Analytics Alerts
Browse the Cortex analytics alert reference.
21 alerts match the current filters. tactic: TA0006 ✕ technique: T1003 ✕
Show ATT&CK heatmapCached credentials discovery with cmdkey Low 2 variations
Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: OS Credential Dumping (T1003) Account Discovery (T1087)Required data: XDR AgentAttacker's goals: Access cached user credentials.Investigative actions: Check the initiator process for additional suspicious activity. Check if the host is a shared host that multiple users' credentials can be extracted from.Variations
The process cmdkey runs with modified name and extract cached credentials
High overridden
Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list. overridden
Transfer cached credentials with cmdkey to other standard output
Medium overridden
Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list. overridden
Copy a process memory file High 1 variation
Copy a process memory file using the dd utility.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping: Proc Filesystem (T1003.007)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Read another process memory, mainly for credential access.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Copy a process memory file from a Kubernetes pod
High overridden
Copy a process memory file using the dd utility. overridden
Granting Access to an Account Informational Cloud
Azure access has been granted to an account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Valid Accounts (T1078) Unsecured Credentials (T1552) Modify Authentication Process (T1556) OS Credential Dumping (T1003) Brute Force (T1110) Forge Web Credentials (T1606)Required data: Azure Audit LogAttacker's goals: Gain unauthorized access to an account. Gain access to sensitive data.Investigative actions: Check the account access logs to determine the source of the access. Check the account activity logs to determine the purpose of the access.LSASS dump file written to disk Medium
Dumping Lsass.exe (Local Security Authority Subsystem Service) memory to file allows attackers to later extract credentials from the memory dump.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers may try to extract OS credentials from the dumped Lsass.exe file.Investigative actions: Check the dumping process for more suspicious activity.Memory dumping with comsvcs.dll High
A process memory dump was performed using comsvcs.dll MiniDump. This method is commonly used by attackers to dump Lsass.exe (Local Security Authority Subsystem Service) process memory to a file, so they could later extract credentials from the memory dump.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003) OS Credential Dumping: LSASS Memory (T1003.001)Required data: XDR AgentAttacker's goals: Attackers may attempt to dump the memory of sensitive processes.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Mimikatz command-line arguments High
These command-line arguments are often used by Mimikatz to dump and harvest credentials.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003)Required data: XDR AgentAttacker's goals: An attacker is attempting to use Mimikatz, a known credential theft tool, to dump and harvest credentials.Investigative actions: Investigate the executed process to verify if it is malicious. Investigate the command line purpose.Modification of NTLM restrictions in the Registry Low
Allowing the transmission of NTLM could be part of an NTLM downgrade or an Internal Monologue attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Downgrading to a lower NTLM version gives the attacker an easy way to retrieve NTLM hashes from a Windows machine.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.NTDS.dit file written by an uncommon executable Low 3 variations
The Active Directory database file was written by an uncommon process to a non-default location.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003) OS Credential Dumping: NTDS (T1003.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Dump the sensitive contents of the database to masquerade as legitimate domain users.Investigative actions: Investigate the nature of the process writing the sensitive file. Is it a standard backup procedure? Check the path the file was written to. Is it local? Are there other relevant artifacts in this location?Variations
NTDS.dit file written by a remote actor
High overridden
The Active Directory database file was written to the disk by a remote actor. overridden
NTDS.dit file written by a rare executable to a suspicious path
High overridden
The Active Directory database file was written by a rare process to a suspicious path. overridden
NTDS.dit file written by a rare executable
Medium overridden
The Active Directory database file was written by a rare process to a non-default location. overridden
NTLM Hash Harvesting Medium Identity Analytics
An unusual number of users has sent NTLM to a target in the last hour. This may be indicative of poisoning and NTLM hash harvesting.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: The attacker may attempt to extract NTLM hashes for credential access.Investigative actions: Check that the destination is not a server. Verify that the destination is not external to the organization.Possible DCSync from a non domain controller Low 5 variations
Attackers may pose a compromised host as a DC to replicate data to it (DCSync).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005)ATT&CK techniques: OS Credential Dumping: DCSync (T1003.006) Rogue Domain Controller (T1207)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Impacket AnalyticsAttacker's goals: An attacker is trying to retrieve Active Directory data, including password hashes.Investigative actions: Check whether one of the machines is a new domain controller.Variations
DCSync from a non domain controller from a non-standard process
High overridden
Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden
Large DCSync from a non domain controller by AppID
Medium overridden
Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden
Large DCSync from a non domain controller
Medium overridden
Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden
Possible DCSync from an internet-facing server
Medium overridden
Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden
DCSync from a non domain controller
Low overridden
Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden
Potential DCSync by an unusual user Informational Identity Analytics 1 variation
Attackers may leverage the domain replication process to extract sensitive information (DCSync).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping: DCSync (T1003.006) Rogue Domain Controller (T1207)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker is trying to retrieve Active Directory data, including password hashes.Investigative actions: Check the role of the account, and see if it should initiate a DC synchronization. Check if the account performing the DCSync is related to a new DC. Find the source host of the DCSync (correlate between event 4662 and 4624 based on the field 'Logon ID'). Check if the account was recently added to an administrative groups/had new sensitive privileges assigned to it. Monitor suspicious traffic to/from the host to identify lateral movement or access to sensitive resources.Variations
Possible DCSync by an unusual user
Low overridden
Attackers may leverage the domain replication process to extract sensitive information (DCSync). overridden
Procdump executed from an atypical directory Medium
Procdump.exe is a SysInternals tool used to dump process memory; it can be used to dump lsass.exe memory to extract credentials.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Credential Access (TA0006)ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001) OS Credential Dumping: LSASS Memory (T1003.001)Required data: XDR AgentAttacker's goals: Attackers may attempt to dump the memory of sensitive processes.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Suspicious access to shadow file Informational 4 variations
An unpopular process accessed the shadow file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may attempt to dump the contents of these sensitive files to perform offline password cracking.Investigative actions: Check the process for more suspicious activity. Check whether this was a legitimate action.Variations
Suspicious access to shadow file in a Kubernetes Pod using a known text editor
Medium overridden
An unpopular process accessed the shadow file in a Kubernetes Pod. overridden
Suspicious access to shadow file using a known text editor
Medium overridden
An unpopular process accessed the shadow file. overridden
Suspicious access to shadow file in a Kubernetes Pod
Low overridden
An unpopular process accessed the shadow file. overridden
Suspicious access to shadow file
Low overridden
An unpopular process accessed the shadow file. overridden
Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin High
Attackers may attempt to dump the ntds.dit file, which stores all Active Directory account information, to later extract passwords and hashes from it.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping: NTDS (T1003.003)Required data: XDR AgentAttacker's goals: Retrieve Active Directory data, to perform malicious activities such as lateral movement.Investigative actions: Check the initiator process for additional suspicious activity.Uncommon access to /etc/passwd Informational 11 variations
A process made an uncommon attempt to access /etc/passwd.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: File and Directory Discovery (T1083) System Service Discovery (T1007) System Owner/User Discovery (T1033) System Information Discovery (T1082) Account Discovery (T1087) Account Discovery: Local Account (T1087.001) OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: EDR Discovery Analytics, Credentials Grabbing AnalyticsAttacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.Variations
Uncommon access to /etc/passwd by a security testing tool
Medium overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd by a potentially known credential dumper or enumeration script
Medium overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd by a potential Webshell
Medium overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon link creation to /etc/passwd
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd with both /etc/passwd and /etc/shadow in the command line
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd, involving a network utility
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd from temporary or world writable directories
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd with additional sensitive files in the command line
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd via a new inline bash script
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd using an interactive binary
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd using an interactive shell
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon attempt at grabbing credentials from a sensitive file Informational 8 variations
A process made an uncommon attempt to access a file that may contain sensitive information.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: OS Credential Dumping (T1003) Unsecured Credentials: Credentials In Files (T1552.001) Unsecured Credentials (T1552) Credentials from Password Stores (T1555) Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Credentials Grabbing AnalyticsAttacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.Variations
Uncommon attempt at grabbing credentials from a sensitive file by a security testing tool
High overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a potentially known credential dumper or enumeration script
Medium overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from an SSH private key
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a potential Webshell
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a script that was executed by a rare causality
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file from temporary or world writable directories
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a rare process that was executed by cron
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a non-GTFOBIN process
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon creation or access operation of sensitive shadow copy Low 2 variations
An uncommon creation or access of a sensitive Shadow Copy volume path.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers may try to copy sensitive data or dump OS credentials from the host file system by using Shadow Copy volume utilities.Investigative actions: Verify if the shadow copy operation is part of an IT activity. Look for other hosts performing the same shadow copy event with similar causality process behavior. Inspect the causality process and its characteristics as they appear on other hosts.Variations
Uncommon creation or access operation of sensitive shadow copy by a remote actor
Low overridden
An uncommon creation or access of a sensitive Shadow Copy volume path. overridden
Uncommon creation or access operation of sensitive shadow copy by a high-risk process
High overridden
An uncommon creation or access of a sensitive Shadow Copy volume path by a high-risk process. overridden
Uncommon sensitive filesystem registry hive access Informational 4 variations
A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003) OS Credential Dumping: Security Account Manager (T1003.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversary may attempt to extract credentials from the Windows Registry Credentials can then be used to perform lateral movement and access restricted information.Investigative actions: Investigate the process that tried to access the registry hive file. Investigate the actions of the user, for which his credentials were stored in the registry hive file.Variations
Uncommon filesystem registry SAM hive access by a lolbin actor in a shadow copy folder
High overridden
A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping. overridden
Uncommon sensitive filesystem registry hive access by a lolbin actor in a shadow copy folder
Medium overridden
A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping. overridden
Uncommon sensitive filesystem registry hive access by a rare unsigned actor in a shadow copy folder
Medium overridden
A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping. overridden
Uncommon sensitive filesystem registry hive access by a rare unsigned actor
Low overridden
A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping. overridden
Uncommon sensitive registry hive dump Low 4 variations
A sensitive registry hive was extracted, which is used for accessing credentials.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversary may attempt to extract credentials from the Windows Registry Credentials can then be used to perform lateral movement and access restricted information.Investigative actions: Investigate the process that tried to access the registry hive. Investigate the actions of the user for which his credentials were stored in the registry hive.Variations
Uncommon sensitive registry hive dump by unsigned and rare process
High overridden
A sensitive registry hive was extracted, which is used for accessing credentials. overridden
Uncommon sensitive registry hive dump by injected process
High overridden
A sensitive registry hive was extracted, which is used for accessing credentials. overridden
Uncommon sensitive registry hive dump by reg.exe lolbin process which was executed by rare causality process
High overridden
A sensitive registry hive was extracted, which is used for accessing credentials. overridden
Uncommon sensitive registry hive dump by reg.exe lolbin process
Medium overridden
A sensitive registry hive was extracted, which is used for accessing credentials. overridden
Unusual Azure AD sync module load Low Identity Threat Module 1 variation
A process that does not usually load the Azure AD Sync mcrypt.dll loaded the module.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003)Required data: XDR AgentAttacker's goals: Attackers can abuse the Azure AD Connect database files to get access to the AD Sync account. The AD Sync account is a highly privileged account that can perform a DCSync and get access to on-premise password hashes.Investigative actions: See whether this was a legitimate action. Follow process/user/host activities. Follow unusual actions of the AD Sync user. Check for unusual Azure AD authentications. Check for a possible DCSync.Variations
Unusual Azure AD sync module load by suspicious process
Medium overridden
A suspicious process that does not usually load the Azure AD Sync mcrypt.dll loaded the module. overridden
Unusual CIM repository file access Low 1 variation
An uncommon process accessed the CIM repository file, potentially to retrieve stored NNA credentials for unauthorized use.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials (T1552) OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft SCCM AnalyticsAttacker's goals: Attackers can retrieve plaintext domain credentials, which may be used for proxying tools into the environment over command and control (C2). If the credentials are overprivileged, this technique may enable lateral movement to other clients or sensitive systems. Determine whether this was a legitimate action.Investigative actions: Follow process, user, and host activities. Investigate if the retrieved credentials match any known accounts or if there is any abnormal access to distribution points or other critical resources. Verify the presence of unauthorized tools or processes like SharpDPAPI or SharpSCCM that could have been used for credential extraction or decryption. Review relevant system logs (event logs, SCCM logs, etc.) for any signs of unusual activity or access patterns related to the NAA or other credentials.Variations
Suspicious CIM repository file access
Medium overridden
An unusual process with suspicious characteristics accessed the CIM repository file, causing this attempt to be flagged as suspicious. overridden