Analytics Alerts
Browse the Cortex analytics alert reference.
18 alerts match the current filters. tactic: TA0006 ✕ technique: T1555 ✕
Show ATT&CK heatmapAWS SSM parameters discovery Informational Cloud 1 variation
An attempt was made to list parameters stored in AWS SSM.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006) Cloud Service Discovery (T1526)Required data: AWS Audit LogAttacker's goals: Exfiltrate sensitive secrets stored in SSM parameter store.Investigative actions: Check if the secrets manager activity aligns with known workflows or automation, or if it indicates abnormal activity. Follow further actions done by the identity.Variations
Unusual AWS SSM parameters discovery
Informational overridden
An attempt was made to list parameters stored in AWS SSM. overridden
AWS SSM parameters retrieval Informational Cloud 2 variations
An attempt was made to retrieve parameters stored in AWS SSM.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)Required data: AWS Audit LogAttacker's goals: Exfiltrate sensitive secrets stored in AWS SSM parameter store.Investigative actions: Investigate the purpose of the encrypted parameter and assess the sensitivity of its contents. Check if the access aligns with known workflows or automation, or if it indicates abnormal activity.Variations
AWS SSM encrypted parameters retrieval
Informational overridden
An attempt was made to retrieve encrypted parameters stored in AWS SSM. overridden
Unusual AWS SSM parameters retrieval
Informational overridden
An attempt was made to retrieve parameters stored in AWS SSM. overridden
AWS Secrets Manager Access Informational Cloud 1 variation
An attempt was made to retrieve secrets from AWS Secrets Manager.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)Required data: AWS Audit LogAttacker's goals: Exfiltrate sensitive secrets stored in AWS Secrets Manager.Investigative actions: Investigate the secret's purpose and assess the sensitivity of its contents. Check if the access aligns with known workflows or automation, or if it indicates abnormal activity.Variations
Unusual AWS Secrets Manager Access
Informational overridden
An attempt was made to retrieve secrets from AWS Secrets Manager. overridden
AWS Secrets Manager discovery Informational Cloud 1 variation
An attempt was made to list secrets from AWS Secrets Manager.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006) Cloud Service Discovery (T1526)Required data: AWS Audit LogAttacker's goals: Exfiltrate sensitive secrets stored in AWS Secrets Manager.Investigative actions: Check if the secrets manager activity aligns with known workflows or automation, or if it indicates abnormal activity. Follow further actions done by the identity.Variations
Unusual AWS Secrets Manager discovery
Informational overridden
An attempt was made to list secrets from AWS Secrets Manager. overridden
An Azure Key Vault key was modified Informational Cloud
An Azure Key Vault key was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)Required data: Azure Audit LogAttacker's goals: Gain access to sensitive data stored in the Azure Key Vault.Investigative actions: Check the Azure Key Vault configuration to identify what changes were made.An identity successfully extracted multiple secrets within the organization Low Cloud 2 variations
An identity successfully dumped multiple secrets from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)Required data: AWS Audit LogAttacker's goals: Collect secrets from the cloud environment.Investigative actions: Check the accessed secrets' designation. Verify that the identity did not dump any sensitive information that it shouldn't.Variations
An identity successfully enumerated and extracted multiple secrets within the organization
Medium overridden
An identity successfully dumped multiple secrets from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden
An identity successfully extracted multiple secrets within the organization across multiple regions
Medium overridden
An identity successfully dumped multiple secrets from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden
Potential extraction of NAA Account Credentials in Microsoft Configuration Manager Low Identity Analytics 1 variation
Possible user attempt to deobfuscate Network Access Account (NAA) credentials in Microsoft Configuration Manager. This may indicate a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005)ATT&CK techniques: Unsecured Credentials (T1552) Deobfuscate/Decode Files or Information (T1140) Credentials from Password Stores (T1555)Required data: Azure Audit Log AzureAD AzureAD Audit Log Microsoft Graph Logs Office 365 Audit Okta Okta Audit Log Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Global Protect Third-Party VPNs Slack Audit Log XDR Agent XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft SCCM AnalyticsAttacker's goals: An attacker may extract plaintext credentials of the Network Access Account (NAA) from an SCCM environment to access resources and lateral movement within the network.Investigative actions: Verify the activity with the performing user. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Look for unusual logins using the Network Access Account (NAA), on systems or at times that deviate from normal patterns. Looking for signs of credential extraction, such as tools or scripts.Variations
Suspicious extraction of NAA Account Credentials in Microsoft Configuration Manager
Medium overridden
Possible user attempt to deobfuscate Network Access Account (NAA) credentials in Microsoft Configuration Manager. This may indicate a compromised account. overridden
Rare process accessed a Keychain file Informational 5 variations
An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores: Keychain (T1555.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Credentials Grabbing AnalyticsAttacker's goals: Obtain access to credentials stored in the Keychain file.Investigative actions: Determine whether it is legitimate for the process to access credential data directly. Analyze the process/application that touched the Keychain. Check for any other suspicious actions that were performed by the process. Look for unusual access to resources using credentials stored on said Keychain.Variations
Rare process accessed a Keychain file using the networksetup tool
High overridden
An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden
Rare process accessed a Keychain file while installing a new certificate
Medium overridden
An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden
Rare process accessed a Keychain file initiated by a causality actor with a rare path
Low overridden
An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden
Rare process accessed a Keychain file initiated by an unsigned causality actor
Low overridden
An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden
Rare unsigned process accessed a Keychain file
Low overridden
An unusual process accessed a Keychain file. This might indicate a credential-grabbing attempt. overridden
Sensitive browser credential files accessed by a rare non browser process Informational 1 variation
Sensitive browser credential files accessed by a rare non browser process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores: Credentials from Web Browsers (T1555.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Achieve Credential Access by harvesting credentials from local browser storage.This facilitates Lateral Movement and Persistence across the environmentto gain unauthorized control over sensitive resources and information.Investigative actions: Determine the legitimacy of the actor process that accessed the sensitive browser credential files. Analyze the process signature, file path, and command line arguments to verify the process's authenticity. Identify the process or user responsible for initiating the activity and assess its legitimacy.Variations
Sensitive browser credential files accessed by a rare non browser process from a commonly abused directory
Low overridden
Sensitive browser credential files accessed by a rare non browser process. overridden
Stored credentials exported using credwiz.exe Low 3 variations
Attackers may abuse the credwiz tool to export stored accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores (T1555)Required data: XDR AgentAttacker's goals: An attacker may attempt to gain higher privileges.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Stored credentials exported using credwiz.exe using keymgr.dll's KRShowKeyMgr function
Medium overridden
Attackers may abuse the credwiz tool to export stored accounts using keymgr.dll's KRShowKeyMgr function. overridden
Stored credentials exported using credwiz.exe over RDP
Low overridden
Attackers may abuse the credwiz tool to export stored accounts over RDP. overridden
Stored credentials exported using credwiz.exe with a built-in Windows tool
Low overridden
Attackers may abuse the credwiz tool to export stored accounts with a built-in Windows tool. overridden
Suspicious secrets dump activity Informational Cloud 2 variations
An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)ATT&CK techniques: Unsecured Credentials (T1552) Data from Cloud Storage (T1530) Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Collect secrets from the cloud environment.Investigative actions: Check the accessed secrets' designation. Verify that the identity did not dump any sensitive information that it shouldn't.Variations
An identity extracted every secret within the organization across multiple regions
Medium overridden
An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden
An identity extracted multiple secrets within the organization across multiple regions
Low overridden
An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden
Uncommon access to Microsoft Teams cookies files Informational Identity Analytics 1 variation
Sensitive Microsoft Teams cookies files were accessed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores (T1555) Steal Application Access Token (T1528)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft TeamsAttacker's goals: Attacker may access credentials files and steal application access tokens to gain remote access.Investigative actions: Investigate the actor process to determine if it was used for legitimate purposes or malicious activity. Review the host for any additional unusual activity. Investigate the Graph API calls followed by the user that might be related.Variations
Suspicious uncommon access to Microsoft Teams cookies files
Low overridden
Sensitive Microsoft Teams cookies files were accessed by a suspicious process. overridden
Uncommon access to cloud platforms' sensitive files by a scripting engine Informational 1 variation
A scripting engine has accessed sensitive cloud platforms' files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores (T1555)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain access/control over internal cloud platforms or repositories.Investigative actions: Investigate if the behavior is known to the user or part of known product's procedure. Investigate if the actor processes command line contains malicious indicators or a script file.Variations
Uncommon access to cloud platforms' sensitive files by an uncommon script or utility
Low overridden
A scripting engine has accessed sensitive cloud platforms' files. overridden
Uncommon attempt at grabbing credentials from a sensitive file Informational 8 variations
A process made an uncommon attempt to access a file that may contain sensitive information.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: OS Credential Dumping (T1003) Unsecured Credentials: Credentials In Files (T1552.001) Unsecured Credentials (T1552) Credentials from Password Stores (T1555) Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Credentials Grabbing AnalyticsAttacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.Variations
Uncommon attempt at grabbing credentials from a sensitive file by a security testing tool
High overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a potentially known credential dumper or enumeration script
Medium overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from an SSH private key
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a potential Webshell
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a script that was executed by a rare causality
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file from temporary or world writable directories
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a rare process that was executed by cron
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a non-GTFOBIN process
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Unusual access to the AD Sync credential files Informational Cloud 2 variations
The AD Sync credential files were accessed in an unusual way.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores (T1555)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Extracting and decrypting stored Azure AD and Active Directory credentials from Azure AD Connect servers.Investigative actions: See whether this was a legitimate action. Follow the causality chain/user/host activities. Follow unusual actions of the AD Sync user. Check for remote SMB connections to the agent. Check for unusual Azure AD authentications. Check if this happened on other endpoints. Check for unusual logins.Variations
Suspicious process access to the AD Sync credential files
Medium overridden
The AD Sync credential files were accessed in an unusual way. overridden
An abnormal process accessed the AD Sync credential files
Low overridden
The AD Sync credential files were accessed in an unusual way. overridden
Unusual access to the Windows Internal Database on an ADFS server Informational 1 variation
The Windows Internal Database (WID) was queried in an unusual way on an ADFS server.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores (T1555)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers can attempt to extract and decrypt the ADFS certificate that is used to sign SAML tokens, and fabricate a new SAML token.Investigative actions: See whether this was a legitimate action. Follow the causality chain/user/host activities. Monitor suspicious LDAP queries to the ADFS container in Active Directory. Check the possibility of a compromised ADFS server. Check for unusual Azure AD authentications. Check for unusual logins.Variations
Suspicious access to the Windows Internal Database on an ADFS server
Low overridden
The Windows Internal Database (WID) was queried in an unusual way on an ADFS server. overridden
Unusual process accessed web browser credentials Informational 2 variations
An unusual process has accessed a web browser credentials file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores: Credentials from Web Browsers (T1555.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Credentials Grabbing AnalyticsAttacker's goals: Obtain access to credentials (such as cached logins) stored in the web browser.Investigative actions: Determine whether it is legitimate for the process to access web browser credential data directly. Analyze the process/application that accessed the credentials. Check for any other suspicious actions that were performed by the process. Look for unusual access to resources using credentials cached in the web browser.Variations
Unusual process accessed web browser credentials and executed by a terminal process
High overridden
An unusual process has accessed a web browser credentials file. overridden
Unusual unsigned process accessed web browser credentials
Low overridden
An unusual process has accessed a web browser credentials file. overridden
Unusual secret management activity Informational Cloud
A cloud Identity performed a secret management operation for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials (T1552) Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Abuse exposed secrets to gain access to restricted cloud resources and applications.Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive secret management operation that it shouldn't.