Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

18 alerts match the current filters. tactic: TA0006 ✕ technique: T1555 ✕

Show ATT&CK heatmap
  • AWS SSM parameters discovery Informational Cloud 1 variation

    An attempt was made to list parameters stored in AWS SSM.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate sensitive secrets stored in SSM parameter store.
    Investigative actions: Check if the secrets manager activity aligns with known workflows or automation, or if it indicates abnormal activity. Follow further actions done by the identity.

    Variations

    Unusual AWS SSM parameters discovery

    Informational overridden

    An attempt was made to list parameters stored in AWS SSM. overridden

  • AWS SSM parameters retrieval Informational Cloud 2 variations

    An attempt was made to retrieve parameters stored in AWS SSM.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate sensitive secrets stored in AWS SSM parameter store.
    Investigative actions: Investigate the purpose of the encrypted parameter and assess the sensitivity of its contents. Check if the access aligns with known workflows or automation, or if it indicates abnormal activity.

    Variations

    AWS SSM encrypted parameters retrieval

    Informational overridden

    An attempt was made to retrieve encrypted parameters stored in AWS SSM. overridden

    Unusual AWS SSM parameters retrieval

    Informational overridden

    An attempt was made to retrieve parameters stored in AWS SSM. overridden

  • AWS Secrets Manager Access Informational Cloud 1 variation

    An attempt was made to retrieve secrets from AWS Secrets Manager.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate sensitive secrets stored in AWS Secrets Manager.
    Investigative actions: Investigate the secret's purpose and assess the sensitivity of its contents. Check if the access aligns with known workflows or automation, or if it indicates abnormal activity.

    Variations

    Unusual AWS Secrets Manager Access

    Informational overridden

    An attempt was made to retrieve secrets from AWS Secrets Manager. overridden

  • AWS Secrets Manager discovery Informational Cloud 1 variation

    An attempt was made to list secrets from AWS Secrets Manager.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate sensitive secrets stored in AWS Secrets Manager.
    Investigative actions: Check if the secrets manager activity aligns with known workflows or automation, or if it indicates abnormal activity. Follow further actions done by the identity.

    Variations

    Unusual AWS Secrets Manager discovery

    Informational overridden

    An attempt was made to list secrets from AWS Secrets Manager. overridden

  • An Azure Key Vault key was modified Informational Cloud

    An Azure Key Vault key was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)
    Required data: Azure Audit Log
    Attacker's goals: Gain access to sensitive data stored in the Azure Key Vault.
    Investigative actions: Check the Azure Key Vault configuration to identify what changes were made.
  • An identity successfully extracted multiple secrets within the organization Low Cloud 2 variations

    An identity successfully dumped multiple secrets from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)
    Required data: AWS Audit Log
    Attacker's goals: Collect secrets from the cloud environment.
    Investigative actions: Check the accessed secrets' designation. Verify that the identity did not dump any sensitive information that it shouldn't.

    Variations

    An identity successfully enumerated and extracted multiple secrets within the organization

    Medium overridden

    An identity successfully dumped multiple secrets from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden

    An identity successfully extracted multiple secrets within the organization across multiple regions

    Medium overridden

    An identity successfully dumped multiple secrets from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden

  • Potential extraction of NAA Account Credentials in Microsoft Configuration Manager Low Identity Analytics 1 variation

    Possible user attempt to deobfuscate Network Access Account (NAA) credentials in Microsoft Configuration Manager. This may indicate a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005)
    ATT&CK techniques: Unsecured Credentials (T1552) Deobfuscate/Decode Files or Information (T1140) Credentials from Password Stores (T1555)
    Required data: Azure Audit Log AzureAD AzureAD Audit Log Microsoft Graph Logs Office 365 Audit Okta Okta Audit Log Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Global Protect Third-Party VPNs Slack Audit Log XDR Agent XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: An attacker may extract plaintext credentials of the Network Access Account (NAA) from an SCCM environment to access resources and lateral movement within the network.
    Investigative actions: Verify the activity with the performing user. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Look for unusual logins using the Network Access Account (NAA), on systems or at times that deviate from normal patterns. Looking for signs of credential extraction, such as tools or scripts.

    Variations

    Suspicious extraction of NAA Account Credentials in Microsoft Configuration Manager

    Medium overridden

    Possible user attempt to deobfuscate Network Access Account (NAA) credentials in Microsoft Configuration Manager. This may indicate a compromised account. overridden

  • Rare process accessed a Keychain file Informational 5 variations

    An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores: Keychain (T1555.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Credentials Grabbing Analytics
    Attacker's goals: Obtain access to credentials stored in the Keychain file.
    Investigative actions: Determine whether it is legitimate for the process to access credential data directly. Analyze the process/application that touched the Keychain. Check for any other suspicious actions that were performed by the process. Look for unusual access to resources using credentials stored on said Keychain.

    Variations

    Rare process accessed a Keychain file using the networksetup tool

    High overridden

    An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden

    Rare process accessed a Keychain file while installing a new certificate

    Medium overridden

    An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden

    Rare process accessed a Keychain file initiated by a causality actor with a rare path

    Low overridden

    An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden

    Rare process accessed a Keychain file initiated by an unsigned causality actor

    Low overridden

    An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden

    Rare unsigned process accessed a Keychain file

    Low overridden

    An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden

  • Sensitive browser credential files accessed by a rare non browser process Informational 1 variation

    Sensitive browser credential files accessed by a rare non browser process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores: Credentials from Web Browsers (T1555.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Achieve Credential Access by harvesting credentials from local browser storage.This facilitates Lateral Movement and Persistence across the environmentto gain unauthorized control over sensitive resources and information.
    Investigative actions: Determine the legitimacy of the actor process that accessed the sensitive browser credential files. Analyze the process signature, file path, and command line arguments to verify the process's authenticity. Identify the process or user responsible for initiating the activity and assess its legitimacy.

    Variations

    Sensitive browser credential files accessed by a rare non browser process from a commonly abused directory

    Low overridden

    Sensitive browser credential files accessed by a rare non browser process. overridden

  • Stored credentials exported using credwiz.exe Low 3 variations

    Attackers may abuse the credwiz tool to export stored accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores (T1555)
    Required data: XDR Agent
    Attacker's goals: An attacker may attempt to gain higher privileges.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Stored credentials exported using credwiz.exe using keymgr.dll's KRShowKeyMgr function

    Medium overridden

    Attackers may abuse the credwiz tool to export stored accounts using keymgr.dll's KRShowKeyMgr function. overridden

    Stored credentials exported using credwiz.exe over RDP

    Low overridden

    Attackers may abuse the credwiz tool to export stored accounts over RDP. overridden

    Stored credentials exported using credwiz.exe with a built-in Windows tool

    Low overridden

    Attackers may abuse the credwiz tool to export stored accounts with a built-in Windows tool. overridden

  • Suspicious secrets dump activity Informational Cloud 2 variations

    An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)
    ATT&CK techniques: Unsecured Credentials (T1552) Data from Cloud Storage (T1530) Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Collect secrets from the cloud environment.
    Investigative actions: Check the accessed secrets' designation. Verify that the identity did not dump any sensitive information that it shouldn't.

    Variations

    An identity extracted every secret within the organization across multiple regions

    Medium overridden

    An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden

    An identity extracted multiple secrets within the organization across multiple regions

    Low overridden

    An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden

  • Uncommon access to Microsoft Teams cookies files Informational Identity Analytics 1 variation

    Sensitive Microsoft Teams cookies files were accessed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores (T1555) Steal Application Access Token (T1528)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft Teams
    Attacker's goals: Attacker may access credentials files and steal application access tokens to gain remote access.
    Investigative actions: Investigate the actor process to determine if it was used for legitimate purposes or malicious activity. Review the host for any additional unusual activity. Investigate the Graph API calls followed by the user that might be related.

    Variations

    Suspicious uncommon access to Microsoft Teams cookies files

    Low overridden

    Sensitive Microsoft Teams cookies files were accessed by a suspicious process. overridden

  • Uncommon access to cloud platforms' sensitive files by a scripting engine Informational 1 variation

    A scripting engine has accessed sensitive cloud platforms' files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores (T1555)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain access/control over internal cloud platforms or repositories.
    Investigative actions: Investigate if the behavior is known to the user or part of known product's procedure. Investigate if the actor processes command line contains malicious indicators or a script file.

    Variations

    Uncommon access to cloud platforms' sensitive files by an uncommon script or utility

    Low overridden

    A scripting engine has accessed sensitive cloud platforms' files. overridden

  • Uncommon attempt at grabbing credentials from a sensitive file Informational 8 variations

    A process made an uncommon attempt to access a file that may contain sensitive information.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: OS Credential Dumping (T1003) Unsecured Credentials: Credentials In Files (T1552.001) Unsecured Credentials (T1552) Credentials from Password Stores (T1555) Account Discovery (T1087)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Credentials Grabbing Analytics
    Attacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.
    Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.

    Variations

    Uncommon attempt at grabbing credentials from a sensitive file by a security testing tool

    High overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from a sensitive file by a potentially known credential dumper or enumeration script

    Medium overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from an SSH private key

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from a sensitive file by a potential Webshell

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from a sensitive file by a script that was executed by a rare causality

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from a sensitive file from temporary or world writable directories

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from a sensitive file by a rare process that was executed by cron

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from a sensitive file by a non-GTFOBIN process

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

  • Unusual access to the AD Sync credential files Informational Cloud 2 variations

    The AD Sync credential files were accessed in an unusual way.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores (T1555)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Extracting and decrypting stored Azure AD and Active Directory credentials from Azure AD Connect servers.
    Investigative actions: See whether this was a legitimate action. Follow the causality chain/user/host activities. Follow unusual actions of the AD Sync user. Check for remote SMB connections to the agent. Check for unusual Azure AD authentications. Check if this happened on other endpoints. Check for unusual logins.

    Variations

    Suspicious process access to the AD Sync credential files

    Medium overridden

    The AD Sync credential files were accessed in an unusual way. overridden

    An abnormal process accessed the AD Sync credential files

    Low overridden

    The AD Sync credential files were accessed in an unusual way. overridden

  • Unusual access to the Windows Internal Database on an ADFS server Informational 1 variation

    The Windows Internal Database (WID) was queried in an unusual way on an ADFS server.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores (T1555)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers can attempt to extract and decrypt the ADFS certificate that is used to sign SAML tokens, and fabricate a new SAML token.
    Investigative actions: See whether this was a legitimate action. Follow the causality chain/user/host activities. Monitor suspicious LDAP queries to the ADFS container in Active Directory. Check the possibility of a compromised ADFS server. Check for unusual Azure AD authentications. Check for unusual logins.

    Variations

    Suspicious access to the Windows Internal Database on an ADFS server

    Low overridden

    The Windows Internal Database (WID) was queried in an unusual way on an ADFS server. overridden

  • Unusual process accessed web browser credentials Informational 2 variations

    An unusual process has accessed a web browser credentials file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores: Credentials from Web Browsers (T1555.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Credentials Grabbing Analytics
    Attacker's goals: Obtain access to credentials (such as cached logins) stored in the web browser.
    Investigative actions: Determine whether it is legitimate for the process to access web browser credential data directly. Analyze the process/application that accessed the credentials. Check for any other suspicious actions that were performed by the process. Look for unusual access to resources using credentials cached in the web browser.

    Variations

    Unusual process accessed web browser credentials and executed by a terminal process

    High overridden

    An unusual process has accessed a web browser credentials file. overridden

    Unusual unsigned process accessed web browser credentials

    Low overridden

    An unusual process has accessed a web browser credentials file. overridden

  • Unusual secret management activity Informational Cloud

    A cloud Identity performed a secret management operation for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials (T1552) Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Abuse exposed secrets to gain access to restricted cloud resources and applications.
    Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive secret management operation that it shouldn't.