Analytics Alerts
Browse the Cortex analytics alert reference.
9 alerts match the current filters. technique: T1082 ✕
Show ATT&CK heatmapMultiple discovery commands Low 4 variations
The alerted causality performed multiple discovery commands in a short timeframe.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)Required data: XDR AgentAttacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.Variations
Multiple discovery commands from a web server CGO
Medium overridden
The alerted causality performed multiple discovery commands in a short timeframe. overridden
Multiple discovery commands from an SQL server CGO
Medium overridden
The alerted causality performed multiple discovery commands in a short timeframe. overridden
Multiple discovery commands from an unsigned causality
Medium overridden
The alerted causality performed multiple discovery commands in a short timeframe. overridden
Multiple discovery commands from a standard IT tool
Informational overridden
The alerted causality performed multiple discovery commands in a short timeframe. overridden
Multiple discovery commands on a Linux host by the same process Informational 2 variations
The alerted process performed multiple consecutive discovery commands in a short timeframe.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)Required data: XDR AgentAttacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.Variations
Multiple discovery commands on a Linux host by the same process
Medium overridden
The alerted process performed multiple consecutive discovery commands in a short timeframe. overridden
Multiple discovery commands on a Linux host by the same process
Low overridden
The alerted process performed multiple consecutive discovery commands in a short timeframe. overridden
Multiple discovery commands on a Windows host by the same process Low 5 variations
The alerted process performed multiple discovery commands in a short timeframe.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)Required data: XDR AgentAttacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.Variations
Remote Multiple discovery commands on a Windows host by the same IP
High overridden
The alerted process performed multiple discovery commands in a short timeframe. overridden
Multiple discovery commands on a Windows host by the same process from a web server CGO
Medium overridden
The alerted process performed multiple discovery commands in a short timeframe. overridden
Multiple discovery commands on a Windows host by the same process from an SQL server CGO
Medium overridden
The alerted process performed multiple discovery commands in a short timeframe. overridden
Multiple discovery commands on a Windows host by the same process from a remote CGO
Medium overridden
The alerted process performed multiple discovery commands in a short timeframe. overridden
Rare Multiple discovery commands on a Windows host by the same process
Medium overridden
The alerted process performed multiple discovery commands in a short timeframe. overridden
Multiple discovery-like commands Informational 3 variations
The alerted process performed multiple consecutive discovery commands in a short time frame.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)Required data: XDR AgentAttacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.Variations
Multiple discovery-like commands by web server process
Low overridden
The web server process performed multiple consecutive discovery commands in a short time frame. overridden
Multiple discovery-like commands on a Linux host
Informational overridden
The alerted process performed multiple consecutive discovery commands in a short time frame. overridden
Multiple discovery-like commands
Informational overridden
The alerted process performed multiple consecutive discovery commands in a short time frame. overridden
Suspicious container reconnaissance activity in a Kubernetes pod Informational 2 variations
A process performed multiple consecutive container discovery commands from within a Kubernetes Pod.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007) Container and Resource Discovery (T1613)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.Variations
Suspicious container reconnaissance activity in a Kubernetes pod
Medium overridden
A process performed multiple consecutive container discovery commands from within a Kubernetes Pod. overridden
Suspicious container reconnaissance activity in a Kubernetes pod
Low overridden
A process performed multiple consecutive container discovery commands from within a Kubernetes Pod. overridden
System information discovery via psinfo.exe Low
Using psinfo.exe, the attacker can gather information about the network, and gain an in-depth understanding of which devices are relevant to attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: System Information Discovery (T1082)Required data: XDR AgentAttacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.System profiling WMI query execution Informational
Attackers or malware may use WMI queries to identify the system and evade execution in sandbox environments.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Discovery (TA0007)ATT&CK techniques: Windows Management Instrumentation (T1047) System Information Discovery (T1082)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attacker or malware can use WMI queries to identify system components and prevent execution in sandbox \ virtualized environments to evade detection.Investigative actions: Examine the process that executed the WMI query and verify that the process is from a trusted source. Inspect the system for suspicious activity that is related to that process.Uncommon access to /etc/passwd Informational 11 variations
A process made an uncommon attempt to access /etc/passwd.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: File and Directory Discovery (T1083) System Service Discovery (T1007) System Owner/User Discovery (T1033) System Information Discovery (T1082) Account Discovery (T1087) Account Discovery: Local Account (T1087.001) OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: EDR Discovery Analytics, Credentials Grabbing AnalyticsAttacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.Variations
Uncommon access to /etc/passwd by a security testing tool
Medium overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd by a potentially known credential dumper or enumeration script
Medium overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd by a potential Webshell
Medium overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon link creation to /etc/passwd
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd with both /etc/passwd and /etc/shadow in the command line
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd, involving a network utility
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd from temporary or world writable directories
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd with additional sensitive files in the command line
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd via a new inline bash script
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd using an interactive binary
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd using an interactive shell
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon attempt at discovering a sensitive file Informational 8 variations
A process made an uncommon attempt to access a file that may contain sensitive information.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: File and Directory Discovery (T1083) Process Discovery (T1057) System Service Discovery (T1007) System Network Configuration Discovery (T1016) System Owner/User Discovery (T1033) System Network Connections Discovery (T1049) System Information Discovery (T1082)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: EDR Discovery AnalyticsAttacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.Variations
Uncommon attempt at discovering /etc/hosts
Informational overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at discovering a sensitive file by a security testing tool
Medium overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at discovering a sensitive file by a potentially known credential dumper or enumeration script
Medium overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at discovering a sensitive file by a potential Webshell
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at discovering a sensitive file by a script that was executed by a rare causality
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at discovering a sensitive file from temporary or world writable directories
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at discovering a sensitive file by a rare process that was executed by cron
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at discovering a sensitive file by a non-GTFOBIN process
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden