Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

21 alerts match the current filters. tactic: TA0006 ✕ technique: T1003 ✕

Show ATT&CK heatmap
  • Cached credentials discovery with cmdkey Low 2 variations

    Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: OS Credential Dumping (T1003) Account Discovery (T1087)
    Required data: XDR Agent
    Attacker's goals: Access cached user credentials.
    Investigative actions: Check the initiator process for additional suspicious activity. Check if the host is a shared host that multiple users' credentials can be extracted from.

    Variations

    The process cmdkey runs with modified name and extract cached credentials

    High overridden

    Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list. overridden

    Transfer cached credentials with cmdkey to other standard output

    Medium overridden

    Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list. overridden

  • Copy a process memory file High 1 variation

    Copy a process memory file using the dd utility.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping: Proc Filesystem (T1003.007)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Read another process memory, mainly for credential access.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Copy a process memory file from a Kubernetes pod

    High overridden

    Copy a process memory file using the dd utility. overridden

  • Granting Access to an Account Informational Cloud

    Azure access has been granted to an account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts (T1078) Unsecured Credentials (T1552) Modify Authentication Process (T1556) OS Credential Dumping (T1003) Brute Force (T1110) Forge Web Credentials (T1606)
    Required data: Azure Audit Log
    Attacker's goals: Gain unauthorized access to an account. Gain access to sensitive data.
    Investigative actions: Check the account access logs to determine the source of the access. Check the account activity logs to determine the purpose of the access.
  • LSASS dump file written to disk Medium

    Dumping Lsass.exe (Local Security Authority Subsystem Service) memory to file allows attackers to later extract credentials from the memory dump.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers may try to extract OS credentials from the dumped Lsass.exe file.
    Investigative actions: Check the dumping process for more suspicious activity.
  • Memory dumping with comsvcs.dll High

    A process memory dump was performed using comsvcs.dll MiniDump. This method is commonly used by attackers to dump Lsass.exe (Local Security Authority Subsystem Service) process memory to a file, so they could later extract credentials from the memory dump.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003) OS Credential Dumping: LSASS Memory (T1003.001)
    Required data: XDR Agent
    Attacker's goals: Attackers may attempt to dump the memory of sensitive processes.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Mimikatz command-line arguments High

    These command-line arguments are often used by Mimikatz to dump and harvest credentials.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003)
    Required data: XDR Agent
    Attacker's goals: An attacker is attempting to use Mimikatz, a known credential theft tool, to dump and harvest credentials.
    Investigative actions: Investigate the executed process to verify if it is malicious. Investigate the command line purpose.
  • Modification of NTLM restrictions in the Registry Low

    Allowing the transmission of NTLM could be part of an NTLM downgrade or an Internal Monologue attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Downgrading to a lower NTLM version gives the attacker an easy way to retrieve NTLM hashes from a Windows machine.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • NTDS.dit file written by an uncommon executable Low 3 variations

    The Active Directory database file was written by an uncommon process to a non-default location.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003) OS Credential Dumping: NTDS (T1003.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Dump the sensitive contents of the database to masquerade as legitimate domain users.
    Investigative actions: Investigate the nature of the process writing the sensitive file. Is it a standard backup procedure? Check the path the file was written to. Is it local? Are there other relevant artifacts in this location?

    Variations

    NTDS.dit file written by a remote actor

    High overridden

    The Active Directory database file was written to the disk by a remote actor. overridden

    NTDS.dit file written by a rare executable to a suspicious path

    High overridden

    The Active Directory database file was written by a rare process to a suspicious path. overridden

    NTDS.dit file written by a rare executable

    Medium overridden

    The Active Directory database file was written by a rare process to a non-default location. overridden

  • NTLM Hash Harvesting Medium Identity Analytics

    An unusual number of users has sent NTLM to a target in the last hour. This may be indicative of poisoning and NTLM hash harvesting.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: The attacker may attempt to extract NTLM hashes for credential access.
    Investigative actions: Check that the destination is not a server. Verify that the destination is not external to the organization.
  • Possible DCSync from a non domain controller Low 5 variations

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005)
    ATT&CK techniques: OS Credential Dumping: DCSync (T1003.006) Rogue Domain Controller (T1207)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Impacket Analytics
    Attacker's goals: An attacker is trying to retrieve Active Directory data, including password hashes.
    Investigative actions: Check whether one of the machines is a new domain controller.

    Variations

    DCSync from a non domain controller from a non-standard process

    High overridden

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden

    Large DCSync from a non domain controller by AppID

    Medium overridden

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden

    Large DCSync from a non domain controller

    Medium overridden

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden

    Possible DCSync from an internet-facing server

    Medium overridden

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden

    DCSync from a non domain controller

    Low overridden

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden

  • Potential DCSync by an unusual user Informational Identity Analytics 1 variation

    Attackers may leverage the domain replication process to extract sensitive information (DCSync).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping: DCSync (T1003.006) Rogue Domain Controller (T1207)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker is trying to retrieve Active Directory data, including password hashes.
    Investigative actions: Check the role of the account, and see if it should initiate a DC synchronization. Check if the account performing the DCSync is related to a new DC. Find the source host of the DCSync (correlate between event 4662 and 4624 based on the field 'Logon ID'). Check if the account was recently added to an administrative groups/had new sensitive privileges assigned to it. Monitor suspicious traffic to/from the host to identify lateral movement or access to sensitive resources.

    Variations

    Possible DCSync by an unusual user

    Low overridden

    Attackers may leverage the domain replication process to extract sensitive information (DCSync). overridden

  • Procdump executed from an atypical directory Medium

    Procdump.exe is a SysInternals tool used to dump process memory; it can be used to dump lsass.exe memory to extract credentials.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Credential Access (TA0006)
    ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001) OS Credential Dumping: LSASS Memory (T1003.001)
    Required data: XDR Agent
    Attacker's goals: Attackers may attempt to dump the memory of sensitive processes.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Suspicious access to shadow file Informational 4 variations

    An unpopular process accessed the shadow file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may attempt to dump the contents of these sensitive files to perform offline password cracking.
    Investigative actions: Check the process for more suspicious activity. Check whether this was a legitimate action.

    Variations

    Suspicious access to shadow file in a Kubernetes Pod using a known text editor

    Medium overridden

    An unpopular process accessed the shadow file in a Kubernetes Pod. overridden

    Suspicious access to shadow file using a known text editor

    Medium overridden

    An unpopular process accessed the shadow file. overridden

    Suspicious access to shadow file in a Kubernetes Pod

    Low overridden

    An unpopular process accessed the shadow file. overridden

    Suspicious access to shadow file

    Low overridden

    An unpopular process accessed the shadow file. overridden

  • Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin High

    Attackers may attempt to dump the ntds.dit file, which stores all Active Directory account information, to later extract passwords and hashes from it.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping: NTDS (T1003.003)
    Required data: XDR Agent
    Attacker's goals: Retrieve Active Directory data, to perform malicious activities such as lateral movement.
    Investigative actions: Check the initiator process for additional suspicious activity.
  • Uncommon access to /etc/passwd Informational 11 variations

    A process made an uncommon attempt to access /etc/passwd.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: File and Directory Discovery (T1083) System Service Discovery (T1007) System Owner/User Discovery (T1033) System Information Discovery (T1082) Account Discovery (T1087) Account Discovery: Local Account (T1087.001) OS Credential Dumping (T1003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: EDR Discovery Analytics, Credentials Grabbing Analytics
    Attacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.
    Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.

    Variations

    Uncommon access to /etc/passwd by a security testing tool

    Medium overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd by a potentially known credential dumper or enumeration script

    Medium overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd by a potential Webshell

    Medium overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon link creation to /etc/passwd

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd with both /etc/passwd and /etc/shadow in the command line

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd, involving a network utility

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd from temporary or world writable directories

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd with additional sensitive files in the command line

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd via a new inline bash script

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd using an interactive binary

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd using an interactive shell

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

  • Uncommon attempt at grabbing credentials from a sensitive file Informational 8 variations

    A process made an uncommon attempt to access a file that may contain sensitive information.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: OS Credential Dumping (T1003) Unsecured Credentials: Credentials In Files (T1552.001) Unsecured Credentials (T1552) Credentials from Password Stores (T1555) Account Discovery (T1087)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Credentials Grabbing Analytics
    Attacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.
    Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.

    Variations

    Uncommon attempt at grabbing credentials from a sensitive file by a security testing tool

    High overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from a sensitive file by a potentially known credential dumper or enumeration script

    Medium overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from an SSH private key

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from a sensitive file by a potential Webshell

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from a sensitive file by a script that was executed by a rare causality

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from a sensitive file from temporary or world writable directories

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from a sensitive file by a rare process that was executed by cron

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from a sensitive file by a non-GTFOBIN process

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

  • Uncommon creation or access operation of sensitive shadow copy Low 2 variations

    An uncommon creation or access of a sensitive Shadow Copy volume path.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers may try to copy sensitive data or dump OS credentials from the host file system by using Shadow Copy volume utilities.
    Investigative actions: Verify if the shadow copy operation is part of an IT activity. Look for other hosts performing the same shadow copy event with similar causality process behavior. Inspect the causality process and its characteristics as they appear on other hosts.

    Variations

    Uncommon creation or access operation of sensitive shadow copy by a remote actor

    Low overridden

    An uncommon creation or access of a sensitive Shadow Copy volume path. overridden

    Uncommon creation or access operation of sensitive shadow copy by a high-risk process

    High overridden

    An uncommon creation or access of a sensitive Shadow Copy volume path by a high-risk process. overridden

  • Uncommon sensitive filesystem registry hive access Informational 4 variations

    A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003) OS Credential Dumping: Security Account Manager (T1003.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversary may attempt to extract credentials from the Windows Registry Credentials can then be used to perform lateral movement and access restricted information.
    Investigative actions: Investigate the process that tried to access the registry hive file. Investigate the actions of the user, for which his credentials were stored in the registry hive file.

    Variations

    Uncommon filesystem registry SAM hive access by a lolbin actor in a shadow copy folder

    High overridden

    A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping. overridden

    Uncommon sensitive filesystem registry hive access by a lolbin actor in a shadow copy folder

    Medium overridden

    A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping. overridden

    Uncommon sensitive filesystem registry hive access by a rare unsigned actor in a shadow copy folder

    Medium overridden

    A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping. overridden

    Uncommon sensitive filesystem registry hive access by a rare unsigned actor

    Low overridden

    A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping. overridden

  • Uncommon sensitive registry hive dump Low 4 variations

    A sensitive registry hive was extracted, which is used for accessing credentials.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversary may attempt to extract credentials from the Windows Registry Credentials can then be used to perform lateral movement and access restricted information.
    Investigative actions: Investigate the process that tried to access the registry hive. Investigate the actions of the user for which his credentials were stored in the registry hive.

    Variations

    Uncommon sensitive registry hive dump by unsigned and rare process

    High overridden

    A sensitive registry hive was extracted, which is used for accessing credentials. overridden

    Uncommon sensitive registry hive dump by injected process

    High overridden

    A sensitive registry hive was extracted, which is used for accessing credentials. overridden

    Uncommon sensitive registry hive dump by reg.exe lolbin process which was executed by rare causality process

    High overridden

    A sensitive registry hive was extracted, which is used for accessing credentials. overridden

    Uncommon sensitive registry hive dump by reg.exe lolbin process

    Medium overridden

    A sensitive registry hive was extracted, which is used for accessing credentials. overridden

  • Unusual Azure AD sync module load Low Identity Threat Module 1 variation

    A process that does not usually load the Azure AD Sync mcrypt.dll loaded the module.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003)
    Required data: XDR Agent
    Attacker's goals: Attackers can abuse the Azure AD Connect database files to get access to the AD Sync account. The AD Sync account is a highly privileged account that can perform a DCSync and get access to on-premise password hashes.
    Investigative actions: See whether this was a legitimate action. Follow process/user/host activities. Follow unusual actions of the AD Sync user. Check for unusual Azure AD authentications. Check for a possible DCSync.

    Variations

    Unusual Azure AD sync module load by suspicious process

    Medium overridden

    A suspicious process that does not usually load the Azure AD Sync mcrypt.dll loaded the module. overridden

  • Unusual CIM repository file access Low 1 variation

    An uncommon process accessed the CIM repository file, potentially to retrieve stored NNA credentials for unauthorized use.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials (T1552) OS Credential Dumping (T1003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: Attackers can retrieve plaintext domain credentials, which may be used for proxying tools into the environment over command and control (C2). If the credentials are overprivileged, this technique may enable lateral movement to other clients or sensitive systems. Determine whether this was a legitimate action.
    Investigative actions: Follow process, user, and host activities. Investigate if the retrieved credentials match any known accounts or if there is any abnormal access to distribution points or other critical resources. Verify the presence of unauthorized tools or processes like SharpDPAPI or SharpSCCM that could have been used for credential extraction or decryption. Review relevant system logs (event logs, SCCM logs, etc.) for any signs of unusual activity or access patterns related to the NAA or other credentials.

    Variations

    Suspicious CIM repository file access

    Medium overridden

    An unusual process with suspicious characteristics accessed the CIM repository file, causing this attempt to be flagged as suspicious. overridden