Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0007 ✕ technique: T1552 ✕
Show ATT&CK heatmapUncommon attempt at grabbing credentials from a sensitive file Informational 8 variations
A process made an uncommon attempt to access a file that may contain sensitive information.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: OS Credential Dumping (T1003) Unsecured Credentials: Credentials In Files (T1552.001) Unsecured Credentials (T1552) Credentials from Password Stores (T1555) Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Credentials Grabbing AnalyticsAttacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.Variations
Uncommon attempt at grabbing credentials from a sensitive file by a security testing tool
High overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a potentially known credential dumper or enumeration script
Medium overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from an SSH private key
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a potential Webshell
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a script that was executed by a rare causality
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file from temporary or world writable directories
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a rare process that was executed by cron
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a non-GTFOBIN process
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden