Analytics Alerts
Browse the Cortex analytics alert reference.
4 alerts match the current filters. tactic: TA0008 ✕ technique: T1078 ✕
Show ATT&CK heatmapA user logged in to the AWS console for the first time Informational Cloud 1 variation
A user logged in to the AWS console for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Lateral Movement (TA0008)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Remote Services: Cloud Services (T1021.007)Required data: AWS Audit LogAttacker's goals: Evading detections by performing direct operations using the AWS console. Performing non-automatic operations easily.Investigative actions: Check if the identity is an AWS identity. Investigate which operations were performed by the identity.Variations
A non-user identity logged in to the AWS console for the first time
Medium overridden
A non-user identity logged in to the AWS console for the first time. overridden
Abnormal User Login to Domain Controller Informational Identity Analytics 4 variations
A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078) Use Alternate Authentication Material (T1550)Required data: XDR AgentAttacker's goals: A malicious user may attempt to access a domain controller to access and control Active Directory.Investigative actions: Ensure that the user is not a Domain Admin account. By default, Administrator groups have permission to access the domain controller. Check if the user is a service account that accesses a domain controller as part of its normal behavior. Verify that the user is not authenticating to group policy.Variations
Rare RDP User Login to Domain Controller by an Abnormal Department
Medium overridden
A user account has successfully interactively logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden
Abnormal RDP User Login to Domain Controller
Low overridden
A user account has successfully interactively logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden
RDP User Login to Domain Controller
Informational overridden
A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden
Abnormal User Login to Domain Controller by an Abnormal Department
Informational overridden
A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden
PKINIT TGT authentication request Informational Identity Analytics 2 variations
A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Privilege Escalation (TA0004)ATT&CK techniques: Use Alternate Authentication Material (T1550) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Gain unauthorized access to high-privilege accounts by abusing certificate-based authentication mechanisms.Investigative actions: Verify if Windows Hello for Business (WHfB) is deployed and actively used in the environment, as it may explain the PKINIT activity. Inspect the Key Credentials attribute of the target account for recent modifications. Review associated service tickets or lateral movement activities tied to the target account. Investigate unusual certificate issuance or PKI activities.Variations
Suspicious PKINIT TGT authentication request
Medium overridden
A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse. overridden
Abnormal PKINIT TGT authentication request
Low overridden
A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse. overridden
Remote usage of an AWS service token Low Cloud 1 variation
An AWS service token was used externally of the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008) Initial Access (TA0001)ATT&CK techniques: Steal Application Access Token (T1528) Use Alternate Authentication Material: Application Access Token (T1550.001) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogAttacker's goals: Exfiltrate a token and abuse it remotely.Investigative actions: Check what actions were executed using the access-key. Check if the IAM role was assumed by a different identity.Variations
Suspicious usage of AWS service token
Medium overridden
An AWS service token was used externally of the cloud environment. overridden