Analytics Alerts
Browse the Cortex analytics alert reference.
3 alerts match the current filters. tactic: TA0006 ✕ technique: T1083 ✕
Show ATT&CK heatmapA suspicious process queried AD CS objects via LDAP Informational Identity Analytics 1 variation
A suspicious process queried AD CS objects via LDAP.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: File and Directory Discovery (T1083) Steal or Forge Authentication Certificates (T1649)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client), Active Directory Certificate Services AnalyticsAttacker's goals: An attacker might look for AD CS servers, certificate templates or request certificates. With the wrong setting or loose vulnerable templates or enabled enrollment, the attacker will be able to authenticate as users on the network.Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time) or process. Investigate the LDAP search query for any suspicious indicators.Variations
A user suspiciously queried AD CS objects via LDAP
Low overridden
A user suspiciously queried AD CS objects via LDAP. overridden
A user queried AD CS objects via LDAP Informational Identity Analytics 1 variation
A user queried AD CS objects via LDAP.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: File and Directory Discovery (T1083) Steal or Forge Authentication Certificates (T1649)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Server), Active Directory Certificate Services AnalyticsAttacker's goals: An attacker might look for AD CS servers, certificate templates or request certificates. With the wrong setting or loose vulnerable templates or enabled enrollment, the attacker will be able to authenticate as users on the network.Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time). Investigate the LDAP search query for any suspicious indicators.Variations
A user enumerated AD CS objects using suspicious LDAP query
Low overridden
A user enumerated AD CS objects using suspicious LDAP query. overridden
Uncommon access to /etc/passwd Informational 11 variations
A process made an uncommon attempt to access /etc/passwd.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: File and Directory Discovery (T1083) System Service Discovery (T1007) System Owner/User Discovery (T1033) System Information Discovery (T1082) Account Discovery (T1087) Account Discovery: Local Account (T1087.001) OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: EDR Discovery Analytics, Credentials Grabbing AnalyticsAttacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.Variations
Uncommon access to /etc/passwd by a security testing tool
Medium overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd by a potentially known credential dumper or enumeration script
Medium overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd by a potential Webshell
Medium overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon link creation to /etc/passwd
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd with both /etc/passwd and /etc/shadow in the command line
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd, involving a network utility
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd from temporary or world writable directories
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd with additional sensitive files in the command line
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd via a new inline bash script
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd using an interactive binary
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd using an interactive shell
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden