Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

9 alerts match the current filters. tactic: TA0005 ✕ technique: T1548 ✕

Show ATT&CK heatmap
  • Azure AD PIM role settings change Low Identity Threat Module 1 variation

    An identity changed the PIM role settings.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548) Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker can modify the PIM role settings to make it easier to acquire a privileged account.
    Investigative actions: Check what role settings have been updated. Check whether the user changing the settings is permitted to perform such actions.

    Variations

    Suspicious Azure AD PIM role settings change

    Medium overridden

    An identity modified the PIM role settings to a less secure configuration for a privileged role. overridden

  • BitLocker key retrieval Informational Identity Threat Module

    An identity retrieved a BitLocker Key.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: AzureAD Audit Log
    Attacker's goals: BitLocker keys are used for mitigating unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive. An attacker that retrieves this key, can potentially access the data that should be encrypted.
    Investigative actions: Check what key was retrieved. Check for a possible compromised device. Check whether the user is permitted to perform such actions.
  • Change of sudo caching configuration Low 1 variation

    Change of sudo caching configuration may have been intended to enable privilege escalation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism: Sudo and Sudo Caching (T1548.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may use the sudoers file to elevate privileges.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Change of sudo caching configuration in a Kubernetes pod

    Low overridden

    Change of sudo caching configuration may have been intended to enable privilege escalation. overridden

  • Conditional Access policy removed Low Identity Threat Module

    An identity removed a Conditional Access policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion. Without a Conditional Access policy, an attacker would be able to access the tenant without possible blockage for later access.
    Investigative actions: Check implications of the policy being removed. Check whether the user changing the configuration is permitted to perform such actions.
  • Device Registration Policy modification Informational Identity Threat Module 1 variation

    An identity changed the Device Registration policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion. With a modified Device Registration policy, an attacker might be able to access the tenant without possible blockage for later access.
    Investigative actions: Check what policy has been changed. Check whether the user changing the configuration is permitted to perform such actions.

    Variations

    A user modified the Device Registration Policy for the first time

    Low overridden

    An identity changed the Device Registration policy. overridden

  • Setuid and Setgid file bit manipulation Low 1 variation

    The setuid or setgid bits were set on a file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Abuse Elevation Control Mechanism: Setuid and Setgid (T1548.001)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may try to run the executable application as a different user.
    Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.

    Variations

    Setuid and Setgid file bit manipulation in a Kubernetes pod

    Low overridden

    The setuid or setgid bits were set on a file. overridden

  • Tampering with the Windows User Account Controls (UAC) configuration Informational 3 variations

    EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain higher privileges by bypassing the User Account Control (UAC).
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Tampering with the Windows User Account Controls (UAC) configuration by a remote host

    Medium overridden

    EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA). overridden

    Tampering with the Windows User Account Controls (UAC) configuration

    Low overridden

    EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA). overridden

    Tampering with the Windows User Account Controls (UAC) configuration

    Low overridden

    EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA). overridden

  • Unusual Conditional Access operation for an identity Informational Identity Threat Module 1 variation

    An identity attempted to add or update an Azure AD Conditional Access policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion. With a modified Conditional Access policy, an attacker might be able to access the tenant without possible blockage for later access.
    Investigative actions: Check implications of the updated policy. Check whether the user changing the configuration is permitted to perform such actions.

    Variations

    Suspicious Conditional Access operation for an identity

    Low overridden

    An identity that doesn't usually modify Azure AD Conditional Access policies successfully modified a policy. overridden

  • Unusual cloud identity impersonation Informational Cloud 3 variations

    A cloud identity attempted to impersonate another identity for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Escalate privileges and bypass access controls Avoid detection throughout their compromise.
    Investigative actions: Check the identity's designation. Verify that the identity did not perform any sensitive operation on behalf of the impersonated identity.

    Variations

    Unusual cloud identity impersonation of a management role

    Informational overridden

    A cloud identity attempted to impersonate a management role for the first time. overridden

    Suspicious cloud identity impersonation was succeeded

    Medium overridden

    A cloud identity has impersonated another identity for the first time. overridden

    Suspicious cloud identity impersonation was failed

    Informational overridden

    A cloud identity has failed to impersonate another identity. overridden