Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

8 alerts match the current filters. tactic: TA0007 ✕ technique: T1083 ✕

Show ATT&CK heatmap
  • A suspicious process queried AD CS objects via LDAP Informational Identity Analytics 1 variation

    A suspicious process queried AD CS objects via LDAP.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: File and Directory Discovery (T1083) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), Active Directory Certificate Services Analytics
    Attacker's goals: An attacker might look for AD CS servers, certificate templates or request certificates. With the wrong setting or loose vulnerable templates or enabled enrollment, the attacker will be able to authenticate as users on the network.
    Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time) or process. Investigate the LDAP search query for any suspicious indicators.

    Variations

    A user suspiciously queried AD CS objects via LDAP

    Low overridden

    A user suspiciously queried AD CS objects via LDAP. overridden

  • A user accessed an abnormal number of files on a remote shared folder Informational Identity Threat Module

    A user remotely accessed an abnormal number of files on a remote shared folder. This might indicate an attempt to collect data before exfiltration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: File and Directory Discovery (T1083)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect valuable data about the organization for exfiltration purposes.
    Investigative actions: Check for other suspicious activity made by the user at the time of the event. Go over the list of files and check if such user should have access to those files.
  • A user queried AD CS objects via LDAP Informational Identity Analytics 1 variation

    A user queried AD CS objects via LDAP.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: File and Directory Discovery (T1083) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Server), Active Directory Certificate Services Analytics
    Attacker's goals: An attacker might look for AD CS servers, certificate templates or request certificates. With the wrong setting or loose vulnerable templates or enabled enrollment, the attacker will be able to authenticate as users on the network.
    Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time). Investigate the LDAP search query for any suspicious indicators.

    Variations

    A user enumerated AD CS objects using suspicious LDAP query

    Low overridden

    A user enumerated AD CS objects using suspicious LDAP query. overridden

  • Discovery of misconfigured certificate templates using LDAP Medium 1 variation

    An LDAP query searching for misconfigured certificate templates was executed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: File and Directory Discovery (T1083)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), LDAP Analytics (Server), Active Directory Certificate Services Analytics
    Attacker's goals: An attacker can use misconfigured certificate templates for escalation and authentication.
    Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time) or process. Investigate the LDAP search query for any suspicious indicators.

    Variations

    Frequent LDAP discovery of misconfigured certificate templates by a common process

    Low overridden

    An LDAP query searching for misconfigured certificate templates was executed regularly by a common process. overridden

  • Possible path traversal via HTTP request Low 3 variations

    The endpoint received a suspicious URI via an HTTP request that resembles a path traversal attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: File and Directory Discovery (T1083)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Detector tags: Webshell Analytics
    Attacker's goals: Attackers may exploit server components or misconfigurations to access arbitrary sensitive files on the web server.
    Investigative actions: Inspect the legitimacy of the URI path. Ensure that the rare URI is not a legitimate result of routine development actions on the web server.

    Variations

    Possible sensitive path traversal via HTTP request

    Medium overridden

    The endpoint received a suspicious URI via an HTTP request that resembles a path traversal attempt. overridden

    Possible path traversal via HTTP request from a TOR exit node

    Medium overridden

    The endpoint received a suspicious URI via an HTTP request that resembles a path traversal attempt. overridden

    Possible credential path traversal via HTTP request

    Medium overridden

    The endpoint received a suspicious URI via an HTTP request that resembles a path traversal attempt. overridden

  • SUID/GUID permission discovery Low

    Attackers may search for potential to elevate permissions using binaries that have the SUID or GUID bit enabled.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: File and Directory Discovery (T1083)
    Required data: XDR Agent
    Attacker's goals: Attackers may use GUID/SUID binaries to elevate privileges.
    Investigative actions: Check whether additional malicious commands were executed from the same process. Verify if the command-line seems suspicious or contains malicious indicators.
  • Uncommon access to /etc/passwd Informational 11 variations

    A process made an uncommon attempt to access /etc/passwd.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: File and Directory Discovery (T1083) System Service Discovery (T1007) System Owner/User Discovery (T1033) System Information Discovery (T1082) Account Discovery (T1087) Account Discovery: Local Account (T1087.001) OS Credential Dumping (T1003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: EDR Discovery Analytics, Credentials Grabbing Analytics
    Attacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.
    Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.

    Variations

    Uncommon access to /etc/passwd by a security testing tool

    Medium overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd by a potentially known credential dumper or enumeration script

    Medium overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd by a potential Webshell

    Medium overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon link creation to /etc/passwd

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd with both /etc/passwd and /etc/shadow in the command line

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd, involving a network utility

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd from temporary or world writable directories

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd with additional sensitive files in the command line

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd via a new inline bash script

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd using an interactive binary

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd using an interactive shell

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

  • Uncommon attempt at discovering a sensitive file Informational 8 variations

    A process made an uncommon attempt to access a file that may contain sensitive information.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: File and Directory Discovery (T1083) Process Discovery (T1057) System Service Discovery (T1007) System Network Configuration Discovery (T1016) System Owner/User Discovery (T1033) System Network Connections Discovery (T1049) System Information Discovery (T1082)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: EDR Discovery Analytics
    Attacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.
    Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.

    Variations

    Uncommon attempt at discovering /etc/hosts

    Informational overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a security testing tool

    Medium overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a potentially known credential dumper or enumeration script

    Medium overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a potential Webshell

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a script that was executed by a rare causality

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file from temporary or world writable directories

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a rare process that was executed by cron

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a non-GTFOBIN process

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden