Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

130 alerts match the current filters. tactic: TA0004 ✕

Show ATT&CK heatmap
  • A GCP service account was delegated domain-wide authority in Google Workspace Low Identity Threat Module 1 variation

    A Google Workspace admin has enabled domain-wide delegation to a GCP service account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Domain or Tenant Policy Modification (T1484)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Malicious Apps can be used to access the organization's Google data.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new settings look suspicious. Follow further actions done by the account.

    Variations

    A Google Workspace admin has enabled domain-wide delegation to a GCP service account and granted him access to a sensitive scope

    Medium overridden

    A Google Workspace admin has enabled domain-wide delegation to a GCP service account. overridden

  • A Google Workspace service was configured as unrestricted Informational Identity Threat Module 3 variations

    An identity configured a Google Workspace service as unrestricted Apps configured with a trusted or limited access setting can access data for unrestricted services.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Domain or Tenant Policy Modification (T1484)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Malicious apps can be used to access the organization's Google data.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new settings look suspicious. Follow further actions done by the account.

    Variations

    A Google Workspace service was configured as unrestricted by a suspicious identity

    Low overridden

    An identity configured a Google Workspace service as unrestricted Apps configured with a trusted or limited access setting can access data for unrestricted services. overridden

    A Google Workspace service was configured as unrestricted from an unusual ASN

    Low overridden

    An identity configured a Google Workspace service as unrestricted Apps configured with a trusted or limited access setting can access data for unrestricted services. overridden

    A Google Workspace service was configured as unrestricted by a non-administrative identity

    Informational overridden

    An identity configured a Google Workspace service as unrestricted Apps configured with a trusted or limited access setting can access data for unrestricted services. overridden

  • A Kubernetes cluster role binding was created or deleted Informational Cloud

    A Kubernetes cluster role binding was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Container Cluster Roles (T1098.006)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Escalate privileges to gain access to restricted resources in the Kubernetes cluster.
    Investigative actions: Check which changes were made to the Kubernetes cluster role binding.
  • A Kubernetes role binding was created or deleted Informational Cloud

    A Kubernetes role binding was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Container Cluster Roles (T1098.006)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Obtain Kubernetes secrets to access restricted information.
    Investigative actions: Check which changes were made to the Kubernetes secret.
  • A Service Principal was created in Azure Informational Cloud

    A Service Principal was created in Azure. This could indicate a malicious actor attempting to gain access to a resource.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Azure Audit Log
    Attacker's goals: Access user data. Gain control of the Azure environment.
    Investigative actions: Check the Service Principal to ensure it has the correct access rights. Review the Azure Activity Log to determine the source of the Service Principal creation.
  • A WMI subscriber was created Informational

    A WMI subscriber was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Impacket Analytics
    Attacker's goals: Command execution and persistence on the host.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • A cloud identity had escalated its permissions Informational Cloud 4 variations

    A cloud identity had updated its permissions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation (T1098)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Escalate privileges.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    A cloud identity with high administrative activity had escalated its permissions

    Informational overridden

    A cloud identity with high administrative activity had updated its permissions. overridden

    A cloud compute service had escalated its permissions

    Medium overridden

    A cloud compute service had updated its permissions. overridden

    A cloud non-human identity had escalated its permissions

    Low overridden

    A cloud non-human identity had updated its permissions. overridden

    A cloud identity escalated its permissions to a high privilege role/policy

    Low overridden

    A cloud identity escalated its permissions by adding itself to a high privileged policy/role/group. overridden

  • A computer account was promoted to DC Low Identity Analytics

    A computer account was promoted to a domain controller via a User Account Control (UAC) change.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may attempt to gain domain administrator privileges.
    Investigative actions: Verify if the domain controller promotion is expected. Check if the computer account is a new account. Confirm this action with the user who performed the change. Follow actions by the account and if it performed a DCSync.
  • A contained executable from a mounted share initiated a suspicious outbound network connection Medium 1 variation

    A contained executable from a mounted share initiated a suspicious outbound network connection.Running binaries from a mounted share is highly dangerous and not typical.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Escape to Host (T1611)
    Required data: XDR Agent
    Attacker's goals: Gain high privileged command execution on the host machine via one of its running containers.
    Investigative actions: Check if the requested IP address is known or malicious. Investigate the contained process and its process tree.

    Variations

    A contained executable from a mounted share initiated a suspicious outbound network connection

    Medium overridden

    A cloud machine contained executable from a mounted share initiated a suspicious outbound network connection.Running binaries from a mounted share is highly dangerous and not typical. overridden

  • A contained executable was executed by an unusual process Medium 3 variations

    A Docker-contained executable from a mounted share was executed on a host.Running a contained executable is highly dangerous and atypical.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Escape to Host (T1611) Boot or Logon Autostart Execution: Kernel Modules and Extensions (T1547.006)
    Required data: XDR Agent
    Attacker's goals: Gain high privileged command execution on the host machine via one of its running containers.
    Investigative actions: Check what actions were made after the suspicious file execution. Investigate the contained process and its process tree.

    Variations

    A contained executable was executed by the Linux kernel thread daemon

    High overridden

    A contained executable in a cloud machine was executed by the Linux kernel thread daemon.This behavior is suspicious as it may be a result of an attacker attempting to escape from a container, as the kernel thread daemon is usually used to spawn kernel processes only. overridden

    A contained executable was executed by the Linux kernel thread daemon

    High overridden

    A contained executable was executed by the Linux kernel thread daemon.This behavior is suspicious as it may be a result of an attacker attempting to escape from a container, as the kernel thread daemon is usually used to spawn kernel processes only. overridden

    A contained executable was executed by an unusual process

    Medium overridden

    A Docker-contained executable from a mounted share on a cloud machine was executed on a host.Running a contained executable is highly dangerous and atypical. overridden

  • A contained process attempted to escape using the 'notify on release' feature Medium 1 variation

    A contained process attempted to escape the host by leveraging the Docker's 'notify on release' feature.The calling process modified relevant files that might trigger a command on the host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Escape to Host (T1611)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Execute arbitrary commands on the host and gain a larger foothold.
    Investigative actions: Check which commands were executed on the host afterward. Look for the root cause of the execution within the container. Examine the release_agent script content on the container.

    Variations

    A contained process attempted to escape using the 'notify on release' feature

    Medium overridden

    A contained process attempted to escape the host by leveraging the Docker's 'notify on release' feature.The calling process modified relevant files that might trigger a command on the cloud host. overridden

  • A machine certificate was issued with a mismatch Medium Identity Analytics

    A machine certificate was issued with a mismatch between the requester and the subject.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker may attempt to exploit the Active Directory Certificate Services to escalate privileges to a domain controller machine account.
    Investigative actions: Check who owns the certificate requester account. Check if the requester DNS name attribute was changed recently. Investigate actions done by the requester and its owner. Check for possible DCSync alerts.
  • A new machine attempted Kerberos delegation Medium Identity Analytics

    A newly created machine attempted to perform a Kerberos delegation. This suspicious activity might indicate a Kerberos relay attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    12 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to system.
    Investigative actions: Check for any other suspicious activity related to the machine involved in the alert. Look for a new machine that was added to the domain.
  • A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process Informational 8 variations

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.
    Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.

    Variations

    A rare DLL, signed by an uncommon vendor, was hijacked into an injected Microsoft process

    Medium overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process which was executed by untrusted causality actor

    Medium overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by an uncommon vendor, was downloaded from an uncommon source and was loaded into Microsoft process

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by a rarely seen vendor, was hijacked into a Microsoft process

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare and high entropy DLL, signed by an uncommon vendor, was hijacked into a Microsoft process

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by an uncommon vendor, was hijacked into a newly created Microsoft process

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by an uncommon vendor, was sideloaded into a Microsoft process

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process which was executed by a scheduled task

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

  • A rare file path was added to the AppInit_DLLs registry value Low 2 variations

    A rare file path was added to AppInit_DLLs registry value.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Event Triggered Execution (T1546)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Injection Analytics
    Attacker's goals: Establish persistence and/or elevate privileges by injecting malicious content triggered by AppInit DLLs loaded into processes.
    Investigative actions: Investigate the path of the modified value. Investigate the causality actor process which initiated the activity.

    Variations

    A rare file path was added to the AppInit_DLLs registry valueusing a manual registry tool

    Medium overridden

    A rare file path was added to AppInit_DLLs registry value. overridden

    A rare file path was added to the AppInit_DLLs registry valuewith a commonly abused path

    Medium overridden

    A rare file path was added to AppInit_DLLs registry value. overridden

  • A third-party application was authorized to access the Google Workspace APIs Informational Identity Threat Module

    A domain administrator authorized a third-party application to access the Google Workspace APIs. This allows the application to interact with the domain user's data within the authorized scope, as specified in the API call.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Gain access to Google Workspace data and services. Collect confidential information from Google Workspace. Compromise user accounts and data.
    Investigative actions: Check which account was granted access to the Domain API. Identify the source IP address of the request. Verify the legitimacy of the request.
  • A user accessed Okta's admin application Informational Identity Threat Module 1 variation

    An attempt to access Okta's admin management application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Domain or Tenant Policy Modification (T1484) Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: Adversaries are attempting to infiltrate Okta's administrative application, a breach that could lead to the manipulation of authentication procedures, creation of persistent user accounts, and various activities aiding in the compromise of additional assets.
    Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).

    Variations

    Suspicious Okta Admin App Access Attempt

    Low overridden

    A user attempted to access the Okta Admin Application in a suspicious way. overridden

  • A user certificate was issued with a mismatch Informational Identity Analytics 1 variation

    A certificate was issued to a user who was not the requester, this may indicate a certificate manipulation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Attackers may try to obtain certificates for privileged accounts or systems they do not normally have access to, to gain elevated access and move laterally within the network.
    Investigative actions: Verify the activity with the performing user. Identify if the requester is a user or system that normally requests certificates on behalf of other entities (e.g., a Mobile Device Management system). Search for further indicators of potential compromise, including atypical login behaviors, unauthorized attempts at privilege escalation, or lateral movements within the network attributed to the requester. Examine whether the mismatch between the requester and the subject is consistent with known and anticipated practices, or if it represents an unusual deviation. Check for possible certificate authentications with the subject user.

    Variations

    Suspicious certificate issuance with a mismatch

    Low overridden

    A user certificate was issued with a mismatch. This requester doesn't usually ask for a certificates on behalf of another subject. This may indicate a certificate manipulation. overridden

  • A user logged on to multiple workstations via Schannel Informational Identity Analytics 2 variations

    A user logged on to multiple workstations with a certificate via Schannel. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Elevate permissions and establish persistence.
    Investigative actions: Verify the activity with the performing user. Check for possible certificate authentications with the subject user. Check if the user logged in to other endpoints via Schannel.

    Variations

    Rare user authentication with a certificate via Schannel

    Low overridden

    A rare user authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden

    Abnormal authentication with a certificate via Schannel

    Informational overridden

    An abnormal authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden

  • A user was added to a Windows security group Informational Identity Analytics 4 variations

    A user was added to a Windows security group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Privilege escalation using a valid account.
    Investigative actions: Check the user who added the account to the group and verify its activity.

    Variations

    User added a member to a Windows privileged group for the first time

    Medium overridden

    A user was added to a Windows security privileged group. overridden

    User added to a Windows privileged group

    Low overridden

    A user was added to a Windows security privileged group. overridden

    User removed from a Windows privileged group

    Informational overridden

    A user was removed from a Windows security privileged group. overridden

    A user was removed from a Windows security group

    Informational overridden

    A user was removed from a Windows security group. overridden

  • AWS support case creation Informational Cloud

    A cloud identity has created a new case in AWS support.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007) Privilege Escalation (TA0004)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Account Manipulation (T1098)
    Required data: AWS Audit Log
    Attacker's goals: Obtaining a list of resources that could be targeted for lateral movement or convincing AWS's support to perform actions on their behalf.
    Investigative actions: Investigate any unusual activity originating from the suspected identity. View the contents of the newly created case {case_id} .
  • Abnormal File Activity in SCCMContentLib Shared Folder by user Informational Identity Analytics 1 variation

    A user generated suspicious file activity within the SCCMContentLib shared folder, which is considered a high-value target for attackers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002) Unsecured Credentials (T1552)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: Attackers aim to exploit misconfigurations in Microsoft Configuration Manager to access sensitive data, such as credentials and certificates, stored within the SCCMContentLib. This access can facilitate lateral movement and further compromise within the network.
    Investigative actions: Verify the activity with the performing user. Check if SCCM admin credentials were accessed or exfiltrated. Review SCCM logs to identify unauthorized queries or modifications. Investigate recent access to the extracted files and their contents. Check other security logs (e.g., Windows Event Logs, SIEM alerts) for suspicious behavior. Identify the originating system and assess if it has been compromised. Monitor for any further lateral movement or privilege escalation attempts.

    Variations

    Suspicious File Activity in SCCMContentLib Shared Folder by user

    Low overridden

    A user generated suspicious file activity within the SCCMContentLib shared folder, which is considered a high-value target for attackers. overridden

  • Abnormal User Login to Domain Controller Informational Identity Analytics 4 variations

    A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078) Use Alternate Authentication Material (T1550)
    Required data: XDR Agent
    Attacker's goals: A malicious user may attempt to access a domain controller to access and control Active Directory.
    Investigative actions: Ensure that the user is not a Domain Admin account. By default, Administrator groups have permission to access the domain controller. Check if the user is a service account that accesses a domain controller as part of its normal behavior. Verify that the user is not authenticating to group policy.

    Variations

    Rare RDP User Login to Domain Controller by an Abnormal Department

    Medium overridden

    A user account has successfully interactively logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden

    Abnormal RDP User Login to Domain Controller

    Low overridden

    A user account has successfully interactively logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden

    RDP User Login to Domain Controller

    Informational overridden

    A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden

    Abnormal User Login to Domain Controller by an Abnormal Department

    Informational overridden

    A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden

  • Access to sensitive host files from within a Kubernetes pod Informational 2 variations

    A process accessed sensitive host files inside a Kubernetes pod, indicating a potential container escape or privilege escalation attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Escape to Host (T1611)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft Analytics
    Attacker's goals: Access to the host filesystem.
    Investigative actions: Look for additional suspicious activities. Verify if the exposed files were used for malicious activity. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.

    Variations

    Access to sensitive host files from within a Kubernetes pod via an interactive shell

    Medium overridden

    A process accessed sensitive host files inside a Kubernetes pod, indicating a potential container escape or privilege escalation attempt. overridden

    Unusual access to sensitive host files from within a Kubernetes pod

    Low overridden

    A process accessed sensitive host files inside a Kubernetes pod, indicating a potential container escape or privilege escalation attempt. overridden

  • Admin privileges were granted to a Google Workspace user Informational Identity Threat Module

    Admin privileges were granted to a Google Workspace user. This user now has access to additional administrative functions and settings.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Gain access to sensitive data stored in Google Workspace. Manipulate or delete data stored in Google Workspace. Gain access to privileged features in Google Workspace.
    Investigative actions: Check which Google Workspace user was granted the admin privileges. Check if the user is authorized to be granted such privileges. Review the audit logs to determine the actions taken by the user.
  • An Azure Kubernetes Role or Cluster-Role was modified Informational Cloud

    An Azure Kubernetes Role or Cluster-Role was modified or deleted. This could indicate malicious activity and should be investigated.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Azure Audit Log
    Attacker's goals: Escalate privileges to gain access to restricted resources in Azure Kubernetes cluster.
    Investigative actions: Review the role or ClusterRole changes made by the identity. Determine whether the identity is authorized to perform these actions.
  • An Azure Kubernetes Role-Binding or Cluster-Role-Binding was modified or deleted Informational Cloud

    An Azure Kubernetes Role-Binding or Cluster-Role-Binding was modified or deleted. This could indicate a security breach or malicious activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Azure Audit Log
    Attacker's goals: Escalate privileges to gain access to restricted resources in Azure Kubernetes cluster.
    Investigative actions: Investigate which actions were made by the identity and identify any suspicious activity. Review the Kubernetes configuration to identify any other changes.
  • An identity attached an administrative policy to an IAM user or role Informational Cloud 3 variations

    An identity attached an administrative policy to an IAM user or role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Escalate privileges in cloud environments.
    Investigative actions: Confirm whether this activity was intentional. Check for other API calls that were executed by the identity. Look for any suspicious behavior from the IAM user or role to whom the administrative policy was attached.

    Variations

    An identity attached an administrative policy to itself

    Medium overridden

    An identity attached an administrative policy to an IAM user or role. overridden

    An identity failed to attach an administrative policy to an IAM user or role

    Medium overridden

    An identity attached an administrative policy to an IAM user or role. overridden

    A suspicious identity attached an administrative policy to an IAM user/role

    Low overridden

    An identity attached an administrative policy to an IAM user or role. overridden

  • An identity created or updated password for an IAM user Informational Cloud 1 variation

    An identity created or updated an AWS console password for an IAM user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: AWS Audit Log
    Attacker's goals: Escalate privileges, maintain persistence in cloud environments.
    Investigative actions: Verify whether the identity should be making this action. Examine what additional API calls were made by the identity.

    Variations

    A suspicious identity created or updated password for an IAM user

    Low overridden

    An identity created or updated an AWS console password for an IAM user. overridden

  • An identity was granted permissions to manage user access to Azure resources Informational Cloud

    An identity was granted the User Access Administrator permission at the tenant scope.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005)
    Required data: Azure Audit Log
    Attacker's goals: Elevate permission to gain access to all Azure Subscriptions.
    Investigative actions: Verify whether the identity should be making this action. Check what additional API calls were made by the identity.
  • An uncommon service was started Low 1 variation

    An uncommon service was started using systemctl or service processes.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Create or Modify System Process: Systemd Service (T1543.002)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may create systemd services to run malicious payloads.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    An uncommon service was started in a Kubernetes pod

    Low overridden

    An uncommon service was started using systemctl or service processes. overridden

  • Azure AD PIM elevation request Informational Identity Threat Module

    An Azure AD PIM elevation request was denied/approved.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: Getting elevated permissions to perform malicious actions.
    Investigative actions: Check if the elevation is authorized. Follow further actions or suspicious logins from the elevated account.
  • Azure AD PIM role settings change Low Identity Threat Module 1 variation

    An identity changed the PIM role settings.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548) Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker can modify the PIM role settings to make it easier to acquire a privileged account.
    Investigative actions: Check what role settings have been updated. Check whether the user changing the settings is permitted to perform such actions.

    Variations

    Suspicious Azure AD PIM role settings change

    Medium overridden

    An identity modified the PIM role settings to a less secure configuration for a privileged role. overridden

  • Azure Privilege Escalation Using an Application Medium Identity Threat Module

    An Azure application was observed assigning an Azure administrator role to a user. This might indicate a privilege escalation attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    5 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: Azure Audit Log AzureAD AzureAD Audit Log Microsoft Graph Logs Office 365 Audit Okta Okta Audit Log Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Global Protect Third-Party VPNs Slack Audit Log XDR Agent XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may add additional roles or permissions to an attacker controlled cloud account to maintain persistent access to a tenant.
    Investigative actions: Check if the affected account is new to the organization. Check whether the application that added the account to the role is permitted to perform such actions. Check what can be affected by the assigned role Follow further actions done by the account that was added to the role.
  • Azure Temporary Access Pass (TAP) registered to an account Informational Identity Threat Module 2 variations

    An identity registered an Azure Temporary Access Pass (TAP) to an account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: A TAP can allow setting of other authentication methods and can be used as an initial replacement of a multifactor authentication.
    Investigative actions: Check if the account that got the TAP should get it. Check whether the account that registered the TAP is supposed to perform such actions. Check if the TAP was registered to a privileged account. Follow further actions done by the initiator and the account with the TAP.

    Variations

    Azure Temporary Access Pass (TAP) registered to a privileged account

    Medium overridden

    An identity registered an Azure Temporary Access Pass (TAP) to an account. overridden

    Abnormal Azure Temporary Access Pass (TAP) account registration

    Low overridden

    An identity registered an Azure Temporary Access Pass (TAP) to an account. overridden

  • Azure domain federation settings modification attempt Low Identity Threat Module 1 variation

    A user or application attempted to modify the federation settings of the domain.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Domain or Tenant Policy Modification (T1484)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion.
    Investigative actions: Check what configuration has been changed. Check whether the user changing the configuration is permitted.

    Variations

    A successful Azure domain federation settings modification

    Medium overridden

    A user or application successfully modified the federation settings of the domain. overridden

  • Azure service principal assigned app role Informational Identity Threat Module

    An identity assigned an app role (permissions) to a service principal.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker may add roles to service principals that will allow them to access sensitive information and perform other actions.
    Investigative actions: Check if the added service principle is new to the organization. Check whether the account that added the app role is supposed to perform such actions. Check for possible logins and actions from the service principle with the role. Follow further actions done by the application and the assigner.
  • Azure storage account blob anonymous access is enabled Informational Cloud

    It is possible to configure anonymous access to blobs within the storage account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)
    Required data: Azure Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Public Exposure, Data Detection & Response
    Attacker's goals: The attacker wants to maintain indirect control over the resource. Attackers intend to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.
    Investigative actions: Check if the blobs within the storage account should be accessed from all networks. Disable public network access or disable blob anonymous access to storage account if needed. Check if the identity performed additional malicious activity and restrict permissions for the identity if required.
  • Change of sudo caching configuration Low 1 variation

    Change of sudo caching configuration may have been intended to enable privilege escalation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism: Sudo and Sudo Caching (T1548.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may use the sudoers file to elevate privileges.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Change of sudo caching configuration in a Kubernetes pod

    Low overridden

    Change of sudo caching configuration may have been intended to enable privilege escalation. overridden

  • Creation or modification of the default command executed when opening an application Informational 4 variations

    Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain higher privileges by bypassing the User Account Control (UAC).
    Investigative actions: Check the registry data modified for a potentially malicious command line. Look for processes running matching the command line for malicious activity.

    Variations

    Creation or modification of the default command executed when opening the Microsoft optional features settings (Fodhelper.exe)

    Medium overridden

    Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC. overridden

    Creation or modification of the default command executed when opening an MMC application

    Medium overridden

    Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC. overridden

    Creation or modification of the default command executed when opening Windows backup and restore (sdclt.exe)

    Medium overridden

    Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC. overridden

    Creation or modification of the default command executed when opening Windows Store settings (Wsreset.exe)

    Medium overridden

    Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC. overridden

  • Credentials were added to Azure application Informational Cloud

    Credentials were added to an Azure application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: An attacker can establish a backdoor in the application by adding additional credentials to it, such as secrets or certificates.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Elevation to SYSTEM via services Low 2 variations

    Services were affected by a non SYSTEM integrity level process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)
    ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Malicious Service Analytics
    Attacker's goals: Escalate privileges to system and execute commands.
    Investigative actions: Investigate the service being spawned on the host for malicious activities.

    Variations

    Elevation to SYSTEM via service creation

    Low overridden

    A service was created from a non SYSTEM integrity level process. overridden

    Elevation to SYSTEM via service modification

    Low overridden

    An existing service was modified from a non SYSTEM integrity level process. overridden

  • Execution of command from within a Kubernetes pod using kubelet credentials Low 1 variation

    A command was executed from within a Kubernetes pod using Kubelet credentials. This activity allows an attacker to impersonate the node and perform privileged operations against the cluster API.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Access Token Manipulation (T1134)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Usage of the Kubernetes API server to perform operations inside the cluster.
    Investigative actions: Check if there is an active attack against the Kubernetes cluster.

    Variations

    Unusual execution of command from within a Kubernetes pod using kubelet credentials

    Medium overridden

    A command was executed from within a Kubernetes pod using Kubelet credentials. This activity allows an attacker to impersonate the node and perform privileged operations against the cluster API. overridden

  • External user invitation to Azure tenant Informational Cloud

    An external user was invited to Azure tenant.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Gain unauthorized access to the tenant.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Fodhelper.exe UAC bypass Medium

    Attackers may use Fodhelper.exe to bypass UAC (User Account Control) by having it spawn their malicious process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)
    Required data: XDR Agent
    Attacker's goals: Gain higher privileges by bypassing the User Account Control (UAC).
    Investigative actions: Search for a registry event that changes the key Software\Classes\ms-settings. Review the process that made the registry key. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • GCP administrative role granted to a cloud identity Informational Cloud

    A cloud identity granted an administrative IAM role to another identity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.
  • GCP sensitive Cloud Run role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive Cloud Run IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within the cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive Cloud Run role granted

    Medium overridden

    A cloud identity granted itself a sensitive Cloud Run IAM role. overridden

  • GCP sensitive Deployment Manager role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive Deployment Manager IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within the cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive Deployment Manager role granted

    Medium overridden

    A cloud identity granted itself a sensitive Deployment Manager IAM role. overridden

  • GCP sensitive Functions role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive Functions IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive Functions role granted

    Medium overridden

    A cloud identity granted itself a sensitive Functions IAM role. overridden

  • GCP sensitive IAM role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive IAM role granted

    Medium overridden

    A cloud identity granted itself a sensitive IAM role. overridden

  • GCP sensitive Secret Manager role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive Secret Manager IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive Secret Manager role granted

    Medium overridden

    A cloud identity granted itself a sensitive Secret Manager IAM role. overridden

  • GCP sensitive compute role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive compute IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive compute role granted

    Medium overridden

    A cloud identity granted itself a sensitive compute IAM role. overridden

  • GCP sensitive role granted to group Low Cloud 1 variation

    A cloud identity granted a sensitive role to a group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the group.

    Variations

    GCP sensitive role granted to group

    Medium overridden

    A cloud identity granted a sensitive role to a group. overridden

  • GCP sensitive storage role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive storage IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive storage role granted

    Medium overridden

    A cloud identity granted itself a sensitive storage IAM role. overridden

  • GCP service account impersonation attempt Informational Cloud

    An attempt to impersonate the GCP service account failed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)
    Required data: Gcp Audit Log
    Attacker's goals: Escalate privileges to gain elevated access to cloud resources.
    Investigative actions: Review activity on the target service account. Check which principals have permission to impersonate the service account.
  • GCP set IAM policy activity Informational Cloud

    A cloud identity had modified a resource policy bindings.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.
  • Gmail delegation was turned on for the organization Informational Identity Threat Module

    A Google Workspace admin turned on Gmail delegation for all the organization's users.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Domain or Tenant Policy Modification (T1484)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Email Collection.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if any user in the organization granted other users access to their mail inbox. Follow further actions done by the account.
  • Google Marketplace restrictions were modified Informational Identity Threat Module 3 variations

    An identity modified Google Marketplace Restrictions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Domain or Tenant Policy Modification (T1484)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Malicious Apps can be used to access the organization's Google data.
    Investigative actions: Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new settings look suspicious. Follow further actions done by the account.

    Variations

    Google Marketplace restrictions were modified by a suspicious identity

    Low overridden

    An identity modified Google Marketplace Restrictions. overridden

    Google Marketplace restrictions were modified from an unusual ASN

    Low overridden

    An identity modified Google Marketplace Restrictions. overridden

    Google Marketplace restrictions were modified by a non Google Workspace administrative user

    Informational overridden

    An identity modified Google Marketplace Restrictions. overridden

  • Google Workspace third-party application's security settings were changed Informational Identity Threat Module 3 variations

    An identity changed Google Workspace third-party application's security settings.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Domain or Tenant Policy Modification (T1484)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Malicious apps can be used to access the organization's Google data.
    Investigative actions: Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new settings look suspicious. Follow further actions done by the account.

    Variations

    Google Workspace third-party application's security settings were changed by a suspicious identity

    Low overridden

    An identity changed Google Workspace third-party application's security settings. overridden

    Google Workspace third-party application's security settings were changed from an unusual ASN

    Low overridden

    An identity changed Google Workspace third-party application's security settings. overridden

    Google Workspace third-party application's security settings were changed by a non Google Workspace administrative user

    Informational overridden

    An identity changed Google Workspace third-party application's security settings. overridden

  • IAM User added to an IAM group Informational Cloud

    An IAM user was added to an IAM group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add a user to a group to establish persistence or escalate privileges within a cloud account.
    Investigative actions: Identify the identity that executed the API call. Determine which IAM user was added to the group. Evaluate the group's permissions to determine their applicability to the IAM user.
  • IAM inline policy was added to group Informational Cloud

    A cloud identity added an AWS IAM inline policy to an IAM group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM inline policy was added to role Informational Cloud

    A cloud identity added an AWS IAM inline policy to an IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM inline policy was added to user Informational Cloud

    A cloud identity added an AWS IAM inline policy to an IAM user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM instance profile was associated with EC2 instance Informational Cloud

    An AWS IAM instance profile was associated with EC2 instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.
    Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.
  • IAM instance profile was created Informational Cloud

    An AWS IAM instance profile was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.
    Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.
  • IAM instance profile was replaced for EC2 instance Informational Cloud

    An AWS IAM instance profile was replaced for EC2 instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.
    Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.
  • IAM policy default version was changed Informational Cloud

    A cloud identity set the specified version of an AWS IAM policy as the policy's default.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM policy version was created Informational Cloud

    A cloud identity created an AWS-managed IAM policy version.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM policy was attached to group Informational Cloud

    A cloud identity attached an AWS IAM policy to an IAM group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM policy was attached to role Informational Cloud 1 variation

    An AWS IAM policy was attached to this role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.
    Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.

    Variations

    Administrative IAM policy was attached to role

    Informational overridden

    An AWS IAM policy was attached to this role. overridden

  • IAM role trust policy modification Informational Cloud

    A cloud identity updated the trust policy of an AWS IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM role was created Informational Cloud

    An IAM role was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity or role.
  • Image file execution options (IFEO) registry key set Low 3 variations

    Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Event Triggered Execution: Image File Execution Options Injection (T1546.012)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options debuggers.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Look at the debugged process and what it is executing to determine if it is malicious.

    Variations

    Image file execution options (IFEO) registry key set to execute a shell or scripting engine process

    High overridden

    Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. overridden

    Image file execution options (IFEO) registry key set to activate Windows licenses illegally

    Medium overridden

    Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. This is also used by tools that were made to activate Windows licenses illegally. overridden

    Image file execution options (IFEO) registry key set using reg.exe

    High overridden

    Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. overridden

  • Installation of a new System-V service Low 1 variation

    Installation of a new System-V service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Create or Modify System Process: Systemd Service (T1543.002)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may create systemd services to run malicious payloads.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Installation of a new System-V service in a Kubernetes pod

    Low overridden

    Installation of a new System-V service. overridden

  • Interactive at.exe privilege escalation method Low

    Detects an interactive AT scheduled task, which may be used as a form of privilege escalation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)
    ATT&CK techniques: Scheduled Task/Job (T1053) Scheduled Task/Job: At (T1053.002)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: Attackers may attempt to use the command to gain persistence on the endpoint using recurring tasks.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Kubelet server communication from a pod Informational 1 variation

    The Kubelet server was accessed from within a pod, which may indicate an attempt to escape container boundaries or escalate privileges.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Discovery (TA0007)
    ATT&CK techniques: Escape to Host (T1611) Container and Resource Discovery (T1613)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Usage of the Kubelet server to attempt a container breakout or escalate privileges.
    Investigative actions: Examine the process on the pod to understand its purpose.

    Variations

    Kubelet server communication from a pod by a first seen process

    Low overridden

    The Kubelet server was accessed from within a pod, which may indicate an attempt to escape container boundaries or escalate privileges. overridden

  • Kubernetes Pod Created With Sensitive Volume Informational Cloud 3 variations

    An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)
    ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain access to the host's filesystem. Gain root access to the host.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.

    Variations

    Kubernetes Pod Created With Sensitive Volume for the first time in the cluster

    Low overridden

    An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden

    Kubernetes Pod Created With Sensitive Volume for the first time in the namespace

    Low overridden

    An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden

    Kubernetes Pod Created With Sensitive Volume for the first time by the identity

    Low overridden

    An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden

  • Kubernetes Pod Created with host Inter Process Communications (IPC) namespace Informational Cloud 3 variations

    An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)
    ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Access data used by other pods that use the host's IPC namespace.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any files in the /dev/shm shared memory location. Inspect for any IPC facilities being used with /usr/bin/ipcs.

    Variations

    Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time in the cluster

    Low overridden

    An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden

    Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time in the namespace

    Low overridden

    An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden

    Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time by the identity

    Low overridden

    An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden

  • Kubernetes Pod created with host process ID (PID) namespace Informational Cloud 3 variations

    An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)
    ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: View processes on the host. View the environment variables for each pod on the host. View the file descriptors for each pod on the host. Kill processes on the node.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.

    Variations

    Kubernetes Pod created with host process ID (PID) namespace for the first time in the cluster

    Low overridden

    An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden

    Kubernetes Pod created with host process ID (PID) namespace for the first time in the namespace

    Low overridden

    An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden

    Kubernetes Pod created with host process ID (PID) namespace for the first time by the identity

    Low overridden

    An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden

  • Kubernetes Privileged Pod Creation Informational Cloud 3 variations

    An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)
    ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain access to the host's filesystem. Gain root access to the host.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.

    Variations

    Kubernetes Privileged Pod Creation for the first time in the cluster

    Low overridden

    An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden

    Kubernetes Privileged Pod Creation for the first time in the namespace

    Low overridden

    An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden

    Kubernetes Privileged Pod Creation for the first time by the identity

    Low overridden

    An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden

  • Kubernetes nsenter container escape Informational 2 variations

    The nsenter command was used to execute a process in the context of the initialization process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Escape to Host (T1611)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may break out of a container to run commands on the host.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Kubernetes nsenter container escape from a new Pod

    Medium overridden

    The nsenter command was used to execute a process in the context of the initialization process. overridden

    Kubernetes nsenter container escape from a Pod

    Low overridden

    The nsenter command was used to execute a process in the context of the initialization process. overridden

  • Kubernetes pod creation with host network Informational Cloud 3 variations

    An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)
    ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Access services bound to localhost. Sniff traffic on any interface on the host. Bypass network policy.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any unusual access to localhost services. Inspect for any network sniffing tool being used inside the Kubernetes Pod.

    Variations

    Kubernetes pod creation with host network for the first time in the cluster

    Low overridden

    An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden

    Kubernetes pod creation with host network for the first time in the namespace

    Low overridden

    An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden

    Kubernetes pod creation with host network for the first time by the identity

    Low overridden

    An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden

  • LOLBIN process executed with a high integrity level Low 1 variation

    A process spawned a suspicious LOLBIN process with a higher/system integrity level.The LOLBIN process spawned with an uncommon command line. This may be an indication of malicious code execution to gain privileges.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: XDR Agent
    Attacker's goals: An attacker may attempt to gain higher privileges.
    Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it.Investigate the endpoint to determine if it's a legitimate process that is supposed to run with privileges.

    Variations

    LOLBIN process executed with a high integrity level by a web server process or CGO

    Medium overridden

    A process spawned a suspicious LOLBIN process with a higher/system integrity level by a web server process or CGO.The LOLBIN process spawned with an uncommon command line. This may be an indication of malicious code execution to gain privileges. overridden

  • Machine account was added to a domain admins group Medium Identity Analytics

    A machine account was added to a domain admins group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Privilege escalation using a valid account.
    Investigative actions: Check the user who added the account to the group and verify its activity.
  • Member added to a Windows local security group Informational Identity Analytics 2 variations

    A member was added to a Windows local security group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Privilege escalation using a valid account.
    Investigative actions: Check the user who added the account to the group and verify its activity.

    Variations

    User added to the Windows local Administrator group

    Low overridden

    A member was added to a Windows local security group. overridden

    Member added to the Windows local Administrator group

    Informational overridden

    A member was added to a Windows local security group. overridden

  • Microsoft Configuration Manager device registration and policy request Informational Identity Analytics 1 variation

    A user registered a device and requested a Microsoft Configuration Manager policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002) Unsecured Credentials (T1552)
    Required data: XDR Agent
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: An attacker aims to extract plaintext credentials of the Network Access Account (NAA) from an SCCM environment, enabling unauthorized access to resources and lateral movement within the network.
    Investigative actions: Verify the activity with the performing user. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Look for unusual logins using the Network Access Account (NAA), on systems or at times that deviate from normal patterns. Looking for signs of credential extraction, such as tools or scripts.

    Variations

    Suspicious Microsoft Configuration Manager device registration and policy request

    Low overridden

    A suspicious process registered a new device and requested policies from Microsoft Configuration Manager, triggering a suspicious activity alert due to unusual characteristics. overridden

  • Mount command was executed from within a Kubernetes pod to list all the attached filesystems Low 1 variation

    The mount command was executed inside a Kubernetes pod to list all the attached filesystems, which may serve as a precursor to container escape and host filesystem access.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Escape to Host (T1611)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Access to the host filesystem.
    Investigative actions: Look for additional suspicious activities. Verify if there was an attempt to access the host system.

    Variations

    Unusual mount command was executed from within a Kubernetes pod to list all the attached filesystems

    Medium overridden

    The mount command was executed inside a Kubernetes pod to list all the attached filesystems, which may serve as a precursor to container escape and host filesystem access. overridden

  • Multiple failed AWS assume role attempts Informational Cloud 1 variation

    An AWS identity performed an unusual high number of failed assume role attempts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Account Discovery: Cloud Account (T1087.004)
    Required data: AWS Audit Log
    Attacker's goals: Identify accessible roles and move laterally or escalate privileges within a cloud environment.
    Investigative actions: Check if the attempting identity is aware of this activity and if its recent behavior appears suspicious. Evaluate if the source IP address or user agent associated with these attempts is known or suspicious. Verify if any successful assume role operations occurred from the same identity around the same time. Review any additional activity from the specific roles the identity assumed.

    Variations

    Suspicious multiple failed AWS assume role attempts

    Medium overridden

    An AWS identity performed an unusual high number of failed assume role attempts. overridden

  • Okta API Token Created Informational Identity Threat Module 1 variation

    A user created a new API token in Okta.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Access Token Manipulation: Make and Impersonate Token (T1134.003) Command and Scripting Interpreter: Cloud API (T1059.009) Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker's goal is to gain unauthorized access, compromise user accounts, and perform malicious actions within an organization's systems, potentially leading to data breaches, account takeovers, and the escalation of privileges.
    Investigative actions: Review the actions taken by the user that created the token. Follow the operations made using this API token by the ID token. Contact the user who created the API token and ensure that the API token is needed.

    Variations

    An Okta API token was generated with suspicious characteristics

    Low overridden

    A user created a new API token in Okta with suspicious conditions. overridden

  • Okta admin privilege assignment Informational Identity Threat Module 1 variation

    A user assigned admin privileges to a new user or group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker is attempting to gain access to sensitive information or systems, while privilege escalation involves their attempt to increase control and access within the system or network.
    Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Analyze the actions carried out by the user responsible for granting permission.

    Variations

    Abnormal Okta admin privilege assignment with suspicious characteristics

    Low overridden

    A suspicious user assignment of admin privileges to a new user or group. overridden

  • Owner was added to Azure application Informational Cloud

    An Owner was added to an Azure application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Gain administrative control and manipulate the application's permissions and settings.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • PKINIT TGT authentication request Informational Identity Analytics 2 variations

    A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Privilege Escalation (TA0004)
    ATT&CK techniques: Use Alternate Authentication Material (T1550) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Gain unauthorized access to high-privilege accounts by abusing certificate-based authentication mechanisms.
    Investigative actions: Verify if Windows Hello for Business (WHfB) is deployed and actively used in the environment, as it may explain the PKINIT activity. Inspect the Key Credentials attribute of the target account for recent modifications. Review associated service tickets or lateral movement activities tied to the target account. Investigate unusual certificate issuance or PKI activities.

    Variations

    Suspicious PKINIT TGT authentication request

    Medium overridden

    A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse. overridden

    Abnormal PKINIT TGT authentication request

    Low overridden

    A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse. overridden

  • Possible DLL Hijack into a Microsoft process Informational 6 variations

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.
    Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.

    Variations

    Possible DLL Hijack of a low entropy DLL into a Microsoft process

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

    Possible DLL Side-Loading into a Microsoft process from a suspicious folder

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

    DLL Hijack into a Microsoft process

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

    Possible DLL Hijack into a Microsoft development or framework related process

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

    Possible DLL Hijack into a Microsoft process - the DLL was extracted from an internet-downloaded archive

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

    Possible DLL Hijack into a Microsoft process - the DLL downloaded from an uncommon source

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

  • Possible DLL Search Order Hijacking Low 3 variations

    An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001) Hijack Execution Flow: Path Interception by PATH Environment Variable (T1574.007) Hijack Execution Flow: Path Interception by Unquoted Path (T1574.009) Hijack Execution Flow: Path Interception by Search Order Hijacking (T1574.008)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.
    Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.

    Variations

    Possible DLL Search Order Hijacking by DLL Substitution

    Low overridden

    An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden

    Possible DLL Search Order Hijacking - DLL extracted from an internet-downloaded archive

    Low overridden

    An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden

    Possible DLL Search Order Hijacking - DLL downloaded from an uncommon source

    Low overridden

    An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden

  • Possible Kerberos relay attack Low

    A suspicious local network login was observed, which might indicate on Kerberos relay attack. This attack can lead to privilege escalation by obtaining system privileges on the target.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: Windows Event Collector XDR Agent
    Attacker's goals: An attacker is attempting to elevate its privileges on the machine.
    Investigative actions: Check for any other suspicious activity related to the host involved in the alert. Look for a new machine that was added to the domain.
  • Possible Privilege Escalation using Delegated MSA account Informational Identity Analytics 1 variation

    An attacker might abuse dMSA account to escalate its privileges.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers may leverage dMSA account migration process to escalate privileges.
    Investigative actions: Confirm that the user is authorized to create and modify dMSA accounts in the domain. Verify the user should have permissions on the OU under which the dMSA account was created. Validate that the dMSA account should be created under the OU that appeared in the log (use the GUID). Verify that the user superseded an account, with the dMSA account, that should have superseded. Check the GUID of the dMSA object to get the account itself (can be viewed also in computer account creation event). Check what is the superseded account in the attribute 'msDS-ManagedAccountPrecededByLink' of the dMSA object. Investigate the host that initiated the dMSA account migration process for malicious activity.

    Variations

    Possible Privilege Escalation using Delegated MSA account attempt

    Medium overridden

    An attacker might abuse dMSA account to escalate its privileges. overridden

  • Privileged certificate request via certificate template Informational Identity Analytics 2 variations

    A privileged certificate was requested via certificate template.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker may attempt to exploit the Active Directory Certificate Services to escalate privileges to a domain controller or privileged account.
    Investigative actions: Check if this is a legitimate certificate request. Check if the certificate issued was used to request a Kerberos ticket. Investigate actions done with the issued certificate and its owner. Check for possible NTLM relay alerts.

    Variations

    Suspicious privileged certificate request denied via certificate template

    Medium overridden

    A suspicious privileged certificate request was denied via certificate template. overridden

    Suspicious privileged certificate request via certificate template

    Low overridden

    A suspicious privileged certificate was requested via certificate template. overridden

  • Privileged role used by Azure application Informational Cloud 1 variation

    An Azure application with high-level API permissions invoked a request to the Microsoft Graph API.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Leverage high-level permissions to gain persistence and access to sensitive information.
    Investigative actions: Check the application's role designation in the organization. Look for any unusual behavior originated from the suspected application.

    Variations

    First-time privileged role is used by Azure application

    Low overridden

    An Azure application with high-level API permissions invoked a request to the Microsoft Graph API. overridden

  • PsExec was executed with a suspicious command line Informational 4 variations

    PsExec.exe was executed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)
    ATT&CK techniques: System Services: Service Execution (T1569.002) Valid Accounts (T1078)
    Required data: XDR Agent
    Attacker's goals: An adversary may attempt to use PsExec to gain execution capabilities, run remote commands or perform privilege escalation.
    Investigative actions: Check if any other suspicious activities happened under the same causality. Confirm the PsExec.exe command is benign.

    Variations

    PsExec was executed with a suspicious command line by a LOLBIN

    Low overridden

    PsExec.exe was executed with NT/System privilege level by a LOLBIN. overridden

    PsExec was executed with a suspicious command line by an unsigned actor

    Medium overridden

    PsExec.exe was executed with NT/System privilege level by an unsigned actor. overridden

    PsExec was executed with a suspicious command line

    Low overridden

    PsExec.exe was executed with NT/System privilege level. overridden

    PsExec was executed with a suspicious command line

    Low overridden

    PsExec.exe was executed with plain-text credentials. overridden

  • SPNs cleared from a machine account Low Identity Analytics 1 variation

    Service principal names were cleared from a machine account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Follow actions performed by the user. Look for associated sAMAccountName rename events.

    Variations

    SPNs cleared from a machine account for the first time

    Medium overridden

    Service principal names were cleared from a machine account. overridden