Analytics Alerts
Browse the Cortex analytics alert reference.
8 alerts match the current filters. tactic: TA0001 ✕ technique: T1528 ✕
Show ATT&CK heatmapA Command Line Interface (CLI) command was executed from a GCP serverless compute service Low Cloud 4 variations
A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552)Required data: Gcp Audit LogDetector tags: Cloud Serverless Function Credentials Theft AnalyticsAttacker's goals: Exfiltrate serverless token and abuse it.Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.Variations
Suspicious Command Line Interface (CLI) command was executed from a GCP Cloud Build service
Low overridden
A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden
Suspicious Command Line Interface (CLI) command was executed from a GCP serverless compute service
Informational overridden
A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden
A Command Line Interface (CLI) command was executed from a GCP Cloud Build service
Low overridden
A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden
Unusual Command Line Interface (CLI) command was executed from a GCP serverless compute service
Medium overridden
A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden
A Command Line Interface (CLI) command was executed from an AWS serverless compute service Low Cloud 2 variations
AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552) Command and Scripting Interpreter: Cloud API (T1059.009)Required data: AWS Audit LogDetector tags: Cloud Serverless Function Credentials Theft AnalyticsAttacker's goals: Exfiltrate serverless token and abuse it.Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.Variations
A Command Line Interface (AWS-CLI) command was executed from an AWS serverless compute service
Informational overridden
AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden
Unusual Command Line Interface (CLI) command was executed from an AWS serverless compute service
Low overridden
AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden
A compute-attached identity executed API calls outside the instance's region Informational Cloud 6 variations
A compute-attached identity performed actions outside the compute instance region.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552)Required data: AWS Audit LogAttacker's goals: Exfiltrate token and abuse it remotely.Investigative actions: Verify whether the compute-attached identity's credentials were intentionally used remotely. Check what API calls were executed using instance's attached role. Check if the suspected instance is compromised.Variations
A compute-attached identity executed API calls outside the Lambda function's region
Informational overridden
A compute-attached identity performed actions outside the Lambda function region. overridden
A compute-attached identity executed API calls outside the instance's region from an unusual geolocation and ASN
High overridden
A compute-attached identity performed actions outside the compute instance region. overridden
A compute-attached identity executed API calls outside the instance's region from an unusual geolocation
Medium overridden
A compute-attached identity performed actions outside the compute instance region. overridden
A compute-attached identity executed API calls outside the instance's region from an unusual ASN
Low overridden
A compute-attached identity performed actions outside the compute instance region. overridden
A compute-attached identity executed API calls outside the instance's region
Low overridden
A compute-attached identity performed actions outside the compute instance region. overridden
A compute-attached identity failed to execute API calls outside the instance's region
Informational overridden
A compute-attached identity performed actions outside the compute instance region. overridden
Azure application consent Informational Identity Threat Module 1 variation
An identity consented permissions to an application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Phishing (T1566) Phishing: Spearphishing Link (T1566.002) Steal Application Access Token (T1528) Trusted Relationship (T1199)Required data: AzureAD Audit LogAttacker's goals: Get access to credentials, data or an organization via applications with sufficient permissions.Investigative actions: Follow further actions by the consenting user. Check for new resource creations by the new user. Check how the consenting user got to the application. Verify the application creators. Check what permissions the application requested. Check for possible phishing in the organization.Variations
First seen Azure admin consent to an application
Low overridden
An administrative identity consented permissions to an application. overridden
Possible ConsentFix - OAuth Token Theft Detected Informational Identity Threat Module 1 variation
Detection of potential OAuth token theft via a forced 'localhost' redirect and first-party app abuse.This indicates an attacker has likely bypassed MFA to hijack a user's cloud session.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)ATT&CK techniques: Phishing (T1566) User Execution: Malicious Link (T1204.001) Steal Application Access Token (T1528)Required data: AzureADAttacker's goals: Bypass identity trust controls to gain persistent unauthorized access to cloud resources.Investigative actions: Check for successful logins to Azure CLI or PowerShell from anomalous IPs. Review sign-in logs for User-Agents associated with CLI tools or scripts. Revoke all active OAuth refresh tokens for the user immediately.Variations
OAuth Token Theft - Potential Session Hijacking Detected from new ASN
Low overridden
Detection of potential OAuth token theft via a forced 'localhost' redirect and first-party app abuse.This indicates an attacker has likely bypassed MFA to hijack a user's cloud session. overridden
Remote usage of AWS Lambda's role Informational Cloud 5 variations
An AWS Lambda's role was used externally of the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogAttacker's goals: Exfiltrate token and abuse it remotely.Investigative actions: Check if the IAM role was assumed by an unknown identity. Check what API calls were executed using the access-key.Variations
Remote command line usage of AWS Lambda's role
High overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Suspicious usage of AWS Lambda's role
Medium overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Suspicious usage of AWS Lambda's role
Low overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Suspicious usage of AWS Lambda's role
High overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Usage of AWS Lambda's role from a known ASN
Informational overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Remote usage of an AWS service token Low Cloud 1 variation
An AWS service token was used externally of the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008) Initial Access (TA0001)ATT&CK techniques: Steal Application Access Token (T1528) Use Alternate Authentication Material: Application Access Token (T1550.001) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogAttacker's goals: Exfiltrate a token and abuse it remotely.Investigative actions: Check what actions were executed using the access-key. Check if the IAM role was assumed by a different identity.Variations
Suspicious usage of AWS service token
Medium overridden
An AWS service token was used externally of the cloud environment. overridden
Suspicious usage of EC2 token Low Cloud 1 variation
An AWS EC2 STS token was used externally from an EC2 instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogAttacker's goals: Exfiltrate token and abuse it remotely.Investigative actions: Check if the access key was generated by the attached instance. Check what actions were executed by the access key. Check if the relevant instance is compromised.Variations
Suspicious usage of EC2 token
Medium overridden
An AWS EC2 STS token was used externally from an EC2 instance. overridden