Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

9 alerts match the current filters. tactic: TA0001 ✕ technique: T1552 ✕

Show ATT&CK heatmap
  • A Command Line Interface (CLI) command was executed from a GCP serverless compute service Low Cloud 4 variations

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552)
    Required data: Gcp Audit Log
    Detector tags: Cloud Serverless Function Credentials Theft Analytics
    Attacker's goals: Exfiltrate serverless token and abuse it.
    Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.

    Variations

    Suspicious Command Line Interface (CLI) command was executed from a GCP Cloud Build service

    Low overridden

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden

    Suspicious Command Line Interface (CLI) command was executed from a GCP serverless compute service

    Informational overridden

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden

    A Command Line Interface (CLI) command was executed from a GCP Cloud Build service

    Low overridden

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden

    Unusual Command Line Interface (CLI) command was executed from a GCP serverless compute service

    Medium overridden

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden

  • A Command Line Interface (CLI) command was executed from an AWS serverless compute service Low Cloud 2 variations

    AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552) Command and Scripting Interpreter: Cloud API (T1059.009)
    Required data: AWS Audit Log
    Detector tags: Cloud Serverless Function Credentials Theft Analytics
    Attacker's goals: Exfiltrate serverless token and abuse it.
    Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.

    Variations

    A Command Line Interface (AWS-CLI) command was executed from an AWS serverless compute service

    Informational overridden

    AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden

    Unusual Command Line Interface (CLI) command was executed from an AWS serverless compute service

    Low overridden

    AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden

  • A compute-attached identity executed API calls outside the instance's region Informational Cloud 6 variations

    A compute-attached identity performed actions outside the compute instance region.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate token and abuse it remotely.
    Investigative actions: Verify whether the compute-attached identity's credentials were intentionally used remotely. Check what API calls were executed using instance's attached role. Check if the suspected instance is compromised.

    Variations

    A compute-attached identity executed API calls outside the Lambda function's region

    Informational overridden

    A compute-attached identity performed actions outside the Lambda function region. overridden

    A compute-attached identity executed API calls outside the instance's region from an unusual geolocation and ASN

    High overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

    A compute-attached identity executed API calls outside the instance's region from an unusual geolocation

    Medium overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

    A compute-attached identity executed API calls outside the instance's region from an unusual ASN

    Low overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

    A compute-attached identity executed API calls outside the instance's region

    Low overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

    A compute-attached identity failed to execute API calls outside the instance's region

    Informational overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

  • An unusual process in ingress-nginx has accessed a service-account token file High Cloud

    An unusual process in ingress-nginx has read a service-account token.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Exploit Public-Facing Application (T1190) Unsecured Credentials (T1552)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: An attacker is attempting to gain unauthorized access by leveraging valid credentials.
    Investigative actions: Check if the process is intended to preform these actions.
  • Cloud IMDS access followed by remote token usage Medium Cloud

    A request was made to the cloud Instance Metadata Service (IMDS) followed by a remote usage of EC2 role token.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Exploit Public-Facing Application (T1190) Unsecured Credentials (T1552)
    Required data: AWS Audit Log XDR Agent
    Attacker's goals: Gain unauthorized access by leveraging valid cloud credentials.
    Investigative actions: Identify the process that accessed the IMDS on the cloud instance. Examine the AWS API calls made by the stolen token, focusing on unusual or sensitive actions. Assess the role's permissions and rotate credentials if compromise is confirmed.
  • Granting Access to an Account Informational Cloud

    Azure access has been granted to an account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts (T1078) Unsecured Credentials (T1552) Modify Authentication Process (T1556) OS Credential Dumping (T1003) Brute Force (T1110) Forge Web Credentials (T1606)
    Required data: Azure Audit Log
    Attacker's goals: Gain unauthorized access to an account. Gain access to sensitive data.
    Investigative actions: Check the account access logs to determine the source of the access. Check the account activity logs to determine the purpose of the access.
  • Remote usage of AWS Lambda's role Informational Cloud 5 variations

    An AWS Lambda's role was used externally of the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)
    ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate token and abuse it remotely.
    Investigative actions: Check if the IAM role was assumed by an unknown identity. Check what API calls were executed using the access-key.

    Variations

    Remote command line usage of AWS Lambda's role

    High overridden

    An AWS Lambda's role was used externally of the cloud environment. overridden

    Suspicious usage of AWS Lambda's role

    Medium overridden

    An AWS Lambda's role was used externally of the cloud environment. overridden

    Suspicious usage of AWS Lambda's role

    Low overridden

    An AWS Lambda's role was used externally of the cloud environment. overridden

    Suspicious usage of AWS Lambda's role

    High overridden

    An AWS Lambda's role was used externally of the cloud environment. overridden

    Usage of AWS Lambda's role from a known ASN

    Informational overridden

    An AWS Lambda's role was used externally of the cloud environment. overridden

  • Remote usage of an AWS service token Low Cloud 1 variation

    An AWS service token was used externally of the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008) Initial Access (TA0001)
    ATT&CK techniques: Steal Application Access Token (T1528) Use Alternate Authentication Material: Application Access Token (T1550.001) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate a token and abuse it remotely.
    Investigative actions: Check what actions were executed using the access-key. Check if the IAM role was assumed by a different identity.

    Variations

    Suspicious usage of AWS service token

    Medium overridden

    An AWS service token was used externally of the cloud environment. overridden

  • Suspicious usage of EC2 token Low Cloud 1 variation

    An AWS EC2 STS token was used externally from an EC2 instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)
    ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate token and abuse it remotely.
    Investigative actions: Check if the access key was generated by the attached instance. Check what actions were executed by the access key. Check if the relevant instance is compromised.

    Variations

    Suspicious usage of EC2 token

    Medium overridden

    An AWS EC2 STS token was used externally from an EC2 instance. overridden