Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

2 alerts match the current filters. technique: T1068 ✕

Show ATT&CK heatmap
  • Sudoedit Brute force attempt Medium

    An unusual amount of sudoedit commands executed in a short period of time. This may indicate an attempt to exploit CVE-2021-3156.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Exploitation for Privilege Escalation (T1068)
    Required data: XDR Agent
    Attacker's goals: The attacker may gain higher privileges via exploitation of sudoedit.
    Investigative actions: Verify that the current version of sudo in not vulnerable to CVE-2021-3156.
  • Windows Installer exploitation for local privilege escalation Medium

    The Windows installer (msiexec.exe) was likely exploited to run a malicious rollback script (.rbs file) instead of the original.Users should not be able to modify config.msi during the installation process, only SYSTEM should have access to it.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Exploitation for Privilege Escalation (T1068)
    Required data: XDR Agent
    Attacker's goals: An attacker is attempting to gain SYSTEM privileges.
    Investigative actions: Investigate the actor process SID and path and whether it's benign or normal for this host. This action is not common, but allowed on Windows versions older than Windows 8. On those systems, check the file reputation for both the CGO and OS actor executables that ran the installation.