Analytics Alerts
Browse the Cortex analytics alert reference.
37 alerts match the current filters. technique: T1087 ✕
Show ATT&CK heatmapA New Server was Added to an Azure Active Directory Hybrid Health ADFS Environment Informational Cloud
A new server has been added to an Azure Active Directory Hybrid Health AD FS Environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: Azure Audit LogAttacker's goals: Gain access to sensitive data stored in the new server. Gain access to other servers in the Azure Active Directory Hybrid Health AD FS Environment. Gain access to user accounts in the Azure Active Directory Hybrid Health AD FS Environment.Investigative actions: Check the Azure Active Directory Hybrid Health Monitor to identify the new server. Verify that the new server is correctly configured for ADFS. Check the logs for any errors related to the new server.A user executed multiple LDAP enumeration queries Informational Identity Analytics 1 variation
A user executed multiple LDAP enumeration queries.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery: Domain Groups (T1069.002) Domain Trust Discovery (T1482) Remote System Discovery (T1018) System Network Configuration Discovery (T1016)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Server)Attacker's goals: An adversary may utilize the LDAP protocol to gain information on the Active Directory environment and plan its lateral movement over the network.Investigative actions: Where possible, check the legitimacy of the process that executed these LDAP queries. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic, those search queries (often using wildcards) tend to be more suspicious.Variations
A user executed suspicious LDAP enumeration queries
Low overridden
A user executed multiple LDAP enumeration queries. overridden
AWS IAM account discovery operation Informational Cloud
AWS IAM account discovery operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery: Cloud Account (T1087.004)Required data: AWS Audit LogAttacker's goals: Understand the IAM structure and relationships between users, roles, and groups to identify high-privilege identities or misconfigurations. Identify identities or roles that can be used to escalate privileges or gain broader access.Investigative actions: Check if the request follows a suspicious login, temporary credential use, or access from an unusual IP address. Check if the operation is followed by or correlated with other enumeration actions.AWS principals discovery Informational Cloud
A cloud identity has enumerated principals.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery: Cloud Account (T1087.004)Required data: AWS Audit LogAttacker's goals: Obtaining a list of principals that could be targeted for lateral movement.Investigative actions: Investigate any unusual activity originating from the suspected identity.AWS resource discovery Informational Cloud
A cloud identity has enumerated resources.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery: Cloud Account (T1087.004)Required data: AWS Audit LogAttacker's goals: Obtaining a list of resources that could be targeted for lateral movement.Investigative actions: Investigate any unusual activity originating from the suspected identity.Administrator groups enumerated via LDAP Informational
An LDAP search query that collects information about administrators was executed. This may be indicative of Active Directory domain enumeration, which can be used to perform attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators.An Azure identity performed multiple actions that were denied Informational Cloud 3 variations
An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Execute various of commands to explore the cloud environment.Investigative actions: Check the identity's role designation in the organization.Check if there are additional calls executed by the identity.Variations
An Azure application attempted multiple actions on resources that were denied
Medium overridden
An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused. overridden
An Azure identity attempted multiple actions on resources that were denied
Low overridden
An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused. overridden
An Azure application performed multiple actions that were denied
Low overridden
An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused. overridden
Cached credentials discovery with cmdkey Low 2 variations
Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: OS Credential Dumping (T1003) Account Discovery (T1087)Required data: XDR AgentAttacker's goals: Access cached user credentials.Investigative actions: Check the initiator process for additional suspicious activity. Check if the host is a shared host that multiple users' credentials can be extracted from.Variations
The process cmdkey runs with modified name and extract cached credentials
High overridden
Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list. overridden
Transfer cached credentials with cmdkey to other standard output
Medium overridden
Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list. overridden
Cloud user performed multiple actions that were denied Informational Cloud 1 variation
An identity performed multiple actions that were denied, which may indicate it is being misused.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Execute various commands to explore the cloud environment.Investigative actions: Check if the API calls were made by the identity.Check if there are additional calls executed by the identity.Variations
Cloud non-user identity performed multiple actions that were denied
Low overridden
An identity performed multiple actions that were denied, which may indicate it is being misused. overridden
Discovery of accounts with pre-authentication disabled via LDAP Low Identity Analytics 1 variation
A possible discovery of accounts without pre-authentication required via LDAP was performed. Such enumeration may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: Account Discovery (T1087) Steal or Forge Kerberos Tickets: AS-REP Roasting (T1558.004)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Server), LDAP Analytics (Client)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Correlate logs from the same host or user for related LDAP queries or other unusual activities. Audit accounts flagged as not requiring pre-authentication and verify compliance with security policies. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.Variations
Suspicious discovery of accounts without pre-authentication required via LDAP
Medium overridden
A possible discovery of accounts without pre-authentication required via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden
IAM Enumeration sequence Informational Cloud 1 variation
An identity has executed a sequence of events which may be related to an IAM recon enumeration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 7 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069) Cloud Service Discovery (T1526)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Gather information about the cloud environment, including IAM users, groups, roles, and policies.Investigative actions: Verify whether the API calls were made by the identity and check for any additional related calls.Variations
IAM Enumeration sequence executed from a cloud Internet facing instance
Low overridden
A cloud Internet facing instance performed an unusual IAM enumeration. overridden
IAM instance profiles were listed Informational Cloud
AWS IAM instance profiles associated with a role were listed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery: Cloud Account (T1087.004)Required data: AWS Audit LogAttacker's goals: Identify users and roles in a cloud environment to find privileged accounts for further exploitation.Investigative actions: Determine which instance profiles were listed. Investigate any suspicious activities related to the identity and the role.IAM role-attached managed policies were listed Informational Cloud
AWS IAM managed policies that are attached to a role were listed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery: Cloud Account (T1087.004)Required data: AWS Audit LogAttacker's goals: Identify users and roles in a cloud environment to find privileged accounts for further exploitation.Investigative actions: Determine which managed policies were listed. Investigate any suspicious activities related to the identity and the role.Interactive local account enumeration Low Identity Analytics
Multiple non-existing accounts attempted interactive local logins to a host within a short period.This may indicate that an attacker has physical access to the host and is trying to enumerate accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: Account Discovery (T1087) Brute Force (T1110)Required data: XDR AgentAttacker's goals: Discover valid accounts to gain credentials.Investigative actions: Check if the login attempts were part of a legitimate misunderstanding of the system or part of an attack.Kerberos User Enumeration Medium Identity Analytics
A high amount of Kerberos principal unknown errors were generated on users in the last hour.This may be indicative of Kerberos user enumeration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: The attacker may attempt to gain an initial foothold in the domain by enumerating users and finding service accounts.Investigative actions: Check whether any service principal names (SPNs) were not set correctly, as they will always return a principal unknown error.LDAP AD CS Enumeration via Attack Tool Low Identity Analytics 1 variation
A user sent a suspicious AD CS enumeration query via LDAP. The query is associated with an AD CS LDAP enumeration tool that may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: Account Discovery (T1087) Steal or Forge Authentication Certificates (T1649)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client), LDAP Analytics (Server), Active Directory Certificate Services AnalyticsAttacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.Variations
Abnormal LDAP AD CS Enumeration via Attack Tool
Medium overridden
A user sent a suspicious AD CS enumeration query via LDAP. The query is associated with an AD CS LDAP enumeration tool that may be used during attacks against the organization. overridden
LDAP search query from an unpopular and unsigned process Low
An unpopular and unsigned process performed an LDAP search query. This may be indicative of LDAP enumeration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Generic search queries (often using wildcards) tend to be more suspicious.LDAP traffic from non-standard process Informational 4 variations
LDAP traffic is usually performed by a standard set of processes.The endpoint had a non-standard process communicating over ports normally used by LDAP.This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: XDR AgentAttacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Make sure the process is not a scanner that implements its version of the protocol, and that the scanner use is for sanctioned purposes. For example, nmap enumerating LDAP. Make sure the process is not a sanctioned security product that creates standalone binaries for its use. For example, Illusive Network honeypots. Investigate the process to see if the high-level language used to implement the application is the source of the alert. Some high-level programming languages provide their protocol implementations. Examine the endpoint to see if it is infected with malware. If the parent-child chain of initiating processes has been infiltrated with a malicious replacement, then that replacement could be known malware.Variations
LDAP traffic from reverse SSH tunnel
Medium overridden
LDAP traffic is usually performed by a standard set of processes.The endpoint had a non-standard process communicating over ports normally used by LDAP.This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization. overridden
LDAP traffic from non-standard and uncommon process
Low overridden
LDAP traffic is usually performed by a standard set of processes.The endpoint had a non-standard process communicating over ports normally used by LDAP.This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization. overridden
LDAP traffic from non-standard process executed under an unsigned causality actor in a commonly abused directory
Low overridden
LDAP traffic is usually performed by a standard set of processes.The endpoint had a non-standard process communicating over ports normally used by LDAP.This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization. overridden
LDAP traffic from an injected thread within a non-standard process
Low overridden
LDAP traffic is usually performed by a standard set of processes.The endpoint had a non-standard process communicating over ports normally used by LDAP.This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization. overridden
Local account discovery Informational
One of several local account discovery commands were executed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery: Local Account (T1087.001)Required data: XDR AgentAttacker's goals: Account discovery.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Local user enumeration via SAMR Informational 1 variation
A user enumerated local users via SAMR.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery: Local Account (T1087.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An adversary may leverage local user discovery to identify privileged users and escalate privileges.Investigative actions: Determine the user, hostname, and process that performed the user enumeration. Inspect process, command-line arguments or scripts used. Check for any privilege escalation or lateral movement attempts from the source system. Check if the tool used to enumerate the local users is a known or an approved tool. Review the logs for suspicious activity from the same host or user.Variations
Local user enumeration via SAMR on an internet facing server
Low overridden
A user enumerated local users via SAMR. overridden
Multiple failed AWS assume role attempts Informational Cloud 1 variation
An AWS identity performed an unusual high number of failed assume role attempts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Account Discovery: Cloud Account (T1087.004)Required data: AWS Audit LogAttacker's goals: Identify accessible roles and move laterally or escalate privileges within a cloud environment.Investigative actions: Check if the attempting identity is aware of this activity and if its recent behavior appears suspicious. Evaluate if the source IP address or user agent associated with these attempts is known or suspicious. Verify if any successful assume role operations occurred from the same identity around the same time. Review any additional activity from the specific roles the identity assumed.Variations
Suspicious multiple failed AWS assume role attempts
Medium overridden
An AWS identity performed an unusual high number of failed assume role attempts. overridden
Possible Kerberos User Enumeration Informational Identity Analytics 1 variation
Multiple Kerberos TGT requests with KDC_ERR_C_PRINCIPAL_UNKNOWN errors were generated on different users in the last 10 minutes which may indicate Kerberos user enumeration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery: Domain Account (T1087.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: The attacker may attempt to gain an initial foothold in the domain by enumerating users.Investigative actions: Identify the source host from which the failed logons originated, by making sure the IP is not a shared address. Check the host from which the errors originated, and verify the legitimacy of the TGT requests. Correlate successful logons from the source host to identify potential account compromises following the failed attempts. Review source host activity to detect any additional suspicious or lateral movement behavior.Variations
Possible Kerberos User Enumeration Involving Exposed Users
Low overridden
Multiple Kerberos TGT requests with KDC_ERR_C_PRINCIPAL_UNKNOWN errors were generated on different users in the last 10 minutes which may indicate Kerberos user enumeration. overridden
Possible LDAP Enumeration Tool Usage Informational Identity Analytics 3 variations
A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery: Domain Groups (T1069.002) Domain Trust Discovery (T1482) Remote System Discovery (T1018) System Network Configuration Discovery (T1016)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client), LDAP Analytics (Server)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.Variations
Possible admin enumeration via LDAP
Informational overridden
A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden
A user executed an LDAP enumeration query with suspicious characteristics
Medium overridden
A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden
Rare LDAP enumeration query executed by a user
Low overridden
A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden
Possible LDAP Enumeration of Microsoft Configuration Manager Informational Identity Analytics 1 variation
A possible enumeration on Microsoft Configuration Manager via LDAP was performed. Such enumeration may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client), LDAP Analytics (Server), Microsoft SCCM AnalyticsAttacker's goals: An attacker is attempting to enumerate Microsoft Configuration Manager.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries. Looking for suspicious activity or logins to the Microsoft Configuration Manager site server.Variations
Suspicious enumeration on Microsoft Configuration Manager via LDAP
Low overridden
A possible enumeration on Microsoft Configuration Manager via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden
Possible LDAP enumeration by unsigned process Informational 2 variations
An unsigned process performed multiple different LDAP search queries. This may be indicative of LDAP enumeration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Generic search queries (often using wildcards) tend to be more suspicious.Variations
Possible LDAP enumeration by unsigned process
Medium overridden
An unsigned process performed multiple different LDAP search queries. This may be indicative of LDAP enumeration. overridden
Possible LDAP enumeration by unsigned process
Low overridden
An unsigned process performed multiple different LDAP search queries. This may be indicative of LDAP enumeration. overridden
Possible SPN enumeration Informational Identity Analytics 1 variation
A possible SPN enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client), LDAP Analytics (Server)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.Variations
Suspicious SPN enumeration via LDAP
Low overridden
A possible SPN enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden
Rare LDAP enumeration Low
Possible LDAP enumeration with a rare combination of queries.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: Palo Alto Networks Firewall EAL LogsDetector tags: LDAP AnalyticsAttacker's goals: An adversary may utilize the LDAP protocol to gain information on the Active Directory environment and plan its lateral movement over the network.Investigative actions: Where possible, check the legitimacy of the process that executed these LDAP queries. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic, those search queries (often using wildcards) tend to be more suspicious.Remote account enumeration Informational Identity Analytics 2 variations
Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: Account Discovery (T1087) Brute Force (T1110)Required data: XDR AgentAttacker's goals: Discover valid accounts to gain credentials.Investigative actions: Check if the login attempts were part of a legitimate misunderstanding of the system or part of an attack.Variations
Suspicious Remote domain account enumeration
Medium overridden
Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts. overridden
Remote account enumeration on domain accounts
Low overridden
Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts. overridden
Suspicious LDAP search query executed Low 2 variations
A suspicious and unpopular LDAP search query was executed. This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.Variations
Suspicious LDAP search query executed
High overridden
A suspicious and unpopular LDAP search query was executed. This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization. overridden
Suspicious LDAP search query executed
Low overridden
A suspicious and unpopular LDAP search query was executed. This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization. overridden
Suspicious reconnaissance using LDAP Informational 1 variation
A process executed multiple suspicious LDAP search queries. This may be indicative of LDAP enumeration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 7 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Generic search queries (often using wildcards) tend to be more suspicious.Variations
Suspicious reconnaissance using LDAP from untrusted process
Low overridden
A process executed multiple suspicious LDAP search queries. This may be indicative of LDAP enumeration. overridden
Uncommon access to /etc/passwd Informational 11 variations
A process made an uncommon attempt to access /etc/passwd.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: File and Directory Discovery (T1083) System Service Discovery (T1007) System Owner/User Discovery (T1033) System Information Discovery (T1082) Account Discovery (T1087) Account Discovery: Local Account (T1087.001) OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: EDR Discovery Analytics, Credentials Grabbing AnalyticsAttacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.Variations
Uncommon access to /etc/passwd by a security testing tool
Medium overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd by a potentially known credential dumper or enumeration script
Medium overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd by a potential Webshell
Medium overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon link creation to /etc/passwd
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd with both /etc/passwd and /etc/shadow in the command line
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd, involving a network utility
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd from temporary or world writable directories
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd with additional sensitive files in the command line
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd via a new inline bash script
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd using an interactive binary
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd using an interactive shell
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon attempt at grabbing credentials from a sensitive file Informational 8 variations
A process made an uncommon attempt to access a file that may contain sensitive information.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: OS Credential Dumping (T1003) Unsecured Credentials: Credentials In Files (T1552.001) Unsecured Credentials (T1552) Credentials from Password Stores (T1555) Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Credentials Grabbing AnalyticsAttacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.Variations
Uncommon attempt at grabbing credentials from a sensitive file by a security testing tool
High overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a potentially known credential dumper or enumeration script
Medium overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from an SSH private key
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a potential Webshell
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a script that was executed by a rare causality
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file from temporary or world writable directories
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a rare process that was executed by cron
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a non-GTFOBIN process
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon user management via net.exe Informational 1 variation
The net.exe command is used to add, delete, and otherwise manage the users on a computer. Adversaries may attempt to use the command to discover or add local and domain user accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)ATT&CK techniques: Account Discovery (T1087) Create Account (T1136)Required data: XDR AgentAttacker's goals: Attackers may attempt to use the command to discover or add local and domain user accounts. The created accounts are to gain additional access to endpoints within your network.Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Check whether the user from the command line is an administrator or other sensitive account.Variations
Uncommon user management via net.exe by an untrusted CGO
Low overridden
The net by an untrusted CGO.exe command is used to add, delete, and otherwise manage the users on a computer. Adversaries may attempt to use the command to discover or add local and domain user accounts. overridden
Unusual IAM enumeration activity by a non-user Identity Informational Cloud
An unusual command which may be related to an IAM recon enumeration was executed by a non-user identity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069) Cloud Service Discovery (T1526)Required data: Gcp Audit LogAttacker's goals: Collect information on the cloud environment, including IAM users, groups, roles, and policies.Investigative actions: Check if the API call was made by the identity.Check if there are additional unusual API calls from the identity.Unusual multi-region AWS Resource Explorer searches Informational Cloud
An identity performed unusual discovery activity in multiple regions using Resource Explorer's Search operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Account Discovery: Cloud Account (T1087.004)Required data: AWS Audit LogAttacker's goals: Obtain a list of resources that could be targeted for lateral movement.Investigative actions: Investigate any unusual activity originating from the suspected identity.User and Group Enumeration via SAMR Informational
The endpoint performed unfamiliar SAMR querying activity to a domain controller.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An adversary may enumerate users and groups to gain information and plan its lateral movement over the network.Investigative actions: Check if the host is a newly deployed server that provides RPC-based services to multiple hosts. Check if there are any other suspicious activities originating from the same machine.User discovery via WMI query execution Informational 3 variations
Attackers or malware may use WMI queries to list the users of a host, and potentially its owner.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Discovery (TA0007)ATT&CK techniques: Windows Management Instrumentation (T1047) System Owner/User Discovery (T1033) Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attacker or malware can use WMI queries to discover host users and enumerate a huge amount of information.Investigative actions: Examine the process that executed the WMI query and verify that the process is from a trusted source. Inspect the system for suspicious activity that is related to that process.Variations
User discovery via WMI query execution by an unsigned process
Low overridden
Attackers or malware may use WMI queries to list the users of a host, and potentially its owner. overridden
User modification via WMIC query execution
Low overridden
Attackers or malware may use WMI queries to modify the users of a host, and potentially its owner. overridden
User discovery via WMIC query execution
Informational overridden
Attackers or malware may use WMI queries to list the users of a host, and potentially its owner. overridden