Analytics Alerts
Browse the Cortex analytics alert reference.
2 alerts match the current filters. tactic: TA0005 ✕ technique: T1207 ✕
Show ATT&CK heatmapPossible DCSync from a non domain controller Low 5 variations
Attackers may pose a compromised host as a DC to replicate data to it (DCSync).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005)ATT&CK techniques: OS Credential Dumping: DCSync (T1003.006) Rogue Domain Controller (T1207)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Impacket AnalyticsAttacker's goals: An attacker is trying to retrieve Active Directory data, including password hashes.Investigative actions: Check whether one of the machines is a new domain controller.Variations
DCSync from a non domain controller from a non-standard process
High overridden
Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden
Large DCSync from a non domain controller by AppID
Medium overridden
Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden
Large DCSync from a non domain controller
Medium overridden
Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden
Possible DCSync from an internet-facing server
Medium overridden
Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden
DCSync from a non domain controller
Low overridden
Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden
Potential DCSync by an unusual user Informational Identity Analytics 1 variation
Attackers may leverage the domain replication process to extract sensitive information (DCSync).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping: DCSync (T1003.006) Rogue Domain Controller (T1207)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker is trying to retrieve Active Directory data, including password hashes.Investigative actions: Check the role of the account, and see if it should initiate a DC synchronization. Check if the account performing the DCSync is related to a new DC. Find the source host of the DCSync (correlate between event 4662 and 4624 based on the field 'Logon ID'). Check if the account was recently added to an administrative groups/had new sensitive privileges assigned to it. Monitor suspicious traffic to/from the host to identify lateral movement or access to sensitive resources.Variations
Possible DCSync by an unusual user
Low overridden
Attackers may leverage the domain replication process to extract sensitive information (DCSync). overridden