Analytics Alerts
Browse the Cortex analytics alert reference.
9 alerts match the current filters. tactic: TA0005 ✕ technique: T1548 ✕
Show ATT&CK heatmapAzure AD PIM role settings change Low Identity Threat Module 1 variation
An identity changed the PIM role settings.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548) Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: An attacker can modify the PIM role settings to make it easier to acquire a privileged account.Investigative actions: Check what role settings have been updated. Check whether the user changing the settings is permitted to perform such actions.Variations
Suspicious Azure AD PIM role settings change
Medium overridden
An identity modified the PIM role settings to a less secure configuration for a privileged role. overridden
BitLocker key retrieval Informational Identity Threat Module
An identity retrieved a BitLocker Key.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: AzureAD Audit LogAttacker's goals: BitLocker keys are used for mitigating unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive. An attacker that retrieves this key, can potentially access the data that should be encrypted.Investigative actions: Check what key was retrieved. Check for a possible compromised device. Check whether the user is permitted to perform such actions.Change of sudo caching configuration Low 1 variation
Change of sudo caching configuration may have been intended to enable privilege escalation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism: Sudo and Sudo Caching (T1548.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may use the sudoers file to elevate privileges.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Change of sudo caching configuration in a Kubernetes pod
Low overridden
Change of sudo caching configuration may have been intended to enable privilege escalation. overridden
Conditional Access policy removed Low Identity Threat Module
An identity removed a Conditional Access policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: AzureAD Audit LogAttacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion. Without a Conditional Access policy, an attacker would be able to access the tenant without possible blockage for later access.Investigative actions: Check implications of the policy being removed. Check whether the user changing the configuration is permitted to perform such actions.Device Registration Policy modification Informational Identity Threat Module 1 variation
An identity changed the Device Registration policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: AzureAD Audit LogAttacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion. With a modified Device Registration policy, an attacker might be able to access the tenant without possible blockage for later access.Investigative actions: Check what policy has been changed. Check whether the user changing the configuration is permitted to perform such actions.Variations
A user modified the Device Registration Policy for the first time
Low overridden
An identity changed the Device Registration policy. overridden
Setuid and Setgid file bit manipulation Low 1 variation
The setuid or setgid bits were set on a file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Abuse Elevation Control Mechanism: Setuid and Setgid (T1548.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may try to run the executable application as a different user.Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.Variations
Setuid and Setgid file bit manipulation in a Kubernetes pod
Low overridden
The setuid or setgid bits were set on a file. overridden
Tampering with the Windows User Account Controls (UAC) configuration Informational 3 variations
EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain higher privileges by bypassing the User Account Control (UAC).Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Tampering with the Windows User Account Controls (UAC) configuration by a remote host
Medium overridden
EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA). overridden
Tampering with the Windows User Account Controls (UAC) configuration
Low overridden
EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA). overridden
Tampering with the Windows User Account Controls (UAC) configuration
Low overridden
EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA). overridden
Unusual Conditional Access operation for an identity Informational Identity Threat Module 1 variation
An identity attempted to add or update an Azure AD Conditional Access policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: AzureAD Audit LogAttacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion. With a modified Conditional Access policy, an attacker might be able to access the tenant without possible blockage for later access.Investigative actions: Check implications of the updated policy. Check whether the user changing the configuration is permitted to perform such actions.Variations
Suspicious Conditional Access operation for an identity
Low overridden
An identity that doesn't usually modify Azure AD Conditional Access policies successfully modified a policy. overridden
Unusual cloud identity impersonation Informational Cloud 3 variations
A cloud identity attempted to impersonate another identity for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Escalate privileges and bypass access controls Avoid detection throughout their compromise.Investigative actions: Check the identity's designation. Verify that the identity did not perform any sensitive operation on behalf of the impersonated identity.Variations
Unusual cloud identity impersonation of a management role
Informational overridden
A cloud identity attempted to impersonate a management role for the first time. overridden
Suspicious cloud identity impersonation was succeeded
Medium overridden
A cloud identity has impersonated another identity for the first time. overridden
Suspicious cloud identity impersonation was failed
Informational overridden
A cloud identity has failed to impersonate another identity. overridden