Analytics Alerts
Browse the Cortex analytics alert reference.
2 alerts match the current filters. tactic: TA0002 ✕ technique: T1078 ✕
Show ATT&CK heatmapA Command Line Interface (CLI) command was executed from an AWS serverless compute service Low Cloud 2 variations
AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552) Command and Scripting Interpreter: Cloud API (T1059.009)Required data: AWS Audit LogDetector tags: Cloud Serverless Function Credentials Theft AnalyticsAttacker's goals: Exfiltrate serverless token and abuse it.Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.Variations
A Command Line Interface (AWS-CLI) command was executed from an AWS serverless compute service
Informational overridden
AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden
Unusual Command Line Interface (CLI) command was executed from an AWS serverless compute service
Low overridden
AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden
PsExec was executed with a suspicious command line Informational 4 variations
PsExec.exe was executed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)ATT&CK techniques: System Services: Service Execution (T1569.002) Valid Accounts (T1078)Required data: XDR AgentAttacker's goals: An adversary may attempt to use PsExec to gain execution capabilities, run remote commands or perform privilege escalation.Investigative actions: Check if any other suspicious activities happened under the same causality. Confirm the PsExec.exe command is benign.Variations
PsExec was executed with a suspicious command line by a LOLBIN
Low overridden
PsExec.exe was executed with NT/System privilege level by a LOLBIN. overridden
PsExec was executed with a suspicious command line by an unsigned actor
Medium overridden
PsExec.exe was executed with NT/System privilege level by an unsigned actor. overridden
PsExec was executed with a suspicious command line
Low overridden
PsExec.exe was executed with NT/System privilege level. overridden
PsExec was executed with a suspicious command line
Low overridden
PsExec.exe was executed with plain-text credentials. overridden