Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1273 alerts match the current filters.

Show ATT&CK heatmap
  • Possible LDAP enumeration by unsigned process Informational 2 variations

    An unsigned process performed multiple different LDAP search queries. This may be indicative of LDAP enumeration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client)
    Attacker's goals: An attacker is attempting to enumerate Active Directory.
    Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Generic search queries (often using wildcards) tend to be more suspicious.

    Variations

    Possible LDAP enumeration by unsigned process

    Medium overridden

    An unsigned process performed multiple different LDAP search queries. This may be indicative of LDAP enumeration. overridden

    Possible LDAP enumeration by unsigned process

    Low overridden

    An unsigned process performed multiple different LDAP search queries. This may be indicative of LDAP enumeration. overridden

  • Possible Pass-the-Hash Low Identity Analytics

    An account was successfully logged on to with new credentials. This login type is rare and may be an attacker's attempt to pass-the-hash and move laterally within a network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Use Alternate Authentication Material: Pass the Hash (T1550.002)
    Required data: XDR Agent
    Attacker's goals: An attacker is attempting to steal credentials and move laterally within a network.
    Investigative actions: Audit all login events and review for discrepancies. Look for LSASS process access, an indication of an attacker attempting to obtain password hashes. Check for the RunAs command with the /netonly option.
  • Possible Persistence via group policy Registry keys Medium

    Group Policy registry keys were read during system startup. This behavior may indicate a persistence mechanism that triggers on reboot to execute malicious code.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Establish persistence on the host using Windows Group Policy mechanisms.
    Investigative actions: Inspect the registry keys and determine which process or command is configured to run. Verify whether the executing process is benign and expected as part of normal system behavior.
  • Possible Privilege Escalation using Delegated MSA account Informational Identity Analytics 1 variation

    An attacker might abuse dMSA account to escalate its privileges.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers may leverage dMSA account migration process to escalate privileges.
    Investigative actions: Confirm that the user is authorized to create and modify dMSA accounts in the domain. Verify the user should have permissions on the OU under which the dMSA account was created. Validate that the dMSA account should be created under the OU that appeared in the log (use the GUID). Verify that the user superseded an account, with the dMSA account, that should have superseded. Check the GUID of the dMSA object to get the account itself (can be viewed also in computer account creation event). Check what is the superseded account in the attribute 'msDS-ManagedAccountPrecededByLink' of the dMSA object. Investigate the host that initiated the dMSA account migration process for malicious activity.

    Variations

    Possible Privilege Escalation using Delegated MSA account attempt

    Medium overridden

    An attacker might abuse dMSA account to escalate its privileges. overridden

  • Possible RDP session hijacking using tscon.exe Medium

    The executable tscon.exe can be used to hijack other sessions on the same computer. The attacker may use another user's credentials to proceed with the lateral movement or disguise the activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Service Session Hijacking: RDP Hijacking (T1563.002)
    Required data: XDR Agent
    Attacker's goals: Attackers might hijack existing sessions on the same host to gain access to private data or leverage the logged-in user credentials to laterally move across the network.
    Investigative actions: Verify if the executing process is suspicious. Investigate if the interactive user did any more suspicious or malicious actions.
  • Possible SPN enumeration Informational Identity Analytics 1 variation

    A possible SPN enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), LDAP Analytics (Server)
    Attacker's goals: An attacker is attempting to enumerate Active Directory.
    Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.

    Variations

    Suspicious SPN enumeration via LDAP

    Low overridden

    A possible SPN enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden

  • Possible Search For Password Files Medium

    Attackers often search for files that have passwords in them.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Possible TGT reuse from different hosts (pass the ticket) Informational Identity Analytics 1 variation

    We observed two different hosts sending TGS using the same TGT. This may indicate a TGT was stolen and passed to another host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Use Alternate Authentication Material: Pass the Ticket (T1550.003)
    Required data: XDR Agent
    Attacker's goals: Lateral movement using stolen user-account credentials.
    Investigative actions: Check if the mentioned hosts are not the same, and investigate if the ticket was stolen from one of them.

    Variations

    TGT reuse from different hosts (pass the ticket)

    Low overridden

    We observed two different hosts sending TGS using the same TGT. This may indicate a TGT was stolen and passed to another host. overridden

  • Possible authentication coercion Informational Identity Analytics 2 variations

    An unusual Remote Procedure Call (RPC) was made to potentially cause authentication coercion.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Forced Authentication (T1187) Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker can abuse Remote Procedure Calls to coerce authentication from servers.
    Investigative actions: Check for a suspicious process on the initiator. Check if the source host is a vulnerability scanner. Check for unusual connections from {actor_remote_ip} to other servers in the network. Check for logged-in users to {actor_remote_ip} and investigate their actions. Check for indicators of compromise on {actor_remote_ip}.

    Variations

    Possible authentication coercion from an unconstrained delegation server to a sensitive server

    Medium overridden

    An unusual Remote Procedure Call (RPC) was made towards a sensitive server, to potentially cause authentication coercion. overridden

    Possible authentication coercion to a sensitive server

    Low overridden

    An unusual Remote Procedure Call (RPC) was made towards a sensitive server, to potentially cause authentication coercion. overridden

  • Possible binary padding using dd Informational

    A suspicious dd command ran and added data to a binary. This may indicate binary padding to change the hash of a file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Obfuscated Files or Information: Binary Padding (T1027.001)
    Required data: XDR Agent
    Attacker's goals: An adversary may use binary padding to avoid hash-based blacklists and static antivirus signatures.
    Investigative actions: Check the padded file and try to understand the impact of padding this specific binary.
  • Possible brute force on sudo user Informational 1 variation

    A user executed an unusual amount of sudo commands in a short time period.This may indicate an attempt to guess the sudo password.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Guessing (T1110.001)
    Required data: XDR Agent
    Attacker's goals: The attacker may gain full privileges to the host.
    Investigative actions: Verify which user ran these commands and if it is a legitimate behavior on this host.

    Variations

    Possible brute force on sudo user

    Low overridden

    A user executed an unusual amount of sudo commands in a short time period.This may indicate an attempt to guess the sudo password. overridden

  • Possible brute force or configuration change attempt on cytool High

    An unusual amount of cytool commands were executed in a short period from a user who doesn't usually run these commands.This may indicate an attempt to guess the Administrator password.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Guessing (T1110.001)
    Required data: XDR Agent
    Attacker's goals: The attacker may disable the agent to perform malicious activities.
    Investigative actions: Verify which user ran these commands and if it is a legitimate behavior on this host.
  • Possible code downloading from a remote host by Regsvr32 Medium

    Regsvr32 may be used to fetch arbitrary code from a remote host and execute it without dropping the payload onto the disk. Known to be used for malicious purposes.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Regsvr32 (T1218.010)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host and evade security controls.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Possible collection of screen captures with Windows Problem Steps Recorder Medium

    Windows Problem Steps Recorder (psr.exe), can record screen and clicks. Adversaries may abuse psr.exe to create screen captures and collect them afterward.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Screen Capture (T1113)
    Required data: XDR Agent
    Attacker's goals: Evading security controls and collecting screen captures of the desktop.
    Investigative actions: Check the causality of execution and if the TSS script was executed (Microsoft Troubleshooting Script). If output parameters in the command line are executed by the user. If the parent process is known in the organization as a support tool.
  • Possible compromised machine account Medium

    A Kerberos TGT for machine account has been used and does not match the hostname.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Attacker's goals: Gain a special user Kerberos ticket to move laterally.
    Investigative actions: Check the source host for possible credential dumping. Check the delegated account credentials and if it has high privileges. Check the ticket destination to verify whether it is a sensitive asset.
  • Possible data exfiltration over a USB storage device Informational Identity Threat Module

    A process generated massive file creation, renaming and write activity to a USB storage device.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001) Data Staged: Local Data Staging (T1074.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect data and stage it on an endpoint in the organization.
    Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check whether the USB storage device is new to the organization. Check whether other users in the organization used the same process for massive file activity.
  • Possible data obfuscation Informational 1 variation

    A command that can be used for file obfuscation was executed with an uncommon command line.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Deobfuscate/Decode Files or Information (T1140)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may use obfuscated files to cover their tracks.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Possible data obfuscation in a Kubernetes pod

    Low overridden

    A command that can be used for file obfuscation was executed with an uncommon command line. overridden

  • Possible external RDP Brute-Force Low Identity Analytics 2 variations

    Multiple failed remote logins originated from an external IP with at least one successful login.This may indicate a successful brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Guessing (T1110.001)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the accounts.
    Investigative actions: If the source IP is an internal IP, adjust network IP ranges. Identify the user performing RDP and check that it is authorized. Check whether this IP has a malicious reputation. Reset the user's password. Follow further actions done by the user.

    Variations

    Possible external RDP Brute-Force on a Honey User Account

    Medium overridden

    Multiple failed remote logins originated from an external IP with at least one successful login.This may indicate a successful brute-force attack. overridden

    Potential External Brute-Force via RDP on Sensitive User

    Medium overridden

    Multiple failed remote logins from an external IP with a sensitive user and at least one successful login.This may indicate a successful brute-force attack. overridden

  • Possible internal data exfiltration over a USB storage device Informational Identity Threat Module 1 variation

    A user generated abnormal massive file activity to a connected USB storage device.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001) Data Staged: Local Data Staging (T1074.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect data and stage it on an endpoint in the organization.
    Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check whether the USB storage device is new to the organization. Check whether other users in the organization used the same process for massive file activity.

    Variations

    Possible internal data exfiltration of over 500 MB via USB storage device

    Low overridden

    A user generated abnormal massive file activity to a connected USB storage device. overridden

  • Possible malicious .NET compilation started by a commonly abused process Medium

    Attackers may use csc.exe to compile payloads on a compromised machine.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Obfuscated Files or Information: Compile After Delivery (T1027.004)
    Required data: XDR Agent
    Attacker's goals: Compile payloads on the host to evade detection.
    Investigative actions: Investigate the payload being compiled. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Possible multistage attack in Microsoft Teams Low Identity Threat Module 1 variation

    Possible multistage attack in Microsoft Teams.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    12 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.
    Investigative actions: Verify the suspicious activity to validate the legitimacy of the user's actions. Review Teams chat logs and meeting invites for interactions with external tenants, focusing on unusual file sharing or unsolicited links. Hunt for known phishing indicators (suspicious domains, URL patterns, or IPs) in the Teams messages and linked content. Evaluate the external tenant reputation. Check for anomalous MS Teams actions like suspicious application installation, message extraction, policy changes or internal spear phishing attempts linked to the user post-login. Follow further actions done by the account.

    Variations

    Malicious activity had been detected with strong indicators

    Medium overridden

    Malicious Microsoft Teams activity detected across multiple indicators, the activities have strong indications of a malicious action. overridden

  • Possible network service discovery via command-line tool Low

    An attacker may use command-line utilities to discover open ports and services on a remote host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Network Service Discovery (T1046)
    Required data: XDR Agent
    Attacker's goals: Unavailable.
    Investigative actions: Unavailable.
  • Possible network sniffing attempt via tcpdump or tshark Low

    Attackers may monitor network traffic for cleartext credentials or to learn the network's configuration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: Network Sniffing (T1040)
    Required data: XDR Agent
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Possible new DHCP server Medium

    A DHCP response was sent from an unknown DHCP server.Attackers may send a DHCP response to a host in his LAN to inject a DNS server, route or WPAD server.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Adversary-in-the-Middle (T1557)
    Required data: XDR Agent
    Attacker's goals: The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.
    Investigative actions: Check if the source agent is a legitimate DHCP server. Check if the attacked host send DNS queries to an unusual IP. Check if the attacked host send WPAD HTTP/S requests to an unusual host.
  • Possible path traversal via HTTP request Low 3 variations

    The endpoint received a suspicious URI via an HTTP request that resembles a path traversal attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: File and Directory Discovery (T1083)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Detector tags: Webshell Analytics
    Attacker's goals: Attackers may exploit server components or misconfigurations to access arbitrary sensitive files on the web server.
    Investigative actions: Inspect the legitimacy of the URI path. Ensure that the rare URI is not a legitimate result of routine development actions on the web server.

    Variations

    Possible sensitive path traversal via HTTP request

    Medium overridden

    The endpoint received a suspicious URI via an HTTP request that resembles a path traversal attempt. overridden

    Possible path traversal via HTTP request from a TOR exit node

    Medium overridden

    The endpoint received a suspicious URI via an HTTP request that resembles a path traversal attempt. overridden

    Possible credential path traversal via HTTP request

    Medium overridden

    The endpoint received a suspicious URI via an HTTP request that resembles a path traversal attempt. overridden

  • Possible phishing attack via Microsoft Teams Low Identity Threat Module 3 variations

    An external tenant is possibly attempting a phishing attack via Microsoft Teams.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    5 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566)
    Required data: Azure Audit Log AzureAD AzureAD Audit Log Microsoft Graph Logs Office 365 Audit Okta Okta Audit Log Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Global Protect Third-Party VPNs Slack Audit Log XDR Agent XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.
    Investigative actions: Verify the suspicious sign-in activity to validate the legitimacy of the suspicious login. Review Teams chat logs and meeting invites for interactions with external tenants, focusing on unusual file sharing or unsolicited links. Hunt for known phishing indicators (suspicious domains, URL patterns, or IPs) in the Teams messages and linked content. Evaluate the external tenant reputation. Check for anomalous MS Teams actions like suspicious application installation, message extraction, policy changes or internal spear phishing attempts linked to the user post-login. Follow further actions done by the account.

    Variations

    Potential phishing attack with post compromise stages had been detected

    High overridden

    Suspicious Microsoft Teams phishing activity detected across multiple indicators, the activities have strong indications of a malicious login and post compromise actions. overridden

    Potential phishing attack via Microsoft Teams has been detected

    Medium overridden

    Suspicious Microsoft Teams phishing activity detected across multiple indicators, the activities have strong indications of a malicious login. overridden

    Potential phishing attack with post compromise activities in Microsoft Teams has been detected

    Medium overridden

    Suspicious Microsoft Teams phishing activity detected across multiple indicators. overridden

  • Possible use of IPFS was detected Informational 1 variation

    The host produced traffic consistent with IPFS.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: IPFS access may expose your organization to new malware or allow attackers/ malicious insiders to exfiltrate data.
    Investigative actions: Check the host for IPFS client software. Look at the user's website history for IPFS url's and check the content ID (CID) for malicious indicators. Examine the client's network traffic for uploaded or downloaded file hashes.

    Variations

    Possible use of IPFS was detected

    Informational overridden

    The host produced traffic consistent with IPFS. overridden

  • Possible use of a networking driver for network sniffing Informational 2 variations

    A process wrote a known networking driver with network sniffing capabilities to disk, attackers can use it to sniff passwords and other credentials from the network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: Network Sniffing (T1040)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Enable access to raw network traffic via promiscuous mode, allowing an attacker to sniff credentials and other sensitive data from the organization's network, and in some cases interfere with network communications.
    Investigative actions: Verify whether the process is expected and recognized by IT or the user. Check whether the driver was installed recently. If it was installed using sc.exe, this may indicate malicious activity. Review who executed sc.exe to validate legitimacy.

    Variations

    Possible use of a networking driver for network sniffing

    Medium overridden

    A process wrote a known and rare networking driver with network sniffing capabilities to not standard location for drivers on the disk, attackers can use it to sniff passwords and other credentials from the network. overridden

    Possible use of a networking driver for network sniffing

    Low overridden

    A process wrote a known networking driver with network sniffing capabilities to not standard location for drivers on the disk, attackers can use it to sniff passwords and other credentials from the network. overridden

  • Possible webshell file written by a web server process Low 3 variations

    An uncommon file with a web file extension was created, written or renamed by a web server process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Webshell Analytics
    Attacker's goals: Gaining the ability to execute commands on the host, as well as persistence.
    Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the dropped file contains malicious content.

    Variations

    Possible webshell file written by a node web server process

    Informational overridden

    An uncommon file with a web file extension was created, written or renamed by a web server process. overridden

    Possible webshell file written by a web server process in an internet facing server

    Low overridden

    An uncommon file with a web file extension was created, written or renamed by a web server process. overridden

    Possible webshell file written by a web server process with connections from various sources and high web traffic

    Low overridden

    An uncommon file with a web file extension was created, written or renamed by a web server process. overridden

  • Potential DCSync by an unusual user Informational Identity Analytics 1 variation

    Attackers may leverage the domain replication process to extract sensitive information (DCSync).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping: DCSync (T1003.006) Rogue Domain Controller (T1207)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker is trying to retrieve Active Directory data, including password hashes.
    Investigative actions: Check the role of the account, and see if it should initiate a DC synchronization. Check if the account performing the DCSync is related to a new DC. Find the source host of the DCSync (correlate between event 4662 and 4624 based on the field 'Logon ID'). Check if the account was recently added to an administrative groups/had new sensitive privileges assigned to it. Monitor suspicious traffic to/from the host to identify lateral movement or access to sensitive resources.

    Variations

    Possible DCSync by an unusual user

    Low overridden

    Attackers may leverage the domain replication process to extract sensitive information (DCSync). overridden

  • Potential NTLM Relay Attack Informational Identity Analytics 3 variations

    Multiple NTLM authentications were made to the same workstation and user from different IPs.This might indicate a potential NTLM Relay attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)
    Required data: XDR Agent
    Attacker's goals: The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.
    Investigative actions: Ensure that the alerted host is not a NAT device or proxy that replicates or forwards network traffic as part of its expected operational behavior. Check if the workstation supports weak, outdated versions of NTLM. Check for network activity to and from the suspicious IP address and workstation, to verify if they were compromised. Check for process activity to and from the suspicious IP address to verify if it was compromised. Check for changes in the network configurations, including indicators of poisoning attacks. Monitor closely the actions of the potentially compromised user account for any anomalous behavior.

    Variations

    NTLM Relay Attack using a sensitive user and a vulnerable package

    Medium overridden

    Multiple NTLM authentications were made to the same workstation and sensitive user from different IPs using a vulnerable NTLM package.This might indicate a potential NTLM Relay attack. overridden

    Potential NTLM Relay Attack using a vulnerable package

    Low overridden

    Multiple NTLM authentications were made to the same workstation and user from different IPs using a vulnerable NTLM package.This might indicate a potential NTLM Relay attack. overridden

    Potential NTLM Relay Attack using a sensitive user

    Low overridden

    Multiple NTLM authentications were made to the same workstation and sensitive user from different IPs.This might indicate a potential NTLM Relay attack. overridden

  • Potential NTLM Relay Attack against a Microsoft Configuration Manager Site Server Informational Identity Analytics 1 variation

    Multiple NTLM authentications were made to the same Microsoft Configuration Manager site server and user from different IPs in a short period of time.This might indicate a potential NTLM Relay attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)
    Required data: XDR Agent
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: An attacker may coerce the SCCM site server to authenticate to a malicious host and relay it to escalate privileges and move laterally across site systems.
    Investigative actions: Ensure that the alerted host is not a NAT device or proxy that replicates or forwards network traffic as part of its expected operational behavior. Check if the protocols used are vulnerable to an NTLM relay attack (e.g. LDAP, SMB). Ensure that SMB signing is enabled in the case of a possible SMB relay attack. Check for network activity to and from the suspicious IP address to verify if it is a compromised machine. Monitor closely the actions of the potentially compromised user account for any anomalous behavior, especially suspicious SCCM-related activity occurring near the time of the alert.

    Variations

    Potential NTLM Relay Attack against a Microsoft Configuration Manager Site Server using a vulnerable package

    Low overridden

    Multiple NTLM authentications were made to the same Microsoft Configuration Manager site server and user from different IPs using a vulnerable NTLM package in a short period of time.This might indicate a potential NTLM Relay attack. overridden

  • Potential Okta access limit breach Informational Identity Threat Module 1 variation

    A user surpassed Okta's rate limit, leading to an access limit violation. This could suggest a potential account takeover attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Initial Access (TA0001)
    ATT&CK techniques: Automated Collection (T1119) Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An adversary may attempt to use a compromised account in an unusual way to harvest as much data as possible, which could result in exceeding the access limit policy.
    Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Investigate abnormal logins, reported suspicious activities, new processes run, and recent configuration changes for any indicators of potential compromise. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).

    Variations

    A breach in access limits within Okta, accompanied by suspicious characteristics

    Low overridden

    The user exceeded the access threshold in Okta, triggering a violation alert. overridden

  • Potential Phishing has been detected Medium Email 4 variations

    This email contains multiple indicators consistent with a phishing attack. The message likely attempts to steal credentials, distribute malware, or trick recipients into performing actions that compromise security through deceptive content or suspicious technical characteristics.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566)
    Required data: Box Audit Log DropBox Google Workspace Audit Logs Microsoft 365 Emails Office 365 Audit Okta Audit Log Salesforce Slack Audit Log
    Detector tags: Phishing
    Attacker's goals: Trick recipients into revealing sensitive information, hijack the organization, or obtain money through deception.
    Investigative actions: Review the email headers and metadata of to identify potential spoofing techniques or unusual routing patterns. Analyze any URLs or attachments in a secure sandbox environment to detect possible malware or phishing attempts. Correlate findings with recent alerts in the SIEM to assess whether similar accumulation patterns are forming. Engage potentially affected users to understand if any actions were taken in response to this email, which could increase the overall risk. Document and escalate findings if the accumulation of warnings suggests a broader phishing campaign.

    Variations

    Potential Brand Impersonation has been detected

    Medium overridden

    This email appears to impersonate a legitimate brand or service provider to deceive recipients. Attackers often mimic trusted companies like banks, cloud services, or popular brands to steal credentials, distribute malware, or conduct fraudulent activities. overridden

    Potential Spear Phishing has been detected

    Medium overridden

    This email represents a targeted spear phishing attack aimed at high-value personnel within your organization. These highly personalized attacks often target executives or privileged users to gain unauthorized access to sensitive systems or information. overridden

    Potential Business Email Compromise has been detected

    Medium overridden

    This email exhibits characteristics of a Business Email Compromise attack, where threat actors impersonate executives or trusted business partners to manipulate recipients into authorizing fraudulent financial transactions or wire transfers. overridden

    Potential Exfiltration has been detected

    Medium overridden

    This outbound email shows suspicious patterns consistent with data exfiltration attempts. The communication may involve unauthorized transmission of sensitive organizational data to external recipients through email channels. overridden

  • Potential SCCM credential harvesting using WMI detected Low 3 variations

    Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: Windows Management Instrumentation (T1047) Unsecured Credentials (T1552)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: Obtain credentials used by the SCCM service.
    Investigative actions: Examine the process that executed the WMI query and the CGO and verify that the processes are from a trusted source. Inspect the system for malicious activity that is related to that process.

    Variations

    Potential SCCM credential harvesting using WMI detected from a remote machine

    Medium overridden

    Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM. overridden

    Potential SCCM inventory query using WMI detected

    Low overridden

    Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM. overridden

    Potential Enumeration of SCCM User, Device, and Deployment Data via WMI

    Low overridden

    Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM. overridden

  • Potential creation of persistent cloud credentials Informational Cloud

    A cloud identity invoked a credential-related persistence operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Forge Web Credentials (T1606) Use Alternate Authentication Material: Application Access Token (T1550.001)
    Required data: AWS Audit Log
    Attacker's goals: Maintain persistence in cloud environments.
    Investigative actions: Check what API calls were executed by the identity. Check what resources are affected by this change. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account.
  • Potential denial of wallet abusing AI services Low Cloud 1 variation

    An ML model experienced a sudden spike in requests in a short time.MITRE ATLAS Techniques: AML.T0029 - Denial of ML Service, AML.T0034 - Cost Harvesting.OWASP Top 10 LLM Technique: LLM10 - Unbounded Consumption.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Endpoint Denial of Service: Application Exhaustion Flood (T1499.003) Resource Hijacking (T1496)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Disrupting or shutting down an ML service.
    Investigative actions: Investigate the impact on the ML service.

    Variations

    Possible denial of wallet abusing AI services

    Medium overridden

    An ML model experienced a sudden spike in requests in a short time.MITRE ATLAS Techniques: AML.T0029 - Denial of ML Service, AML.T0034 - Cost Harvesting.OWASP Top 10 LLM Technique: LLM10 - Unbounded Consumption. overridden

  • Potential extraction of NAA Account Credentials in Microsoft Configuration Manager Low Identity Analytics 1 variation

    Possible user attempt to deobfuscate Network Access Account (NAA) credentials in Microsoft Configuration Manager. This may indicate a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005)
    ATT&CK techniques: Unsecured Credentials (T1552) Deobfuscate/Decode Files or Information (T1140) Credentials from Password Stores (T1555)
    Required data: Azure Audit Log AzureAD AzureAD Audit Log Microsoft Graph Logs Office 365 Audit Okta Okta Audit Log Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Global Protect Third-Party VPNs Slack Audit Log XDR Agent XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: An attacker may extract plaintext credentials of the Network Access Account (NAA) from an SCCM environment to access resources and lateral movement within the network.
    Investigative actions: Verify the activity with the performing user. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Look for unusual logins using the Network Access Account (NAA), on systems or at times that deviate from normal patterns. Looking for signs of credential extraction, such as tools or scripts.

    Variations

    Suspicious extraction of NAA Account Credentials in Microsoft Configuration Manager

    Medium overridden

    Possible user attempt to deobfuscate Network Access Account (NAA) credentials in Microsoft Configuration Manager. This may indicate a compromised account. overridden

  • Potential kubelet impersonation attempt Low 1 variation

    A process accessed both the Kubelet credentials and the Kubernetes CA certificate, indicating an attempt to impersonate the node agent and communicate with the API server.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft Analytics
    Attacker's goals: Impersonate the node agent to gain control over the cluster.
    Investigative actions: Look for additional suspicious activities. Verify if the exposed credentials were used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.

    Variations

    Potential kubelet impersonation attempt by an unusual process

    Medium overridden

    A process accessed both the Kubelet credentials and the Kubernetes CA certificate, indicating an attempt to impersonate the node agent and communicate with the API server. overridden

  • Potential spoofing of internal domain spotted Informational Email

    An external sender is possibly impersonating an employee by spoofing the company's internal address.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)
    ATT&CK techniques: Phishing (T1566) Impersonation (T1656)
    Required data: Microsoft 365 Emails
    Detector tags: Employee Impersonation, Spear Phishing
    Attacker's goals: Get credentials for internal systems. Executing financial transfers from the company to the attacker's account. Extracting information outside the company. Encrypting critical information and demanding a ransom.
    Investigative actions: Check the received header path, especially the sender host. Check DMARC, SPF AND DKIM authentication results. Verify whether the sender's IP address has appeared in different log sources before and its reputation. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • PowerShell Initiates a Network Connection to GitHub Low 1 variation

    PowerShell initiates a Network Connection to GitHub with an uncommon command line. This may have legitimate uses, but this technique is frequently used by attackers to serve malicious payloads.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: Palo Alto Networks Url Logs
    Attacker's goals: Download a second stage payload for execution.
    Investigative actions: Check if the initiator process is malicious. Check for additional file/network operations by the same PowerShell instance.

    Variations

    PowerShell Initiates a Network Connection to GitHub from a sensitive server

    Medium overridden

    PowerShell initiates a Network Connection to GitHub with an uncommon command line. This may have legitimate uses, but this technique is frequently used by attackers to serve malicious payloads. overridden

  • PowerShell pfx certificate extraction Informational 1 variation

    PowerShell was used to extract a pfx certificate file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Attackers may export certificates to .pfx files to use them for authentication, persistence or NTLM extraction.
    Investigative actions: Check if the pfx creation is legitimate for the user (Testing, IT, etc.). Follow further actions done by the user (ex. authentication using certificates).

    Variations

    Suspicious PowerShell pfx certificate extraction

    Low overridden

    A user used PowerShell to extract a pfx certificate file. overridden

  • PowerShell runs suspicious base64-encoded commands Low 2 variations

    Running PowerShell with a base64-encoded payload in the command line is often used by attackers to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: XDR Agent
    Attacker's goals: Run code to perform actions or download other malicious programs.
    Investigative actions: Check if the initiator process is malicious. Check for other operations by the PowerShell instance.

    Variations

    PowerShell runs rare base64-encoded command via remote causality actor

    Medium overridden

    Running PowerShell with a base64-encoded payload in the command line is often used by attackers to evade detection. overridden

    PowerShell runs rare base64-encoded command by windows built-in scripting engine

    High overridden

    Running PowerShell with a base64-encoded payload in the command line is often used by attackers to evade detection. overridden

  • PowerShell suspicious flags Medium

    Abbreviated flags in PowerShell indicate malicious intent.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: XDR Agent
    Attacker's goals: Run code to perform actions or download other malicious programs.
    Investigative actions: Check if the initiator process is malicious. Check for other operations by the PowerShell instance.
  • PowerShell used to export mailbox contents Medium

    An attacker may use PowerShell to export the contents of a mailbox as part of the data staging before exfiltration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data Staged: Local Data Staging (T1074.001)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Export the content of a mailbox, preparing for data exfiltration.
    Investigative actions: Examine the PowerShell command to identify which mailbox has been exported. Verify that this command was executed by a trusted source.
  • PowerShell used to remove mailbox export request logs High

    An attacker may use PowerShell to remove evidence of an export request for a mailbox as part of the clean-up stage.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Remove evidence for mailbox export commands.
    Investigative actions: Examine the PowerShell command to identify which mailbox has been compromised. Investigate the host that executes the command for potential further exploitation.
  • Privileged certificate request via certificate template Informational Identity Analytics 2 variations

    A privileged certificate was requested via certificate template.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker may attempt to exploit the Active Directory Certificate Services to escalate privileges to a domain controller or privileged account.
    Investigative actions: Check if this is a legitimate certificate request. Check if the certificate issued was used to request a Kerberos ticket. Investigate actions done with the issued certificate and its owner. Check for possible NTLM relay alerts.

    Variations

    Suspicious privileged certificate request denied via certificate template

    Medium overridden

    A suspicious privileged certificate request was denied via certificate template. overridden

    Suspicious privileged certificate request via certificate template

    Low overridden

    A suspicious privileged certificate was requested via certificate template. overridden

  • Privileged role used by Azure application Informational Cloud 1 variation

    An Azure application with high-level API permissions invoked a request to the Microsoft Graph API.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Leverage high-level permissions to gain persistence and access to sensitive information.
    Investigative actions: Check the application's role designation in the organization. Look for any unusual behavior originated from the suspected application.

    Variations

    First-time privileged role is used by Azure application

    Low overridden

    An Azure application with high-level API permissions invoked a request to the Microsoft Graph API. overridden

  • Procdump executed from an atypical directory Medium

    Procdump.exe is a SysInternals tool used to dump process memory; it can be used to dump lsass.exe memory to extract credentials.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Credential Access (TA0006)
    ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001) OS Credential Dumping: LSASS Memory (T1003.001)
    Required data: XDR Agent
    Attacker's goals: Attackers may attempt to dump the memory of sensitive processes.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • PsExec was executed with a suspicious command line Informational 4 variations

    PsExec.exe was executed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)
    ATT&CK techniques: System Services: Service Execution (T1569.002) Valid Accounts (T1078)
    Required data: XDR Agent
    Attacker's goals: An adversary may attempt to use PsExec to gain execution capabilities, run remote commands or perform privilege escalation.
    Investigative actions: Check if any other suspicious activities happened under the same causality. Confirm the PsExec.exe command is benign.

    Variations

    PsExec was executed with a suspicious command line by a LOLBIN

    Low overridden

    PsExec.exe was executed with NT/System privilege level by a LOLBIN. overridden

    PsExec was executed with a suspicious command line by an unsigned actor

    Medium overridden

    PsExec.exe was executed with NT/System privilege level by an unsigned actor. overridden

    PsExec was executed with a suspicious command line

    Low overridden

    PsExec.exe was executed with NT/System privilege level. overridden

    PsExec was executed with a suspicious command line

    Low overridden

    PsExec.exe was executed with plain-text credentials. overridden

  • Punycode characters detected in URL(s) Informational Email

    Punycode character(s) detected within URL(s) in email content.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Masquerading (T1036) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Cause a different URL to be presented to the user as a legitimate URL, prompting user engagement.
    Investigative actions: Examine the sender's IP address and reputation. Check the email address and content for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Python HTTP server started Informational

    Python HTTP server started - possible exfiltration over HTTP.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003)
    Required data: XDR Agent
    Attacker's goals: Attackers might use a Python server as a C&C or exfiltration channel.
    Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it.
  • Quarantined email released to recipients Informational Email 3 variations

    This message was previously quarantined by vendor and has now been released and delivered to the intended recipients.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566)
    Required data: Microsoft 365 Emails
    Attacker's goals: Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.
    Investigative actions: Examine email headers to trace origins and check for signs of spoofing. Analyze the email content for spam indicators like suspicious links and aggressive marketing language. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    Repeated quarantine releases to mailbox from previously quarantined sender

    Low overridden

    This message was previously quarantined by vendor and later released and delivered to the intended recipients, while the mailbox has received multiple quarantined messages and the sender has been quarantined several times over the past 30 days. overridden

    Repeated quarantine releases from previously quarantined sender

    Low overridden

    This message was previously quarantined by vendor and later released and delivered to the intended recipients, while the sender has been quarantined multiple times over the past 30 days. overridden

    Repeated quarantine-released emails received by mailbox

    Low overridden

    This mailbox has repeatedly received messages over the past 30 days that were quarantined by vendor and later released and delivered to the recipient. overridden

  • RDP Connection to localhost Medium

    An RDP connection to localhost can be used for privilege escalation by leveraging Windows accessibility features.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)
    Required data: XDR Agent
    Detector tags: Enhanced RDP Analytics
    Attacker's goals: An attacker may initiate RDP tunneling for a more convenient and stable interface.
    Investigative actions: Identify the process/user performing RDP and check that it is authorized. Check whether the initiating process also connects to an external host.
  • RDP connections enabled remotely via Registry Low 2 variations

    An attacker may remotely enable RDP connections to a machine by setting the fDenyTSConnections Registry key to 0.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Enhanced RDP Analytics
    Attacker's goals: Remotely enable RDP on the host for lateral movement.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Search for RDP sessions to this host and investigate them for malicious activities.

    Variations

    RDP connections enabled by a remote process via Registry

    Low overridden

    An attacker may remotely enable RDP connections to a machine by setting the fDenyTSConnections Registry key to 0. overridden

    RDP connections enabled remotely via Registry using WinRM

    Low overridden

    An attacker may remotely enable RDP connections to a machine by setting the fDenyTSConnections Registry key to 0. overridden

  • RDP from an unmanaged endpoint in a typically managed subnet Low 1 variation

    An RDP connection was established from an unmanaged endpoint in a typically managed subnet, indicating a possible lateral movement.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Detector tags: Enhanced RDP Analytics
    Attacker's goals: Lateral movement to critical assets from an unmanaged host.
    Investigative actions: Verify if the source endpoint is authorized to perform RDP connections. Validate that the source endpoint is managed or unmanaged. Investigate the user account used for the RDP connection.

    Variations

    RDP from an unmanaged endpoint in a typically managed subnet with a significantly higher number of managed endpoints in the subnet

    Low overridden

    An RDP connection was established from an unmanaged endpoint in a typically managed subnet, indicating a possible lateral movement. The source subnet has a significantly higher number of managed endpoints compared to the unmanaged ones. overridden

  • Random-Looking Domain Names Medium

    The endpoint performed DNS lookups to an excessively large number of apparently random root domain names. This alert might be symptomatic of malware that is trying to connect to its command and control (C2) servers.The attacker's C2 server runs on one or more domains that can eventually be identified and blacklisted. To avoid this, malware will sometimes use Domain Generation Algorithms (DGA) that produce many unique, random-looking domain names every day. Because only a few of these domains are ever registered, the installed malware must blindly try to access each generated domain name in an effort to locate an active one, which may also trigger the Failed DNS alert.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Dynamic Resolution: Domain Generation Algorithms (T1568.002)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Communicate with malware running on your network for controlling malware activities, performing software updates on the malware, or for taking inventory of infected machines.
    Investigative actions: Make sure your DNS servers are not misconfigured and are responsive. This detector assumes that most DNS lookups succeed, and will only raise an alert when it sees many failed lookups. Misconfigured or unresponsive DNS servers can result in a false positive. Make sure you do not have external domains configured as internal domains. This can result in clients attempting to (for example) resolve google.com.local first, before resolving google.com. This can result in a false positive for this alert. Ensure that the endpoint is configured properly for your DNS servers. Make sure it is configured to use the correct DNS IP address, and that the IP address is not for a firewalled DNS server. Misconfigured DNS clients can result in many failed lookups, which will result in a false positive for this alert. Make sure the endpoint is not a DNS, Proxy, NAT or VPN gateway server. If these have been misdetected by Cortex XDR Analytics, then their ordinary operations can trigger this alert.
  • Rare AppID usage to a rare destination Informational 2 variations

    Rare AppID with port usage to rare destination.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    14 Days
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Attackers might use well-known ports with uncommon applications to avoid being detected by a non-application aware firewall or to bypass firewall rules based only on ports.
    Investigative actions: Investigate the endpoints participating in the session.

    Variations

    Rare AppID usage to a rare destination using an unsigned process

    Low overridden

    Rare AppID with port usage to rare destination. overridden

    Rare AppID usage to a rare destination from an internet-facing server

    Low overridden

    Rare AppID with port usage to rare destination. overridden

  • Rare DCOM RPC activity Informational 1 variation

    The endpoint performed abnormal DCOM RPC activity to a remote host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Distributed Component Object Model (T1021.003)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using the DCOM RPC interface. The DCOM RPC interface is used to remotely invoke registered COM applications on remote hosts.
    Investigative actions: Review the action of the initiated COM application on the remote host. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.

    Variations

    Rare DCOM RPC activity

    Low overridden

    The endpoint performed abnormal DCOM RPC activity to a remote host. overridden

  • Rare DLP rule match by user Informational Identity Threat Module Email 1 variation

    A user triggered an O365 DLP rule match, which may indicate an attacker's attempt to access sensitive information.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories: Sharepoint (T1213.002) Data from Information Repositories (T1213)
    Required data: Office 365 Audit
    Detector tags: O365 DLP Analytics
    Attacker's goals: An attacker is attempting to access sensitive information.
    Investigative actions: Review the details of the triggered DLP rule match.Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Communicate with the user to verify the legitimacy of the triggered event.

    Variations

    DLP rule match by user for the first time

    Low overridden

    A user triggered an O365 DLP rule match, which may indicate an attacker's attempt to access sensitive information. overridden

  • Rare LDAP enumeration Low

    Possible LDAP enumeration with a rare combination of queries.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087)
    Required data: Palo Alto Networks Firewall EAL Logs
    Detector tags: LDAP Analytics
    Attacker's goals: An adversary may utilize the LDAP protocol to gain information on the Active Directory environment and plan its lateral movement over the network.
    Investigative actions: Where possible, check the legitimacy of the process that executed these LDAP queries. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic, those search queries (often using wildcards) tend to be more suspicious.
  • Rare LOLBIN Process Execution by User Informational Identity Analytics

    A user executed a living-off-the-land binary (LOLBIN) process that is unusual for this user. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Attacker's goals: Unusual processes may be executed for various purposes, including exfiltration, lateral movement, etc.
    Investigative actions: Investigate the process that was executed to determine if it was used for legitimate purposes or malicious activity.
  • Rare MS-Update Server was detected Informational 1 variation

    The endpoint requested an MS-Update operation from a rare update server.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Trusted Relationship (T1199)
    Required data: Palo Alto Networks Firewall EAL Logs
    Attacker's goals: The Windows Server Update Services enable machines to discover and download software updates from a dedicated update server. Attackers may use the MS-Update protocol to execute unauthorized code through Microsoft binaries.
    Investigative actions: Inspect the legitimacy of the server as a WSUS functioning server. Verify that your MS-Update network routine is HTTPS enforced Verify that this MS-Update server is not a newly deployed server as part of a legitimate IT activity.

    Variations

    Rare MS-Update Server was detected

    Informational overridden

    The endpoint requested an MS-Update operation from a rare update server. overridden

  • Rare MS-Update traffic over HTTP Informational

    The endpoint requested an MS-Update operation with abnormal HTTP traffic characteristics.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Exploitation of Remote Services (T1210)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: The Windows Server Update Services enable machines to discover and download software updates from a dedicated update server. Attacker may use the MS-Update protocol to execute unauthorized code through Microsoft binaries.
    Investigative actions: Inspect the legitimacy of the server as a WSUS functioning server. Verify that your MS-Update network routine is HTTPS enforced Verify that this MS-Update server is not a newly deployed server as part of a legitimate IT activity.
  • Rare NTLM Access By User To Host Informational Identity Analytics

    An unusual NTLM authentication attempt by a user to a host. This may indicate the use of stolen credentials or access tokens to access restricted hosts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Use Alternate Authentication Material (T1550)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: The attacker may be attempting lateral movement within a compromised network.
    Investigative actions: Verify any successful authentication for the user account referenced by the alert, as this could indicate the attacker has used stolen credentials.
  • Rare NTLM Usage by User Informational Identity Analytics

    Rare authentication by user account to host via NTLM.The user has not authenticated with NTLM in the past 30 days.This may be indicative of downgrade attacks from Kerberos to NTLM.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Use Alternate Authentication Material (T1550)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: The attacker is attempting to move laterally within a compromised network.
    Investigative actions: Verify any successful authentication for the user account referenced by the alert, as these can indicate the attacker managed to use the stolen credentials.
  • Rare RDP session to a remote host Low 1 variation

    The endpoint performed a rare RDP session to a remote host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Detector tags: NDR Lateral Movement Analytics, Enhanced RDP Analytics
    Attacker's goals: Attackers may attempt to move laterally over the network by using compromised accounts or machines to connect to remote hosts using the RDP protocol.
    Investigative actions: Inspect the legitimacy of the user who initiated the RDP session. Verify that this isn't routine IT activity.

    Variations

    Rare RDP session to a remote host

    Informational overridden

    The endpoint performed a rare RDP session to a remote host. overridden

  • Rare Remote Service (SVCCTL) RPC activity Informational 3 variations

    The endpoint performed abnormal RPC activity via Service Control Manager interface to a remote host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services (T1021)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using services. The service control manager RPC interface is used to create and start services on a local or a remote host.
    Investigative actions: Review the action of services.exe on the remote host where possible. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.

    Variations

    Rare remote service creation and initiation via Remote Service (SVCCTL) RPC interface

    Medium overridden

    The endpoint performed abnormal service creation and initiation via Remote Service (SVCCTL) RPC interface to a remote host. overridden

    Rare remote service change or creation via Remote Service (SVCCTL) RPC interface

    Medium overridden

    The endpoint performed abnormal service creation via Remote Service (SVCCTL) RPC interface to a remote host. overridden

    Rare Remote Service (SVCCTL) RPC activity

    Low overridden

    The endpoint performed abnormal RPC activity via Service Control Manager interface to a remote host. overridden

  • Rare SMB session to a remote host Low 1 variation

    The endpoint performed a rare SMB activity to a remote host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services (T1021)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: Attackers may use the SMB protocol in an attempt to move laterally in the network, and expand their foothold in the organization.
    Investigative actions: Check whether the username used in the SMB connection is legitimate. Verify that this isn't IT activity.

    Variations

    Rare SMB session to a remote host

    Informational overridden

    The endpoint performed a rare SMB activity to a remote host. overridden

  • Rare SMTP/S Session Informational

    The Simple Mail Transfer Protocol (SMTP) and its SSL-secured variant SMTPS are used to send email. Attackers can use SMTP/S to exfiltrate data from your network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: SMTP and its SSL-secured variant SMTPS are used to send email. Attackers can use SMTP/S to exfiltrate data from your network.
    Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check whether additional malicious commands were executed from the same process.
  • Rare SSH Session Low

    Secure Shell (SSH) provides a secure means of remote administration. Attackers can use valid SSH credentials and keys to remotely connect to endpoints running the SSH service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services (T1021)
    Required data: XDR Agent
    Attacker's goals: Secure Shell (SSH) provides a secure means of remote administration. Attackers can use valid SSH credentials and keys to remotely connect to endpoints running the SSH service.
    Investigative actions: Verify that the process is allowed in the organization. Check if the user should access the destination and whether the session was successful or not.
  • Rare Scheduled Task RPC activity Informational 3 variations

    The endpoint performed abnormal Scheduled Task RPC activity to a remote host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Persistence (TA0003)
    ATT&CK techniques: Remote Services (T1021) Scheduled Task/Job (T1053)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using scheduled tasks. The ITaskSchedulerService RPC interface is used to query and manage services on a local or remote host.
    Investigative actions: Review the action of the created scheduled task on the remote host. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.

    Variations

    Rare remote task registration and creation via Scheduled Task RPC interface

    Medium overridden

    The endpoint performed abnormal task registration and creation via Scheduled Task RPC interface to a remote host. overridden

    Rare remote task creation via Scheduled Task RPC interface

    Medium overridden

    The endpoint performed abnormal task registration or creation via Scheduled Task RPC interface to a remote host. overridden

    Rare Scheduled Task RPC activity

    Low overridden

    The endpoint performed abnormal Scheduled Task RPC activity to a remote host. overridden

  • Rare Scheduled Task RPC activity from a rarely seen host Low

    The endpoint performed abnormal Scheduled Task RPC activity to a remote host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Persistence (TA0003)
    ATT&CK techniques: Remote Services (T1021) Scheduled Task/Job (T1053)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: NDR Lateral Movement Analytics, NDR Unmanaged Subnet Analytics
    Attacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using scheduled tasks. The ITaskSchedulerService RPC interface is used to create and manage scheduled tasks on a local or remote host.
    Investigative actions: Review the action of the created scheduled task on the remote host. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.
  • Rare Unix process divided files by size Informational

    A file was divided into sub-files by size limit by a rare process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Data Transfer Size Limits (T1030)
    Required data: XDR Agent
    Attacker's goals: This may assist an attacker to exfiltrate sensitive information.
    Investigative actions: Check if the user normally uses this capability. Check if this capability is used often on this endpoint.
  • Rare Unsigned Process Spawned by Office Process Under Suspicious Directory Low

    Microsoft Office executed an unsigned process in a suspicious directory. This behavior is common with malicious macros.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Attacker's goals: Attackers execute commands after infiltrating by using phishing or exploiting a vulnerability in an office.
    Investigative actions: Investigate the executed process. Investigate the document/email that initiated it.
  • Rare WinRM Session Informational

    Windows Remote Management (WinRM) enables users to interact with remote systems in different ways, including running executables on the remote system. WinRM sessions can be established using WinRM/WinRS commands or programs such as PowerShell. Attackers can use WinRM to execute code and move laterally within a compromised network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Windows Remote Management (T1021.006)
    Required data: XDR Agent
    Attacker's goals: Windows Remote Management (WinRM) enables users to interact with remote systems in different ways, including running executables on the remote endpoint. WinRM sessions can be established using winrm/winrs commands or programs such as PowerShell. Attackers can use WinRM to execute code and move laterally within a compromised network.
    Investigative actions: Investigate the endpoints participating in the session.
  • Rare Windows Remote Management (WinRM) HTTP Activity Low

    The endpoint performed unfamiliar WinRM HTTP activity to a remote host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services (T1021)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: Attackers may use WinRM to execute code on remote hosts, in an attempt to gain persistence or move laterally in the network.
    Investigative actions: Correlate the WinRM HTTP request from the source host and understand which software initiated it. Verify that this isn't IT activity.
  • Rare access to known advertising domains Informational 2 variations

    The endpoint performed many connections to unpopular advertising domains.This could indicate the presence of adware on the endpoint.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Persistence (TA0003)
    ATT&CK techniques: Application Layer Protocol (T1071) Software Extensions: Browser Extensions (T1176.001)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Causing the user to view excessive advertising content.
    Investigative actions: Investigate the infected machine and search for suspicious browser extensions, see if changes were made to the homepage or if the browser is slower than usual, check whether sites that do not have ads usually, display ads when accessed from the possibly infected endpoint. Search for suspicious redirections or proxy configuration on the infected machine. Search for a C&C communication.

    Variations

    Rare access to known advertising domains from a Rare User Agent

    Informational overridden

    The endpoint performed many connections to unpopular advertising domains from a rare user agent.This could indicate the presence of adware on the endpoint. overridden

    Suspicious Rare access to known advertising domains

    Low overridden

    The endpoint performed many connections to unpopular advertising domains.This could indicate the presence of adware on the endpoint. overridden

  • Rare binary connected to a rare cloud resource Low 2 variations

    Rare binary connected to a rare cloud resource.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.
    Investigative actions: Check the binary file. Get further details about the uncommon external cloud resource.

    Variations

    Software development tool connected to a rare cloud resource

    Informational overridden

    Software development tool connected to a rare cloud resource. overridden

    Recently downloaded rare binary connected to a rare cloud resource

    Medium overridden

    Recently downloaded rare binary connected to a rare cloud resource. overridden

  • Rare binary connected to a rare external host Low 2 variations

    Rare binary connected to a rare external host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.
    Investigative actions: Check the rare binary file. Get further details about the rare external destination.

    Variations

    Rare unsigned binary connected to a globally rare external host

    Medium overridden

    Rare unsigned binary connected to a globally rare external host. overridden

    Rare binary connected to a globally rare external host

    Low overridden

    Rare binary connected to a globally rare external host. overridden

  • Rare communication over email ports to external email server by unsigned process Low

    These methods are used by malware and attackers to leak data and remain undetected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Non-Application Layer Protocol (T1095)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Attackers might use well-known email ports as a C&C channel to evade detection and firewall rules.
    Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check whether additional malicious commands were executed from the same process.
  • Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol Informational 4 variations

    A process made a connection to an external IP address or host that is rarely connected to by the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: Palo Alto Networks Url Logs
    Attacker's goals: Connect to a server to retrieve commands or exfiltrate data.
    Investigative actions: Check whether the process was injected or otherwise subverted for malicious use.

    Variations

    Rare connection to external IP address or host by a java application using LDAP protocol

    Medium overridden

    A Java Process that never created LDAP connection before connected to an external IP address or host, which is rarely connected to from the organization using LDAP protocol. overridden

    Rare connection to external IP address or host by a java application using LDAP protocol

    Medium overridden

    A Java Process that never created RMI-IIOP connection before connected to an external IP address or host, which is rarely connected to from the organization using LDAP protocol. overridden

    Rare connection to external IP address or host by a java application using LDAP protocol

    Low overridden

    A Java Process connected to an external IP address or host, which is rarely connected to from the organization using LDAP protocol. overridden

    Rare connection to external IP address or host by a java application using RMI-IIOP protocol

    Low overridden

    A Java Process connected to an external IP address or host, which is rarely connected to from the organization using RMI-IIOP protocol. overridden

  • Rare file transfer over SMB protocol Low

    The endpoint performed an abnormal file transfer over SMB to a remote host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services (T1021)
    Required data: XDR Agent
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: Attackers may attempt to gain persistence or move laterally over the network by dropping executable files and scripts on remote hosts using the SMB protocol.
    Investigative actions: Inspect the file that was transferred to the remote host. Verify that this isn't IT activity.
  • Rare machine account creation Informational Identity Analytics

    A user was observed creating a machine account for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Create Account (T1136)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Verify the activity of the user who created the account. Follow actions performed by the new machine account.
  • Rare process accessed a Keychain file Informational 5 variations

    An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores: Keychain (T1555.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Credentials Grabbing Analytics
    Attacker's goals: Obtain access to credentials stored in the Keychain file.
    Investigative actions: Determine whether it is legitimate for the process to access credential data directly. Analyze the process/application that touched the Keychain. Check for any other suspicious actions that were performed by the process. Look for unusual access to resources using credentials stored on said Keychain.

    Variations

    Rare process accessed a Keychain file using the networksetup tool

    High overridden

    An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden

    Rare process accessed a Keychain file while installing a new certificate

    Medium overridden

    An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden

    Rare process accessed a Keychain file initiated by a causality actor with a rare path

    Low overridden

    An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden

    Rare process accessed a Keychain file initiated by an unsigned causality actor

    Low overridden

    An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden

    Rare unsigned process accessed a Keychain file

    Low overridden

    An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden

  • Rare process created an SSH session to an uncommon cloud resource Low

    A rare process created an SSH session to an uncommon cloud resource.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Attackers may use SSH or any similar utility as a Command and Control (C2) channel or to exfiltrate data to a remote host.
    Investigative actions: Investigate the actor process and its causality. Review the remote cloud asset, is it managed by the organization or a partner? Search for processes or files that were accessed by this SSH instance.
  • Rare process created an SSH session to an uncommon external host Low 3 variations

    Rare process created an SSH session to an uncommon external host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Attackers may use SSH or any similar utility to as a Command and Control (C2) channel or to exfiltrate data to a remote host.
    Investigative actions: Investigate the actor process and its causality. Review the external IP/domain using known intelligence tools. Search for processes or files that were accessed by this SSH instance.

    Variations

    Rare process created an SSH session to a domain with an uncommon TLD

    Medium overridden

    Rare process created an SSH session to a domain with an uncommon TLD. overridden

    Rare process created an SSH session to an globally uncommon external host

    Low overridden

    Rare process created an SSH session to an globally uncommon external host. overridden

    Rare process created an SSH session to an external host

    Informational overridden

    Rare process created an SSH session to an external host. overridden

  • Rare process executed by an AppleScript Low

    An uncommon process has been executed by the AppleScript interpreter process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: AppleScript (T1059.002)
    Required data: XDR Agent
    Detector tags: AppleScript Analytics
    Attacker's goals: Use the AppleScript interpreter to execute a second-stage payload.
    Investigative actions: Analyze the AppleScript and executed process to determine whether they perform any malicious or suspicious actions. Check the events generated by the process or its children for potential malicious behavior. Check whether the AppleScript was executed in an unusual way.
  • Rare process execution by user Informational Identity Analytics

    An unusual process was executed by a user. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Attacker's goals: Unusual processes may be executed for various purposes, including exfiltration, lateral movement, etc.
    Investigative actions: Investigate the process that was executed to determine if it was used for legitimate purposes or malicious activity.
  • Rare process execution in organization Informational Identity Analytics

    An unusual process was executed in the organization. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Attacker's goals: Unusual processes may be executed for various purposes, including exfiltration, lateral movement, etc.
    Investigative actions: Investigate the process that was executed to determine if it was used for legitimate purposes or malicious activity.
  • Rare process spawned by srvany.exe Informational

    Unusual process spawned by srvany.exe, which allows applications to run as services with system privileges, this might be an indication of malicious local or remote code execution.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Attacker's goals: Execute malware on the host in a manner that doesn't leave event logs within the system.
    Investigative actions: Validate if the binary that srvany.exe executed is malicious. Track down the source of the srvany.exe binary and the executed process. Validate if this is a legitimate software installed by IT.
  • Rare process with VNC server capabilities started Low

    A rare process with VNC server capabilities was started.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Lateral Movement (TA0008)
    ATT&CK techniques: Remote Access Tools (T1219) Remote Services: VNC (T1021.005)
    Required data: XDR Agent
    Attacker's goals: Accessing a remote machine with full interactive graphic interface capabilities.
    Investigative actions: Check if the product usage is approved. Check if it was executed remotely or locally.
  • Rare scheduled task created Informational 4 variations

    A new rare scheduled task was created with a rare path and a rare command line.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Impacket Analytics, Scheduled tasks Analytics
    Attacker's goals: Attackers may attempt to gain persistence on the endpoint using scheduled task.
    Investigative actions: Review the action of the created scheduled task. Investigate the execution chain of the process creating the scheduled task.

    Variations

    Rare scheduled task created by an injected actor

    High overridden

    A new rare scheduled task was created by an injected actor with a rare path and a rare command line. overridden

    Uncommon remote scheduled task created

    Medium overridden

    A new uncommon remote scheduled task was created with a rare path and a rare command line. overridden

    Uncommon local scheduled task created

    Low overridden

    A new uncommon local scheduled task was created with a rare path and a rare command line. overridden

    Highly rare scheduled task created

    Low overridden

    A new rare scheduled task was created with an highly rare path and a rare command line. overridden

  • Rare security product signed executable executed in the network Low

    Attackers may attempt to install a security product with a known vulnerability to bypass security features.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Exploitation for Defense Evasion (T1211)
    Required data: XDR Agent
    Attacker's goals: Adversaries may exploit the application vulnerability to bypass security features.
    Investigative actions: Check if the security product was installed by a legitimate user and intentionally.
  • Rare service DLL was added to the registry Low 2 variations

    A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Masquerading: Masquerade Task or Service (T1036.004) Create or Modify System Process: Windows Service (T1543.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Malicious Service Analytics
    Attacker's goals: Masquerade execution on the host using a benign Windows process and achieve persistence.
    Investigative actions: Investigate the suspicious DLL and check for malicious content. Go to the service registry key and investigate it to find the associated executable that runs the service. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Rare service DLL was added to the registry from an injected thread

    Medium overridden

    A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware. overridden

    Rare service DLL was added to the registry from a rare unsigned actor process

    High overridden

    A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware. overridden

  • Rare signature signed executable executed in the network Informational 4 variations

    Attackers may use signed executables by less known vendors to bypass security features.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Subvert Trust Controls: Code Signing (T1553.002)
    Required data: XDR Agent
    Attacker's goals: Adversaries may use signed binaries to bypass security features.
    Investigative actions: Check if this is legitimate software installed by a legitimate user and intentionally.

    Variations

    Rare signature signed forensic tool remotely executed in the network

    Medium overridden

    Attackers may use signed executables by less known vendors to bypass security features. overridden

    Rare signature signed forensic tool executed in the network

    Low overridden

    Attackers may use signed executables by less known vendors to bypass security features. overridden

    Rare signature signed executable extracted from an internet-downloaded archive and executed in the network

    Low overridden

    Attackers may use signed executables by less known vendors to bypass security features. overridden

    Rare signature signed executable downloaded from an uncommon source and executed in the network

    Low overridden

    Attackers may use signed executables by less known vendors to bypass security features. overridden

  • Rare unsigned process execution by scheduled task Low 3 variations

    Rare and unsigned process was executed by a scheduled task.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: Attackers may attempt to gain persistence on the endpoint using scheduled tasks.
    Investigative actions: Review the process executed by the schedule task. Investigate the specific scheduled task execution chain.

    Variations

    Uncommon unsigned process execution by scheduled task

    Informational overridden

    Uncommon and unsigned process was executed by a scheduled task. overridden

    Rare unsigned process execution with high integrity level by scheduled task

    Medium overridden

    Rare and unsigned process was execution with high integrity level by a scheduled task. overridden

    Rare unsigned process execution by scheduled task on a sensitive server

    Medium overridden

    Rare and unsigned process was executed by a scheduled task. overridden

  • Rarely seen URL(s) within a well-known domain detected in your organization's email Informational Email

    We have identified unpopular URL(s) within this email.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Trick the user into engaging with a URL(s), aiming to extract information or establish access to the network.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Rarely seen sender address in the organization Informational Email

    An email was received from a sender that has not been observed in the organization in the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)
    ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)
    Required data: Microsoft 365 Emails
    Attacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.
    Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Rarely seen sender domain in the organization Informational Email

    An email was received from a domain that has not been observed in the organization in the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)
    ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)
    Required data: Microsoft 365 Emails
    Attacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.
    Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.