Analytics Alerts
Browse the Cortex analytics alert reference.
207 alerts match the current filters. tactic: TA0003 ✕
Show ATT&CK heatmapA Google Workspace identity created, assigned or modified a role Informational Identity Threat Module 3 variations
A Google Workspace identity created, assigned or modified a delegated admin role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: An adversary may create, assign or modify a role to elevate the permissions of other user accounts and persist in their target's environment.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check the identity's role designation in the organization. Follow further actions done by the account.Variations
A non-administrative Google Workspace identity created, assigned or modified a role from an unusual ASN
Low overridden
A Google Workspace identity created, assigned or modified a delegated admin role. overridden
A non-administrative Google Workspace identity created, assigned or modified a role
Low overridden
A Google Workspace identity created, assigned or modified a delegated admin role. overridden
A Google Workspace identity created, assigned or modified a role from an unusual ASN
Low overridden
A Google Workspace identity created, assigned or modified a delegated admin role. overridden
A Google Workspace identity performed an unusual admin console activity Informational Identity Threat Module 1 variation
A Google Workspace identity performed an admin console activity for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: To do.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the changes that were made look suspicious. Follow further actions done by the account.Variations
A non-administrative Google Workspace identity performed an unusual admin console activity
Informational overridden
A Google Workspace identity performed an admin console activity for the first time. overridden
A Google Workspace user was added to a group Informational Identity Threat Module
A user added another user to a Google Workspace group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may manipulate accounts and groups to maintain access to victim systems.Investigative actions: Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the user was added to a sensitive group. Follow further actions done by the account.A Kubernetes ConfigMap was created or deleted Informational Cloud
A Kubernetes ConfigMap was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Maintain persistence using valid credentials.Investigative actions: Check which changes were made to the Kubernetes ConfigMap.A Kubernetes Cronjob was created Informational Cloud
A Kubernetes CronJob was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Scheduled Task/Job: Container Orchestration Job (T1053.007)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Maintain persistence by scheduling deployment of containers configured to execute malicious code.Investigative actions: Check which changes were made to the Kubernetes CronJob.A Kubernetes service account was created or deleted Informational Cloud 1 variation
A Kubernetes service account was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Maintain persistence using a valid service account.Investigative actions: Check which changes were made to the Kubernetes service account.Variations
A Kubernetes service account was created or deleted in a default namespace
Informational overridden
A Kubernetes service account was created or deleted. overridden
A Microsoft Teams application was installed Informational Identity Threat Module 1 variation
A Microsoft Teams application was installed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Cloud Application Integration (T1671)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage Teams applications to maintain persistent access to compromised Teams accounts.Investigative actions: Confirm that the application was created by a certified and trusted entity. Evaluate the permissions requested by the application to determine if they are excessive or unusual. Determine if it is within the user's role to install this type of application. Correlate the alert with the sign-in event to get additional information on the identity performing the action. Follow further actions done by the account.Variations
A Microsoft Teams application was installed with special parameters
Low overridden
A Microsoft Teams application was installed. overridden
A Microsoft Teams bot was added to a team Informational Identity Threat Module
A user added a bot to a team in Microsoft Teams.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Cloud Application Integration (T1671)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage Teams bots to maintain persistent access to compromised Teams accounts.Investigative actions: Confirm that the bot was created by a certified and trusted entity. Evaluate the permissions requested by the bot to determine if they are excessive or unusual. Determine if it is within the user's role to add bots to teams. Follow further actions done by the account.A WMI subscriber was created Informational
A WMI subscriber was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Impacket AnalyticsAttacker's goals: Command execution and persistence on the host.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.A browser extension was installed or loaded in an uncommon way Informational 3 variations
A browser extension was installed or loaded in an uncommon way.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Software Extensions: Browser Extensions (T1176.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Chromium Extensions AnalyticsAttacker's goals: Gain persistency on a machine and steal sensitive browsing data.Investigative actions: Investigate the extension files and the process that installed them. Check if this extension is currently present at the relevant extensions web store by looking up for its extension ID.Variations
A browser was forced to load an extension using a special command line argument
Low overridden
A browser was forced to load an extension using a special command line argument, an uncommon method. overridden
A browser extension was installed or loaded in an uncommon way by a LOLBIN process
Low overridden
A browser extension was installed or loaded in an uncommon way. overridden
A browser extension was installed or loaded in an uncommon way by an uncommon process
Low overridden
A browser extension was installed or loaded in an uncommon way. overridden
A cloud identity invoked IAM related persistence operations Informational Cloud 2 variations
A cloud identity invoked IAM related persistence operations.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Create Account: Cloud Account (T1136.003) Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Maintain persistence in cloud environments.Investigative actions: Check what API calls were executed by the identity. Check what cloud resources were affected. Look for signs that the identity is compromised.Variations
A cloud identity invoked compute instance related persistence operations
Informational overridden
A cloud identity invoked compute instance related persistence operations. overridden
A cloud identity invoked compute function related persistence operations
Informational overridden
A cloud identity invoked compute function related persistence operations. overridden
A computer account was promoted to DC Low Identity Analytics
A computer account was promoted to a domain controller via a User Account Control (UAC) change.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may attempt to gain domain administrator privileges.Investigative actions: Verify if the domain controller promotion is expected. Check if the computer account is a new account. Confirm this action with the user who performed the change. Follow actions by the account and if it performed a DCSync.A contained executable was executed by an unusual process Medium 3 variations
A Docker-contained executable from a mounted share was executed on a host.Running a contained executable is highly dangerous and atypical.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Escape to Host (T1611) Boot or Logon Autostart Execution: Kernel Modules and Extensions (T1547.006)Required data: XDR AgentAttacker's goals: Gain high privileged command execution on the host machine via one of its running containers.Investigative actions: Check what actions were made after the suspicious file execution. Investigate the contained process and its process tree.Variations
A contained executable was executed by the Linux kernel thread daemon
High overridden
A contained executable in a cloud machine was executed by the Linux kernel thread daemon.This behavior is suspicious as it may be a result of an attacker attempting to escape from a container, as the kernel thread daemon is usually used to spawn kernel processes only. overridden
A contained executable was executed by the Linux kernel thread daemon
High overridden
A contained executable was executed by the Linux kernel thread daemon.This behavior is suspicious as it may be a result of an attacker attempting to escape from a container, as the kernel thread daemon is usually used to spawn kernel processes only. overridden
A contained executable was executed by an unusual process
Medium overridden
A Docker-contained executable from a mounted share on a cloud machine was executed on a host.Running a contained executable is highly dangerous and atypical. overridden
A process modified an SSH authorized_keys file Informational 3 variations
A process modified an SSH authorized_keys file, which is used in SSH authentication. An attack can add or remove an SSH key to gain access to a targeted host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation: SSH Authorized Keys (T1098.004)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, Containers, Generic Persistence AnalyticsAttacker's goals: Adversaries use this to ensure that they possess the corresponding private key and may log in as an existing user via SSH.Investigative actions: Check the file modification, try to understand the impact of the related processes and network connections.Variations
A process modified an SSH authorized_keys2 file
Low overridden
A process modified an SSH authorized_keys file, which is used in SSH authentication. An attack can add or remove an SSH key to gain access to a targeted host. overridden
A process modified an SSH authorized_keys file from within a Kubernetes Pod
Low overridden
A process modified an SSH authorized_keys file, which is used in SSH authentication. An attack can add or remove an SSH key to gain access to a targeted host. overridden
Unpopular process modified the SSH authorized_keys file
Low overridden
An unpopular process modified the SSH authorized_keys file. overridden
A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process Informational 8 variations
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.Variations
A rare DLL, signed by an uncommon vendor, was hijacked into an injected Microsoft process
Medium overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process which was executed by untrusted causality actor
Medium overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was downloaded from an uncommon source and was loaded into Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by a rarely seen vendor, was hijacked into a Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare and high entropy DLL, signed by an uncommon vendor, was hijacked into a Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was hijacked into a newly created Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was sideloaded into a Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process which was executed by a scheduled task
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare file path was added to the AppInit_DLLs registry value Low 2 variations
A rare file path was added to AppInit_DLLs registry value.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Event Triggered Execution (T1546)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Injection AnalyticsAttacker's goals: Establish persistence and/or elevate privileges by injecting malicious content triggered by AppInit DLLs loaded into processes.Investigative actions: Investigate the path of the modified value. Investigate the causality actor process which initiated the activity.Variations
A rare file path was added to the AppInit_DLLs registry valueusing a manual registry tool
Medium overridden
A rare file path was added to AppInit_DLLs registry value. overridden
A rare file path was added to the AppInit_DLLs registry valuewith a commonly abused path
Medium overridden
A rare file path was added to AppInit_DLLs registry value. overridden
A user accessed Okta's admin application Informational Identity Threat Module 1 variation
An attempt to access Okta's admin management application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Domain or Tenant Policy Modification (T1484) Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: Adversaries are attempting to infiltrate Okta's administrative application, a breach that could lead to the manipulation of authentication procedures, creation of persistent user accounts, and various activities aiding in the compromise of additional assets.Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).Variations
Suspicious Okta Admin App Access Attempt
Low overridden
A user attempted to access the Okta Admin Application in a suspicious way. overridden
A user certificate was issued with a mismatch Informational Identity Analytics 1 variation
A certificate was issued to a user who was not the requester, this may indicate a certificate manipulation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Attackers may try to obtain certificates for privileged accounts or systems they do not normally have access to, to gain elevated access and move laterally within the network.Investigative actions: Verify the activity with the performing user. Identify if the requester is a user or system that normally requests certificates on behalf of other entities (e.g., a Mobile Device Management system). Search for further indicators of potential compromise, including atypical login behaviors, unauthorized attempts at privilege escalation, or lateral movements within the network attributed to the requester. Examine whether the mismatch between the requester and the subject is consistent with known and anticipated practices, or if it represents an unusual deviation. Check for possible certificate authentications with the subject user.Variations
Suspicious certificate issuance with a mismatch
Low overridden
A user certificate was issued with a mismatch. This requester doesn't usually ask for a certificates on behalf of another subject. This may indicate a certificate manipulation. overridden
A user enabled a default local account Informational Identity Analytics 2 variations
A user enabled a default local account. Enabling a default account may pose a security risk, as they are often exploited by attackers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: Valid Accounts: Default Accounts (T1078.001) Account Manipulation (T1098)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may attempt to gain access to the account and escalate privileges.Investigative actions: Check what rights and permissions were granted to the user. Verify this action with the user who performed the change. Follow actions and activities of the newly enabled default account.Variations
A user enabled the Windows DefaultAccount
Low overridden
A user enabled the Windows DefaultAccount. Enabling a default account may pose a security risk, as they are often exploited by attackers. overridden
A user enabled the Windows default Guest account
Low overridden
A user enabled a default local account. Enabling a default account may pose a security risk, as they are often exploited by attackers. overridden
A user logged in to the AWS console for the first time Informational Cloud 1 variation
A user logged in to the AWS console for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Lateral Movement (TA0008)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Remote Services: Cloud Services (T1021.007)Required data: AWS Audit LogAttacker's goals: Evading detections by performing direct operations using the AWS console. Performing non-automatic operations easily.Investigative actions: Check if the identity is an AWS identity. Investigate which operations were performed by the identity.Variations
A non-user identity logged in to the AWS console for the first time
Medium overridden
A non-user identity logged in to the AWS console for the first time. overridden
A user logged on to multiple workstations via Schannel Informational Identity Analytics 2 variations
A user logged on to multiple workstations with a certificate via Schannel. This may be indicative of a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)Required data: XDR AgentDetector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Elevate permissions and establish persistence.Investigative actions: Verify the activity with the performing user. Check for possible certificate authentications with the subject user. Check if the user logged in to other endpoints via Schannel.Variations
Rare user authentication with a certificate via Schannel
Low overridden
A rare user authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden
Abnormal authentication with a certificate via Schannel
Informational overridden
An abnormal authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden
A user modified an Okta MFA factor Informational Identity Threat Module 1 variation
An Okta MFA factor was modified by a user, suggesting a potential compromise of the account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Persistence (TA0003)ATT&CK techniques: Modify Authentication Process (T1556) Modify Authentication Process: Multi-Factor Authentication (T1556.006)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker is attempting to gain access to an account secured with MFA.Investigative actions: Contact the user and ensure the operation was legitimate. Check if the user modifies more factors. If the user activates a weak factor, check for abnormal successful sign-ins from different countries and times. If the user deactivates a strong factor, check if he authenticates with unusual factors and checks for abnormal successful sign-ins from different countries and times.Variations
Abnormal Okta MFA Factor Authentication Modification
Low overridden
An OKTA MFA factor was modified by a user with suspicious conditions. overridden
A user modified an Okta policy rule Informational Identity Threat Module 1 variation
An Okta policy rule was modified by a user, suggesting a potential compromise of the account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification (T1484) Modify Authentication Process (T1556)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker may attempt to modify an Okta policy rule to weaken an organization's security controls.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate if any other security policies have been changed or removed.Variations
A user modified an Okta policy rule with suspicious characteristics
Low overridden
An Okta policy rule was modified by a suspicious user, suggesting a potential compromise of the account. overridden
A user was added to a Windows security group Informational Identity Analytics 4 variations
A user was added to a Windows security group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Privilege escalation using a valid account.Investigative actions: Check the user who added the account to the group and verify its activity.Variations
User added a member to a Windows privileged group for the first time
Medium overridden
A user was added to a Windows security privileged group. overridden
User added to a Windows privileged group
Low overridden
A user was added to a Windows security privileged group. overridden
User removed from a Windows privileged group
Informational overridden
A user was removed from a Windows security privileged group. overridden
A user was removed from a Windows security group
Informational overridden
A user was removed from a Windows security group. overridden
AWS SES account sending settings modified Informational Cloud
AWS SES account sending settings were modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: AWS Audit LogAttacker's goals: Gain access to confidential emails of an organization. Compromise the organization's cloud Email infrastructure.Investigative actions: Check whether the SES Email sending setting modification was intentional.AWS STS temporary credentials were generated Informational Cloud
AWS STS temporary credentials were generated for an AWS identity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Trusted Relationship (T1199) Forge Web Credentials (T1606)Required data: AWS Audit LogAttacker's goals: Gain access and persistence to AWS account.Investigative actions: Check which operation executed with the new credentials.AWS console login without MFA Informational Cloud
An identity logged in to the AWS console without MFA.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Credential Access (TA0006)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Multi-Factor Authentication Request Generation (T1621)Required data: AWS Audit LogAttacker's goals: Bypassing multifactor authentication controls to gain unauthorized access to the cloud environment.Investigative actions: Determine why MFA was not enforced and whether MFA was ever enabled. Track any subsequent activity performed by the identity after the login to identify potential misuse.AWS network ACL rule creation Informational Cloud
An AWS network ACL rule was created with a specific rule number.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Exfiltration (TA0010)ATT&CK techniques: External Remote Services (T1133) Exfiltration Over Alternative Protocol (T1048)Required data: AWS Audit LogAttacker's goals: Deleting an ingress rule may allow an attacker to gain persistence in the cloud environment.Deleting an egress rule may enable data exfiltration.Investigative actions: Check the VPC affected by this change. Verify the rule number (as rules are applied in order). Determine whether the rule is ingress or egress.AWS user creation Informational Cloud
A new AWS user was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Create Account: Cloud Account (T1136.003)Required data: AWS Audit LogAttacker's goals: Maintaining persistence by creating backdoor users or malicious resources, ensuring ongoing access even if their initial entry is detected.Investigative actions: Check which user was created. Investigate the created user role and permissions. Verify the user who created the new identity is aware of this action. Be aware of any suspicious activity originating from the new user.An AWS Lambda Function was created Informational Cloud
An AWS Lambda Function was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002) Persistence (TA0003)ATT&CK techniques: Serverless Execution (T1648) Scheduled Task/Job: Scheduled Task (T1053.005)Required data: AWS Audit LogAttacker's goals: Execute malicious code on AWS using Lambda functions. Maintain persistence on AWS Lambda by creating or invoking Lambda functions.Investigative actions: Identify the Lambda function that was created and analyze its code for any malicious activity.An AWS database service master user password was changed Informational Cloud 2 variations
An AWS database service master user password was changed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Stealth Tactics, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Gain access and control of the database.Investigative actions: Confirm the identity intended to perform this action. Follow further actions done by the identity. Check what other changes were made to the AWS Database instance or cluster.Variations
An AWS Database Service master user password was changed from an unusual country
Low overridden
An AWS database service master user password was changed. overridden
An AWS Database Service master user password was changed by a non-DevOps identity
Low overridden
An AWS database service master user password was changed. overridden
An Email address was added to AWS SES Informational Cloud
An Email address was added to AWS SES.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: AWS Audit LogAttacker's goals: Gain access to SES account. Abuse the new identity as a spambot.Investigative actions: Check which identity was added to the service.An IAM group was created Informational Cloud
An IAM group was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Create Account (T1136)Required data: AWS Audit LogAttacker's goals: Gain persistence through an IAM user who may be a member of the newly created group.Investigative actions: Review the group's permissions. Identify which users were added to the group.An executable was written and executed by a web server Low
Web server process had written an executable file that was executed shortly after.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Server Software Component: Web Shell (T1505.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Webshell AnalyticsAttacker's goals: Gaining the ability to execute commands on the host, as well as persistence.Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the dropped file contains malicious content.An identity attached an administrative policy to an IAM user or role Informational Cloud 3 variations
An identity attached an administrative policy to an IAM user or role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Escalate privileges in cloud environments.Investigative actions: Confirm whether this activity was intentional. Check for other API calls that were executed by the identity. Look for any suspicious behavior from the IAM user or role to whom the administrative policy was attached.Variations
An identity attached an administrative policy to itself
Medium overridden
An identity attached an administrative policy to an IAM user or role. overridden
An identity failed to attach an administrative policy to an IAM user or role
Medium overridden
An identity attached an administrative policy to an IAM user or role. overridden
A suspicious identity attached an administrative policy to an IAM user/role
Low overridden
An identity attached an administrative policy to an IAM user or role. overridden
An identity created or updated password for an IAM user Informational Cloud 1 variation
An identity created or updated an AWS console password for an IAM user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: AWS Audit LogAttacker's goals: Escalate privileges, maintain persistence in cloud environments.Investigative actions: Verify whether the identity should be making this action. Examine what additional API calls were made by the identity.Variations
A suspicious identity created or updated password for an IAM user
Low overridden
An identity created or updated an AWS console password for an IAM user. overridden
An uncommon file added to startup-related Registry keys Informational 5 variations
An attacker may add a file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution (T1547)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain persistence using the legitimate Windows registry run key mechanism, which executes files or scripts on user login or computer boot.Investigative actions: Verify if the registered file is malicious. Check if the installing software is a malicious binary or script.Variations
An uncommon file added to startup-related Registry keys by an unsigned and unpopular CGO process
Low overridden
An attacker may add a file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden
An uncommon script added to startup-related Registry keys
Low overridden
An attacker may add a script to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden
An uncommon file added to startup-related Registry keys by a commonly known and signed application
Low overridden
An attacker may add a file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden
An uncommon LOLBIN added to startup-related Registry keys
Low overridden
An attacker may add a LOLBIN to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden
An uncommon file added to startup-related Registry keys by a remote actor
Low overridden
A remote attacker may add a file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden
An uncommon file was created in the startup folder Informational 4 variations
An uncommon file was created in the startup folder.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Maintain persistence on the host through automatic execution at startup.Investigative actions: Determine if the file was created as part of a legitimate application installation, and check other files written by the same process. Identify which program opens this file based on its extension. Check the registry at HKEY_CLASSES_ROOT\[extension]\shell\[action]\command to see the default application or command used to execute the file.Variations
An executable file with a non-default extension was added to the startup folder
Medium overridden
An executable file with a non-default extension was added to the startup folder. overridden
An executable or script was added to the startup folder
Low overridden
An executable or script was added to the startup folder. This may occur during a legitimate program installation but could also indicate a malicious program persisting on the system. overridden
A file with an uncommon extension was added to the startup folder
Low overridden
A file with an uncommon extension was added to the startup folder, which may happen on new program installation, but may also indicate a malicious program persisting itself. overridden
A new shortcut (lnk) was added to the startup folder
Low overridden
A new shortcut (lnk) file was added to the startup folder, which may happen on new program installation, but may also indicate a malicious program persisting itself. overridden
An uncommon lolbin execution by scheduled task Informational 2 variations
A lolbin was executed with uncommon commandline by a scheduled task.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Scheduled Task/Job (T1053)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: Attackers may attempt to gain persistence, privilege escalation or proxy execution on the endpoint using scheduled tasks.Investigative actions: Review the lolbin's command line executed by the schedule task. Investigate the specific scheduled task execution chain. Investigate how the scheduled task was created and the actor who created it.Variations
An uncommon lolbin execution by scheduled task on a sensitive server
Informational overridden
A lolbin was executed with uncommon commandline by a scheduled task. overridden
A rare and commonly-abused lolbin execution by scheduled task
Informational overridden
A commonly abused lolbin was executed with uncommon commandline by a scheduled task. overridden
An uncommon service was started Low 1 variation
An uncommon service was started using systemctl or service processes.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Create or Modify System Process: Systemd Service (T1543.002)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may create systemd services to run malicious payloads.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
An uncommon service was started in a Kubernetes pod
Low overridden
An uncommon service was started using systemctl or service processes. overridden
An unknown account was invited to the AWS organization Informational Cloud
An unknown account was invited to your AWS organization.The target account was not seen in your tenant for the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: AWS Audit LogAttacker's goals: Establish persistent access to the compromised cloud account.Investigative actions: Identify the invited account ID and ownership. Review additional actions performed by the identity and role.An unsigned process created scheduled task and performed an injection Medium 1 variation
An unsigned process created scheduled task and performed an injection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 4 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005)ATT&CK techniques: Scheduled Task/Job: Scheduled Task (T1053.005) Process Injection (T1055)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: To ensure they have persistence on the system, the threat actor may use scheduled tasks to set persistence, Then, to avoid detection and carry out stealth execution, they may inject a malicious payload into a remote process.Investigative actions: Investigate the injection payload and the injection process. Check if the scheduled task trigger payload is malicious.Variations
Possible an unsigned installer created scheduled task and performed an injection
Low overridden
Possible an unsigned installer created scheduled task and performed an injection. overridden
Authentication method added to an Azure account Informational Identity Threat Module 2 variations
An identity attempted to add an Azure authentication method.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: An attacker can add an authentication method to an account, so they can have later access to the tenant and resources.Investigative actions: Check if the authentication method is legitimate in the organization. Check whether the identity is permitted to perform such actions. Follow the account for possible suspicious or unusual logins.Variations
Suspicious authentication method addition to privileged Azure account
Medium overridden
A privileged user added an Azure authentication method. overridden
Suspicious authentication method addition to Azure account
Low overridden
An identity added an Azure authentication method. overridden
Authentication method was added to Azure account Informational Cloud
A new authentication method was added to an Azure AD user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Modify Authentication Process (T1556)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Establish a backdoor for persistent access.Investigative actions: Review recent authentication attempts and access logs to detect any unauthorized activities or potential misuse of the newly added authentication method. Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Autorun.inf created in root C drive Medium
An autorun file installed at the root of a C:\ drive is suspicious, as autorun files are typically associated with removable drives.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Lateral Movement (TA0008)ATT&CK techniques: Hijack Execution Flow: Services File Permissions Weakness (T1574.010) Replication Through Removable Media (T1091)Required data: XDR AgentAttacker's goals: The Autorun and AutoPlay components of Microsoft Windows operating systems may use 'Autorun.inf' to automatically execute a program (without user interaction). Adversaries can manipulate this mechanism to run a malicious program.Investigative actions: Read the content of the 'Autorun.inf' file from the root directory folder of the drive (the file may be hidden).Azure AD account unlock/password reset attempt Informational Identity Threat Module 1 variation
An attempt to unlock an Azure AD identity or reset its password has occurred.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: An attacker may switch a valid account's password for persistence.Investigative actions: Check if the password reset is authorized. Check whether the user who reset the password is permitted to perform such actions. Check if the account is in the password reset group or is acting out of scope. Check whether the user has not completed the password reset and cancelled before successfully passing authentication methods. Follow further actions or suspicious logins from the target account.Variations
Azure AD account unlock/successful password reset
Low overridden
An identity successfully reset or changed Azure AD password. overridden
Azure Automation Account Creation Informational Cloud
Azure Automation account was created. An attacker might create an account for persistence.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: Azure Audit LogAttacker's goals: Persistence using a valid account.Investigative actions: Check the identity that created the account and verify its activity.Azure Automation Runbook Creation/Modification Informational Cloud
An Azure Automation Runbook was being modified or created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: Azure Audit LogAttacker's goals: Persistence using a valid account.Investigative actions: Check the identity and its actions after the modify/create action.Azure Automation Webhook creation Informational Cloud
Azure Automation Webhook can be used to pass a payload with specific attributes to run a malicious Runbook.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: Azure Audit LogAttacker's goals: Persistence using a valid account.Investigative actions: Check the identity actions prior/after the webhook creation. Find which Runbook was executed using the webhook.Azure Event Hub Authorization rule creation/modification Informational Cloud
An authorization rule is bound with specific rights, once created within a namespace, which has management permissions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: External Remote Services (T1133)Required data: Azure Audit LogAttacker's goals: Persistence using the created/updated rule.Investigative actions: Check the identity that created/updated the authorization rule. What actions were taken using the rule.Azure Service principal/Application creation Informational Cloud
An Azure Service principal/Application was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: To gain persistent access and elevate privileges within the environment.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Azure account creation by a non-standard account Informational Identity Threat Module 1 variation
An Azure AD account creation was performed by a user that doesn't typically create users.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Create Account (T1136)Required data: AzureAD Audit LogAttacker's goals: Create a backdoor account for later access to Azure AD or Azure resources, or delete evidence of such an account.Investigative actions: Follow further actions by the initiator. Check for new resource creations by the new user. Check if the new user was added to a privileged role. Follow further actions done by the new user.Variations
Unusual Azure account creation by a non-standard account
Low overridden
An Azure AD account creation was performed by a user that doesn't typically create users. overridden
Azure application URI modification Informational Identity Threat Module 1 variation
An identity added or updated an Azure application's URI.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)Required data: AzureAD Audit LogAttacker's goals: An attacker may add certificates or modify authentication methods of an application to authenticate as the application.Investigative actions: Check whether the account that modified the URI is supposed to perform such actions. Check for possible logins from the application modified. Check for possible account consents or credential changes regarding the application. Follow further actions done by the application.Variations
Suspicious Azure application URI modification
Low overridden
An identity added or updated an Azure application's URI. overridden
Azure application credentials added Informational Identity Threat Module 2 variations
An identity added credentials to an Azure application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)Required data: AzureAD Audit LogAttacker's goals: An attacker may add certificates or modify authentication methods of an application to authenticate as the application.Investigative actions: Check if the modified application is new to the organization. Check whether the account that modified the credentials is supposed to perform such actions. Check for possible logins from the application modified. Follow further actions done by the application.Variations
Suspicious credential operation on an Azure application
Medium overridden
An identity added a certificate to an Azure application in a suspicious way. overridden
Unusual certificate operation on an Azure application
Low overridden
An identity added a certificate to an Azure application with some unusual parameters. overridden
Azure device code authentication flow used Informational Identity Analytics 3 variations
An Azure AD login was performed with device code flow.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)Required data: Azure Audit LogAttacker's goals: An attacker may use a device to access resources in the tenant using an access token from device code authentication flows.Investigative actions: Check what devices are listed with the logged-in user. Check if the account is authorized to use such devices to access resources. Check for possible logins from the device. Follow further actions done by the account and device.Variations
Suspicious Azure device code authentication flow used by an Azure AD privileged user
Medium overridden
An Azure AD login was performed with device code flow. overridden
Suspicious Azure device code authentication flow used
Low overridden
An Azure AD login was performed with device code flow. overridden
Azure device code authentication flow used by an Azure AD privileged user
Low overridden
An Azure AD login was performed with device code flow. overridden
Azure domain federation settings modification attempt Low Identity Threat Module 1 variation
A user or application attempted to modify the federation settings of the domain.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Domain or Tenant Policy Modification (T1484)Required data: AzureAD Audit LogAttacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion.Investigative actions: Check what configuration has been changed. Check whether the user changing the configuration is permitted.Variations
A successful Azure domain federation settings modification
Medium overridden
A user or application successfully modified the federation settings of the domain. overridden
Azure group creation/deletion Informational Cloud
A group in Azure was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078) Account Manipulation (T1098)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Gain persistence to the environment.Investigative actions: Check group's assigned roles. Check which members were added to the group.Azure permission delegation granted Informational Cloud 1 variation
An identity delegated permissions to access a certain resource or application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: Azure Audit LogAttacker's goals: Gain control over user accounts.Investigative actions: Check the user access logs for any suspicious activity. Review the permissions granted and the scope of the permissions.Variations
Azure permission delegation granted by an Azure AD privileged user
Low overridden
An identity delegated permissions to access a certain resource or application. overridden
Azure user creation/deletion Informational Cloud
A user in Azure was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078) Account Manipulation (T1098)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Gain persistence into the account.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Azure user password reset Informational Cloud
The password of an Azure AD user was reset.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078) Account Manipulation (T1098)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: An attacker may attempt to gain access to the account.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Bitsadmin.exe persistence using command-line callback Medium
BITSAdmin.exe was used with a command-line that may indicate malware trying to gain persistence on the machine.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: BITS Jobs (T1197)Required data: XDR AgentAttacker's goals: Gain persistence using the legitimate bitsadmin 'setnotifycmdline' mechanism, which triggers process executions once a Bits job is done or fails.Investigative actions: Check if the command line contains any malicious indicators. Check if the parent process is suspicious. Check if the command-line used to persist is malicious or references a malicious binary.Browser Extension Installed Informational 1 variation
Uncommon browser extension installed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Software Extensions: Browser Extensions (T1176.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Chromium Extensions AnalyticsAttacker's goals: Establish persistent access to victim systems through Chromium-based browser, steal sensitive data such credentials, cookies hijacking and financial data.Investigative actions: Investigate the extension and how it was loaded. Check if this extension is currently present at the relevant extensions web store by looking up for its extension ID.Variations
Uncommon Browser Extension Installed
Low overridden
Uncommon browser extension installed. overridden
Chrome Extension Installed By User Informational Identity Threat Module
A Chrome extension was installed or updated by a Google Workspace user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001) Software Extensions: Browser Extensions (T1176.001)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may leverage browser extensions installation to gain Initial Access and Persistence, enabling them to intercept credentials and hijack active web sessions.Investigative actions: Review the extension installed, it's OAuth scopes, reputation and permissions. Analyze subsequent network traffic from the user's device or browser for connections to newly registered domains. Investigate the source IP and identity for previous malicious activity or anomalies.Cloud access key creation Informational Cloud 2 variations
Cloud access key creation by a cloud identity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Persist in the environment.Investigative actions: investigate the identity who created the access keys. Check the access key activity in the organization.Variations
Successful access key creation by an unusual identity type
Informational overridden
Cloud access key creation by a cloud identity. overridden
Unusual successful cloud access key creation
Informational overridden
Cloud access key creation by a cloud identity. overridden
Credentials were added to Azure application Informational Cloud
Credentials were added to an Azure application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: An attacker can establish a backdoor in the application by adding additional credentials to it, such as secrets or certificates.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Exchange mailbox delegation permissions added Informational Identity Threat Module Email 1 variation
A user added delegation permissions to an Exchange mailbox.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 4 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Email Delegate Permissions (T1098.002)Required data: Office 365 AuditAttacker's goals: Add delegation permissions to a mailbox for persistence reasons.Investigative actions: Look for signs that the user account and mailboxes are compromised (e.g. abnormal logins, unusual activity). Investigate the IP address associated with the activity. Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents).Variations
Addition of Exchange mailbox delegation permissions with suspicious characteristics
Low overridden
A user added delegation permissions to an Exchange mailbox. overridden
Exchange mailbox folder permission modification Informational Identity Threat Module Email 1 variation
A user modified permissions to an Exchange mailbox folder.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Email Delegate Permissions (T1098.002)Required data: Office 365 AuditAttacker's goals: An attacker may add permissions to a mailbox folder for persistence reasons. For instance, an attacker may assign the Default or Anonymous user permissions. This will allow them to maintain persistent access to the mailbox folder, which may lead to exfiltration of the messages.Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Investigate the IP address associated with the activity. Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents). Check for abnormal Azure AD non-interactive logins by the user. Monitor for changes that may indicate excessively broad permissions.Variations
Exchange mailbox folder permission modification for a default user
Low overridden
A user modified permissions to an Exchange mailbox folder. The user granted the permission is a default user, which effectively grants the permission to any user. overridden
Executable or Script file written by a web server process Low 3 variations
An uncommon executable or script file was created, written, or renamed by a web server process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Webshell AnalyticsAttacker's goals: Gain the ability to execute commands on the host and establish persistence.Investigative actions: Review web server access logs for suspicious requests or uploads. Inspect the dropped file to determine whether it contains malicious content.Variations
A driver was written by a web server process
Low overridden
An uncommon driver file was created, written, or renamed by a web server process. overridden
Executable or Script file written by a web server process in an internet facing server
Low overridden
An uncommon executable or script file was created, written, or renamed by a web server process. overridden
Executable or Script file written by a web server process with connections from various sources and high web traffic
Low overridden
An uncommon executable or script file was created, written, or renamed by a web server process. overridden
Execution of an uncommon process at an early startup stage Informational 2 variations
Uncommon execution of an executable found in an early startup stage.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution (T1547)Required data: XDR AgentDetector tags: Generic Persistence AnalyticsAttacker's goals: Adversaries continuously find and develop new undetectable, novel methods of launching malware during startup. Attackers aim to get persistence to continue operating even after a reboot.Investigative actions: Check if the CGO (causality group owner) is familiar and if one of it configuration/parameters/registry keys has been modified.Variations
Execution of an uncommon process at an early startup stage with suspicious characteristics
Low overridden
Uncommon execution of an executable found in an early startup stage. overridden
Execution of an uncommon process at an early startup stage with uncommon characteristics
Low overridden
Uncommon execution of an executable found in an early startup stage. overridden
Execution of an uncommon process at an early startup stage by Windows system binary Low 2 variations
Uncommon execution of an executable found in an early startup stage by Windows system binary.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution (T1547)Required data: XDR AgentDetector tags: Generic Persistence AnalyticsAttacker's goals: Attackers aim to get persistence to continue operating even after a reboot.Investigative actions: Check if the Causality Group Owner (CGO) has a related persistence mechanism that may have been abused by an attacker.Variations
Execution of an uncommon process at an early startup stage by Windows system binary with suspicious characteristics
Low overridden
Uncommon execution of an executable found in an early startup stage by Windows system binary. overridden
Execution of an uncommon process at an early startup stage by Windows system binary with uncommon characteristics
Low overridden
Uncommon execution of an executable found in an early startup stage by Windows system binary. overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage Informational 2 variations
Execution of an uncommon process with a local/domain user SID at an early startup stage may be an indication of a persistent mechanism on boot that is being actively abused.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution (T1547)Required data: XDR AgentDetector tags: Generic Persistence AnalyticsAttacker's goals: Attackers aim to get persistence to continue operating even after a reboot.Investigative actions: Check if the CGO (causality group owner) is familiar and if any configuration, parameters, or registry keys have been modified.Variations
Execution of an uncommon process with a local/domain user SID at an early startup stage with suspicious characteristics
Low overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage may be an indication of a persistent mechanism on boot that is being actively abused. overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage with uncommon characteristics
Low overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage may be an indication of a persistent mechanism on boot that is being actively abused. overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary Low 3 variations
Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary may be an indication of a persistent mechanism on boot that is being actively abused.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution (T1547)Required data: XDR AgentDetector tags: Generic Persistence AnalyticsAttacker's goals: Attackers aim to get persistence to continue operating even after a reboot.Investigative actions: Check if the Causality Group Owner (CGO) has a related persistence mechanism that may have been abused by an attacker.Variations
Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary - Explorer CGO
Informational overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary may be an indication of a persistent mechanism on boot that is being actively abused. overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage with a suspicious characteristics by Windows system binary
Low overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary may be an indication of a persistent mechanism on boot that is being actively abused. overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage with an uncommon characteristics by Windows system binary
Low overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary may be an indication of a persistent mechanism on boot that is being actively abused. overridden
External user invitation to Azure tenant Informational Cloud
An external user was invited to Azure tenant.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Gain unauthorized access to the tenant.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.First-time directory sync of an on-premises domain user to an existing cloud account Informational Identity Threat Module
First-time synchronization of an on-premises domain user with an existing cloud account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: Attackers may leverage DirectorySync to move laterally from a compromised on-premise environment into the cloud tenant, allowing them to bypass the cloud's security boundaries and take over high-value cloud identities.Investigative actions: Check if the cloud account was an administrator (Global Admin, etc.) before this sync. Determine if the on-premise user was recently created or if its 'proxyAddress' attribute was recently modified. Confirm if the organization intended to transition this account from Cloud-Only to Hybrid. Verify the consistency between the on-premises 'ObjectGUID' and the newly assigned 'ImmutableID' in Azure AD.GCP Service Account creation Informational Cloud
A GCP service account was created. An attacker might use this technique to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Create Account (T1136)Required data: Gcp Audit LogAttacker's goals: Persistence with service account. An attacker might use this technique to evade detection.Investigative actions: Check the identity that created the account and its actions.GCP Service Account key creation Informational Cloud
A GCP service account key was created. An attacker might use this technique to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: Gcp Audit LogAttacker's goals: Persistence using the created key.Investigative actions: Check what actions were taken using the newly created service account key. Check what other actions were taken by the identity that created the key.GCP administrative role granted to a cloud identity Informational Cloud
A cloud identity granted an administrative IAM role to another identity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.GCP sensitive Cloud Run role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive Cloud Run IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within the cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive Cloud Run role granted
Medium overridden
A cloud identity granted itself a sensitive Cloud Run IAM role. overridden
GCP sensitive Deployment Manager role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive Deployment Manager IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within the cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive Deployment Manager role granted
Medium overridden
A cloud identity granted itself a sensitive Deployment Manager IAM role. overridden
GCP sensitive Functions role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive Functions IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive Functions role granted
Medium overridden
A cloud identity granted itself a sensitive Functions IAM role. overridden
GCP sensitive IAM role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive IAM role granted
Medium overridden
A cloud identity granted itself a sensitive IAM role. overridden
GCP sensitive Secret Manager role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive Secret Manager IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive Secret Manager role granted
Medium overridden
A cloud identity granted itself a sensitive Secret Manager IAM role. overridden
GCP sensitive compute role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive compute IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive compute role granted
Medium overridden
A cloud identity granted itself a sensitive compute IAM role. overridden
GCP sensitive role granted to group Low Cloud 1 variation
A cloud identity granted a sensitive role to a group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the group.Variations
GCP sensitive role granted to group
Medium overridden
A cloud identity granted a sensitive role to a group. overridden
GCP sensitive storage role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive storage IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive storage role granted
Medium overridden
A cloud identity granted itself a sensitive storage IAM role. overridden
GCP set IAM policy activity Informational Cloud
A cloud identity had modified a resource policy bindings.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Globally uncommon injection from a signed process Informational 3 variations
A signed process injected into another process that it does not normally target at a global level.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: System Binary Proxy Execution (T1218) Process Injection (T1055) Compromise Host Software Binary (T1554)Required data: XDR AgentDetector tags: Injection Analytics, Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon suspicious injection from a signed process
Medium overridden
A non-injected thread in a signed process with a suspicious injection type injected into another process that it does not normally target at a global level. overridden
Globally uncommon injection from a signed process which was executed by a scheduled task
Low overridden
A signed process injected into another process that it does not normally target at a global level. overridden
Globally uncommon injection from a signed process
Low overridden
A signed process injected into another process that it does not normally target at a global level. overridden
Google Workspace automation was created Informational Identity Threat Module 1 variation
Google Workspace automation was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Exfiltration (TA0010)ATT&CK techniques: Command and Scripting Interpreter (T1059) Event Triggered Execution (T1546) Automated Exfiltration (T1020)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may create automations to maintain persistence, execute malicious code, or exfiltrate data automatically.Investigative actions: Verify if the automation creation was authorized and expected for this user. Investigate the automation logic to determine if it is malicious. Investigate other suspicious activities performed by the user around the same timeframe.Variations
Google Workspace automation was created for a public document
Low overridden
The document that the automation was created for is publicly shared. overridden
Google Workspace organizational unit was modified Informational Identity Threat Module
A Google Workspace admin modified an organizational unit.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may change the organizational unit the user belongs to, so they could inherit permissions for applications and resources that were inaccessible before.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account.Google Workspace user authentication information changed Informational Identity Threat Module 2 variations
Google Workspace authentication information was changed for a user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Persistence (TA0003)ATT&CK techniques: Modify Authentication Process: Multi-Factor Authentication (T1556.006) Account Manipulation (T1098)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may manipulate user authentication information to obtain Persistence or Bypass Multi-Factor Authentication (MFA) controls.Investigative actions: Verify if the authentication information change was authorized. Follow further actions done by the user and IP address.Variations
Google Workspace administrative user authentication information changed
Low overridden
Google Workspace authentication information was changed for a user. overridden
Google Workspace user authentication information changed by another account
Low overridden
Google Workspace authentication information was changed for a user. overridden
IAM User added to an IAM group Informational Cloud
An IAM user was added to an IAM group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add a user to a group to establish persistence or escalate privileges within a cloud account.Investigative actions: Identify the identity that executed the API call. Determine which IAM user was added to the group. Evaluate the group's permissions to determine their applicability to the IAM user.IAM inline policy was added to group Informational Cloud
A cloud identity added an AWS IAM inline policy to an IAM group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM inline policy was added to role Informational Cloud
A cloud identity added an AWS IAM inline policy to an IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM inline policy was added to user Informational Cloud
A cloud identity added an AWS IAM inline policy to an IAM user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM instance profile was associated with EC2 instance Informational Cloud
An AWS IAM instance profile was associated with EC2 instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.IAM instance profile was created Informational Cloud
An AWS IAM instance profile was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.IAM instance profile was replaced for EC2 instance Informational Cloud
An AWS IAM instance profile was replaced for EC2 instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.IAM policy default version was changed Informational Cloud
A cloud identity set the specified version of an AWS IAM policy as the policy's default.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM policy version was created Informational Cloud
A cloud identity created an AWS-managed IAM policy version.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM policy was attached to group Informational Cloud
A cloud identity attached an AWS IAM policy to an IAM group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.