Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

4 alerts match the current filters. technique: T1033 ✕

Show ATT&CK heatmap
  • Discovery of host users via WMIC Informational

    Attackers may use wmic.exe to list the users of a host, and potentially its owner.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: System Owner/User Discovery (T1033)
    Required data: XDR Agent
    Attacker's goals: Attackers can attempt to use the command to discover host users and enumerate a huge amount of information.
    Investigative actions: Verify whether the command that was executed is benign or normal for the host and/or user performing it (for example, it may be an IT script).
  • Uncommon access to /etc/passwd Informational 11 variations

    A process made an uncommon attempt to access /etc/passwd.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: File and Directory Discovery (T1083) System Service Discovery (T1007) System Owner/User Discovery (T1033) System Information Discovery (T1082) Account Discovery (T1087) Account Discovery: Local Account (T1087.001) OS Credential Dumping (T1003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: EDR Discovery Analytics, Credentials Grabbing Analytics
    Attacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.
    Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.

    Variations

    Uncommon access to /etc/passwd by a security testing tool

    Medium overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd by a potentially known credential dumper or enumeration script

    Medium overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd by a potential Webshell

    Medium overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon link creation to /etc/passwd

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd with both /etc/passwd and /etc/shadow in the command line

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd, involving a network utility

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd from temporary or world writable directories

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd with additional sensitive files in the command line

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd via a new inline bash script

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd using an interactive binary

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd using an interactive shell

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

  • Uncommon attempt at discovering a sensitive file Informational 8 variations

    A process made an uncommon attempt to access a file that may contain sensitive information.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: File and Directory Discovery (T1083) Process Discovery (T1057) System Service Discovery (T1007) System Network Configuration Discovery (T1016) System Owner/User Discovery (T1033) System Network Connections Discovery (T1049) System Information Discovery (T1082)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: EDR Discovery Analytics
    Attacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.
    Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.

    Variations

    Uncommon attempt at discovering /etc/hosts

    Informational overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a security testing tool

    Medium overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a potentially known credential dumper or enumeration script

    Medium overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a potential Webshell

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a script that was executed by a rare causality

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file from temporary or world writable directories

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a rare process that was executed by cron

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a non-GTFOBIN process

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

  • User discovery via WMI query execution Informational 3 variations

    Attackers or malware may use WMI queries to list the users of a host, and potentially its owner.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Discovery (TA0007)
    ATT&CK techniques: Windows Management Instrumentation (T1047) System Owner/User Discovery (T1033) Account Discovery (T1087)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attacker or malware can use WMI queries to discover host users and enumerate a huge amount of information.
    Investigative actions: Examine the process that executed the WMI query and verify that the process is from a trusted source. Inspect the system for suspicious activity that is related to that process.

    Variations

    User discovery via WMI query execution by an unsigned process

    Low overridden

    Attackers or malware may use WMI queries to list the users of a host, and potentially its owner. overridden

    User modification via WMIC query execution

    Low overridden

    Attackers or malware may use WMI queries to modify the users of a host, and potentially its owner. overridden

    User discovery via WMIC query execution

    Informational overridden

    Attackers or malware may use WMI queries to list the users of a host, and potentially its owner. overridden