Analytics Alerts
Browse the Cortex analytics alert reference.
2 alerts match the current filters. tactic: TA0004 ✕ technique: T1068 ✕
Show ATT&CK heatmapSudoedit Brute force attempt Medium
An unusual amount of sudoedit commands executed in a short period of time. This may indicate an attempt to exploit CVE-2021-3156.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Exploitation for Privilege Escalation (T1068)Required data: XDR AgentAttacker's goals: The attacker may gain higher privileges via exploitation of sudoedit.Investigative actions: Verify that the current version of sudo in not vulnerable to CVE-2021-3156.Windows Installer exploitation for local privilege escalation Medium
The Windows installer (msiexec.exe) was likely exploited to run a malicious rollback script (.rbs file) instead of the original.Users should not be able to modify config.msi during the installation process, only SYSTEM should have access to it.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Exploitation for Privilege Escalation (T1068)Required data: XDR AgentAttacker's goals: An attacker is attempting to gain SYSTEM privileges.Investigative actions: Investigate the actor process SID and path and whether it's benign or normal for this host. This action is not common, but allowed on Windows versions older than Windows 8. On those systems, check the file reputation for both the CGO and OS actor executables that ran the installation.