Analytics Alerts
Browse the Cortex analytics alert reference.
55 alerts match the current filters. tactic: TA0006 ✕ technique: T1552 ✕
Show ATT&CK heatmapA Command Line Interface (CLI) command was executed from a GCP serverless compute service Low Cloud 4 variations
A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552)Required data: Gcp Audit LogDetector tags: Cloud Serverless Function Credentials Theft AnalyticsAttacker's goals: Exfiltrate serverless token and abuse it.Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.Variations
Suspicious Command Line Interface (CLI) command was executed from a GCP Cloud Build service
Low overridden
A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden
Suspicious Command Line Interface (CLI) command was executed from a GCP serverless compute service
Informational overridden
A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden
A Command Line Interface (CLI) command was executed from a GCP Cloud Build service
Low overridden
A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden
Unusual Command Line Interface (CLI) command was executed from a GCP serverless compute service
Medium overridden
A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden
A Command Line Interface (CLI) command was executed from an AWS serverless compute service Low Cloud 2 variations
AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552) Command and Scripting Interpreter: Cloud API (T1059.009)Required data: AWS Audit LogDetector tags: Cloud Serverless Function Credentials Theft AnalyticsAttacker's goals: Exfiltrate serverless token and abuse it.Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.Variations
A Command Line Interface (AWS-CLI) command was executed from an AWS serverless compute service
Informational overridden
AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden
Unusual Command Line Interface (CLI) command was executed from an AWS serverless compute service
Low overridden
AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden
A Kubernetes secret was created or deleted Informational Cloud
A Kubernetes secret was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Container API (T1552.007)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Obtain Kubernetes secrets to access restricted information.Investigative actions: Check which changes were made to the Kubernetes secret.A compute-attached identity executed API calls outside the instance's region Informational Cloud 6 variations
A compute-attached identity performed actions outside the compute instance region.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552)Required data: AWS Audit LogAttacker's goals: Exfiltrate token and abuse it remotely.Investigative actions: Verify whether the compute-attached identity's credentials were intentionally used remotely. Check what API calls were executed using instance's attached role. Check if the suspected instance is compromised.Variations
A compute-attached identity executed API calls outside the Lambda function's region
Informational overridden
A compute-attached identity performed actions outside the Lambda function region. overridden
A compute-attached identity executed API calls outside the instance's region from an unusual geolocation and ASN
High overridden
A compute-attached identity performed actions outside the compute instance region. overridden
A compute-attached identity executed API calls outside the instance's region from an unusual geolocation
Medium overridden
A compute-attached identity performed actions outside the compute instance region. overridden
A compute-attached identity executed API calls outside the instance's region from an unusual ASN
Low overridden
A compute-attached identity performed actions outside the compute instance region. overridden
A compute-attached identity executed API calls outside the instance's region
Low overridden
A compute-attached identity performed actions outside the compute instance region. overridden
A compute-attached identity failed to execute API calls outside the instance's region
Informational overridden
A compute-attached identity performed actions outside the compute instance region. overridden
A suspicious process enrolled for a certificate Low 1 variation
A suspicious process enrolled for a certificate.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials (T1552) Steal or Forge Authentication Certificates (T1649)Required data: XDR AgentDetector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Attackers may authenticate as users using a certificate. If a policy is configured with permissive options, the attacker can authenticate as a user with high privileges.Investigative actions: See whether this was a legitimate action. Follow process/user activities. Check for suspicious certificate authentications.Variations
An unsigned suspicious process enrolled for a certificate
Medium overridden
An unsigned suspicious process enrolled for a certificate. overridden
A user created a pfx file for the first time Informational Identity Analytics 1 variation
A user created a pfx file for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Attackers may export certificates to pfx files to use them for authentication, persistence or NTLM extraction.Investigative actions: Check if the pfx creation is legitimate for the user (testing, IT, etc.). Follow further actions done by the user (ex. authentication using certificates).Variations
A user created a pfx in a suspicious folder for the first time
Low overridden
A user created a pfx in a suspicious folder which is publicly accessible, for the first time. overridden
Abnormal File Activity in SCCMContentLib Shared Folder by user Informational Identity Analytics 1 variation
A user generated suspicious file activity within the SCCMContentLib shared folder, which is considered a high-value target for attackers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002) Unsecured Credentials (T1552)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft SCCM AnalyticsAttacker's goals: Attackers aim to exploit misconfigurations in Microsoft Configuration Manager to access sensitive data, such as credentials and certificates, stored within the SCCMContentLib. This access can facilitate lateral movement and further compromise within the network.Investigative actions: Verify the activity with the performing user. Check if SCCM admin credentials were accessed or exfiltrated. Review SCCM logs to identify unauthorized queries or modifications. Investigate recent access to the extracted files and their contents. Check other security logs (e.g., Windows Event Logs, SIEM alerts) for suspicious behavior. Identify the originating system and assess if it has been compromised. Monitor for any further lateral movement or privilege escalation attempts.Variations
Suspicious File Activity in SCCMContentLib Shared Folder by user
Low overridden
A user generated suspicious file activity within the SCCMContentLib shared folder, which is considered a high-value target for attackers. overridden
Access to Kubernetes CA certificate file Informational 1 variation
A process accessed a Kubernetes CA certificate file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Make API calls against the Kubernetes cluster.Investigative actions: Look for additional suspicious activities. Verify if the exposed certificate was used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed certificate.Variations
Access to Kubernetes CA certificate file by an unusual process
Low overridden
A process accessed a Kubernetes CA certificate file for the first time. overridden
Access to Kubernetes configuration file Informational 3 variations
A process accessed a Kubernetes node configuration file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENTAttacker's goals: Gain access to the Kubernetes environment.Investigative actions: Look for additional suspicious activities. Verify if the exposed credentials were used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.Variations
Access to Kubernetes configuration file by an unusual process
Low overridden
A process accessed a Kubernetes node configuration file. overridden
Access to Kubernetes configuration file from an unusual Kubernetes pod
Low overridden
A process accessed a Kubernetes node configuration file. overridden
Access to Kubernetes configuration file from a Kubernetes pod
Informational overridden
A process accessed a Kubernetes node configuration file. overridden
Access to kubelet credentials file Informational 1 variation
A process accessed a kubelet credentials file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Impersonate the node agent to gain control over the cluster.Investigative actions: Look for additional suspicious activities. Verify if the exposed credentials were used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.Variations
Access to kubelet credentials file by an unusual process
Low overridden
A process accessed a kubelet credentials file for the first time. overridden
An Azure Key Vault was modified Informational Cloud
Azure Key Vault has been modified or deleted by an Identity. This could be an indication of unauthorized access or malicious activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: Azure Audit LogAttacker's goals: Gain access to sensitive data stored in the Azure Key Vault.Investigative actions: Check the Azure Key Vault configuration to identify what changes were made.An identity accessed Azure Kubernetes Secrets Informational Cloud
An identity has accessed or attempted to access Azure Kubernetes secrets or Config Objects.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: Azure Audit LogAttacker's goals: Extract Kubernetes secrets to gain access to restricted resources in the cluster.Investigative actions: Verify whether the identity should be making this action. Check for any suspicious activity initiated by the identity.An unusual process in ingress-nginx has accessed a service-account token file High Cloud
An unusual process in ingress-nginx has read a service-account token.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Exploit Public-Facing Application (T1190) Unsecured Credentials (T1552)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, ContainersAttacker's goals: An attacker is attempting to gain unauthorized access by leveraging valid credentials.Investigative actions: Check if the process is intended to preform these actions.Azure Key Vault Secrets were modified Informational Cloud
Azure key vault secrets were modified. A change or deletion of secrets in Azure Key Vault has been detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: Azure Audit LogAttacker's goals: Gain access to confidential data stored in the Azure Key Vault.Investigative actions: Investigate what Azure Key Vault Secrets were modified or deleted. Check for any suspicious activity initiated by the identity.Azure Key Vault modification Informational Cloud
Azure Key Vault modifications can be crucial as it stores secrets e.g. encryption keys, certifications, etc.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials (T1552)Required data: Azure Audit LogAttacker's goals: Exfiltrate information, persistence on existing users or damage critical accounts.Investigative actions: Check the identity actions before or after the Key Vault modification. Find which credentials were modified and their usage.Cloud IMDS access followed by remote token usage Medium Cloud
A request was made to the cloud Instance Metadata Service (IMDS) followed by a remote usage of EC2 role token.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Hour
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Exploit Public-Facing Application (T1190) Unsecured Credentials (T1552)Required data: AWS Audit Log XDR AgentAttacker's goals: Gain unauthorized access by leveraging valid cloud credentials.Investigative actions: Identify the process that accessed the IMDS on the cloud instance. Examine the AWS API calls made by the stolen token, focusing on unusual or sensitive actions. Assess the role's permissions and rotate credentials if compromise is confirmed.Copy a user's GnuPG directory with rsync Low
Copy a user's GnuPG (.gnupg) directory on to a staging folder using the 'find' and 'rsync' commands.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Private Keys (T1552.004)Required data: XDR AgentAttacker's goals: Adversaries may use the rsync tool to exfiltrate secrets.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Extracting credentials from Unix files Low
Suspicious Unix files containing insecurely stored credentials were accessed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR AgentAttacker's goals: Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.Investigative actions: Investigate the process activities and use of the extracted credentials.Granting Access to an Account Informational Cloud
Azure access has been granted to an account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Valid Accounts (T1078) Unsecured Credentials (T1552) Modify Authentication Process (T1556) OS Credential Dumping (T1003) Brute Force (T1110) Forge Web Credentials (T1606)Required data: Azure Audit LogAttacker's goals: Gain unauthorized access to an account. Gain access to sensitive data.Investigative actions: Check the account access logs to determine the source of the access. Check the account activity logs to determine the purpose of the access.Kubernetes admission controller activity Informational Cloud 4 variations
A Kubernetes admission controller has been created or modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Credential Access (TA0006)ATT&CK techniques: Valid Accounts (T1078) Unsecured Credentials: Container API (T1552.007)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Intercept the requests to the Kubernetes API sever, records secrets, and other sensitive information. Modify requests to the Kubernetes API sever.Investigative actions: Verify whether the identity should use Kubernetes admission controllers. Examine the role of the Kubernetes admission controller and its intended function. Investigate other operations that were performed by the identity within the cluster.Variations
Kubernetes validating admission controller was used in the organization for the first time
Low overridden
A validating Kubernetes admission controller has been created or modified. overridden
Kubernetes mutating admission controller was used in the organization for the first time
Medium overridden
A mutating Kubernetes admission controller has been created or modified. overridden
Kubernetes validating admission controller was used in the cluster for the first time
Low overridden
A validating Kubernetes admission controller has been created or modified. overridden
Kubernetes mutating admission controller was used in the cluster for the first time
Medium overridden
A mutating Kubernetes admission controller has been created or modified. overridden
Kubernetes secret enumeration activity Informational 5 variations
Kubectl secret enumeration command was executed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Container API (T1552.007)Required data: XDR AgentDetector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Attackers may gather sensitive information within a container environment.Investigative actions: Check whether the executing process is performed by authorized identity and if this was a desired behavior as part of its normal execution flow.Variations
Kubernetes secret describe activity from a Kubernetes Pod
Medium overridden
Kubectl secret enumeration command was executed. overridden
Kubernetes secret value extraction activity from a Kubernetes pod
Medium overridden
Kubectl secret enumeration command was executed. overridden
Kubernetes secret enumeration activity from a Kubernetes Pod
Medium overridden
Kubectl secret enumeration command was executed. overridden
Kubernetes secret enumeration activity from a host
Low overridden
Kubectl secret enumeration command was executed. overridden
Kubernetes secret value extraction activity
Informational overridden
Kubectl secret enumeration command was executed. overridden
Large volume of files potentially containing credentials accessed in Google Drive Informational Identity Threat Module 1 variation
A user accessed a large volume of files potentially containing credentials in Google Drive.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Credential Access (TA0006)ATT&CK techniques: Data from Cloud Storage (T1530) Unsecured Credentials (T1552)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: An attacker may attempt to gain unauthorized access by leveraging valid credentials found in Google Drive.Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Verify if the user account that accessed the files is authorized to access them. Review the files accessed and whether it was part of a breach or a legitimate activity. Monitor the account for any further suspicious actions.Variations
Possible credential files harvesting in Google Drive
Low overridden
A user accessed a large volume of files potentially containing credentials in Google Drive. overridden
Microsoft Configuration Manager device registration and policy request Informational Identity Analytics 1 variation
A user registered a device and requested a Microsoft Configuration Manager policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002) Unsecured Credentials (T1552)Required data: XDR AgentDetector tags: Microsoft SCCM AnalyticsAttacker's goals: An attacker aims to extract plaintext credentials of the Network Access Account (NAA) from an SCCM environment, enabling unauthorized access to resources and lateral movement within the network.Investigative actions: Verify the activity with the performing user. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Look for unusual logins using the Network Access Account (NAA), on systems or at times that deviate from normal patterns. Looking for signs of credential extraction, such as tools or scripts.Variations
Suspicious Microsoft Configuration Manager device registration and policy request
Low overridden
A suspicious process registered a new device and requested policies from Microsoft Configuration Manager, triggering a suspicious activity alert due to unusual characteristics. overridden
Possible Search For Password Files Medium
Attackers often search for files that have passwords in them.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR AgentAttacker's goals: Gain user-account credentials.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Potential SCCM credential harvesting using WMI detected Low 3 variations
Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: Windows Management Instrumentation (T1047) Unsecured Credentials (T1552)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft SCCM AnalyticsAttacker's goals: Obtain credentials used by the SCCM service.Investigative actions: Examine the process that executed the WMI query and the CGO and verify that the processes are from a trusted source. Inspect the system for malicious activity that is related to that process.Variations
Potential SCCM credential harvesting using WMI detected from a remote machine
Medium overridden
Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM. overridden
Potential SCCM inventory query using WMI detected
Low overridden
Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM. overridden
Potential Enumeration of SCCM User, Device, and Deployment Data via WMI
Low overridden
Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM. overridden
Potential extraction of NAA Account Credentials in Microsoft Configuration Manager Low Identity Analytics 1 variation
Possible user attempt to deobfuscate Network Access Account (NAA) credentials in Microsoft Configuration Manager. This may indicate a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005)ATT&CK techniques: Unsecured Credentials (T1552) Deobfuscate/Decode Files or Information (T1140) Credentials from Password Stores (T1555)Required data: Azure Audit Log AzureAD AzureAD Audit Log Microsoft Graph Logs Office 365 Audit Okta Okta Audit Log Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Global Protect Third-Party VPNs Slack Audit Log XDR Agent XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft SCCM AnalyticsAttacker's goals: An attacker may extract plaintext credentials of the Network Access Account (NAA) from an SCCM environment to access resources and lateral movement within the network.Investigative actions: Verify the activity with the performing user. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Look for unusual logins using the Network Access Account (NAA), on systems or at times that deviate from normal patterns. Looking for signs of credential extraction, such as tools or scripts.Variations
Suspicious extraction of NAA Account Credentials in Microsoft Configuration Manager
Medium overridden
Possible user attempt to deobfuscate Network Access Account (NAA) credentials in Microsoft Configuration Manager. This may indicate a compromised account. overridden
Potential kubelet impersonation attempt Low 1 variation
A process accessed both the Kubelet credentials and the Kubernetes CA certificate, indicating an attempt to impersonate the node agent and communicate with the API server.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Impersonate the node agent to gain control over the cluster.Investigative actions: Look for additional suspicious activities. Verify if the exposed credentials were used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.Variations
Potential kubelet impersonation attempt by an unusual process
Medium overridden
A process accessed both the Kubelet credentials and the Kubernetes CA certificate, indicating an attempt to impersonate the node agent and communicate with the API server. overridden
PowerShell pfx certificate extraction Informational 1 variation
PowerShell was used to extract a pfx certificate file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Attackers may export certificates to .pfx files to use them for authentication, persistence or NTLM extraction.Investigative actions: Check if the pfx creation is legitimate for the user (Testing, IT, etc.). Follow further actions done by the user (ex. authentication using certificates).Variations
Suspicious PowerShell pfx certificate extraction
Low overridden
A user used PowerShell to extract a pfx certificate file. overridden
Reading bash command history file Low
Attackers may access the bash history file to glean cleartext usernames and passwords that were entered on the command line.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Shell History (T1552.003)Required data: XDR AgentAttacker's goals: Adversaries may search the bash history file to search for insecurely stored credentials.Investigative actions: Investigate the process activities and use of the extracted credentials.Remote usage of AWS Lambda's role Informational Cloud 5 variations
An AWS Lambda's role was used externally of the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogAttacker's goals: Exfiltrate token and abuse it remotely.Investigative actions: Check if the IAM role was assumed by an unknown identity. Check what API calls were executed using the access-key.Variations
Remote command line usage of AWS Lambda's role
High overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Suspicious usage of AWS Lambda's role
Medium overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Suspicious usage of AWS Lambda's role
Low overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Suspicious usage of AWS Lambda's role
High overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Usage of AWS Lambda's role from a known ASN
Informational overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Remote usage of VM Service Account token Informational Cloud 1 variation
A GCP Service Account token, which is attached to a VM, was used externally of the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552)Required data: Gcp Audit LogAttacker's goals: Exfiltrate token and abuse it remotely.Investigative actions: Check if the service account was attached to a specific VM. Check if the service account was used by a user. Check if the relevant VM is compromised.Variations
Suspicious usage of VM Service Account token
High overridden
A GCP Service Account token, which is attached to a VM, was used externally of the cloud environment. overridden
Remote usage of an AWS service token Low Cloud 1 variation
An AWS service token was used externally of the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008) Initial Access (TA0001)ATT&CK techniques: Steal Application Access Token (T1528) Use Alternate Authentication Material: Application Access Token (T1550.001) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogAttacker's goals: Exfiltrate a token and abuse it remotely.Investigative actions: Check what actions were executed using the access-key. Check if the IAM role was assumed by a different identity.Variations
Suspicious usage of AWS service token
Medium overridden
An AWS service token was used externally of the cloud environment. overridden
Remote usage of an App engine Service Account token Informational Cloud 1 variation
A GCP Service Account token, which is attached to an app engine, was used externally of the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552)Required data: Gcp Audit LogAttacker's goals: Exfiltrate token and abuse it remotely.Investigative actions: Check if the Service Account was attached to a specific app engine. Check if the Service Account was used by a user. Check if the relevant app engine is compromised.Variations
Suspicious usage of App engine Service Account token
High overridden
A GCP Service Account token, which is attached to an app engine, was used externally of the cloud environment. overridden
Remote usage of an Azure Managed Identity token Low Cloud 4 variations
An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552)Required data: Azure Audit LogDetector tags: Cloud Serverless Function Credentials Theft AnalyticsAttacker's goals: Exfiltrate valid token and abuse it remotely.Investigative actions: Verify whether the Managed Identity should be used remotely. Check what API calls were executed by the Managed Identity. Check if the relevant compute service is compromised.Variations
Remote usage of an Azure Function App's Managed Identity token
Medium overridden
An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment. overridden
Remote usage of an Azure Automation Account's Managed Identity token
Medium overridden
An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment. overridden
Remote usage of an Azure Managed Identity token from an unusual ASN
High overridden
An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment. overridden
Remote usage of an Azure Managed Identity token from an unusual IP
Medium overridden
An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment. overridden
Remote usage of an Azure Service Principal token Informational Cloud 2 variations
An Azure Service Principal token was used externally of the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552)Required data: Azure Audit LogAttacker's goals: Exfiltrate valid token and abuse it remotely.Investigative actions: Verify whether the service principal should be used remotely. Check what API calls were executed by the service principal. Determine whether the service principal is compromised.Variations
Remote usage of an Azure Service Principal token from an unusual ASN
High overridden
An Azure Service Principal token was used externally of the cloud environment. overridden
Remote usage of an Azure Service Principal token from an unusual IP
Medium overridden
An Azure Service Principal token was used externally of the cloud environment. overridden
Retrieval of kubelet credentials Informational 1 variation
A process retrieved kubelet credentials.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Impersonate the node agent to gain control over the cluster.Investigative actions: Look for additional suspicious activities. Verify if the exposed credentials were used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.Variations
Retrieval of kubelet credentials by an unusual process
Low overridden
A process retrieved kubelet credentials. overridden
Suspicious AWS SSM parameters retrieval activity Informational Cloud 1 variation
An identity dumped multiple AWS SSM parameters from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)ATT&CK techniques: Unsecured Credentials (T1552) Data from Cloud Storage (T1530)Required data: AWS Audit LogAttacker's goals: Collect secrets from the cloud environment.Investigative actions: Check the accessed parameters' designation. Verify that the identity did not dump any sensitive information that it shouldn't.Variations
A non admin identity extracted multiple secrets within the organization across multiple regions
Low overridden
An identity dumped multiple AWS SSM parameters from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden
Suspicious Kubernetes pod token access Medium 2 variations
A Kubernetes pod has accessed the access token of another pod.This could indicate potential unauthorized access or a security breach within the cluster.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Gain access to the Kubernetes environment.Investigative actions: Look for additional suspicious activities. Verify if the exposed credentials were used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.Variations
Suspicious Kubernetes pod token access by an unusual pod
High overridden
A Kubernetes pod has accessed the access token of another pod.This could indicate potential unauthorized access or a security breach within the cluster. overridden
Suspicious Kubernetes pod token access by an unusual process
Medium overridden
A Kubernetes pod has accessed the access token of another pod.This could indicate potential unauthorized access or a security breach within the cluster. overridden
Suspicious access to cloud credential files Informational Cloud 6 variations
A process accessed multiple cloud credential files, which may indicate a credential theft activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Cloud Lateral Movement AnalyticsAttacker's goals: Gain initial access to the cloud environment.Investigative actions: Verify if the executing process is doing more suspicious activities. Verify if the exposed credential files were used to access to the cloud environment. Verify which operations were used against the cloud environment with the exposed credentials.Variations
Suspicious access to cloud credential files of various cloud providers within a cloud instance
Low overridden
A process accessed multiple cloud credential files, which may indicate a credential theft activity. overridden
Suspicious access to cloud credential files within a cloud instance
Informational overridden
A process accessed multiple cloud credential files, which may indicate a credential theft activity. overridden
Suspicious access to Windows cloud credential files of various cloud providers
Medium overridden
A process accessed multiple cloud credential files, which may indicate a credential theft activity. overridden
Suspicious access to Windows cloud credential files by an unusual process
Low overridden
A process accessed multiple cloud credential files, which may indicate a credential theft activity. overridden
Suspicious access to cloud credential files of various cloud providers
Medium overridden
A process accessed multiple cloud credential files, which may indicate a credential theft activity. overridden
Suspicious access to cloud credential files by an unusual process
Low overridden
A process accessed multiple cloud credential files, which may indicate a credential theft activity. overridden
Suspicious process accessed certificate files Low
A suspicious process accessed certificate files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials (T1552) Steal or Forge Authentication Certificates (T1649)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers may search for local certificate files for authentication, persistence or NTLM extraction.Investigative actions: See whether this was a legitimate action. Follow process/user activities.Suspicious secrets dump activity Informational Cloud 2 variations
An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)ATT&CK techniques: Unsecured Credentials (T1552) Data from Cloud Storage (T1530) Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Collect secrets from the cloud environment.Investigative actions: Check the accessed secrets' designation. Verify that the identity did not dump any sensitive information that it shouldn't.Variations
An identity extracted every secret within the organization across multiple regions
Medium overridden
An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden
An identity extracted multiple secrets within the organization across multiple regions
Low overridden
An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden
Suspicious usage of EC2 token Low Cloud 1 variation
An AWS EC2 STS token was used externally from an EC2 instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogAttacker's goals: Exfiltrate token and abuse it remotely.Investigative actions: Check if the access key was generated by the attached instance. Check what actions were executed by the access key. Check if the relevant instance is compromised.Variations
Suspicious usage of EC2 token
Medium overridden
An AWS EC2 STS token was used externally from an EC2 instance. overridden
Uncommon SQL like command line Informational 3 variations
Uncommon SQL query in command line of an executed process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR AgentAttacker's goals: An attacker may use SQL queries to steal information stored at the target databases.Investigative actions: Check if the CGO (Causality Group Owner) is known for running SQL queries in the organization.Variations
Uncommon SQL like command line executed by a remote actor
Medium overridden
Uncommon SQL query in command line of a process which executed remotely. overridden
Uncommon SQL like command line executed by an RMM tool
Medium overridden
Uncommon SQL query in command line of a process executed by a Remote Monitoring & Management tool. overridden
Uncommon SQL like command line executed by an uncommon CGO
Low overridden
Uncommon SQL query in command line of an executed process. overridden
Uncommon access to Microsoft Teams credential files Low 1 variation
Sensitive Microsoft Teams credential files were accessed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials (T1552)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Accessing these files is done by attackers to collect user credentials.Investigative actions: Investigate the actor process to determine if it was used for legitimate purposes or malicious activity.Variations
Uncommon access to Microsoft Teams credential files by an unsigned and unpopular process
Low overridden
Sensitive Microsoft Teams credential files were accessed. by an unsigned and unpopular process. overridden
Uncommon attempt at grabbing credentials from a sensitive file Informational 8 variations
A process made an uncommon attempt to access a file that may contain sensitive information.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: OS Credential Dumping (T1003) Unsecured Credentials: Credentials In Files (T1552.001) Unsecured Credentials (T1552) Credentials from Password Stores (T1555) Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Credentials Grabbing AnalyticsAttacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.Variations
Uncommon attempt at grabbing credentials from a sensitive file by a security testing tool
High overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a potentially known credential dumper or enumeration script
Medium overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from an SSH private key
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a potential Webshell
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a script that was executed by a rare causality
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file from temporary or world writable directories
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a rare process that was executed by cron
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a non-GTFOBIN process
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Unprivileged process opened a registry hive Low
An unprivileged process opened a registry hive directly.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR AgentAttacker's goals: An attacker may attempt to gain higher privileges.Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Investigate the endpoint to determine if it's a legitimate process that is supposed to run with privileges.Unusual ADConnect database file access Informational 2 variations
An unusual process accessed the ADConnect database files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials (T1552)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers can abuse the Azure AD Connect database files to get access to the AD Sync account. The AD Sync account is a highly privileged account that can perform a DCSync and get access to on-premise password hashes.Investigative actions: See whether this was a legitimate action. Follow process/user/host activities. Follow unusual actions of the AD Sync user. Check for unusual Azure AD authentications. Check for a possible DCSync.Variations
Suspicious access to ADConnect database file
Medium overridden
An unusual process accessed the ADConnect database files with some suspicious characteristics that flagged this access attempt as a suspicious. overridden
Access to ADConnect database file by an unsigned or unusual process
Low overridden
An unusual process accessed the ADConnect database files with some suspicious characteristics that flagged this access attempt as a suspicious access. overridden
Unusual CIM repository file access Low 1 variation
An uncommon process accessed the CIM repository file, potentially to retrieve stored NNA credentials for unauthorized use.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials (T1552) OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft SCCM AnalyticsAttacker's goals: Attackers can retrieve plaintext domain credentials, which may be used for proxying tools into the environment over command and control (C2). If the credentials are overprivileged, this technique may enable lateral movement to other clients or sensitive systems. Determine whether this was a legitimate action.Investigative actions: Follow process, user, and host activities. Investigate if the retrieved credentials match any known accounts or if there is any abnormal access to distribution points or other critical resources. Verify the presence of unauthorized tools or processes like SharpDPAPI or SharpSCCM that could have been used for credential extraction or decryption. Review relevant system logs (event logs, SCCM logs, etc.) for any signs of unusual activity or access patterns related to the NAA or other credentials.Variations
Suspicious CIM repository file access
Medium overridden
An unusual process with suspicious characteristics accessed the CIM repository file, causing this attempt to be flagged as suspicious. overridden
Unusual Kubernetes secret access Informational Cloud
Suspicious Kubernetes secret access.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Container API (T1552.007)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes Credentials Theft AnalyticsAttacker's goals: Access sensitive data on Kubernetes cluster.Investigative actions: Check if {identity_name} should access any Kubernetes secrets and restrict permissions if needed. The event was originated from {caller_ip} using {user_agent}.Unusual Kubernetes service account file read Informational 7 variations
An unusual process opened a Kubernetes service account file for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Utilize the Kubernetes service account files to perform additional actions on the cluster.Investigative actions: Check the exposed Kubernetes service account usage in the cluster. Check if any other suspicious activity was performed inside the pod.Variations
Unusual Kubernetes service account file read within a new pod
Informational overridden
An unusual process opened a Kubernetes service account file for the first time. overridden
Kubernetes service account file read
Informational overridden
An unusual process opened a Kubernetes service account file for the first time. overridden
Suspicious Kubernetes service account file read from the projected volume path
Medium overridden
An unusual process opened a Kubernetes service account file for the first time. overridden
Suspicious Kubernetes service account token read via an interactive shell
Medium overridden
An unusual process opened a Kubernetes service account file for the first time. overridden
Suspicious Kubernetes service account token read by an unusual process
Low overridden
An unusual process opened the Kubernetes service account token file for the first time. overridden
Suspicious Kubernetes service account file read by an unusual process
Low overridden
An unusual process opened a Kubernetes service account file for the first time. overridden
Suspicious Kubernetes service account token read
Low overridden
An unusual process opened the Kubernetes service account token file for the first time. overridden
Unusual certificate management activity Informational Cloud
A cloud identity performed a certificate management operation for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Private Keys (T1552.004)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Abuse certificate management functionalities to generate valid signed certificates, which enable to launch man-in-the-middle attacks against different services.Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive certificate management operation that it shouldn't.Unusual cloud Instance Metadata Service (IMDS) access Informational Cloud 6 variations
A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Cloud Instance Metadata API (T1552.005)Required data: XDR AgentDetector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Extract sensitive cloud compute tokens to access restricted cloud resources.Investigative actions: Determine whether a web service was involved and if it was exploited to execute this technique. Identify any additional commands that were executed. Review the permissions assigned to the target machine to identify which resources may be affected. Examine related compute activity in the cloud audit logs.Variations
Unusual cloud Instance Metadata Service (IMDS) access from an unusual known Windows web service
Medium overridden
A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden
Unusual cloud Instance Metadata Service (IMDS) access from an unusual known web service
Medium overridden
A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden
Unusual cloud Instance Metadata Service (IMDS) access from an unusual known Windows shell process
Medium overridden
A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden
Unusual cloud Instance Metadata Service (IMDS) access from an unusual known shell process
Medium overridden
A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden
Unusual cloud Instance Metadata Service (IMDS) access from an unusual known Windows scripting process
Medium overridden
A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden
Unusual cloud Instance Metadata Service (IMDS) access from an unusual known scripting process
Low overridden
A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden
Unusual key management activity Informational Cloud
A cloud identity performed a key management operation for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials (T1552)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Abuse exposed cryptographic keys to decrypt sensitive information or create digital signatures to craft malicious messages.Using the decrypted information, the attacker may perform additional activities in an evasive manner.Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive KMS operation that it shouldn't.Unusual process accessed FTP Client credentials Low
An unusual process has accessed a third-party FTP client's credential file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Credentials Grabbing AnalyticsAttacker's goals: Obtain access to passwords stored in the FTP client.Investigative actions: Determine whether it is legitimate for the process to access FTP passwords directly. Analyze the process/application that accessed the credentials. Check for any other suspicious actions that were performed by the process. Look for unusual access to resources using credentials cached in the FTP client.Unusual secret management activity Informational Cloud
A cloud Identity performed a secret management operation for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials (T1552) Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Abuse exposed secrets to gain access to restricted cloud resources and applications.Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive secret management operation that it shouldn't.