Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

2 alerts match the current filters. tactic: TA0003 ✕ technique: T1649 ✕

Show ATT&CK heatmap
  • A user certificate was issued with a mismatch Informational Identity Analytics 1 variation

    A certificate was issued to a user who was not the requester, this may indicate a certificate manipulation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Attackers may try to obtain certificates for privileged accounts or systems they do not normally have access to, to gain elevated access and move laterally within the network.
    Investigative actions: Verify the activity with the performing user. Identify if the requester is a user or system that normally requests certificates on behalf of other entities (e.g., a Mobile Device Management system). Search for further indicators of potential compromise, including atypical login behaviors, unauthorized attempts at privilege escalation, or lateral movements within the network attributed to the requester. Examine whether the mismatch between the requester and the subject is consistent with known and anticipated practices, or if it represents an unusual deviation. Check for possible certificate authentications with the subject user.

    Variations

    Suspicious certificate issuance with a mismatch

    Low overridden

    A user certificate was issued with a mismatch. This requester doesn't usually ask for a certificates on behalf of another subject. This may indicate a certificate manipulation. overridden

  • A user logged on to multiple workstations via Schannel Informational Identity Analytics 2 variations

    A user logged on to multiple workstations with a certificate via Schannel. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Elevate permissions and establish persistence.
    Investigative actions: Verify the activity with the performing user. Check for possible certificate authentications with the subject user. Check if the user logged in to other endpoints via Schannel.

    Variations

    Rare user authentication with a certificate via Schannel

    Low overridden

    A rare user authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden

    Abnormal authentication with a certificate via Schannel

    Informational overridden

    An abnormal authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden