Analytics Alerts
Browse the Cortex analytics alert reference.
77 alerts match the current filters. tactic: TA0008 ✕
Show ATT&CK heatmapA remote service was created via RPC over SMB Low 1 variation
A remote service was created via RPC over SMB.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services: SMB/Windows Admin Shares (T1021.002) System Services: Service Execution (T1569.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Impacket AnalyticsAttacker's goals: Process creation on a remote host.Investigative actions: Check whether the new process is benign and that the new process is not doing suspicious activity.Variations
A remote service with an uncommon name was created via RPC over SMB
Medium overridden
A remote service was created via RPC over SMB. overridden
A user authenticated with weak NTLM to multiple hosts Informational Identity Analytics
A user account authenticated to multiple hosts via NTLMv1 or LM authentication for the first time in the past 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Use Alternate Authentication Material (T1550)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the accounts.Investigative actions: Audit all login events with a weaker protocol and review any anomalous usage. Investigate the mentioned user for additional suspicious activity.A user established an SMB connection to multiple hosts Informational Identity Analytics 2 variations
A user established an SMB connection to multiple hosts. This might indicate an enumeration attempt by a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversaries can effectively map out and strategize their lateral movement within a network by leveraging diverse protocols for reconnaissance.Investigative actions: Verify if the host is a newly deployed server that consists of SMB services to multiple hosts. Look for the process that initiated this activity on the remote host. Check if the user is authorized to perform such activity.Variations
A user established an SMB connection to multiple hosts for the first time
Medium overridden
A user established an SMB connection to multiple hosts. This might indicate an enumeration attempt by a compromised account. overridden
A user performed an abnormal SMB activity to multiple hosts
Low overridden
A user established an SMB connection to multiple hosts. This might indicate an enumeration attempt by a compromised account. overridden
A user logged in to the AWS console for the first time Informational Cloud 1 variation
A user logged in to the AWS console for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Lateral Movement (TA0008)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Remote Services: Cloud Services (T1021.007)Required data: AWS Audit LogAttacker's goals: Evading detections by performing direct operations using the AWS console. Performing non-automatic operations easily.Investigative actions: Check if the identity is an AWS identity. Investigate which operations were performed by the identity.Variations
A non-user identity logged in to the AWS console for the first time
Medium overridden
A non-user identity logged in to the AWS console for the first time. overridden
A user uploaded malware to SharePoint or OneDrive Low Identity Threat Module 2 variations
A user uploaded a file that was classified as malware to SharePoint or OneDrive.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Taint Shared Content (T1080) User Execution: Malicious File (T1204.002)Required data: Office 365 AuditAttacker's goals: An attacker may upload malware to a shared location to gain execution and move laterally.Investigative actions: Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check the file that was uploaded for any malicious indicators. Follow further actions done by the account.Variations
A user uploaded malware to SharePoint or OneDrive with suspicious characteristics
Medium overridden
A user uploaded a file that was classified as malware to SharePoint or OneDrive with some additional suspicious characteristics. overridden
A user uploaded a malicious payload to SharePoint or OneDrive
Informational overridden
A user uploaded a file that was classified as malware to SharePoint or OneDrive. The file was labelled as malicious by Microsoft's file scanning engine. overridden
AWS SSM send command attempt Informational Cloud 2 variations
An identity executed an AWS SSM Document.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services: Direct Cloud VM Connections (T1021.008) Cloud Administration Command (T1651)Required data: AWS Audit LogDetector tags: Cloud Lateral Movement AnalyticsAttacker's goals: Gaining unauthorized access, executing unauthorized commands, or compromising sensitive information within the target system.Investigative actions: Examine the code in the SSM document, and the target objects. Validate the permissions and roles associated with the user initiating the SSM session to ensure they align with the expected level of access. Follow further actions taken by the identity or on the relevant targets.Variations
AWS SSM SendCommand targeting multiple instances
Low overridden
An identity executed an AWS SSM Document. overridden
Unusual AWS SSM send command
Low overridden
An identity executed an AWS SSM Document. overridden
Abnormal RDP connections to multiple hosts Informational 1 variation
The endpoint attempted to initiate rare RDP connections to multiple hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 5 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: XDR AgentDetector tags: NDR Lateral Movement Analytics, Enhanced RDP AnalyticsAttacker's goals: Attackers may attempt to move laterally across the network by using compromised accounts or machines to connect to remote hosts via the RDP protocol.Investigative actions: Inspect the legitimacy of the user initiating the RDP connections. Verify that this activity is not part of routine IT operations.Variations
Abnormal RDP connections to multiple hosts
Low overridden
The endpoint attempted to initiate rare RDP connections to multiple hosts. overridden
Abnormal RDP connections to multiple hosts from a rarely seen host Low
The endpoint attempted to initiate rare RDP connections to multiple hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 5 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: XDR AgentDetector tags: NDR Lateral Movement Analytics, Enhanced RDP Analytics, NDR Unmanaged Subnet AnalyticsAttacker's goals: Attackers may attempt to move laterally across the network by using compromised accounts or machines to connect to remote hosts via the RDP protocol.Investigative actions: Inspect the legitimacy of the user initiating the RDP connections. Verify that this activity is not part of routine IT operations.Abnormal RDP session to a remote host from a rarely seen host Low
The endpoint performed a rare RDP session to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: NDR Lateral Movement Analytics, NDR Unmanaged Subnet AnalyticsAttacker's goals: Attackers may attempt to move laterally over the network by using compromised accounts or machines to connect to remote hosts using the RDP protocol.Investigative actions: Inspect the legitimacy of the user which the RDP made the connection with. Verify that this isn't IT activity.Abnormal SMB activity to multiple hosts Low 4 variations
An endpoint performed a new, unfamiliar SMB activity to multiple hosts on the network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 5 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: XDR AgentDetector tags: NDR Lateral Movement AnalyticsAttacker's goals: An adversary may use different protocols to enumerate and plan its lateral movement over the network.Investigative actions: Verify if the host is a newly deployed server that consists of SMB services to multiple hosts. Verify the legitimacy of the actor process (and its causality) that initiated this SMB traffic.Variations
Highly rare SMB activity to multiple hosts
Low overridden
An endpoint performed a new, and highly rare, SMB activity to multiple hosts on the network. overridden
Highly rare SMB activity to multiple hosts
Medium overridden
An endpoint performed a new, and highly rare SMB activity to multiple hosts on the network. overridden
Abnormal SMB activity to multiple hosts
Medium overridden
An endpoint performed a new, unfamiliar SMB activity to multiple hosts on the network. overridden
Abnormal SMB activity to multiple hosts
Low overridden
An endpoint performed a new, unfamiliar SMB activity to multiple hosts on the network. overridden
Abnormal User Login to Domain Controller Informational Identity Analytics 4 variations
A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078) Use Alternate Authentication Material (T1550)Required data: XDR AgentAttacker's goals: A malicious user may attempt to access a domain controller to access and control Active Directory.Investigative actions: Ensure that the user is not a Domain Admin account. By default, Administrator groups have permission to access the domain controller. Check if the user is a service account that accesses a domain controller as part of its normal behavior. Verify that the user is not authenticating to group policy.Variations
Rare RDP User Login to Domain Controller by an Abnormal Department
Medium overridden
A user account has successfully interactively logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden
Abnormal RDP User Login to Domain Controller
Low overridden
A user account has successfully interactively logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden
RDP User Login to Domain Controller
Informational overridden
A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden
Abnormal User Login to Domain Controller by an Abnormal Department
Informational overridden
A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden
Abnormal sensitive RPC traffic to multiple hosts Low 1 variation
The endpoint performed unfamiliar RPC activity to multiple hosts using a known sensitive interface.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 5 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: NDR Lateral Movement AnalyticsAttacker's goals: An adversary may enumerate different protocols to gain information and plan its lateral movement over the network.Investigative actions: Check if the host is a newly deployed server that provides RPC based services to multiple hosts. Verify the legitimacy of the actor process (and its causality) that initiated this RPC traffic.Variations
Abnormal sensitive RPC traffic to multiple IPs
Informational overridden
The endpoint performed unfamiliar RPC activity to multiple hosts using a known sensitive interface. overridden
Abnormal sensitive RPC traffic to multiple hosts from a rarely seen host Low
The endpoint performed unfamiliar RPC activity to multiple hosts using a known sensitive interface.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 5 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: NDR Lateral Movement Analytics, NDR Unmanaged Subnet AnalyticsAttacker's goals: An adversary may enumerate different protocols to gain information and plan its lateral movement over the network.Investigative actions: Check if the host is a newly deployed server that provides RPC based services to multiple hosts. Verify the legitimacy of the actor process (and its causality) that initiated this RPC traffic.An identity started an AWS SSM session Informational Cloud 2 variations
An identity started an AWS SSM interactive session.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Direct Cloud VM Connections (T1021.008) Remote Services: Cloud Services (T1021.007)Required data: AWS Audit LogDetector tags: Cloud Lateral Movement AnalyticsAttacker's goals: Gaining unauthorized access, executing unauthorized commands, or compromising sensitive information within the target system.Investigative actions: Examine the specifics of the SSM session, including the source IP address, identity, and timestamp. Validate the permissions and roles associated with the user initiating the SSM session to ensure they align with the expected level of access. Follow further actions taken by the identity or on the relevant instance.Variations
An identity started an unusual AWS SSM session
Medium overridden
An identity started an AWS SSM interactive session. overridden
An unusual identity started an AWS SSM session
Low overridden
An identity started an AWS SSM interactive session. overridden
An uncommon RDP session from a managed host Informational 5 variations
An RDP session was established with uncommon parameters from a managed host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: XDR AgentDetector tags: Enhanced RDP AnalyticsAttacker's goals: Adversaries may use RDP for initial access or lateral movement within a network.Investigative actions: Investigate the source and destination of the RDP communication. Check if this communication is legitimate and expected. Analyze the user and process that initiated the RDP connection.Variations
An uncommon RDP session initiated by a chained RDP client
Low overridden
An RDP session was established by a process that is itself an RDP client, which is uncommon behavior. overridden
An uncommon RDP session initiated by a globally rare RDP client
Low overridden
An RDP session was established by a process hash that has not been seen globally, which is uncommon. overridden
An uncommon RDP session initiated by a rare RDP client
Low overridden
An RDP session was established by a process hash that is rare in the environment. overridden
An uncommon RDP session from a host that rarely initiates RDP
Low overridden
An RDP session was initiated from a host that does not typically establish RDP connections. overridden
An uncommon RDP session initiated by a process with rare causality
Low overridden
An RDP session was established by a process with an uncommon parent process relationship. overridden
An uncommon RDP session was established Informational 5 variations
An RDP session was established with uncommon parameters.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: XDR AgentDetector tags: Enhanced RDP AnalyticsAttacker's goals: Adversaries may use RDP for initial access or lateral movement within a network.Investigative actions: Investigate the source and destination of the RDP communication. Check if this communication is legitimate and expected. Analyze the user and process that initiated the RDP connection.Variations
An uncommon RDP session was established from a Suspicious Autonomous System (AS)
Medium overridden
An RDP session was established with uncommon parameters. overridden
An uncommon RDP session was established originating from a chained RDP session which is also from a rare subnet
Low overridden
An RDP session was established with uncommon parameters. The connection appears to originate from an endpoint that itself received an RDP connection, suggesting a chained session. overridden
An uncommon RDP session was established between subnets with no prior communication
Low overridden
An RDP session was established with uncommon parameters. The source and destination subnets have not been observed communicating with each other previously. overridden
An uncommon RDP session was established involving subnets with no prior RDP history
Low overridden
An RDP session was established with uncommon parameters. Neither the source nor the destination subnet has been observed participating in RDP sessions previously. overridden
An uncommon RDP session was established involving a destination subnet which rarely receives incoming RDP sessions
Low overridden
An RDP session was established with uncommon parameters. The destination subnet is rarely involved in RDP activity. overridden
An uncommon executable was remotely written over SMB to an uncommon destination Low 3 variations
An uncommon executable was remotely written over SMB to a destination, which was not involved in significant similar activity during last month.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: SMB/Windows Admin Shares (T1021.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Transfer tools as part of lateral movement activity across the network.Investigative actions: Verify if the shared file is malicious. Investigate if the file was executed on the host. Check the remote SMB client for other suspicious activities.Variations
An uncommon executable was remotely written over SMB to a highly suspicious destination
High overridden
An uncommon executable was remotely written over SMB to a highly suspicious destination, which was not involved in significant similar activity during last month. overridden
An uncommon executable with SCR extension was remotely written over SMB to an uncommon destination
Medium overridden
An uncommon executable with SCR extension was remotely written over SMB to a destination, which was not involved in significant similar activity during last month. overridden
PsExec remote service component was remotely written over SMB to an uncommon destination
Low overridden
PsExec remote service component was remotely written over SMB to a destination, which was not involved in significant similar activity during last month. overridden
Attempt to execute a command on a remote host using PsExec.exe Low 1 variation
There was an attempt to run a command on a remote host using PsExec.exe.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services: SMB/Windows Admin Shares (T1021.002) System Services: Service Execution (T1569.002)Required data: XDR AgentDetector tags: Malicious Service AnalyticsAttacker's goals: Execute commands and run processes remotely.Investigative actions: Confirm that the connection is benign and occurred as a part of normal behavior.Variations
Attempt to execute a command on a remote host using PsExec.exe
Low overridden
There was an attempt to run a command on a remote host using PsExec.exe., the connection to the remote host was successful. overridden
Autorun.inf created in root C drive Medium
An autorun file installed at the root of a C:\ drive is suspicious, as autorun files are typically associated with removable drives.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Lateral Movement (TA0008)ATT&CK techniques: Hijack Execution Flow: Services File Permissions Weakness (T1574.010) Replication Through Removable Media (T1091)Required data: XDR AgentAttacker's goals: The Autorun and AutoPlay components of Microsoft Windows operating systems may use 'Autorun.inf' to automatically execute a program (without user interaction). Adversaries can manipulate this mechanism to run a malicious program.Investigative actions: Read the content of the 'Autorun.inf' file from the root directory folder of the drive (the file may be hidden).Chrome OS Remote Access policy was modified in Google Workspace Informational Identity Threat Module 1 variation
A user modified Chrome OS Remote Access configuration in Google Workspace.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Lateral Movement (TA0008)ATT&CK techniques: Impair Defenses (T1562) Remote Services (T1021)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may modify remote access settings to maintain persistent access and bypass security controls.Investigative actions: Verify if the configuration change was authorized. Investigate the source IP address and account involved for malicious activity. Follow further actions performed by the account and Remote Access connections performed.Variations
Suspicious Chrome OS Remote Access policy was modified in Google Workspace
Low overridden
This is the first time the user performs this operation in the last 30 days. overridden
Cloud compute serial console access Informational Cloud 2 variations
An identity connected to a compute instance using serial console access.This may indicate an attacker attempting to move laterally between cloud instances.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Direct Cloud VM Connections (T1021.008) Remote Services: Cloud Services (T1021.007)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Utilize direct access to virtual infrastructure to pivot through a cloud environment.Investigative actions: Verify whether the identity should be making this action. Investigate which actions were performed via serial console access.Variations
Cloud compute serial console access by an identity with high administrative activity
Informational overridden
An identity with high administrative activity connected to a compute instance using serial console access.This may indicate an attacker attempting to move laterally between cloud instances. overridden
Suspicious cloud compute serial console access in a project
Low overridden
An identity connected to a compute instance using serial console access.This may indicate an attacker attempting to move laterally between cloud instances. overridden
Cloud email service activity Informational Cloud 2 variations
A cloud Identity performed an email service operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Internal Spearphishing (T1534)Required data: AWS Audit Log Azure Audit LogAttacker's goals: Abuse the cloud email service for sending phishing emails.Investigative actions: Check for any following actions related to this activity. Verify that the identity did not abuse the email service to send phishing emails to victims.Variations
Unusual cloud email service activity
Low overridden
A cloud Identity performed an email service operation for the first time in the tenant. overridden
Cloud email service entity creation
Low overridden
A cloud Identity created a new cloud email identity. overridden
Command execution via AWS SSM Medium Cloud
A cloud identity performed multiple unusual activities leading to code execution using AWS Systems Manager service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Lateral Movement (TA0008)ATT&CK techniques: Cloud Administration Command (T1651) Remote Services: Direct Cloud VM Connections (T1021.008)Required data: AWS Audit LogAttacker's goals: Gaining unauthorized access, executing unauthorized commands or compromising sensitive information within the target system.Investigative actions: Investigate the activities related to the suspected identity. Examine the code executed on the target instance(s).DSC (Desired State Configuration) lateral movement using PowerShell Informational 3 variations
An attacker is using the DSC feature with PowerShell to remotely modify / execute content / components on the machine.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Windows Management Instrumentation (T1047) Remote Services: Windows Remote Management (T1021.006)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Execute malicious content on and move laterally across machine in the network.Investigative actions: Search for suspicious WinRM sessions and the user created them, can be found at Event ID: 4102. Additionally, search for the DSC resource executed and related IOC, can be found at Event IDs: 400 or 4104.Variations
DSC (Desired State Configuration) lateral movement using PowerShell to execute a script
High overridden
An attacker may use the DSC feature with PowerShell to execute script remotely on a machine. overridden
DSC (Desired State Configuration) lateral movement using PowerShell to execute a new service
Medium overridden
An attacker may use the DSC feature with PowerShell to create and execute a service on the host. overridden
DSC (Desired State Configuration) lateral movement using PowerShell to modify the registry
Medium overridden
An attacker may use the DSC feature with PowerShell to create/modify/dump registry keys/values. overridden
Machine Account NTLM Relay Low
An NTLM NTProofStr was seen from more than one source. This indicates that machine account NTLM authentication data has been relayed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.Investigative actions: Check that the alerted host is not a NAT or a proxy that duplicates traffic as part of its normal behavior. Check if the protocols used are vulnerable to an NTLM relay attack (e.g. LDAP, SMB). Ensure that SMB signing is enabled in the case of a possible SMB relay attack.Multiple alerts associated with a single RDP connection Informational
Multiple alerts associated with a single RDP connection were triggered.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: Palo Alto Networks Platform Alerts Third-Party AlertsDetector tags: Enhanced RDP AnalyticsAttacker's goals: Adversaries may use RDP for initial access or lateral movement within a network.Investigative actions: Investigate the source and destination of the RDP communication. Check if this communication is legitimate and expected. Analyze the user and process that initiated the RDP connection.Multiple users authenticated with weak NTLM to a host Informational Identity Analytics
Multiple user accounts authenticated to a host via NTLMv1 or LM authentication for the first time in the past 30 days. This may be a result of an NTLM downgrade attackA downgrade attack may force the client to authenticate with a weaker hash/protocol (such as NTLMv1 or even LM) instead of NTLMv2.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Use Alternate Authentication Material (T1550)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the accounts.Investigative actions: Audit all login events with a weaker protocol and review any anomalous usage. Investigate the mentioned host for additional suspicious activity.NTLM Relay Informational
An NTLM NTProofStr was seen from more than one source. This indicates that NTLM authentication data has been relayed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.Investigative actions: Check that the alerted host is not a NAT or a proxy that duplicates traffic as part of its normal behavior. Check if the protocols used are vulnerable to an NTLM relay attack (e.g. LDAP, SMB). Ensure that SMB signing is enabled in the case of a possible SMB relay attack.New Administrative Behavior Medium 1 variation
The endpoint performed new administrative actions, relative to its previously profiled behavior. It is possible that an endpoint will infrequently be used for administrative activities, so analytics is performed using logs collected over a long period of time, also comparing the activity to that of other endpoints. That is, if many endpoints are contacting the same destination with the same administrative activity, then this network activity is less likely to result in this alert.An attacker may be operating on the host, probing other computers and moving laterally inside the network using a trusted computer and credentials. Attackers typically exhibit administrative behaviors when performing reconnaissance and lateral movement.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 12 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: NDR Lateral Movement AnalyticsAttacker's goals: An attacker is using administrative functions to move from one endpoint to another, or to scan the network for new endpoints to attack.Investigative actions: Investigate the endpoint to determine if it is legitimately being used for administrative functions.Variations
New SSH Administrative Behavior
Informational overridden
The endpoint performed new SSH administrative actions, relative to its previously profiled behavior. It is possible that an endpoint will infrequently be used for administrative activities, so analytics is performed using logs collected over a long period of time, also comparing the activity to that of other endpoints. That is, if many endpoints are contacting the same destination with the same administrative activity, then this network activity is less likely to result in this alert.An attacker may be operating on the host, probing other computers and moving laterally inside the network using a trusted computer and credentials. Attackers typically exhibit administrative behaviors when performing reconnaissance and lateral movement. overridden
PKINIT TGT authentication request Informational Identity Analytics 2 variations
A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Privilege Escalation (TA0004)ATT&CK techniques: Use Alternate Authentication Material (T1550) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Gain unauthorized access to high-privilege accounts by abusing certificate-based authentication mechanisms.Investigative actions: Verify if Windows Hello for Business (WHfB) is deployed and actively used in the environment, as it may explain the PKINIT activity. Inspect the Key Credentials attribute of the target account for recent modifications. Review associated service tickets or lateral movement activities tied to the target account. Investigate unusual certificate issuance or PKI activities.Variations
Suspicious PKINIT TGT authentication request
Medium overridden
A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse. overridden
Abnormal PKINIT TGT authentication request
Low overridden
A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse. overridden
Possible Brute-Force attempt Informational Identity Analytics 2 variations
This may indicate a brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 15 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)ATT&CK techniques: Brute Force (T1110) Remote Services (T1021)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the accounts.Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.Variations
Possible Brute-Force attempt on a Honey User Account
Medium overridden
This may indicate a brute-force attack. overridden
Possible Brute-Force attempt with a successful login and suspicious characteristics
Low overridden
This may indicate a brute-force attack. overridden
Possible Pass-the-Hash Low Identity Analytics
An account was successfully logged on to with new credentials. This login type is rare and may be an attacker's attempt to pass-the-hash and move laterally within a network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Use Alternate Authentication Material: Pass the Hash (T1550.002)Required data: XDR AgentAttacker's goals: An attacker is attempting to steal credentials and move laterally within a network.Investigative actions: Audit all login events and review for discrepancies. Look for LSASS process access, an indication of an attacker attempting to obtain password hashes. Check for the RunAs command with the /netonly option.Possible RDP session hijacking using tscon.exe Medium
The executable tscon.exe can be used to hijack other sessions on the same computer. The attacker may use another user's credentials to proceed with the lateral movement or disguise the activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Service Session Hijacking: RDP Hijacking (T1563.002)Required data: XDR AgentAttacker's goals: Attackers might hijack existing sessions on the same host to gain access to private data or leverage the logged-in user credentials to laterally move across the network.Investigative actions: Verify if the executing process is suspicious. Investigate if the interactive user did any more suspicious or malicious actions.Possible TGT reuse from different hosts (pass the ticket) Informational Identity Analytics 1 variation
We observed two different hosts sending TGS using the same TGT. This may indicate a TGT was stolen and passed to another host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Use Alternate Authentication Material: Pass the Ticket (T1550.003)Required data: XDR AgentAttacker's goals: Lateral movement using stolen user-account credentials.Investigative actions: Check if the mentioned hosts are not the same, and investigate if the ticket was stolen from one of them.Variations
TGT reuse from different hosts (pass the ticket)
Low overridden
We observed two different hosts sending TGS using the same TGT. This may indicate a TGT was stolen and passed to another host. overridden
Potential NTLM Relay Attack Informational Identity Analytics 3 variations
Multiple NTLM authentications were made to the same workstation and user from different IPs.This might indicate a potential NTLM Relay attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)Required data: XDR AgentAttacker's goals: The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.Investigative actions: Ensure that the alerted host is not a NAT device or proxy that replicates or forwards network traffic as part of its expected operational behavior. Check if the workstation supports weak, outdated versions of NTLM. Check for network activity to and from the suspicious IP address and workstation, to verify if they were compromised. Check for process activity to and from the suspicious IP address to verify if it was compromised. Check for changes in the network configurations, including indicators of poisoning attacks. Monitor closely the actions of the potentially compromised user account for any anomalous behavior.Variations
NTLM Relay Attack using a sensitive user and a vulnerable package
Medium overridden
Multiple NTLM authentications were made to the same workstation and sensitive user from different IPs using a vulnerable NTLM package.This might indicate a potential NTLM Relay attack. overridden
Potential NTLM Relay Attack using a vulnerable package
Low overridden
Multiple NTLM authentications were made to the same workstation and user from different IPs using a vulnerable NTLM package.This might indicate a potential NTLM Relay attack. overridden
Potential NTLM Relay Attack using a sensitive user
Low overridden
Multiple NTLM authentications were made to the same workstation and sensitive user from different IPs.This might indicate a potential NTLM Relay attack. overridden
Potential NTLM Relay Attack against a Microsoft Configuration Manager Site Server Informational Identity Analytics 1 variation
Multiple NTLM authentications were made to the same Microsoft Configuration Manager site server and user from different IPs in a short period of time.This might indicate a potential NTLM Relay attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)Required data: XDR AgentDetector tags: Microsoft SCCM AnalyticsAttacker's goals: An attacker may coerce the SCCM site server to authenticate to a malicious host and relay it to escalate privileges and move laterally across site systems.Investigative actions: Ensure that the alerted host is not a NAT device or proxy that replicates or forwards network traffic as part of its expected operational behavior. Check if the protocols used are vulnerable to an NTLM relay attack (e.g. LDAP, SMB). Ensure that SMB signing is enabled in the case of a possible SMB relay attack. Check for network activity to and from the suspicious IP address to verify if it is a compromised machine. Monitor closely the actions of the potentially compromised user account for any anomalous behavior, especially suspicious SCCM-related activity occurring near the time of the alert.Variations
Potential NTLM Relay Attack against a Microsoft Configuration Manager Site Server using a vulnerable package
Low overridden
Multiple NTLM authentications were made to the same Microsoft Configuration Manager site server and user from different IPs using a vulnerable NTLM package in a short period of time.This might indicate a potential NTLM Relay attack. overridden
Potential creation of persistent cloud credentials Informational Cloud
A cloud identity invoked a credential-related persistence operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Credential Access (TA0006) Lateral Movement (TA0008)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Forge Web Credentials (T1606) Use Alternate Authentication Material: Application Access Token (T1550.001)Required data: AWS Audit LogAttacker's goals: Maintain persistence in cloud environments.Investigative actions: Check what API calls were executed by the identity. Check what resources are affected by this change. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account.RDP Connection to localhost Medium
An RDP connection to localhost can be used for privilege escalation by leveraging Windows accessibility features.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: XDR AgentDetector tags: Enhanced RDP AnalyticsAttacker's goals: An attacker may initiate RDP tunneling for a more convenient and stable interface.Investigative actions: Identify the process/user performing RDP and check that it is authorized. Check whether the initiating process also connects to an external host.RDP connections enabled remotely via Registry Low 2 variations
An attacker may remotely enable RDP connections to a machine by setting the fDenyTSConnections Registry key to 0.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Enhanced RDP AnalyticsAttacker's goals: Remotely enable RDP on the host for lateral movement.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Search for RDP sessions to this host and investigate them for malicious activities.Variations
RDP connections enabled by a remote process via Registry
Low overridden
An attacker may remotely enable RDP connections to a machine by setting the fDenyTSConnections Registry key to 0. overridden
RDP connections enabled remotely via Registry using WinRM
Low overridden
An attacker may remotely enable RDP connections to a machine by setting the fDenyTSConnections Registry key to 0. overridden
RDP from an unmanaged endpoint in a typically managed subnet Low 1 variation
An RDP connection was established from an unmanaged endpoint in a typically managed subnet, indicating a possible lateral movement.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentDetector tags: Enhanced RDP AnalyticsAttacker's goals: Lateral movement to critical assets from an unmanaged host.Investigative actions: Verify if the source endpoint is authorized to perform RDP connections. Validate that the source endpoint is managed or unmanaged. Investigate the user account used for the RDP connection.Variations
RDP from an unmanaged endpoint in a typically managed subnet with a significantly higher number of managed endpoints in the subnet
Low overridden
An RDP connection was established from an unmanaged endpoint in a typically managed subnet, indicating a possible lateral movement. The source subnet has a significantly higher number of managed endpoints compared to the unmanaged ones. overridden
Rare DCOM RPC activity Informational 1 variation
The endpoint performed abnormal DCOM RPC activity to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Distributed Component Object Model (T1021.003)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using the DCOM RPC interface. The DCOM RPC interface is used to remotely invoke registered COM applications on remote hosts.Investigative actions: Review the action of the initiated COM application on the remote host. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.Variations
Rare DCOM RPC activity
Low overridden
The endpoint performed abnormal DCOM RPC activity to a remote host. overridden
Rare MS-Update traffic over HTTP Informational
The endpoint requested an MS-Update operation with abnormal HTTP traffic characteristics.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Exploitation of Remote Services (T1210)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: The Windows Server Update Services enable machines to discover and download software updates from a dedicated update server. Attacker may use the MS-Update protocol to execute unauthorized code through Microsoft binaries.Investigative actions: Inspect the legitimacy of the server as a WSUS functioning server. Verify that your MS-Update network routine is HTTPS enforced Verify that this MS-Update server is not a newly deployed server as part of a legitimate IT activity.Rare NTLM Access By User To Host Informational Identity Analytics
An unusual NTLM authentication attempt by a user to a host. This may indicate the use of stolen credentials or access tokens to access restricted hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Use Alternate Authentication Material (T1550)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: The attacker may be attempting lateral movement within a compromised network.Investigative actions: Verify any successful authentication for the user account referenced by the alert, as this could indicate the attacker has used stolen credentials.Rare NTLM Usage by User Informational Identity Analytics
Rare authentication by user account to host via NTLM.The user has not authenticated with NTLM in the past 30 days.This may be indicative of downgrade attacks from Kerberos to NTLM.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Use Alternate Authentication Material (T1550)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: The attacker is attempting to move laterally within a compromised network.Investigative actions: Verify any successful authentication for the user account referenced by the alert, as these can indicate the attacker managed to use the stolen credentials.Rare RDP session to a remote host Low 1 variation
The endpoint performed a rare RDP session to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: NDR Lateral Movement Analytics, Enhanced RDP AnalyticsAttacker's goals: Attackers may attempt to move laterally over the network by using compromised accounts or machines to connect to remote hosts using the RDP protocol.Investigative actions: Inspect the legitimacy of the user who initiated the RDP session. Verify that this isn't routine IT activity.Variations
Rare RDP session to a remote host
Informational overridden
The endpoint performed a rare RDP session to a remote host. overridden
Rare Remote Service (SVCCTL) RPC activity Informational 3 variations
The endpoint performed abnormal RPC activity via Service Control Manager interface to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using services. The service control manager RPC interface is used to create and start services on a local or a remote host.Investigative actions: Review the action of services.exe on the remote host where possible. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.Variations
Rare remote service creation and initiation via Remote Service (SVCCTL) RPC interface
Medium overridden
The endpoint performed abnormal service creation and initiation via Remote Service (SVCCTL) RPC interface to a remote host. overridden
Rare remote service change or creation via Remote Service (SVCCTL) RPC interface
Medium overridden
The endpoint performed abnormal service creation via Remote Service (SVCCTL) RPC interface to a remote host. overridden
Rare Remote Service (SVCCTL) RPC activity
Low overridden
The endpoint performed abnormal RPC activity via Service Control Manager interface to a remote host. overridden
Rare SMB session to a remote host Low 1 variation
The endpoint performed a rare SMB activity to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may use the SMB protocol in an attempt to move laterally in the network, and expand their foothold in the organization.Investigative actions: Check whether the username used in the SMB connection is legitimate. Verify that this isn't IT activity.Variations
Rare SMB session to a remote host
Informational overridden
The endpoint performed a rare SMB activity to a remote host. overridden
Rare SSH Session Low
Secure Shell (SSH) provides a secure means of remote administration. Attackers can use valid SSH credentials and keys to remotely connect to endpoints running the SSH service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: XDR AgentAttacker's goals: Secure Shell (SSH) provides a secure means of remote administration. Attackers can use valid SSH credentials and keys to remotely connect to endpoints running the SSH service.Investigative actions: Verify that the process is allowed in the organization. Check if the user should access the destination and whether the session was successful or not.Rare Scheduled Task RPC activity Informational 3 variations
The endpoint performed abnormal Scheduled Task RPC activity to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Persistence (TA0003)ATT&CK techniques: Remote Services (T1021) Scheduled Task/Job (T1053)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using scheduled tasks. The ITaskSchedulerService RPC interface is used to query and manage services on a local or remote host.Investigative actions: Review the action of the created scheduled task on the remote host. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.Variations
Rare remote task registration and creation via Scheduled Task RPC interface
Medium overridden
The endpoint performed abnormal task registration and creation via Scheduled Task RPC interface to a remote host. overridden
Rare remote task creation via Scheduled Task RPC interface
Medium overridden
The endpoint performed abnormal task registration or creation via Scheduled Task RPC interface to a remote host. overridden
Rare Scheduled Task RPC activity
Low overridden
The endpoint performed abnormal Scheduled Task RPC activity to a remote host. overridden
Rare Scheduled Task RPC activity from a rarely seen host Low
The endpoint performed abnormal Scheduled Task RPC activity to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Persistence (TA0003)ATT&CK techniques: Remote Services (T1021) Scheduled Task/Job (T1053)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: NDR Lateral Movement Analytics, NDR Unmanaged Subnet AnalyticsAttacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using scheduled tasks. The ITaskSchedulerService RPC interface is used to create and manage scheduled tasks on a local or remote host.Investigative actions: Review the action of the created scheduled task on the remote host. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.Rare WinRM Session Informational
Windows Remote Management (WinRM) enables users to interact with remote systems in different ways, including running executables on the remote system. WinRM sessions can be established using WinRM/WinRS commands or programs such as PowerShell. Attackers can use WinRM to execute code and move laterally within a compromised network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Windows Remote Management (T1021.006)Required data: XDR AgentAttacker's goals: Windows Remote Management (WinRM) enables users to interact with remote systems in different ways, including running executables on the remote endpoint. WinRM sessions can be established using winrm/winrs commands or programs such as PowerShell. Attackers can use WinRM to execute code and move laterally within a compromised network.Investigative actions: Investigate the endpoints participating in the session.Rare Windows Remote Management (WinRM) HTTP Activity Low
The endpoint performed unfamiliar WinRM HTTP activity to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentDetector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may use WinRM to execute code on remote hosts, in an attempt to gain persistence or move laterally in the network.Investigative actions: Correlate the WinRM HTTP request from the source host and understand which software initiated it. Verify that this isn't IT activity.Rare file transfer over SMB protocol Low
The endpoint performed an abnormal file transfer over SMB to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: XDR AgentDetector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may attempt to gain persistence or move laterally over the network by dropping executable files and scripts on remote hosts using the SMB protocol.Investigative actions: Inspect the file that was transferred to the remote host. Verify that this isn't IT activity.Rare process with VNC server capabilities started Low
A rare process with VNC server capabilities was started.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Lateral Movement (TA0008)ATT&CK techniques: Remote Access Tools (T1219) Remote Services: VNC (T1021.005)Required data: XDR AgentAttacker's goals: Accessing a remote machine with full interactive graphic interface capabilities.Investigative actions: Check if the product usage is approved. Check if it was executed remotely or locally.Remote DCOM command execution Low 4 variations
A remotely triggered DCOM initiated a command execution by a host that rarely executes processes using DCOM to other remote hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Distributed Component Object Model (T1021.003)Required data: XDR AgentDetector tags: Impacket AnalyticsAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the DCOM call from the source host and understand which software initiated it.Variations
Remote suspicious DCOM-MMC20.Application command execution
High overridden
A remotely triggered suspicious DCOM-MMC20.Application initiated a command execution by a host that rarely executes processes using DCOM to other remote hosts. overridden
Remote suspicious DCOM-Excel.Application command execution
High overridden
A remotely triggered suspicious DCOM-Excel.Application initiated a command execution by a host that rarely executes processes using DCOM to other remote hosts. overridden
Remote suspicious DCOM-Outlook.Application command execution
High overridden
A remotely triggered suspicious DCOM-Outlook.Application initiated a command execution by a host that rarely executes processes using DCOM to other remote hosts. overridden
Remote suspicious DCOM command execution
Medium overridden
A remotely triggered suspicious DCOM initiated a command execution by a host that rarely executes processes using DCOM to other remote hosts. overridden
Remote PsExec-like command execution Informational 5 variations
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002) Lateral Tool Transfer (T1570)Required data: XDR AgentDetector tags: Impacket AnalyticsAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.Variations
Remote PsExec-like LOLBIN command execution from an unsigned non-standard PsExec service
High overridden
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden
Remote PsExec-like LOLBIN command execution from a signed non-standard PsExec service
Medium overridden
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden
Remote PsExec-like command execution from an unsigned non-standard PsExec service
Medium overridden
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden
Remote PsExec-like command execution from a signed non-standard PsExec service
Low overridden
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden
Remote PsExec command execution
Low overridden
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden
Remote WMI process execution Medium 1 variation
A host that rarely initiates WMI to other remote hosts triggered a remote process execution by using WMI RPC.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021) Remote Services: Windows Remote Management (T1021.006)Required data: XDR AgentDetector tags: Impacket AnalyticsAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which process or software initiated it.Variations
Suspicious remote WMI process execution
High overridden
A host that rarely initiates WMI to other remote hosts triggered a suspicious remote process execution by using WMI RPC. overridden
Remote service command execution from an uncommon source High
A remotely triggered service initiated a command execution by a host that rarely triggers services to other remote hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002)Required data: XDR AgentDetector tags: Impacket AnalyticsAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.Remote service start from an uncommon source Low
A remotely triggered service initiated by a host that rarely triggers services to other remote hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002)Required data: XDR AgentDetector tags: Impacket AnalyticsAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.Investigative actions: Investigate the service being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.Remote usage of an AWS service token Low Cloud 1 variation
An AWS service token was used externally of the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008) Initial Access (TA0001)ATT&CK techniques: Steal Application Access Token (T1528) Use Alternate Authentication Material: Application Access Token (T1550.001) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogAttacker's goals: Exfiltrate a token and abuse it remotely.Investigative actions: Check what actions were executed using the access-key. Check if the IAM role was assumed by a different identity.Variations
Suspicious usage of AWS service token
Medium overridden
An AWS service token was used externally of the cloud environment. overridden
Serial console access was enabled in AWS account Informational Cloud
Serial console access to EC2 instances was enabled in an AWS account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Direct Cloud VM Connections (T1021.008) Remote Services: Cloud Services (T1021.007)Required data: AWS Audit LogAttacker's goals: Utilize direct access to virtual infrastructure to pivot through a cloud environment.Investigative actions: Verify whether serial console access should be enabled. Investigate which actions were performed via serial console access.Suspicious Encrypting File System Remote call (EFSRPC) to domain controller Medium
An Encrypting File System Remote call (EFSRPC) was made to a domain controller.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Use Alternate Authentication Material: Pass the Hash (T1550.002)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker is attempting to steal credentials and move laterally within a network.Investigative actions: Check for suspicious processes on the host. Check if the source host is a vulnerability scanner. Look for following suspicious connections using the DC machine account.Suspicious SMB connection from domain controller Low
A domain controller has initiated an SMB connection to another host. The domain controllers usually communicate over SMB only with other domain controllers. An attacker can abuse such sessions for relay attacks.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Use Alternate Authentication Material: Pass the Hash (T1550.002)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: An attacker is attempting to steal credentials and move laterally within a network.Investigative actions: Check if the destination is domain controller, if it is, exclude it. Look for earlier connections to the DC, which may cause it to initiate the session.Suspicious SSH Downgrade Low 2 variations
The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Defense Evasion (TA0005)ATT&CK techniques: Remote Services (T1021) Impair Defenses: Downgrade Attack (T1562.010)Required data: Palo Alto Networks Firewall EAL LogsDetector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may attempt to move laterally over the network by exploiting problems in a lower version of SSH.Investigative actions: Audit the authentication attempts in the SSH server from the alerted host.If the source host authenticated to the SSH server, it may indicate that the attacker managed to connect to the remote host maliciously.Variations
A Host Performed an SSH Downgrade For The First Time In The Last 30 Days
Low overridden
The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more. With a lower version than the source host used in the past. overridden
A Target Server Performed an SSH Downgrade For The First Time In The Last 30 Days
Low overridden
The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more. With a lower version than the remote host used in the past. overridden
Suspicious cloud compute instance SSH keys modification attempt Informational Cloud 7 variations
An identity attempted to modify the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Lateral Movement (TA0008)ATT&CK techniques: Account Manipulation: SSH Authorized Keys (T1098.004) Remote Services: Cloud Services (T1021.007) Remote Services: Direct Cloud VM Connections (T1021.008)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Lateral Movement AnalyticsAttacker's goals: Maintain persistence on a compromised compute instance. Escalate local privileges to gain root on compute instance.Investigative actions: Investigate if SSH keys were modified or added at the instance or project level. Investigate which permissions were obtained as a result of the SSH keys modification.Variations
Suspicious cloud compute instance SSH keys modification attempt by an identity with high administrative activity
Informational overridden
An identity attempted to modify the SSH keys of a single compute instance.The identity has high administrative activityThis may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden
Instance SSH keys were modified for the first time in the cloud provider
High overridden
An identity has modified the SSH keys of an instance for the first time in the cloud provider.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden
Suspicious cloud compute instance SSH keys modification by a service account
Medium overridden
A service account has modified the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden
Suspicious cloud compute instance SSH keys modification
Informational overridden
An identity has modified the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden
Suspicious GCP project level metadata modification by a service account
Low overridden
A service account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden
Suspicious GCP project level metadata modification
Informational overridden
An identity account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden
Suspicious GCP project level metadata modification attempt
Informational overridden
An identity account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden
Suspicious usage of File Server Remote VSS Protocol (FSRVP) High
A suspicious usage of File Server Remote VSS Protocol (FSRVP) was done.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Use Alternate Authentication Material: Pass the Hash (T1550.002)Required data: XDR AgentAttacker's goals: An attacker is attempting to steal credentials and move laterally within a network.Investigative actions: Check for suspicious processes on the source host. Check if the source host is a vulnerability scanner. Look for additional suspicious activities by users.Uncommon Linux remote shell command execution Informational 15 variations
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Lateral Movement (TA0008)ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004) Command and Scripting Interpreter (T1059) Remote Services (T1021)Required data: XDR AgentDetector tags: Shell AnalyticsAttacker's goals: An attacker may attempt to execute a malicious shell command on the system.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the executed shell command (and possible child processes) for malicious actions.Variations
Uncommon Linux remote shell command execution, possibly running LinPEAS
High overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution using an exploitation tool
High overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution executing a reverse interactive shell
Medium overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution downloading a shell script
Medium overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution disabling firewall
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution taking a screenshot
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution possibly running from an XZ backdoor
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution running as root
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution setting a scheduled task
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution running a process kill command
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution loading a kernel module
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution via non-SSH or SSH on a non-standard port
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution running a network tool
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution trying to gather information about the system
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution, possibly granting file execution permissions
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon RDP connection Informational
RDP is used by attackers to laterally move to new hosts. Standard processes do not usually implement RDP on their own, and attackers might inject or tunnel using a non-standard process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: XDR AgentDetector tags: Enhanced RDP AnalyticsAttacker's goals: Use an account that was possibly compromised to gain access to the network.Investigative actions: Validate if the process is a legitimate IT software. Verify if the process is known to be malicious. Look into actions done on the remote host.Uncommon VNC server communication Low 4 variations
Uncommon VNC server network traffic was observed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Lateral Movement (TA0008)ATT&CK techniques: Remote Access Tools (T1219) Remote Services: VNC (T1021.005)Required data: XDR AgentAttacker's goals: Accessing a remote machine with full interactive graphic interface capabilities.Investigative actions: Check if the product usage is approved. Check if it was executed remotely or locally.Variations
Uncommon VNC scanning activity detected from a scanning tool
Medium overridden
An uncommon VNC scanning network traffic was observed from a scanning tool. overridden
Uncommon VNC server communication from an unmanaged previously unseen external host
Low overridden
Uncommon VNC server network traffic was observed from an unmanaged, previously unseen external host. overridden
Partially uncommon VNC server communication
Informational overridden
Uncommon VNC server network traffic was observed. overridden
Uncommon VNC server connection
Informational overridden
An uncommon VNC Server network connection was observed. overridden
Unusual ADFS Remote Synchronization network connections from non-ADFS server Low
Detected an unauthorized configuration sync request to the ADFS Policy Store from a non-ADFS server, step for forging SAML tokens in a Golden SAML attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)ATT&CK techniques: Forge Web Credentials: SAML Tokens (T1606.002) Exploitation of Remote Services (T1210)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentDetector tags: Active Directory Federation Services AnalyticsAttacker's goals: The attack goal is to forge a valid SAML token to impersonate any user and gain persistent, unauthorized access to cloud resources, effectively bypassing MFA and standard security controls.Investigative actions: Correlate this network event with AD FS service account activity. The attacker must use the service account's credentials to authenticate this request. Check for a possible DCSync alerts. Check alerts that related to ADFS server. Check for other correlated alerts on on-premises systems that may be related to the Golden SAML attack. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Inspect the source machine for the presence of tools like AADInternals or custom SOAP-based scripts.Unusual AWS systems manager activity Informational Cloud
A cloud identity performed an SSM operation for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Lateral Movement (TA0008)ATT&CK techniques: Cloud Service Discovery (T1526) Remote Services: Cloud Services (T1021.007)Required data: AWS Audit LogAttacker's goals: Manipulate SSM operations to take control over EC2 instances and strengthen the foothold in the cloud environment of the organization, by running critical operating system commands, manipulating the parameters store, and patch management configuration.Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive SSM operation that it shouldn't.Unusual DB process spawning a shell Informational 3 variations
A DB related process abnormally spawned a shell. This might indicate an exploitation attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Lateral Movement (TA0008)ATT&CK techniques: Exploit Public-Facing Application (T1190) Exploitation of Remote Services (T1210)Required data: XDR AgentDetector tags: Shell AnalyticsAttacker's goals: Obtain access to either the database or its hosting machine for various purposes like privilege escalation, lateral movement, and data theft.Investigative actions: Review the commands/processes executed by the shell for malicious actions. Check if and what else the DB process has executed. Check for any additional alerts raised in the context of the DB process. Audit the query/access logs of the DB for suspicious actions (Such as SQL injection or similar).Variations
Unusual DB process spawning a shell with a possible reconnaissance command
Low overridden
A DB related process abnormally spawned a shell. This might indicate an exploitation attempt. overridden
Unusual DB process spawning a shell with a possible web download/access command
Low overridden
A DB related process abnormally spawned a shell. This might indicate an exploitation attempt. overridden
Unusual DB process spawning a shell with an unusual command line
Low overridden
A DB related process abnormally spawned a shell. This might indicate an exploitation attempt. overridden
Unusual internal access to network device management interface Informational
Unusual internal access to Palo Alto Networks device on management port.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Discovery (TA0007)ATT&CK techniques: Remote Services (T1021) Network Service Discovery (T1046)Required data: XDR AgentAttacker's goals: Attackers aim to compromise network infrastructure to redirect traffic, create illegitimate VPN tunnels, modify ACLs (Access Control Lists) to bypass segmentation, or perform Man-in-the-Middle (MitM) attacks.Investigative actions: Identify the source address and machine role (e.g., Is it a known Admin Jump Host or a standard workstation?). Validate if a change request exists for the target network device at the time of the event. Check the connection protocol (SSH/HTTPS vs. insecure Telnet/HTTP) and the port used. Review the login status: Was the authentication successful or failed? Investigate the source machine for network scanning tools or terminal clients (e.g., PuTTY, SecureCRT). Analyze the causality chain: Did a suspicious process launch the connection?. Check if the user associated with the source address has network administration privileges.Unusual weak authentication by user Informational Identity Analytics
A user account authenticated to a host via NTLMv1 or LM authentication for the first time in the past 30 days. This may be indicative of an NTLM downgrade attackA downgrade attack may force the client to authenticate with a weaker hash/protocol (such as NTLMv1 or even LM) instead of NTLMv2.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Use Alternate Authentication Material (T1550)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the accounts.Investigative actions: Audit all login events with a weaker protocol and review any anomalous usage.User sent messages in Microsoft Teams to multiple conversations via Graph API Informational Identity Threat Module 1 variation
A user who rarely uses the Graph API for Microsoft Teams messaging sent multiple messages using it.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Internal Spearphishing (T1534)Required data: Microsoft Graph LogsDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage a compromised user account to send phishing or malicious messages via Graph API to multiple recipients, aiming to propagate the attack while evading detection.Investigative actions: Verify the user's role and typical usage of Microsoft Graph API. Check if the user's account has recently logged in from unusual locations or devices. Review recent email and chat activity to identify any phishing or suspicious messages sent. Examine the Graph API call logs to see what actions were performed and their timestamps. Correlate with endpoint logs to detect any malware or suspicious processes running on the user's device. Check for signs of account compromise, such as password changes or MFA bypass attempts. Follow further actions done by the account.Variations
User sent messages in Microsoft Teams to several conversations via Graph API with suspicious characteristics
Low overridden
A user who rarely uses the Graph API for Microsoft Teams messaging sent multiple messages using it. overridden
WmiPrvSe.exe Rare Child Command Line Low 1 variation
A remote WMI command executed a binary proxy, the Windows Management Instrumentation (WMI) Provider Host wmiprvse.exe, which executed a rare child command line. Executing a rare child process can be an indication of remote code execution abuse by an attacker.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services (T1021) Remote Services: Windows Remote Management (T1021.006) Windows Management Instrumentation (T1047)Required data: XDR AgentAttacker's goals: Gain code execution on a remote host.Investigative actions: Investigate the processes being spawned from WmiPrvse.exe on the host for malicious indicators. Correlate the RPC call from the source host and understand what initiated it.Variations
WmiPrvSe.exe Rare Child Command Line
Medium overridden
A remote WMI command executed a binary proxy, the Windows Management Instrumentation (WMI) Provider Host wmiprvse.exe, which executed a rare child command line. Executing a rare child process can be an indication of remote code execution abuse by an attacker. overridden
Wsmprovhost.exe Rare Child Process Low
The PowerShell host wsmprovhost.exe is a proxy process executed remotely through PowerShell when using Windows Remote Management (WinRM). It has executed a rare child process, which may indicate remote code execution abuse by an attacker.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services: Windows Remote Management (T1021.006) Command and Scripting Interpreter: PowerShell (T1059.001)Required data: XDR AgentAttacker's goals: Gain code execution on a remote host.Investigative actions: Investigate the processes being spawned from Wsmprovhost.exe on the host for malicious indicators. Correlate the initiator process (most likely PowerShell) to the source host and investigate it.