Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

15 alerts match the current filters. tactic: TA0006 ✕ technique: T1528 ✕

Show ATT&CK heatmap
  • A Command Line Interface (CLI) command was executed from a GCP serverless compute service Low Cloud 4 variations

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552)
    Required data: Gcp Audit Log
    Detector tags: Cloud Serverless Function Credentials Theft Analytics
    Attacker's goals: Exfiltrate serverless token and abuse it.
    Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.

    Variations

    Suspicious Command Line Interface (CLI) command was executed from a GCP Cloud Build service

    Low overridden

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden

    Suspicious Command Line Interface (CLI) command was executed from a GCP serverless compute service

    Informational overridden

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden

    A Command Line Interface (CLI) command was executed from a GCP Cloud Build service

    Low overridden

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden

    Unusual Command Line Interface (CLI) command was executed from a GCP serverless compute service

    Medium overridden

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden

  • A Command Line Interface (CLI) command was executed from an AWS serverless compute service Low Cloud 2 variations

    AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552) Command and Scripting Interpreter: Cloud API (T1059.009)
    Required data: AWS Audit Log
    Detector tags: Cloud Serverless Function Credentials Theft Analytics
    Attacker's goals: Exfiltrate serverless token and abuse it.
    Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.

    Variations

    A Command Line Interface (AWS-CLI) command was executed from an AWS serverless compute service

    Informational overridden

    AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden

    Unusual Command Line Interface (CLI) command was executed from an AWS serverless compute service

    Low overridden

    AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden

  • A compute-attached identity executed API calls outside the instance's region Informational Cloud 6 variations

    A compute-attached identity performed actions outside the compute instance region.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate token and abuse it remotely.
    Investigative actions: Verify whether the compute-attached identity's credentials were intentionally used remotely. Check what API calls were executed using instance's attached role. Check if the suspected instance is compromised.

    Variations

    A compute-attached identity executed API calls outside the Lambda function's region

    Informational overridden

    A compute-attached identity performed actions outside the Lambda function region. overridden

    A compute-attached identity executed API calls outside the instance's region from an unusual geolocation and ASN

    High overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

    A compute-attached identity executed API calls outside the instance's region from an unusual geolocation

    Medium overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

    A compute-attached identity executed API calls outside the instance's region from an unusual ASN

    Low overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

    A compute-attached identity executed API calls outside the instance's region

    Low overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

    A compute-attached identity failed to execute API calls outside the instance's region

    Informational overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

  • Azure Storage Account key generated Informational Cloud

    Azure storage access keys rotation, might affect services/applications depended on the key set.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal Application Access Token (T1528)
    Required data: Azure Audit Log
    Detector tags: Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Exfiltrate information or damage critical services.
    Investigative actions: Check what actions were made by the users a few hours prior/after to the generation operation. Which actions were taken using the newly generated access keys.
  • Azure application consent Informational Identity Threat Module 1 variation

    An identity consented permissions to an application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Phishing (T1566) Phishing: Spearphishing Link (T1566.002) Steal Application Access Token (T1528) Trusted Relationship (T1199)
    Required data: AzureAD Audit Log
    Attacker's goals: Get access to credentials, data or an organization via applications with sufficient permissions.
    Investigative actions: Follow further actions by the consenting user. Check for new resource creations by the new user. Check how the consenting user got to the application. Verify the application creators. Check what permissions the application requested. Check for possible phishing in the organization.

    Variations

    First seen Azure admin consent to an application

    Low overridden

    An administrative identity consented permissions to an application. overridden

  • Owner added to Azure application Informational Identity Threat Module

    An identity was added as an owner to an Azure application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal Application Access Token (T1528)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker may add owners to an application to authenticate as the application later on and access resources.
    Investigative actions: Check if the added account is new to the organization. Check whether the account that added the new owner is supposed to perform such actions. Check for possible logins from the application modified. Follow further actions done by the application.
  • Possible ConsentFix - OAuth Token Theft Detected Informational Identity Threat Module 1 variation

    Detection of potential OAuth token theft via a forced 'localhost' redirect and first-party app abuse.This indicates an attacker has likely bypassed MFA to hijack a user's cloud session.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) User Execution: Malicious Link (T1204.001) Steal Application Access Token (T1528)
    Required data: AzureAD
    Attacker's goals: Bypass identity trust controls to gain persistent unauthorized access to cloud resources.
    Investigative actions: Check for successful logins to Azure CLI or PowerShell from anomalous IPs. Review sign-in logs for User-Agents associated with CLI tools or scripts. Revoke all active OAuth refresh tokens for the user immediately.

    Variations

    OAuth Token Theft - Potential Session Hijacking Detected from new ASN

    Low overridden

    Detection of potential OAuth token theft via a forced 'localhost' redirect and first-party app abuse.This indicates an attacker has likely bypassed MFA to hijack a user's cloud session. overridden

  • Remote usage of AWS Lambda's role Informational Cloud 5 variations

    An AWS Lambda's role was used externally of the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)
    ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate token and abuse it remotely.
    Investigative actions: Check if the IAM role was assumed by an unknown identity. Check what API calls were executed using the access-key.

    Variations

    Remote command line usage of AWS Lambda's role

    High overridden

    An AWS Lambda's role was used externally of the cloud environment. overridden

    Suspicious usage of AWS Lambda's role

    Medium overridden

    An AWS Lambda's role was used externally of the cloud environment. overridden

    Suspicious usage of AWS Lambda's role

    Low overridden

    An AWS Lambda's role was used externally of the cloud environment. overridden

    Suspicious usage of AWS Lambda's role

    High overridden

    An AWS Lambda's role was used externally of the cloud environment. overridden

    Usage of AWS Lambda's role from a known ASN

    Informational overridden

    An AWS Lambda's role was used externally of the cloud environment. overridden

  • Remote usage of VM Service Account token Informational Cloud 1 variation

    A GCP Service Account token, which is attached to a VM, was used externally of the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552)
    Required data: Gcp Audit Log
    Attacker's goals: Exfiltrate token and abuse it remotely.
    Investigative actions: Check if the service account was attached to a specific VM. Check if the service account was used by a user. Check if the relevant VM is compromised.

    Variations

    Suspicious usage of VM Service Account token

    High overridden

    A GCP Service Account token, which is attached to a VM, was used externally of the cloud environment. overridden

  • Remote usage of an AWS service token Low Cloud 1 variation

    An AWS service token was used externally of the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008) Initial Access (TA0001)
    ATT&CK techniques: Steal Application Access Token (T1528) Use Alternate Authentication Material: Application Access Token (T1550.001) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate a token and abuse it remotely.
    Investigative actions: Check what actions were executed using the access-key. Check if the IAM role was assumed by a different identity.

    Variations

    Suspicious usage of AWS service token

    Medium overridden

    An AWS service token was used externally of the cloud environment. overridden

  • Remote usage of an App engine Service Account token Informational Cloud 1 variation

    A GCP Service Account token, which is attached to an app engine, was used externally of the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552)
    Required data: Gcp Audit Log
    Attacker's goals: Exfiltrate token and abuse it remotely.
    Investigative actions: Check if the Service Account was attached to a specific app engine. Check if the Service Account was used by a user. Check if the relevant app engine is compromised.

    Variations

    Suspicious usage of App engine Service Account token

    High overridden

    A GCP Service Account token, which is attached to an app engine, was used externally of the cloud environment. overridden

  • Remote usage of an Azure Managed Identity token Low Cloud 4 variations

    An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552)
    Required data: Azure Audit Log
    Detector tags: Cloud Serverless Function Credentials Theft Analytics
    Attacker's goals: Exfiltrate valid token and abuse it remotely.
    Investigative actions: Verify whether the Managed Identity should be used remotely. Check what API calls were executed by the Managed Identity. Check if the relevant compute service is compromised.

    Variations

    Remote usage of an Azure Function App's Managed Identity token

    Medium overridden

    An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment. overridden

    Remote usage of an Azure Automation Account's Managed Identity token

    Medium overridden

    An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment. overridden

    Remote usage of an Azure Managed Identity token from an unusual ASN

    High overridden

    An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment. overridden

    Remote usage of an Azure Managed Identity token from an unusual IP

    Medium overridden

    An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment. overridden

  • Remote usage of an Azure Service Principal token Informational Cloud 2 variations

    An Azure Service Principal token was used externally of the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552)
    Required data: Azure Audit Log
    Attacker's goals: Exfiltrate valid token and abuse it remotely.
    Investigative actions: Verify whether the service principal should be used remotely. Check what API calls were executed by the service principal. Determine whether the service principal is compromised.

    Variations

    Remote usage of an Azure Service Principal token from an unusual ASN

    High overridden

    An Azure Service Principal token was used externally of the cloud environment. overridden

    Remote usage of an Azure Service Principal token from an unusual IP

    Medium overridden

    An Azure Service Principal token was used externally of the cloud environment. overridden

  • Suspicious usage of EC2 token Low Cloud 1 variation

    An AWS EC2 STS token was used externally from an EC2 instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)
    ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate token and abuse it remotely.
    Investigative actions: Check if the access key was generated by the attached instance. Check what actions were executed by the access key. Check if the relevant instance is compromised.

    Variations

    Suspicious usage of EC2 token

    Medium overridden

    An AWS EC2 STS token was used externally from an EC2 instance. overridden

  • Uncommon access to Microsoft Teams cookies files Informational Identity Analytics 1 variation

    Sensitive Microsoft Teams cookies files were accessed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores (T1555) Steal Application Access Token (T1528)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft Teams
    Attacker's goals: Attacker may access credentials files and steal application access tokens to gain remote access.
    Investigative actions: Investigate the actor process to determine if it was used for legitimate purposes or malicious activity. Review the host for any additional unusual activity. Investigate the Graph API calls followed by the user that might be related.

    Variations

    Suspicious uncommon access to Microsoft Teams cookies files

    Low overridden

    Sensitive Microsoft Teams cookies files were accessed by a suspicious process. overridden