Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

13 alerts match the current filters. technique: T1136 ✕

Show ATT&CK heatmap
  • A cloud identity invoked IAM related persistence operations Informational Cloud 2 variations

    A cloud identity invoked IAM related persistence operations.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Create Account: Cloud Account (T1136.003) Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Maintain persistence in cloud environments.
    Investigative actions: Check what API calls were executed by the identity. Check what cloud resources were affected. Look for signs that the identity is compromised.

    Variations

    A cloud identity invoked compute instance related persistence operations

    Informational overridden

    A cloud identity invoked compute instance related persistence operations. overridden

    A cloud identity invoked compute function related persistence operations

    Informational overridden

    A cloud identity invoked compute function related persistence operations. overridden

  • AWS user creation Informational Cloud

    A new AWS user was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Create Account: Cloud Account (T1136.003)
    Required data: AWS Audit Log
    Attacker's goals: Maintaining persistence by creating backdoor users or malicious resources, ensuring ongoing access even if their initial entry is detected.
    Investigative actions: Check which user was created. Investigate the created user role and permissions. Verify the user who created the new identity is aware of this action. Be aware of any suspicious activity originating from the new user.
  • An IAM group was created Informational Cloud

    An IAM group was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Create Account (T1136)
    Required data: AWS Audit Log
    Attacker's goals: Gain persistence through an IAM user who may be a member of the newly created group.
    Investigative actions: Review the group's permissions. Identify which users were added to the group.
  • Azure account creation by a non-standard account Informational Identity Threat Module 1 variation

    An Azure AD account creation was performed by a user that doesn't typically create users.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Create Account (T1136)
    Required data: AzureAD Audit Log
    Attacker's goals: Create a backdoor account for later access to Azure AD or Azure resources, or delete evidence of such an account.
    Investigative actions: Follow further actions by the initiator. Check for new resource creations by the new user. Check if the new user was added to a privileged role. Follow further actions done by the new user.

    Variations

    Unusual Azure account creation by a non-standard account

    Low overridden

    An Azure AD account creation was performed by a user that doesn't typically create users. overridden

  • GCP Service Account creation Informational Cloud

    A GCP service account was created. An attacker might use this technique to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Create Account (T1136)
    Required data: Gcp Audit Log
    Attacker's goals: Persistence with service account. An attacker might use this technique to evade detection.
    Investigative actions: Check the identity that created the account and its actions.
  • Multiple suspicious user accounts were created Low Identity Analytics

    A user was observed creating multiple rare user accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Create Account (T1136)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Check the user who created the accounts and verify the activity.
  • New cloud identity created with administrative policy Low Cloud 1 variation

    New cloud identity was created and assigned administrative policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Create Account: Cloud Account (T1136.003) Create Account (T1136) Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Escalate privileges in cloud environments.
    Investigative actions: Confirm whether this activity was intentional. Check for other API calls that were executed by the identity. Look for any suspicious behavior from the IAM user/role to whom the administrative policy was attached.

    Variations

    Administrative IAM User Created with Credentials

    Low overridden

    New cloud identity was created and assigned administrative policy. overridden

  • Rare machine account creation Informational Identity Analytics

    A user was observed creating a machine account for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Create Account (T1136)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Verify the activity of the user who created the account. Follow actions performed by the new machine account.
  • Suspicious domain user account creation Informational Identity Analytics

    A user was observed creating a rare domain account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Create Account: Domain Account (T1136.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Check the user who created the account and verify its activity.
  • Suspicious hidden user created Medium Identity Analytics

    A user account was created with a name that mimics a machine account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005)
    ATT&CK techniques: Create Account (T1136) Hide Artifacts: Hidden Users (T1564.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Evasion using a valid account.
    Investigative actions: Check the user account created and verify its activity.
  • Uncommon net group command execution Informational 7 variations

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)
    ATT&CK techniques: Permission Groups Discovery (T1069) Create Account (T1136)
    Required data: XDR Agent
    Attacker's goals: Attackers may attempt to use the command to find domain-level group permissions settings or modify domain-level memberships.
    Investigative actions: Check if the queried group is a sensitive one (e.g. administrators). Check whether the initiating process has executed additional discovery commands.

    Variations

    Uncommon unsigned net group administrators command execution

    High overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon unsigned net group administrators command execution - fixed localization issues

    High overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon remote net group administrators command execution

    Low overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon net group administrators command execution

    Medium overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon net group execution

    Low overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon remote net group execution

    Low overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon administrator net group execution by scripting engine or command prompt

    Medium overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

  • Uncommon net localgroup command execution Informational 7 variations

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)
    ATT&CK techniques: Permission Groups Discovery (T1069) Create Account (T1136)
    Required data: XDR Agent
    Attacker's goals: Attackers may attempt to use the command to find local groups permissions settings or modify local memberships.
    Investigative actions: Check if the queried group is a sensitive one (e.g. administrators). Check whether the initiating process has executed additional discovery commands.

    Variations

    Uncommon net localgroup administrators command execution by a web server process or CGO

    Medium overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. When executed from a web server, it might be executed from an installed Webshell. overridden

    Uncommon unsigned net localgroup administrators command execution

    Medium overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

    Uncommon unsigned net localgroup administrators command execution - fixed localization issues

    Medium overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

    Uncommon net localgroup administrators command execution

    Low overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

    Uncommon net localgroup execution

    Low overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

    Uncommon remote net localgroup execution

    Medium overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

    Uncommon administrator net localgroup execution by scripting engine or command prompt

    Low overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

  • Uncommon user management via net.exe Informational 1 variation

    The net.exe command is used to add, delete, and otherwise manage the users on a computer. Adversaries may attempt to use the command to discover or add local and domain user accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)
    ATT&CK techniques: Account Discovery (T1087) Create Account (T1136)
    Required data: XDR Agent
    Attacker's goals: Attackers may attempt to use the command to discover or add local and domain user accounts. The created accounts are to gain additional access to endpoints within your network.
    Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Check whether the user from the command line is an administrator or other sensitive account.

    Variations

    Uncommon user management via net.exe by an untrusted CGO

    Low overridden

    The net by an untrusted CGO.exe command is used to add, delete, and otherwise manage the users on a computer. Adversaries may attempt to use the command to discover or add local and domain user accounts. overridden