with the lateral movement or disguise the activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Service Session Hijacking: RDP Hijacking (T1563.002)Required data: XDR AgentAttacker's goals: Attackers might hijack existing sessions on the same host to gain access to private data or leverage the logged-in user credentials to laterally move across the network.Investigative actions: Verify if the executing process is suspicious. Investigate if the interactive user did any more suspicious or malicious actions.Possible SPN enumeration Informational Identity Analytics 1 variation
A possible SPN enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client), LDAP Analytics (Server)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.Variations
Suspicious SPN enumeration via LDAP
Low overridden
A possible SPN enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden
Possible Search For Password Files Medium
Attackers often search for files that have passwords in them.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR AgentAttacker's goals: Gain user-account credentials.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Possible TGT reuse from different hosts (pass the ticket) Informational Identity Analytics 1 variation
We observed two different hosts sending TGS using the same TGT. This may indicate a TGT was stolen and passed to another host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Use Alternate Authentication Material: Pass the Ticket (T1550.003)Required data: XDR AgentAttacker's goals: Lateral movement using stolen user-account credentials.Investigative actions: Check if the mentioned hosts are not the same, and investigate if the ticket was stolen from one of them.Variations
TGT reuse from different hosts (pass the ticket)
Low overridden
We observed two different hosts sending TGS using the same TGT. This may indicate a TGT was stolen and passed to another host. overridden
Possible authentication coercion Informational Identity Analytics 2 variations
An unusual Remote Procedure Call (RPC) was made to potentially cause authentication coercion.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Forced Authentication (T1187) Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker can abuse Remote Procedure Calls to coerce authentication from servers.Investigative actions: Check for a suspicious process on the initiator. Check if the source host is a vulnerability scanner. Check for unusual connections from {actor_remote_ip} to other servers in the network. Check for logged-in users to {actor_remote_ip} and investigate their actions. Check for indicators of compromise on {actor_remote_ip}.Variations
Possible authentication coercion from an unconstrained delegation server to a sensitive server
Medium overridden
An unusual Remote Procedure Call (RPC) was made towards a sensitive server, to potentially cause authentication coercion. overridden
Possible authentication coercion to a sensitive server
Low overridden
An unusual Remote Procedure Call (RPC) was made towards a sensitive server, to potentially cause authentication coercion. overridden
Possible binary padding using dd Informational
A suspicious dd command ran and added data to a binary. This may indicate binary padding to change the hash of a file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Obfuscated Files or Information: Binary Padding (T1027.001)Required data: XDR AgentAttacker's goals: An adversary may use binary padding to avoid hash-based blacklists and static antivirus signatures.Investigative actions: Check the padded file and try to understand the impact of padding this specific binary.Possible brute force on sudo user Informational 1 variation
A user executed an unusual amount of sudo commands in a short time period.This may indicate an attempt to guess the sudo password.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Guessing (T1110.001)Required data: XDR AgentAttacker's goals: The attacker may gain full privileges to the host.Investigative actions: Verify which user ran these commands and if it is a legitimate behavior on this host.Variations
Possible brute force on sudo user
Low overridden
A user executed an unusual amount of sudo commands in a short time period.This may indicate an attempt to guess the sudo password. overridden
Possible brute force or configuration change attempt on cytool High
An unusual amount of cytool commands were executed in a short period from a user who doesn't usually run these commands.This may indicate an attempt to guess the Administrator password.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Guessing (T1110.001)Required data: XDR AgentAttacker's goals: The attacker may disable the agent to perform malicious activities.Investigative actions: Verify which user ran these commands and if it is a legitimate behavior on this host.Possible code downloading from a remote host by Regsvr32 Medium
Regsvr32 may be used to fetch arbitrary code from a remote host and execute it without dropping the payload onto the disk. Known to be used for malicious purposes.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Regsvr32 (T1218.010)Required data: XDR AgentAttacker's goals: Gain code execution on the host and evade security controls.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Possible collection of screen captures with Windows Problem Steps Recorder Medium
Windows Problem Steps Recorder (psr.exe), can record screen and clicks. Adversaries may abuse psr.exe to create screen captures and collect them afterward.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Screen Capture (T1113)Required data: XDR AgentAttacker's goals: Evading security controls and collecting screen captures of the desktop.Investigative actions: Check the causality of execution and if the TSS script was executed (Microsoft Troubleshooting Script). If output parameters in the command line are executed by the user. If the parent process is known in the organization as a support tool.Possible compromised machine account Medium
A Kerberos TGT for machine account has been used and does not match the hostname.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204)Required data: XDR AgentAttacker's goals: Gain a special user Kerberos ticket to move laterally.Investigative actions: Check the source host for possible credential dumping. Check the delegated account credentials and if it has high privileges. Check the ticket destination to verify whether it is a sensitive asset.Possible data exfiltration over a USB storage device Informational Identity Threat Module
A process generated massive file creation, renaming and write activity to a USB storage device.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001) Data Staged: Local Data Staging (T1074.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check whether the USB storage device is new to the organization. Check whether other users in the organization used the same process for massive file activity.Possible data obfuscation Informational 1 variation
A command that can be used for file obfuscation was executed with an uncommon command line.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Deobfuscate/Decode Files or Information (T1140)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may use obfuscated files to cover their tracks.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Possible data obfuscation in a Kubernetes pod
Low overridden
A command that can be used for file obfuscation was executed with an uncommon command line. overridden
Possible external RDP Brute-Force Low Identity Analytics 2 variations
Multiple failed remote logins originated from an external IP with at least one successful login.This may indicate a successful brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Guessing (T1110.001)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the accounts.Investigative actions: If the source IP is an internal IP, adjust network IP ranges. Identify the user performing RDP and check that it is authorized. Check whether this IP has a malicious reputation. Reset the user's password. Follow further actions done by the user.Variations
Possible external RDP Brute-Force on a Honey User Account
Medium overridden
Multiple failed remote logins originated from an external IP with at least one successful login.This may indicate a successful brute-force attack. overridden
Potential External Brute-Force via RDP on Sensitive User
Medium overridden
Multiple failed remote logins from an external IP with a sensitive user and at least one successful login.This may indicate a successful brute-force attack. overridden
Possible internal data exfiltration over a USB storage device Informational Identity Threat Module 1 variation
A user generated abnormal massive file activity to a connected USB storage device.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001) Data Staged: Local Data Staging (T1074.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check whether the USB storage device is new to the organization. Check whether other users in the organization used the same process for massive file activity.Variations
Possible internal data exfiltration of over 500 MB via USB storage device
Low overridden
A user generated abnormal massive file activity to a connected USB storage device. overridden
Possible malicious .NET compilation started by a commonly abused process Medium
Attackers may use csc.exe to compile payloads on a compromised machine.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Obfuscated Files or Information: Compile After Delivery (T1027.004)Required data: XDR AgentAttacker's goals: Compile payloads on the host to evade detection.Investigative actions: Investigate the payload being compiled. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Possible multistage attack in Microsoft Teams Low Identity Threat Module 1 variation
Possible multistage attack in Microsoft Teams.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 12 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.Investigative actions: Verify the suspicious activity to validate the legitimacy of the user's actions. Review Teams chat logs and meeting invites for interactions with external tenants, focusing on unusual file sharing or unsolicited links. Hunt for known phishing indicators (suspicious domains, URL patterns, or IPs) in the Teams messages and linked content. Evaluate the external tenant reputation. Check for anomalous MS Teams actions like suspicious application installation, message extraction, policy changes or internal spear phishing attempts linked to the user post-login. Follow further actions done by the account.Variations
Malicious activity had been detected with strong indicators
Medium overridden
Malicious Microsoft Teams activity detected across multiple indicators, the activities have strong indications of a malicious action. overridden
Possible network service discovery via command-line tool Low
An attacker may use command-line utilities to discover open ports and services on a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Network Service Discovery (T1046)Required data: XDR AgentAttacker's goals: Unavailable.Investigative actions: Unavailable.Possible network sniffing attempt via tcpdump or tshark Low
Attackers may monitor network traffic for cleartext credentials or to learn the network's configuration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: Network Sniffing (T1040)Required data: XDR AgentAttacker's goals: Gain user-account credentials.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Possible new DHCP server Medium
A DHCP response was sent from an unknown DHCP server.Attackers may send a DHCP response to a host in his LAN to inject a DNS server, route or WPAD server.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Adversary-in-the-Middle (T1557)Required data: XDR AgentAttacker's goals: The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.Investigative actions: Check if the source agent is a legitimate DHCP server. Check if the attacked host send DNS queries to an unusual IP. Check if the attacked host send WPAD HTTP/S requests to an unusual host.Possible path traversal via HTTP request Low 3 variations
The endpoint received a suspicious URI via an HTTP request that resembles a path traversal attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: File and Directory Discovery (T1083)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentDetector tags: Webshell AnalyticsAttacker's goals: Attackers may exploit server components or misconfigurations to access arbitrary sensitive files on the web server.Investigative actions: Inspect the legitimacy of the URI path. Ensure that the rare URI is not a legitimate result of routine development actions on the web server.Variations
Possible sensitive path traversal via HTTP request
Medium overridden
The endpoint received a suspicious URI via an HTTP request that resembles a path traversal attempt. overridden
Possible path traversal via HTTP request from a TOR exit node
Medium overridden
The endpoint received a suspicious URI via an HTTP request that resembles a path traversal attempt. overridden
Possible credential path traversal via HTTP request
Medium overridden
The endpoint received a suspicious URI via an HTTP request that resembles a path traversal attempt. overridden
Possible phishing attack via Microsoft Teams Low Identity Threat Module 3 variations
An external tenant is possibly attempting a phishing attack via Microsoft Teams.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 5 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Azure Audit Log AzureAD AzureAD Audit Log Microsoft Graph Logs Office 365 Audit Okta Okta Audit Log Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Global Protect Third-Party VPNs Slack Audit Log XDR Agent XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft TeamsAttacker's goals: Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.Investigative actions: Verify the suspicious sign-in activity to validate the legitimacy of the suspicious login. Review Teams chat logs and meeting invites for interactions with external tenants, focusing on unusual file sharing or unsolicited links. Hunt for known phishing indicators (suspicious domains, URL patterns, or IPs) in the Teams messages and linked content. Evaluate the external tenant reputation. Check for anomalous MS Teams actions like suspicious application installation, message extraction, policy changes or internal spear phishing attempts linked to the user post-login. Follow further actions done by the account.Variations
Potential phishing attack with post compromise stages had been detected
High overridden
Suspicious Microsoft Teams phishing activity detected across multiple indicators, the activities have strong indications of a malicious login and post compromise actions. overridden
Potential phishing attack via Microsoft Teams has been detected
Medium overridden
Suspicious Microsoft Teams phishing activity detected across multiple indicators, the activities have strong indications of a malicious login. overridden
Potential phishing attack with post compromise activities in Microsoft Teams has been detected
Medium overridden
Suspicious Microsoft Teams phishing activity detected across multiple indicators. overridden
Possible use of IPFS was detected Informational 1 variation
The host produced traffic consistent with IPFS.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: IPFS access may expose your organization to new malware or allow attackers/ malicious insiders to exfiltrate data.Investigative actions: Check the host for IPFS client software. Look at the user's website history for IPFS url's and check the content ID (CID) for malicious indicators. Examine the client's network traffic for uploaded or downloaded file hashes.Variations
Possible use of IPFS was detected
Informational overridden
The host produced traffic consistent with IPFS. overridden
Possible use of a networking driver for network sniffing Informational 2 variations
A process wrote a known networking driver with network sniffing capabilities to disk, attackers can use it to sniff passwords and other credentials from the network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: Network Sniffing (T1040)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Enable access to raw network traffic via promiscuous mode, allowing an attacker to sniff credentials and other sensitive data from the organization's network, and in some cases interfere with network communications.Investigative actions: Verify whether the process is expected and recognized by IT or the user. Check whether the driver was installed recently. If it was installed using sc.exe, this may indicate malicious activity. Review who executed sc.exe to validate legitimacy.Variations
Possible use of a networking driver for network sniffing
Medium overridden
A process wrote a known and rare networking driver with network sniffing capabilities to not standard location for drivers on the disk, attackers can use it to sniff passwords and other credentials from the network. overridden
Possible use of a networking driver for network sniffing
Low overridden
A process wrote a known networking driver with network sniffing capabilities to not standard location for drivers on the disk, attackers can use it to sniff passwords and other credentials from the network. overridden
Possible webshell file written by a web server process Low 3 variations
An uncommon file with a web file extension was created, written or renamed by a web server process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Webshell AnalyticsAttacker's goals: Gaining the ability to execute commands on the host, as well as persistence.Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the dropped file contains malicious content.Variations
Possible webshell file written by a node web server process
Informational overridden
An uncommon file with a web file extension was created, written or renamed by a web server process. overridden
Possible webshell file written by a web server process in an internet facing server
Low overridden
An uncommon file with a web file extension was created, written or renamed by a web server process. overridden
Possible webshell file written by a web server process with connections from various sources and high web traffic
Low overridden
An uncommon file with a web file extension was created, written or renamed by a web server process. overridden
Potential DCSync by an unusual user Informational Identity Analytics 1 variation
Attackers may leverage the domain replication process to extract sensitive information (DCSync).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping: DCSync (T1003.006) Rogue Domain Controller (T1207)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker is trying to retrieve Active Directory data, including password hashes.Investigative actions: Check the role of the account, and see if it should initiate a DC synchronization. Check if the account performing the DCSync is related to a new DC. Find the source host of the DCSync (correlate between event 4662 and 4624 based on the field 'Logon ID'). Check if the account was recently added to an administrative groups/had new sensitive privileges assigned to it. Monitor suspicious traffic to/from the host to identify lateral movement or access to sensitive resources.Variations
Possible DCSync by an unusual user
Low overridden
Attackers may leverage the domain replication process to extract sensitive information (DCSync). overridden
Potential NTLM Relay Attack Informational Identity Analytics 3 variations
Multiple NTLM authentications were made to the same workstation and user from different IPs.This might indicate a potential NTLM Relay attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)Required data: XDR AgentAttacker's goals: The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.Investigative actions: Ensure that the alerted host is not a NAT device or proxy that replicates or forwards network traffic as part of its expected operational behavior. Check if the workstation supports weak, outdated versions of NTLM. Check for network activity to and from the suspicious IP address and workstation, to verify if they were compromised. Check for process activity to and from the suspicious IP address to verify if it was compromised. Check for changes in the network configurations, including indicators of poisoning attacks. Monitor closely the actions of the potentially compromised user account for any anomalous behavior.Variations
NTLM Relay Attack using a sensitive user and a vulnerable package
Medium overridden
Multiple NTLM authentications were made to the same workstation and sensitive user from different IPs using a vulnerable NTLM package.This might indicate a potential NTLM Relay attack. overridden
Potential NTLM Relay Attack using a vulnerable package
Low overridden
Multiple NTLM authentications were made to the same workstation and user from different IPs using a vulnerable NTLM package.This might indicate a potential NTLM Relay attack. overridden
Potential NTLM Relay Attack using a sensitive user
Low overridden
Multiple NTLM authentications were made to the same workstation and sensitive user from different IPs.This might indicate a potential NTLM Relay attack. overridden
Potential NTLM Relay Attack against a Microsoft Configuration Manager Site Server Informational Identity Analytics 1 variation
Multiple NTLM authentications were made to the same Microsoft Configuration Manager site server and user from different IPs in a short period of time.This might indicate a potential NTLM Relay attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)Required data: XDR AgentDetector tags: Microsoft SCCM AnalyticsAttacker's goals: An attacker may coerce the SCCM site server to authenticate to a malicious host and relay it to escalate privileges and move laterally across site systems.Investigative actions: Ensure that the alerted host is not a NAT device or proxy that replicates or forwards network traffic as part of its expected operational behavior. Check if the protocols used are vulnerable to an NTLM relay attack (e.g. LDAP, SMB). Ensure that SMB signing is enabled in the case of a possible SMB relay attack. Check for network activity to and from the suspicious IP address to verify if it is a compromised machine. Monitor closely the actions of the potentially compromised user account for any anomalous behavior, especially suspicious SCCM-related activity occurring near the time of the alert.Variations
Potential NTLM Relay Attack against a Microsoft Configuration Manager Site Server using a vulnerable package
Low overridden
Multiple NTLM authentications were made to the same Microsoft Configuration Manager site server and user from different IPs using a vulnerable NTLM package in a short period of time.This might indicate a potential NTLM Relay attack. overridden
Potential Okta access limit breach Informational Identity Threat Module 1 variation
A user surpassed Okta's rate limit, leading to an access limit violation. This could suggest a potential account takeover attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Initial Access (TA0001)ATT&CK techniques: Automated Collection (T1119) Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An adversary may attempt to use a compromised account in an unusual way to harvest as much data as possible, which could result in exceeding the access limit policy.Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Investigate abnormal logins, reported suspicious activities, new processes run, and recent configuration changes for any indicators of potential compromise. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).Variations
A breach in access limits within Okta, accompanied by suspicious characteristics
Low overridden
The user exceeded the access threshold in Okta, triggering a violation alert. overridden
Potential Phishing has been detected Medium Email 4 variations
This email contains multiple indicators consistent with a phishing attack. The message likely attempts to steal credentials, distribute malware, or trick recipients into performing actions that compromise security through deceptive content or suspicious technical characteristics.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Box Audit Log DropBox Google Workspace Audit Logs Microsoft 365 Emails Office 365 Audit Okta Audit Log Salesforce Slack Audit LogDetector tags: PhishingAttacker's goals: Trick recipients into revealing sensitive information, hijack the organization, or obtain money through deception.Investigative actions: Review the email headers and metadata of to identify potential spoofing techniques or unusual routing patterns. Analyze any URLs or attachments in a secure sandbox environment to detect possible malware or phishing attempts. Correlate findings with recent alerts in the SIEM to assess whether similar accumulation patterns are forming. Engage potentially affected users to understand if any actions were taken in response to this email, which could increase the overall risk. Document and escalate findings if the accumulation of warnings suggests a broader phishing campaign.Variations
Potential Brand Impersonation has been detected
Medium overridden
This email appears to impersonate a legitimate brand or service provider to deceive recipients. Attackers often mimic trusted companies like banks, cloud services, or popular brands to steal credentials, distribute malware, or conduct fraudulent activities. overridden
Potential Spear Phishing has been detected
Medium overridden
This email represents a targeted spear phishing attack aimed at high-value personnel within your organization. These highly personalized attacks often target executives or privileged users to gain unauthorized access to sensitive systems or information. overridden
Potential Business Email Compromise has been detected
Medium overridden
This email exhibits characteristics of a Business Email Compromise attack, where threat actors impersonate executives or trusted business partners to manipulate recipients into authorizing fraudulent financial transactions or wire transfers. overridden
Potential Exfiltration has been detected
Medium overridden
This outbound email shows suspicious patterns consistent with data exfiltration attempts. The communication may involve unauthorized transmission of sensitive organizational data to external recipients through email channels. overridden
Potential SCCM credential harvesting using WMI detected Low 3 variations
Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: Windows Management Instrumentation (T1047) Unsecured Credentials (T1552)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft SCCM AnalyticsAttacker's goals: Obtain credentials used by the SCCM service.Investigative actions: Examine the process that executed the WMI query and the CGO and verify that the processes are from a trusted source. Inspect the system for malicious activity that is related to that process.Variations
Potential SCCM credential harvesting using WMI detected from a remote machine
Medium overridden
Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM. overridden
Potential SCCM inventory query using WMI detected
Low overridden
Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM. overridden
Potential Enumeration of SCCM User, Device, and Deployment Data via WMI
Low overridden
Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM. overridden
Potential creation of persistent cloud credentials Informational Cloud
A cloud identity invoked a credential-related persistence operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Credential Access (TA0006) Lateral Movement (TA0008)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Forge Web Credentials (T1606) Use Alternate Authentication Material: Application Access Token (T1550.001)Required data: AWS Audit LogAttacker's goals: Maintain persistence in cloud environments.Investigative actions: Check what API calls were executed by the identity. Check what resources are affected by this change. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account.Potential denial of wallet abusing AI services Low Cloud 1 variation
An ML model experienced a sudden spike in requests in a short time.MITRE ATLAS Techniques: AML.T0029 - Denial of ML Service, AML.T0034 - Cost Harvesting.OWASP Top 10 LLM Technique: LLM10 - Unbounded Consumption.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Endpoint Denial of Service: Application Exhaustion Flood (T1499.003) Resource Hijacking (T1496)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Disrupting or shutting down an ML service.Investigative actions: Investigate the impact on the ML service.Variations
Possible denial of wallet abusing AI services
Medium overridden
An ML model experienced a sudden spike in requests in a short time.MITRE ATLAS Techniques: AML.T0029 - Denial of ML Service, AML.T0034 - Cost Harvesting.OWASP Top 10 LLM Technique: LLM10 - Unbounded Consumption. overridden
Potential extraction of NAA Account Credentials in Microsoft Configuration Manager Low Identity Analytics 1 variation
Possible user attempt to deobfuscate Network Access Account (NAA) credentials in Microsoft Configuration Manager. This may indicate a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005)ATT&CK techniques: Unsecured Credentials (T1552) Deobfuscate/Decode Files or Information (T1140) Credentials from Password Stores (T1555)Required data: Azure Audit Log AzureAD AzureAD Audit Log Microsoft Graph Logs Office 365 Audit Okta Okta Audit Log Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Global Protect Third-Party VPNs Slack Audit Log XDR Agent XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft SCCM AnalyticsAttacker's goals: An attacker may extract plaintext credentials of the Network Access Account (NAA) from an SCCM environment to access resources and lateral movement within the network.Investigative actions: Verify the activity with the performing user. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Look for unusual logins using the Network Access Account (NAA), on systems or at times that deviate from normal patterns. Looking for signs of credential extraction, such as tools or scripts.Variations
Suspicious extraction of NAA Account Credentials in Microsoft Configuration Manager
Medium overridden
Possible user attempt to deobfuscate Network Access Account (NAA) credentials in Microsoft Configuration Manager. This may indicate a compromised account. overridden
Potential kubelet impersonation attempt Low 1 variation
A process accessed both the Kubelet credentials and the Kubernetes CA certificate, indicating an attempt to impersonate the node agent and communicate with the API server.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Impersonate the node agent to gain control over the cluster.Investigative actions: Look for additional suspicious activities. Verify if the exposed credentials were used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.Variations
Potential kubelet impersonation attempt by an unusual process
Medium overridden
A process accessed both the Kubelet credentials and the Kubernetes CA certificate, indicating an attempt to impersonate the node agent and communicate with the API server. overridden
Potential spoofing of internal domain spotted Informational Email
An external sender is possibly impersonating an employee by spoofing the company's internal address.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)ATT&CK techniques: Phishing (T1566) Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: Employee Impersonation, Spear PhishingAttacker's goals: Get credentials for internal systems. Executing financial transfers from the company to the attacker's account. Extracting information outside the company. Encrypting critical information and demanding a ransom.Investigative actions: Check the received header path, especially the sender host. Check DMARC, SPF AND DKIM authentication results. Verify whether the sender's IP address has appeared in different log sources before and its reputation. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.PowerShell Initiates a Network Connection to GitHub Low 1 variation
PowerShell initiates a Network Connection to GitHub with an uncommon command line. This may have legitimate uses, but this technique is frequently used by attackers to serve malicious payloads.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)Required data: Palo Alto Networks Url LogsAttacker's goals: Download a second stage payload for execution.Investigative actions: Check if the initiator process is malicious. Check for additional file/network operations by the same PowerShell instance.Variations
PowerShell Initiates a Network Connection to GitHub from a sensitive server
Medium overridden
PowerShell initiates a Network Connection to GitHub with an uncommon command line. This may have legitimate uses, but this technique is frequently used by attackers to serve malicious payloads. overridden
PowerShell pfx certificate extraction Informational 1 variation
PowerShell was used to extract a pfx certificate file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Attackers may export certificates to .pfx files to use them for authentication, persistence or NTLM extraction.Investigative actions: Check if the pfx creation is legitimate for the user (Testing, IT, etc.). Follow further actions done by the user (ex. authentication using certificates).Variations
Suspicious PowerShell pfx certificate extraction
Low overridden
A user used PowerShell to extract a pfx certificate file. overridden
PowerShell runs suspicious base64-encoded commands Low 2 variations
Running PowerShell with a base64-encoded payload in the command line is often used by attackers to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)Required data: XDR AgentAttacker's goals: Run code to perform actions or download other malicious programs.Investigative actions: Check if the initiator process is malicious. Check for other operations by the PowerShell instance.Variations
PowerShell runs rare base64-encoded command via remote causality actor
Medium overridden
Running PowerShell with a base64-encoded payload in the command line is often used by attackers to evade detection. overridden
PowerShell runs rare base64-encoded command by windows built-in scripting engine
High overridden
Running PowerShell with a base64-encoded payload in the command line is often used by attackers to evade detection. overridden
PowerShell suspicious flags Medium
Abbreviated flags in PowerShell indicate malicious intent.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)Required data: XDR AgentAttacker's goals: Run code to perform actions or download other malicious programs.Investigative actions: Check if the initiator process is malicious. Check for other operations by the PowerShell instance.PowerShell used to export mailbox contents Medium
An attacker may use PowerShell to export the contents of a mailbox as part of the data staging before exfiltration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data Staged: Local Data Staging (T1074.001)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Export the content of a mailbox, preparing for data exfiltration.Investigative actions: Examine the PowerShell command to identify which mailbox has been exported. Verify that this command was executed by a trusted source.PowerShell used to remove mailbox export request logs High
An attacker may use PowerShell to remove evidence of an export request for a mailbox as part of the clean-up stage.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Remove evidence for mailbox export commands.Investigative actions: Examine the PowerShell command to identify which mailbox has been compromised. Investigate the host that executes the command for potential further exploitation.Privileged certificate request via certificate template Informational Identity Analytics 2 variations
A privileged certificate was requested via certificate template.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker may attempt to exploit the Active Directory Certificate Services to escalate privileges to a domain controller or privileged account.Investigative actions: Check if this is a legitimate certificate request. Check if the certificate issued was used to request a Kerberos ticket. Investigate actions done with the issued certificate and its owner. Check for possible NTLM relay alerts.Variations
Suspicious privileged certificate request denied via certificate template
Medium overridden
A suspicious privileged certificate request was denied via certificate template. overridden
Suspicious privileged certificate request via certificate template
Low overridden
A suspicious privileged certificate was requested via certificate template. overridden
Privileged role used by Azure application Informational Cloud 1 variation
An Azure application with high-level API permissions invoked a request to the Microsoft Graph API.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Leverage high-level permissions to gain persistence and access to sensitive information.Investigative actions: Check the application's role designation in the organization. Look for any unusual behavior originated from the suspected application.Variations
First-time privileged role is used by Azure application
Low overridden
An Azure application with high-level API permissions invoked a request to the Microsoft Graph API. overridden
Procdump executed from an atypical directory Medium
Procdump.exe is a SysInternals tool used to dump process memory; it can be used to dump lsass.exe memory to extract credentials.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Credential Access (TA0006)ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001) OS Credential Dumping: LSASS Memory (T1003.001)Required data: XDR AgentAttacker's goals: Attackers may attempt to dump the memory of sensitive processes.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.PsExec was executed with a suspicious command line Informational 4 variations
PsExec.exe was executed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)ATT&CK techniques: System Services: Service Execution (T1569.002) Valid Accounts (T1078)Required data: XDR AgentAttacker's goals: An adversary may attempt to use PsExec to gain execution capabilities, run remote commands or perform privilege escalation.Investigative actions: Check if any other suspicious activities happened under the same causality. Confirm the PsExec.exe command is benign.Variations
PsExec was executed with a suspicious command line by a LOLBIN
Low overridden
PsExec.exe was executed with NT/System privilege level by a LOLBIN. overridden
PsExec was executed with a suspicious command line by an unsigned actor
Medium overridden
PsExec.exe was executed with NT/System privilege level by an unsigned actor. overridden
PsExec was executed with a suspicious command line
Low overridden
PsExec.exe was executed with NT/System privilege level. overridden
PsExec was executed with a suspicious command line
Low overridden
PsExec.exe was executed with plain-text credentials. overridden
Punycode characters detected in URL(s) Informational Email
Punycode character(s) detected within URL(s) in email content.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)ATT&CK techniques: Masquerading (T1036) User Execution (T1204)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: Cause a different URL to be presented to the user as a legitimate URL, prompting user engagement.Investigative actions: Examine the sender's IP address and reputation. Check the email address and content for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Python HTTP server started Informational
Python HTTP server started - possible exfiltration over HTTP.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003)Required data: XDR AgentAttacker's goals: Attackers might use a Python server as a C&C or exfiltration channel.Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it.Quarantined email released to recipients Informational Email 3 variations
This message was previously quarantined by vendor and has now been released and delivered to the intended recipients.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Microsoft 365 EmailsAttacker's goals: Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.Investigative actions: Examine email headers to trace origins and check for signs of spoofing. Analyze the email content for spam indicators like suspicious links and aggressive marketing language. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Repeated quarantine releases to mailbox from previously quarantined sender
Low overridden
This message was previously quarantined by vendor and later released and delivered to the intended recipients, while the mailbox has received multiple quarantined messages and the sender has been quarantined several times over the past 30 days. overridden
Repeated quarantine releases from previously quarantined sender
Low overridden
This message was previously quarantined by vendor and later released and delivered to the intended recipients, while the sender has been quarantined multiple times over the past 30 days. overridden
Repeated quarantine-released emails received by mailbox
Low overridden
This mailbox has repeatedly received messages over the past 30 days that were quarantined by vendor and later released and delivered to the recipient. overridden
RDP Connection to localhost Medium
An RDP connection to localhost can be used for privilege escalation by leveraging Windows accessibility features.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: XDR AgentDetector tags: Enhanced RDP AnalyticsAttacker's goals: An attacker may initiate RDP tunneling for a more convenient and stable interface.Investigative actions: Identify the process/user performing RDP and check that it is authorized. Check whether the initiating process also connects to an external host.RDP connections enabled remotely via Registry Low 2 variations
An attacker may remotely enable RDP connections to a machine by setting the fDenyTSConnections Registry key to 0.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Enhanced RDP AnalyticsAttacker's goals: Remotely enable RDP on the host for lateral movement.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Search for RDP sessions to this host and investigate them for malicious activities.Variations
RDP connections enabled by a remote process via Registry
Low overridden
An attacker may remotely enable RDP connections to a machine by setting the fDenyTSConnections Registry key to 0. overridden
RDP connections enabled remotely via Registry using WinRM
Low overridden
An attacker may remotely enable RDP connections to a machine by setting the fDenyTSConnections Registry key to 0. overridden
RDP from an unmanaged endpoint in a typically managed subnet Low 1 variation
An RDP connection was established from an unmanaged endpoint in a typically managed subnet, indicating a possible lateral movement.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentDetector tags: Enhanced RDP AnalyticsAttacker's goals: Lateral movement to critical assets from an unmanaged host.Investigative actions: Verify if the source endpoint is authorized to perform RDP connections. Validate that the source endpoint is managed or unmanaged. Investigate the user account used for the RDP connection.Variations
RDP from an unmanaged endpoint in a typically managed subnet with a significantly higher number of managed endpoints in the subnet
Low overridden
An RDP connection was established from an unmanaged endpoint in a typically managed subnet, indicating a possible lateral movement. The source subnet has a significantly higher number of managed endpoints compared to the unmanaged ones. overridden
Random-Looking Domain Names Medium
The endpoint performed DNS lookups to an excessively large number of apparently random root domain names. This alert might be symptomatic of malware that is trying to connect to its command and control (C2) servers.The attacker's C2 server runs on one or more domains that can eventually be identified and blacklisted. To avoid this, malware will sometimes use Domain Generation Algorithms (DGA) that produce many unique, random-looking domain names every day. Because only a few of these domains are ever registered, the installed malware must blindly try to access each generated domain name in an effort to locate an active one, which may also trigger the Failed DNS alert.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Dynamic Resolution: Domain Generation Algorithms (T1568.002)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Communicate with malware running on your network for controlling malware activities, performing software updates on the malware, or for taking inventory of infected machines.Investigative actions: Make sure your DNS servers are not misconfigured and are responsive. This detector assumes that most DNS lookups succeed, and will only raise an alert when it sees many failed lookups. Misconfigured or unresponsive DNS servers can result in a false positive. Make sure you do not have external domains configured as internal domains. This can result in clients attempting to (for example) resolve google.com.local first, before resolving google.com. This can result in a false positive for this alert. Ensure that the endpoint is configured properly for your DNS servers. Make sure it is configured to use the correct DNS IP address, and that the IP address is not for a firewalled DNS server. Misconfigured DNS clients can result in many failed lookups, which will result in a false positive for this alert. Make sure the endpoint is not a DNS, Proxy, NAT or VPN gateway server. If these have been misdetected by Cortex XDR Analytics, then their ordinary operations can trigger this alert.Rare AppID usage to a rare destination Informational 2 variations
Rare AppID with port usage to rare destination.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 14 Days
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: Attackers might use well-known ports with uncommon applications to avoid being detected by a non-application aware firewall or to bypass firewall rules based only on ports.Investigative actions: Investigate the endpoints participating in the session.Variations
Rare AppID usage to a rare destination using an unsigned process
Low overridden
Rare AppID with port usage to rare destination. overridden
Rare AppID usage to a rare destination from an internet-facing server
Low overridden
Rare AppID with port usage to rare destination. overridden
Rare DCOM RPC activity Informational 1 variation
The endpoint performed abnormal DCOM RPC activity to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Distributed Component Object Model (T1021.003)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using the DCOM RPC interface. The DCOM RPC interface is used to remotely invoke registered COM applications on remote hosts.Investigative actions: Review the action of the initiated COM application on the remote host. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.Variations
Rare DCOM RPC activity
Low overridden
The endpoint performed abnormal DCOM RPC activity to a remote host. overridden
Rare DLP rule match by user Informational Identity Threat Module Email 1 variation
A user triggered an O365 DLP rule match, which may indicate an attacker's attempt to access sensitive information.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Information Repositories: Sharepoint (T1213.002) Data from Information Repositories (T1213)Required data: Office 365 AuditDetector tags: O365 DLP AnalyticsAttacker's goals: An attacker is attempting to access sensitive information.Investigative actions: Review the details of the triggered DLP rule match.Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Communicate with the user to verify the legitimacy of the triggered event.Variations
DLP rule match by user for the first time
Low overridden
A user triggered an O365 DLP rule match, which may indicate an attacker's attempt to access sensitive information. overridden
Rare LDAP enumeration Low
Possible LDAP enumeration with a rare combination of queries.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: Palo Alto Networks Firewall EAL LogsDetector tags: LDAP AnalyticsAttacker's goals: An adversary may utilize the LDAP protocol to gain information on the Active Directory environment and plan its lateral movement over the network.Investigative actions: Where possible, check the legitimacy of the process that executed these LDAP queries. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic, those search queries (often using wildcards) tend to be more suspicious.Rare LOLBIN Process Execution by User Informational Identity Analytics
A user executed a living-off-the-land binary (LOLBIN) process that is unusual for this user. This may be indicative of a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 30 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204)Required data: XDR AgentAttacker's goals: Unusual processes may be executed for various purposes, including exfiltration, lateral movement, etc.Investigative actions: Investigate the process that was executed to determine if it was used for legitimate purposes or malicious activity.Rare MS-Update Server was detected Informational 1 variation
The endpoint requested an MS-Update operation from a rare update server.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Trusted Relationship (T1199)Required data: Palo Alto Networks Firewall EAL LogsAttacker's goals: The Windows Server Update Services enable machines to discover and download software updates from a dedicated update server. Attackers may use the MS-Update protocol to execute unauthorized code through Microsoft binaries.Investigative actions: Inspect the legitimacy of the server as a WSUS functioning server. Verify that your MS-Update network routine is HTTPS enforced Verify that this MS-Update server is not a newly deployed server as part of a legitimate IT activity.Variations
Rare MS-Update Server was detected
Informational overridden
The endpoint requested an MS-Update operation from a rare update server. overridden
Rare MS-Update traffic over HTTP Informational
The endpoint requested an MS-Update operation with abnormal HTTP traffic characteristics.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Exploitation of Remote Services (T1210)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: The Windows Server Update Services enable machines to discover and download software updates from a dedicated update server. Attacker may use the MS-Update protocol to execute unauthorized code through Microsoft binaries.Investigative actions: Inspect the legitimacy of the server as a WSUS functioning server. Verify that your MS-Update network routine is HTTPS enforced Verify that this MS-Update server is not a newly deployed server as part of a legitimate IT activity.Rare NTLM Access By User To Host Informational Identity Analytics
An unusual NTLM authentication attempt by a user to a host. This may indicate the use of stolen credentials or access tokens to access restricted hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Use Alternate Authentication Material (T1550)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: The attacker may be attempting lateral movement within a compromised network.Investigative actions: Verify any successful authentication for the user account referenced by the alert, as this could indicate the attacker has used stolen credentials.Rare NTLM Usage by User Informational Identity Analytics
Rare authentication by user account to host via NTLM.The user has not authenticated with NTLM in the past 30 days.This may be indicative of downgrade attacks from Kerberos to NTLM.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Use Alternate Authentication Material (T1550)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: The attacker is attempting to move laterally within a compromised network.Investigative actions: Verify any successful authentication for the user account referenced by the alert, as these can indicate the attacker managed to use the stolen credentials.Rare RDP session to a remote host Low 1 variation
The endpoint performed a rare RDP session to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: NDR Lateral Movement Analytics, Enhanced RDP AnalyticsAttacker's goals: Attackers may attempt to move laterally over the network by using compromised accounts or machines to connect to remote hosts using the RDP protocol.Investigative actions: Inspect the legitimacy of the user who initiated the RDP session. Verify that this isn't routine IT activity.Variations
Rare RDP session to a remote host
Informational overridden
The endpoint performed a rare RDP session to a remote host. overridden
Rare Remote Service (SVCCTL) RPC activity Informational 3 variations
The endpoint performed abnormal RPC activity via Service Control Manager interface to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using services. The service control manager RPC interface is used to create and start services on a local or a remote host.Investigative actions: Review the action of services.exe on the remote host where possible. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.Variations
Rare remote service creation and initiation via Remote Service (SVCCTL) RPC interface
Medium overridden
The endpoint performed abnormal service creation and initiation via Remote Service (SVCCTL) RPC interface to a remote host. overridden
Rare remote service change or creation via Remote Service (SVCCTL) RPC interface
Medium overridden
The endpoint performed abnormal service creation via Remote Service (SVCCTL) RPC interface to a remote host. overridden
Rare Remote Service (SVCCTL) RPC activity
Low overridden
The endpoint performed abnormal RPC activity via Service Control Manager interface to a remote host. overridden
Rare SMB session to a remote host Low 1 variation
The endpoint performed a rare SMB activity to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may use the SMB protocol in an attempt to move laterally in the network, and expand their foothold in the organization.Investigative actions: Check whether the username used in the SMB connection is legitimate. Verify that this isn't IT activity.Variations
Rare SMB session to a remote host
Informational overridden
The endpoint performed a rare SMB activity to a remote host. overridden
Rare SMTP/S Session Informational
The Simple Mail Transfer Protocol (SMTP) and its SSL-secured variant SMTPS are used to send email. Attackers can use SMTP/S to exfiltrate data from your network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: SMTP and its SSL-secured variant SMTPS are used to send email. Attackers can use SMTP/S to exfiltrate data from your network.Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check whether additional malicious commands were executed from the same process.Rare SSH Session Low
Secure Shell (SSH) provides a secure means of remote administration. Attackers can use valid SSH credentials and keys to remotely connect to endpoints running the SSH service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: XDR AgentAttacker's goals: Secure Shell (SSH) provides a secure means of remote administration. Attackers can use valid SSH credentials and keys to remotely connect to endpoints running the SSH service.Investigative actions: Verify that the process is allowed in the organization. Check if the user should access the destination and whether the session was successful or not.Rare Scheduled Task RPC activity Informational 3 variations
The endpoint performed abnormal Scheduled Task RPC activity to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Persistence (TA0003)ATT&CK techniques: Remote Services (T1021) Scheduled Task/Job (T1053)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using scheduled tasks. The ITaskSchedulerService RPC interface is used to query and manage services on a local or remote host.Investigative actions: Review the action of the created scheduled task on the remote host. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.Variations
Rare remote task registration and creation via Scheduled Task RPC interface
Medium overridden
The endpoint performed abnormal task registration and creation via Scheduled Task RPC interface to a remote host. overridden
Rare remote task creation via Scheduled Task RPC interface
Medium overridden
The endpoint performed abnormal task registration or creation via Scheduled Task RPC interface to a remote host. overridden
Rare Scheduled Task RPC activity
Low overridden
The endpoint performed abnormal Scheduled Task RPC activity to a remote host. overridden
Rare Scheduled Task RPC activity from a rarely seen host Low
The endpoint performed abnormal Scheduled Task RPC activity to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Persistence (TA0003)ATT&CK techniques: Remote Services (T1021) Scheduled Task/Job (T1053)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: NDR Lateral Movement Analytics, NDR Unmanaged Subnet AnalyticsAttacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using scheduled tasks. The ITaskSchedulerService RPC interface is used to create and manage scheduled tasks on a local or remote host.Investigative actions: Review the action of the created scheduled task on the remote host. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.Rare Unix process divided files by size Informational
A file was divided into sub-files by size limit by a rare process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Data Transfer Size Limits (T1030)Required data: XDR AgentAttacker's goals: This may assist an attacker to exfiltrate sensitive information.Investigative actions: Check if the user normally uses this capability. Check if this capability is used often on this endpoint.Rare Unsigned Process Spawned by Office Process Under Suspicious Directory Low
Microsoft Office executed an unsigned process in a suspicious directory. This behavior is common with malicious macros.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204)Required data: XDR AgentAttacker's goals: Attackers execute commands after infiltrating by using phishing or exploiting a vulnerability in an office.Investigative actions: Investigate the executed process. Investigate the document/email that initiated it.Rare WinRM Session Informational
Windows Remote Management (WinRM) enables users to interact with remote systems in different ways, including running executables on the remote system. WinRM sessions can be established using WinRM/WinRS commands or programs such as PowerShell. Attackers can use WinRM to execute code and move laterally within a compromised network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Windows Remote Management (T1021.006)Required data: XDR AgentAttacker's goals: Windows Remote Management (WinRM) enables users to interact with remote systems in different ways, including running executables on the remote endpoint. WinRM sessions can be established using winrm/winrs commands or programs such as PowerShell. Attackers can use WinRM to execute code and move laterally within a compromised network.Investigative actions: Investigate the endpoints participating in the session.Rare Windows Remote Management (WinRM) HTTP Activity Low
The endpoint performed unfamiliar WinRM HTTP activity to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentDetector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may use WinRM to execute code on remote hosts, in an attempt to gain persistence or move laterally in the network.Investigative actions: Correlate the WinRM HTTP request from the source host and understand which software initiated it. Verify that this isn't IT activity.Rare access to known advertising domains Informational 2 variations
The endpoint performed many connections to unpopular advertising domains.This could indicate the presence of adware on the endpoint.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Persistence (TA0003)ATT&CK techniques: Application Layer Protocol (T1071) Software Extensions: Browser Extensions (T1176.001)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Causing the user to view excessive advertising content.Investigative actions: Investigate the infected machine and search for suspicious browser extensions, see if changes were made to the homepage or if the browser is slower than usual, check whether sites that do not have ads usually, display ads when accessed from the possibly infected endpoint. Search for suspicious redirections or proxy configuration on the infected machine. Search for a C&C communication.Variations
Rare access to known advertising domains from a Rare User Agent
Informational overridden
The endpoint performed many connections to unpopular advertising domains from a rare user agent.This could indicate the presence of adware on the endpoint. overridden
Suspicious Rare access to known advertising domains
Low overridden
The endpoint performed many connections to unpopular advertising domains.This could indicate the presence of adware on the endpoint. overridden
Rare binary connected to a rare cloud resource Low 2 variations
Rare binary connected to a rare cloud resource.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.Investigative actions: Check the binary file. Get further details about the uncommon external cloud resource.Variations
Software development tool connected to a rare cloud resource
Informational overridden
Software development tool connected to a rare cloud resource. overridden
Recently downloaded rare binary connected to a rare cloud resource
Medium overridden
Recently downloaded rare binary connected to a rare cloud resource. overridden
Rare binary connected to a rare external host Low 2 variations
Rare binary connected to a rare external host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.Investigative actions: Check the rare binary file. Get further details about the rare external destination.Variations
Rare unsigned binary connected to a globally rare external host
Medium overridden
Rare unsigned binary connected to a globally rare external host. overridden
Rare binary connected to a globally rare external host
Low overridden
Rare binary connected to a globally rare external host. overridden
Rare communication over email ports to external email server by unsigned process Low
These methods are used by malware and attackers to leak data and remain undetected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Non-Application Layer Protocol (T1095)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Attackers might use well-known email ports as a C&C channel to evade detection and firewall rules.Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check whether additional malicious commands were executed from the same process.Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol Informational 4 variations
A process made a connection to an external IP address or host that is rarely connected to by the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: Palo Alto Networks Url LogsAttacker's goals: Connect to a server to retrieve commands or exfiltrate data.Investigative actions: Check whether the process was injected or otherwise subverted for malicious use.Variations
Rare connection to external IP address or host by a java application using LDAP protocol
Medium overridden
A Java Process that never created LDAP connection before connected to an external IP address or host, which is rarely connected to from the organization using LDAP protocol. overridden
Rare connection to external IP address or host by a java application using LDAP protocol
Medium overridden
A Java Process that never created RMI-IIOP connection before connected to an external IP address or host, which is rarely connected to from the organization using LDAP protocol. overridden
Rare connection to external IP address or host by a java application using LDAP protocol
Low overridden
A Java Process connected to an external IP address or host, which is rarely connected to from the organization using LDAP protocol. overridden
Rare connection to external IP address or host by a java application using RMI-IIOP protocol
Low overridden
A Java Process connected to an external IP address or host, which is rarely connected to from the organization using RMI-IIOP protocol. overridden
Rare file transfer over SMB protocol Low
The endpoint performed an abnormal file transfer over SMB to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: XDR AgentDetector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may attempt to gain persistence or move laterally over the network by dropping executable files and scripts on remote hosts using the SMB protocol.Investigative actions: Inspect the file that was transferred to the remote host. Verify that this isn't IT activity.Rare machine account creation Informational Identity Analytics
A user was observed creating a machine account for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Create Account (T1136)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Persistence using a valid account.Investigative actions: Verify the activity of the user who created the account. Follow actions performed by the new machine account.Rare process accessed a Keychain file Informational 5 variations
An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores: Keychain (T1555.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Credentials Grabbing AnalyticsAttacker's goals: Obtain access to credentials stored in the Keychain file.Investigative actions: Determine whether it is legitimate for the process to access credential data directly. Analyze the process/application that touched the Keychain. Check for any other suspicious actions that were performed by the process. Look for unusual access to resources using credentials stored on said Keychain.Variations
Rare process accessed a Keychain file using the networksetup tool
High overridden
An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden
Rare process accessed a Keychain file while installing a new certificate
Medium overridden
An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden
Rare process accessed a Keychain file initiated by a causality actor with a rare path
Low overridden
An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden
Rare process accessed a Keychain file initiated by an unsigned causality actor
Low overridden
An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden
Rare unsigned process accessed a Keychain file
Low overridden
An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden
Rare process created an SSH session to an uncommon cloud resource Low
A rare process created an SSH session to an uncommon cloud resource.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Attackers may use SSH or any similar utility as a Command and Control (C2) channel or to exfiltrate data to a remote host.Investigative actions: Investigate the actor process and its causality. Review the remote cloud asset, is it managed by the organization or a partner? Search for processes or files that were accessed by this SSH instance.Rare process created an SSH session to an uncommon external host Low 3 variations
Rare process created an SSH session to an uncommon external host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Attackers may use SSH or any similar utility to as a Command and Control (C2) channel or to exfiltrate data to a remote host.Investigative actions: Investigate the actor process and its causality. Review the external IP/domain using known intelligence tools. Search for processes or files that were accessed by this SSH instance.Variations
Rare process created an SSH session to a domain with an uncommon TLD
Medium overridden
Rare process created an SSH session to a domain with an uncommon TLD. overridden
Rare process created an SSH session to an globally uncommon external host
Low overridden
Rare process created an SSH session to an globally uncommon external host. overridden
Rare process created an SSH session to an external host
Informational overridden
Rare process created an SSH session to an external host. overridden
Rare process executed by an AppleScript Low
An uncommon process has been executed by the AppleScript interpreter process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: AppleScript (T1059.002)Required data: XDR AgentDetector tags: AppleScript AnalyticsAttacker's goals: Use the AppleScript interpreter to execute a second-stage payload.Investigative actions: Analyze the AppleScript and executed process to determine whether they perform any malicious or suspicious actions. Check the events generated by the process or its children for potential malicious behavior. Check whether the AppleScript was executed in an unusual way.Rare process execution by user Informational Identity Analytics
An unusual process was executed by a user. This may be indicative of a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 30 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204)Required data: XDR AgentAttacker's goals: Unusual processes may be executed for various purposes, including exfiltration, lateral movement, etc.Investigative actions: Investigate the process that was executed to determine if it was used for legitimate purposes or malicious activity.Rare process execution in organization Informational Identity Analytics
An unusual process was executed in the organization. This may be indicative of a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 30 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204)Required data: XDR AgentAttacker's goals: Unusual processes may be executed for various purposes, including exfiltration, lateral movement, etc.Investigative actions: Investigate the process that was executed to determine if it was used for legitimate purposes or malicious activity.Rare process spawned by srvany.exe Informational
Unusual process spawned by srvany.exe, which allows applications to run as services with system privileges, this might be an indication of malicious local or remote code execution.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: System Services: Service Execution (T1569.002)Required data: XDR AgentAttacker's goals: Execute malware on the host in a manner that doesn't leave event logs within the system.Investigative actions: Validate if the binary that srvany.exe executed is malicious. Track down the source of the srvany.exe binary and the executed process. Validate if this is a legitimate software installed by IT.Rare process with VNC server capabilities started Low
A rare process with VNC server capabilities was started.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Lateral Movement (TA0008)ATT&CK techniques: Remote Access Tools (T1219) Remote Services: VNC (T1021.005)Required data: XDR AgentAttacker's goals: Accessing a remote machine with full interactive graphic interface capabilities.Investigative actions: Check if the product usage is approved. Check if it was executed remotely or locally.Rare scheduled task created Informational 4 variations
A new rare scheduled task was created with a rare path and a rare command line.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Scheduled Task/Job (T1053)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Impacket Analytics, Scheduled tasks AnalyticsAttacker's goals: Attackers may attempt to gain persistence on the endpoint using scheduled task.Investigative actions: Review the action of the created scheduled task. Investigate the execution chain of the process creating the scheduled task.Variations
Rare scheduled task created by an injected actor
High overridden
A new rare scheduled task was created by an injected actor with a rare path and a rare command line. overridden
Uncommon remote scheduled task created
Medium overridden
A new uncommon remote scheduled task was created with a rare path and a rare command line. overridden
Uncommon local scheduled task created
Low overridden
A new uncommon local scheduled task was created with a rare path and a rare command line. overridden
Highly rare scheduled task created
Low overridden
A new rare scheduled task was created with an highly rare path and a rare command line. overridden
Rare security product signed executable executed in the network Low
Attackers may attempt to install a security product with a known vulnerability to bypass security features.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Exploitation for Defense Evasion (T1211)Required data: XDR AgentAttacker's goals: Adversaries may exploit the application vulnerability to bypass security features.Investigative actions: Check if the security product was installed by a legitimate user and intentionally.Rare service DLL was added to the registry Low 2 variations
A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Masquerading: Masquerade Task or Service (T1036.004) Create or Modify System Process: Windows Service (T1543.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Malicious Service AnalyticsAttacker's goals: Masquerade execution on the host using a benign Windows process and achieve persistence.Investigative actions: Investigate the suspicious DLL and check for malicious content. Go to the service registry key and investigate it to find the associated executable that runs the service. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Rare service DLL was added to the registry from an injected thread
Medium overridden
A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware. overridden
Rare service DLL was added to the registry from a rare unsigned actor process
High overridden
A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware. overridden
Rare signature signed executable executed in the network Informational 4 variations
Attackers may use signed executables by less known vendors to bypass security features.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 30 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Subvert Trust Controls: Code Signing (T1553.002)Required data: XDR AgentAttacker's goals: Adversaries may use signed binaries to bypass security features.Investigative actions: Check if this is legitimate software installed by a legitimate user and intentionally.Variations
Rare signature signed forensic tool remotely executed in the network
Medium overridden
Attackers may use signed executables by less known vendors to bypass security features. overridden
Rare signature signed forensic tool executed in the network
Low overridden
Attackers may use signed executables by less known vendors to bypass security features. overridden
Rare signature signed executable extracted from an internet-downloaded archive and executed in the network
Low overridden
Attackers may use signed executables by less known vendors to bypass security features. overridden
Rare signature signed executable downloaded from an uncommon source and executed in the network
Low overridden
Attackers may use signed executables by less known vendors to bypass security features. overridden
Rare unsigned process execution by scheduled task Low 3 variations
Rare and unsigned process was executed by a scheduled task.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Scheduled Task/Job (T1053)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: Attackers may attempt to gain persistence on the endpoint using scheduled tasks.Investigative actions: Review the process executed by the schedule task. Investigate the specific scheduled task execution chain.Variations
Uncommon unsigned process execution by scheduled task
Informational overridden
Uncommon and unsigned process was executed by a scheduled task. overridden
Rare unsigned process execution with high integrity level by scheduled task
Medium overridden
Rare and unsigned process was execution with high integrity level by a scheduled task. overridden
Rare unsigned process execution by scheduled task on a sensitive server
Medium overridden
Rare and unsigned process was executed by a scheduled task. overridden
Rarely seen URL(s) within a well-known domain detected in your organization's email Informational Email
We have identified unpopular URL(s) within this email.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: Trick the user into engaging with a URL(s), aiming to extract information or establish access to the network.Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Rarely seen sender address in the organization Informational Email
An email was received from a sender that has not been observed in the organization in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)Required data: Microsoft 365 EmailsAttacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Rarely seen sender domain in the organization Informational Email
An email was received from a domain that has not been observed in the organization in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)Required data: Microsoft 365 EmailsAttacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.