Analytics Alerts
Browse the Cortex analytics alert reference.
53 alerts match the current filters. tactic: TA0004 ✕ technique: T1098 ✕
Show ATT&CK heatmapA Kubernetes cluster role binding was created or deleted Informational Cloud
A Kubernetes cluster role binding was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Container Cluster Roles (T1098.006)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Escalate privileges to gain access to restricted resources in the Kubernetes cluster.Investigative actions: Check which changes were made to the Kubernetes cluster role binding.A Kubernetes role binding was created or deleted Informational Cloud
A Kubernetes role binding was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Container Cluster Roles (T1098.006)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Obtain Kubernetes secrets to access restricted information.Investigative actions: Check which changes were made to the Kubernetes secret.A cloud identity had escalated its permissions Informational Cloud 4 variations
A cloud identity had updated its permissions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation (T1098)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Escalate privileges.Investigative actions: Verify which permissions were granted to the identity.Variations
A cloud identity with high administrative activity had escalated its permissions
Informational overridden
A cloud identity with high administrative activity had updated its permissions. overridden
A cloud compute service had escalated its permissions
Medium overridden
A cloud compute service had updated its permissions. overridden
A cloud non-human identity had escalated its permissions
Low overridden
A cloud non-human identity had updated its permissions. overridden
A cloud identity escalated its permissions to a high privilege role/policy
Low overridden
A cloud identity escalated its permissions by adding itself to a high privileged policy/role/group. overridden
A computer account was promoted to DC Low Identity Analytics
A computer account was promoted to a domain controller via a User Account Control (UAC) change.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may attempt to gain domain administrator privileges.Investigative actions: Verify if the domain controller promotion is expected. Check if the computer account is a new account. Confirm this action with the user who performed the change. Follow actions by the account and if it performed a DCSync.A user accessed Okta's admin application Informational Identity Threat Module 1 variation
An attempt to access Okta's admin management application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Domain or Tenant Policy Modification (T1484) Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: Adversaries are attempting to infiltrate Okta's administrative application, a breach that could lead to the manipulation of authentication procedures, creation of persistent user accounts, and various activities aiding in the compromise of additional assets.Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).Variations
Suspicious Okta Admin App Access Attempt
Low overridden
A user attempted to access the Okta Admin Application in a suspicious way. overridden
A user certificate was issued with a mismatch Informational Identity Analytics 1 variation
A certificate was issued to a user who was not the requester, this may indicate a certificate manipulation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Attackers may try to obtain certificates for privileged accounts or systems they do not normally have access to, to gain elevated access and move laterally within the network.Investigative actions: Verify the activity with the performing user. Identify if the requester is a user or system that normally requests certificates on behalf of other entities (e.g., a Mobile Device Management system). Search for further indicators of potential compromise, including atypical login behaviors, unauthorized attempts at privilege escalation, or lateral movements within the network attributed to the requester. Examine whether the mismatch between the requester and the subject is consistent with known and anticipated practices, or if it represents an unusual deviation. Check for possible certificate authentications with the subject user.Variations
Suspicious certificate issuance with a mismatch
Low overridden
A user certificate was issued with a mismatch. This requester doesn't usually ask for a certificates on behalf of another subject. This may indicate a certificate manipulation. overridden
A user logged on to multiple workstations via Schannel Informational Identity Analytics 2 variations
A user logged on to multiple workstations with a certificate via Schannel. This may be indicative of a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)Required data: XDR AgentDetector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Elevate permissions and establish persistence.Investigative actions: Verify the activity with the performing user. Check for possible certificate authentications with the subject user. Check if the user logged in to other endpoints via Schannel.Variations
Rare user authentication with a certificate via Schannel
Low overridden
A rare user authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden
Abnormal authentication with a certificate via Schannel
Informational overridden
An abnormal authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden
A user was added to a Windows security group Informational Identity Analytics 4 variations
A user was added to a Windows security group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Privilege escalation using a valid account.Investigative actions: Check the user who added the account to the group and verify its activity.Variations
User added a member to a Windows privileged group for the first time
Medium overridden
A user was added to a Windows security privileged group. overridden
User added to a Windows privileged group
Low overridden
A user was added to a Windows security privileged group. overridden
User removed from a Windows privileged group
Informational overridden
A user was removed from a Windows security privileged group. overridden
A user was removed from a Windows security group
Informational overridden
A user was removed from a Windows security group. overridden
AWS support case creation Informational Cloud
A cloud identity has created a new case in AWS support.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007) Privilege Escalation (TA0004)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Account Manipulation (T1098)Required data: AWS Audit LogAttacker's goals: Obtaining a list of resources that could be targeted for lateral movement or convincing AWS's support to perform actions on their behalf.Investigative actions: Investigate any unusual activity originating from the suspected identity. View the contents of the newly created case {case_id} .An identity attached an administrative policy to an IAM user or role Informational Cloud 3 variations
An identity attached an administrative policy to an IAM user or role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Escalate privileges in cloud environments.Investigative actions: Confirm whether this activity was intentional. Check for other API calls that were executed by the identity. Look for any suspicious behavior from the IAM user or role to whom the administrative policy was attached.Variations
An identity attached an administrative policy to itself
Medium overridden
An identity attached an administrative policy to an IAM user or role. overridden
An identity failed to attach an administrative policy to an IAM user or role
Medium overridden
An identity attached an administrative policy to an IAM user or role. overridden
A suspicious identity attached an administrative policy to an IAM user/role
Low overridden
An identity attached an administrative policy to an IAM user or role. overridden
An identity created or updated password for an IAM user Informational Cloud 1 variation
An identity created or updated an AWS console password for an IAM user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: AWS Audit LogAttacker's goals: Escalate privileges, maintain persistence in cloud environments.Investigative actions: Verify whether the identity should be making this action. Examine what additional API calls were made by the identity.Variations
A suspicious identity created or updated password for an IAM user
Low overridden
An identity created or updated an AWS console password for an IAM user. overridden
Azure domain federation settings modification attempt Low Identity Threat Module 1 variation
A user or application attempted to modify the federation settings of the domain.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Domain or Tenant Policy Modification (T1484)Required data: AzureAD Audit LogAttacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion.Investigative actions: Check what configuration has been changed. Check whether the user changing the configuration is permitted.Variations
A successful Azure domain federation settings modification
Medium overridden
A user or application successfully modified the federation settings of the domain. overridden
Credentials were added to Azure application Informational Cloud
Credentials were added to an Azure application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: An attacker can establish a backdoor in the application by adding additional credentials to it, such as secrets or certificates.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.External user invitation to Azure tenant Informational Cloud
An external user was invited to Azure tenant.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Gain unauthorized access to the tenant.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.GCP administrative role granted to a cloud identity Informational Cloud
A cloud identity granted an administrative IAM role to another identity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.GCP sensitive Cloud Run role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive Cloud Run IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within the cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive Cloud Run role granted
Medium overridden
A cloud identity granted itself a sensitive Cloud Run IAM role. overridden
GCP sensitive Deployment Manager role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive Deployment Manager IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within the cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive Deployment Manager role granted
Medium overridden
A cloud identity granted itself a sensitive Deployment Manager IAM role. overridden
GCP sensitive Functions role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive Functions IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive Functions role granted
Medium overridden
A cloud identity granted itself a sensitive Functions IAM role. overridden
GCP sensitive IAM role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive IAM role granted
Medium overridden
A cloud identity granted itself a sensitive IAM role. overridden
GCP sensitive Secret Manager role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive Secret Manager IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive Secret Manager role granted
Medium overridden
A cloud identity granted itself a sensitive Secret Manager IAM role. overridden
GCP sensitive compute role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive compute IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive compute role granted
Medium overridden
A cloud identity granted itself a sensitive compute IAM role. overridden
GCP sensitive role granted to group Low Cloud 1 variation
A cloud identity granted a sensitive role to a group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the group.Variations
GCP sensitive role granted to group
Medium overridden
A cloud identity granted a sensitive role to a group. overridden
GCP sensitive storage role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive storage IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive storage role granted
Medium overridden
A cloud identity granted itself a sensitive storage IAM role. overridden
GCP set IAM policy activity Informational Cloud
A cloud identity had modified a resource policy bindings.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.IAM User added to an IAM group Informational Cloud
An IAM user was added to an IAM group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add a user to a group to establish persistence or escalate privileges within a cloud account.Investigative actions: Identify the identity that executed the API call. Determine which IAM user was added to the group. Evaluate the group's permissions to determine their applicability to the IAM user.IAM inline policy was added to group Informational Cloud
A cloud identity added an AWS IAM inline policy to an IAM group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM inline policy was added to role Informational Cloud
A cloud identity added an AWS IAM inline policy to an IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM inline policy was added to user Informational Cloud
A cloud identity added an AWS IAM inline policy to an IAM user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM instance profile was associated with EC2 instance Informational Cloud
An AWS IAM instance profile was associated with EC2 instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.IAM instance profile was created Informational Cloud
An AWS IAM instance profile was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.IAM instance profile was replaced for EC2 instance Informational Cloud
An AWS IAM instance profile was replaced for EC2 instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.IAM policy default version was changed Informational Cloud
A cloud identity set the specified version of an AWS IAM policy as the policy's default.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM policy version was created Informational Cloud
A cloud identity created an AWS-managed IAM policy version.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM policy was attached to group Informational Cloud
A cloud identity attached an AWS IAM policy to an IAM group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM policy was attached to role Informational Cloud 1 variation
An AWS IAM policy was attached to this role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.Variations
Administrative IAM policy was attached to role
Informational overridden
An AWS IAM policy was attached to this role. overridden
IAM role trust policy modification Informational Cloud
A cloud identity updated the trust policy of an AWS IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM role was created Informational Cloud
An IAM role was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity or role.Member added to a Windows local security group Informational Identity Analytics 2 variations
A member was added to a Windows local security group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Privilege escalation using a valid account.Investigative actions: Check the user who added the account to the group and verify its activity.Variations
User added to the Windows local Administrator group
Low overridden
A member was added to a Windows local security group. overridden
Member added to the Windows local Administrator group
Informational overridden
A member was added to a Windows local security group. overridden
Okta API Token Created Informational Identity Threat Module 1 variation
A user created a new API token in Okta.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002) Persistence (TA0003)ATT&CK techniques: Access Token Manipulation: Make and Impersonate Token (T1134.003) Command and Scripting Interpreter: Cloud API (T1059.009) Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker's goal is to gain unauthorized access, compromise user accounts, and perform malicious actions within an organization's systems, potentially leading to data breaches, account takeovers, and the escalation of privileges.Investigative actions: Review the actions taken by the user that created the token. Follow the operations made using this API token by the ID token. Contact the user who created the API token and ensure that the API token is needed.Variations
An Okta API token was generated with suspicious characteristics
Low overridden
A user created a new API token in Okta with suspicious conditions. overridden
Okta admin privilege assignment Informational Identity Threat Module 1 variation
A user assigned admin privileges to a new user or group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker is attempting to gain access to sensitive information or systems, while privilege escalation involves their attempt to increase control and access within the system or network.Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Analyze the actions carried out by the user responsible for granting permission.Variations
Abnormal Okta admin privilege assignment with suspicious characteristics
Low overridden
A suspicious user assignment of admin privileges to a new user or group. overridden
Owner was added to Azure application Informational Cloud
An Owner was added to an Azure application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Gain administrative control and manipulate the application's permissions and settings.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Possible Privilege Escalation using Delegated MSA account Informational Identity Analytics 1 variation
An attacker might abuse dMSA account to escalate its privileges.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers may leverage dMSA account migration process to escalate privileges.Investigative actions: Confirm that the user is authorized to create and modify dMSA accounts in the domain. Verify the user should have permissions on the OU under which the dMSA account was created. Validate that the dMSA account should be created under the OU that appeared in the log (use the GUID). Verify that the user superseded an account, with the dMSA account, that should have superseded. Check the GUID of the dMSA object to get the account itself (can be viewed also in computer account creation event). Check what is the superseded account in the attribute 'msDS-ManagedAccountPrecededByLink' of the dMSA object. Investigate the host that initiated the dMSA account migration process for malicious activity.Variations
Possible Privilege Escalation using Delegated MSA account attempt
Medium overridden
An attacker might abuse dMSA account to escalate its privileges. overridden
Privileged role used by Azure application Informational Cloud 1 variation
An Azure application with high-level API permissions invoked a request to the Microsoft Graph API.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Leverage high-level permissions to gain persistence and access to sensitive information.Investigative actions: Check the application's role designation in the organization. Look for any unusual behavior originated from the suspected application.Variations
First-time privileged role is used by Azure application
Low overridden
An Azure application with high-level API permissions invoked a request to the Microsoft Graph API. overridden
SPNs cleared from a machine account Low Identity Analytics 1 variation
Service principal names were cleared from a machine account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Follow actions performed by the user. Look for associated sAMAccountName rename events.Variations
SPNs cleared from a machine account for the first time
Medium overridden
Service principal names were cleared from a machine account. overridden
Service ticket request with a spoofed sAMAccountName Medium Identity Analytics
A Kerberos service ticket (ST) was requested for an account with a spoofed sAMAccountName.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Follow actions by the account and if it performed a DCSync.Suspicious account attribute modification that matches that of another account Low Identity Analytics 1 variation
Suspicious account attribute modification that matches that of another account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts: Domain Accounts (T1078.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker might modify account attributes to elevate privileges and get access to strong accounts in the domain.Investigative actions: Check if any associated certificates were granted. Check if any login attempts were made by the impersonated accounts using certificates. Check if any Kerberos TGT tickets were generated by the impersonated accounts using certificates.Variations
Suspicious account attribute modification that matches that of a sensitive machine account
Medium overridden
Suspicious account attribute modification that matches that of another account. overridden
Suspicious dNSHostName attribute change to DC name Medium Identity Analytics
The dNSHostName attribute of a machine account was changed to a Domain Controller server name.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts: Domain Accounts (T1078.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Check if any associated TGTs or service tickets were granted. Follow actions by the account and if it performed a DCSync.Suspicious sAMAccountName change Low Identity Analytics 1 variation
The name of a machine account was changed to a sAMAccountName with a missing trailing dollar sign.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Check if any associated TGTs or service tickets were granted. Follow actions by the account and if it performed a DCSync.Variations
Suspicious sAMAccountName change to DC hostname
Medium overridden
The name of a machine account was changed to a sAMAccountName with a missing trailing dollar sign. overridden
TGT request with a spoofed sAMAccountName - Event log Medium Identity Analytics
A Kerberos authentication ticket (TGT) was requested for an account with a spoofed sAMAccountName.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Check if any associated service tickets were granted. Follow actions by the account and if it performed a DCSync.TGT request with a spoofed sAMAccountName - Network Medium Identity Analytics
A Kerberos authentication ticket (TGT) was requested for an account with a spoofed sAMAccountName.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: XDR AgentAttacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Check if any associated service tickets were granted. Follow actions by the account and if it performed a DCSync.Unusual Identity and Access Management (IAM) activity Informational Cloud 2 variations
A cloud identity performed an unusual IAM operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Manipulate IAM configuration to strengthen the foothold in the cloud environment of the organization, by creating new accounts, modifying credentials, and permissions.Using the modified accounts, the attacker may perform additional activities in an evasive manner.Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive IAM operation that it shouldn't.Variations
Unusual Identity and Access Management (IAM) activity executed from a cloud Internet facing instance
Medium overridden
A cloud Internet facing instance performed an unusual IAM operation. overridden
Unusual Identity and Access Management (IAM) activity
Low overridden
A cloud non-user identity performed an unusual IAM operation. overridden
User added to a group and removed Informational Identity Analytics 2 variations
A user was added to an Active Directory group and removed within a short period of time, which may be a sign of compromise.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate permissions and establish persistence.Investigative actions: Verify the activity with the performing user. Confirm that the group addition was not accidental. Check for any suspicious actions performed by the added user. Check for a possible compromise of the initiating user.Variations
Rare privileged group addition and removal
Medium overridden
A user was added to an Active Directory privileged group and removed within a short period of time, which may be a sign of compromise. overridden
User added to a privileged group and removed
Low overridden
A user was added to an Active Directory privileged group and removed within a short period of time, which may be a sign of compromise. overridden
User added to the SMS Admins local group Low Identity Analytics 1 variation
A user was added to the SMS Admins local group. This may indicate a potential attack targeting the Microsoft Configuration Manager infrastructure.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft SCCM AnalyticsAttacker's goals: Gain administrative control over Microsoft Configuration Manager to facilitate lateral movement, deploy malicious payloads, or exfiltrate data.Investigative actions: Verify the activity with the performing user. Confirm that the group addition was not accidental. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Investigate the user's activity before and after the addition to determine if any unauthorized actions or privilege escalation attempts occurred.Variations
User added to the SMS Admins group and removed
Medium overridden
A user was added to the SMS Admins group and removed within a short period of time, which may be a sign of compromise. overridden