Analytics Alerts
Browse the Cortex analytics alert reference.
13 alerts match the current filters. technique: T1136 ✕
Show ATT&CK heatmapA cloud identity invoked IAM related persistence operations Informational Cloud 2 variations
A cloud identity invoked IAM related persistence operations.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Create Account: Cloud Account (T1136.003) Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Maintain persistence in cloud environments.Investigative actions: Check what API calls were executed by the identity. Check what cloud resources were affected. Look for signs that the identity is compromised.Variations
A cloud identity invoked compute instance related persistence operations
Informational overridden
A cloud identity invoked compute instance related persistence operations. overridden
A cloud identity invoked compute function related persistence operations
Informational overridden
A cloud identity invoked compute function related persistence operations. overridden
AWS user creation Informational Cloud
A new AWS user was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Create Account: Cloud Account (T1136.003)Required data: AWS Audit LogAttacker's goals: Maintaining persistence by creating backdoor users or malicious resources, ensuring ongoing access even if their initial entry is detected.Investigative actions: Check which user was created. Investigate the created user role and permissions. Verify the user who created the new identity is aware of this action. Be aware of any suspicious activity originating from the new user.An IAM group was created Informational Cloud
An IAM group was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Create Account (T1136)Required data: AWS Audit LogAttacker's goals: Gain persistence through an IAM user who may be a member of the newly created group.Investigative actions: Review the group's permissions. Identify which users were added to the group.Azure account creation by a non-standard account Informational Identity Threat Module 1 variation
An Azure AD account creation was performed by a user that doesn't typically create users.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Create Account (T1136)Required data: AzureAD Audit LogAttacker's goals: Create a backdoor account for later access to Azure AD or Azure resources, or delete evidence of such an account.Investigative actions: Follow further actions by the initiator. Check for new resource creations by the new user. Check if the new user was added to a privileged role. Follow further actions done by the new user.Variations
Unusual Azure account creation by a non-standard account
Low overridden
An Azure AD account creation was performed by a user that doesn't typically create users. overridden
GCP Service Account creation Informational Cloud
A GCP service account was created. An attacker might use this technique to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Create Account (T1136)Required data: Gcp Audit LogAttacker's goals: Persistence with service account. An attacker might use this technique to evade detection.Investigative actions: Check the identity that created the account and its actions.Multiple suspicious user accounts were created Low Identity Analytics
A user was observed creating multiple rare user accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Create Account (T1136)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Persistence using a valid account.Investigative actions: Check the user who created the accounts and verify the activity.New cloud identity created with administrative policy Low Cloud 1 variation
New cloud identity was created and assigned administrative policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Create Account: Cloud Account (T1136.003) Create Account (T1136) Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Escalate privileges in cloud environments.Investigative actions: Confirm whether this activity was intentional. Check for other API calls that were executed by the identity. Look for any suspicious behavior from the IAM user/role to whom the administrative policy was attached.Variations
Administrative IAM User Created with Credentials
Low overridden
New cloud identity was created and assigned administrative policy. overridden
Rare machine account creation Informational Identity Analytics
A user was observed creating a machine account for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Create Account (T1136)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Persistence using a valid account.Investigative actions: Verify the activity of the user who created the account. Follow actions performed by the new machine account.Suspicious domain user account creation Informational Identity Analytics
A user was observed creating a rare domain account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Create Account: Domain Account (T1136.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Persistence using a valid account.Investigative actions: Check the user who created the account and verify its activity.Suspicious hidden user created Medium Identity Analytics
A user account was created with a name that mimics a machine account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005)ATT&CK techniques: Create Account (T1136) Hide Artifacts: Hidden Users (T1564.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Evasion using a valid account.Investigative actions: Check the user account created and verify its activity.Uncommon net group command execution Informational 7 variations
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)ATT&CK techniques: Permission Groups Discovery (T1069) Create Account (T1136)Required data: XDR AgentAttacker's goals: Attackers may attempt to use the command to find domain-level group permissions settings or modify domain-level memberships.Investigative actions: Check if the queried group is a sensitive one (e.g. administrators). Check whether the initiating process has executed additional discovery commands.Variations
Uncommon unsigned net group administrators command execution
High overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon unsigned net group administrators command execution - fixed localization issues
High overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon remote net group administrators command execution
Low overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon net group administrators command execution
Medium overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon net group execution
Low overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon remote net group execution
Low overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon administrator net group execution by scripting engine or command prompt
Medium overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon net localgroup command execution Informational 7 variations
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)ATT&CK techniques: Permission Groups Discovery (T1069) Create Account (T1136)Required data: XDR AgentAttacker's goals: Attackers may attempt to use the command to find local groups permissions settings or modify local memberships.Investigative actions: Check if the queried group is a sensitive one (e.g. administrators). Check whether the initiating process has executed additional discovery commands.Variations
Uncommon net localgroup administrators command execution by a web server process or CGO
Medium overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. When executed from a web server, it might be executed from an installed Webshell. overridden
Uncommon unsigned net localgroup administrators command execution
Medium overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon unsigned net localgroup administrators command execution - fixed localization issues
Medium overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon net localgroup administrators command execution
Low overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon net localgroup execution
Low overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon remote net localgroup execution
Medium overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon administrator net localgroup execution by scripting engine or command prompt
Low overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon user management via net.exe Informational 1 variation
The net.exe command is used to add, delete, and otherwise manage the users on a computer. Adversaries may attempt to use the command to discover or add local and domain user accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)ATT&CK techniques: Account Discovery (T1087) Create Account (T1136)Required data: XDR AgentAttacker's goals: Attackers may attempt to use the command to discover or add local and domain user accounts. The created accounts are to gain additional access to endpoints within your network.Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Check whether the user from the command line is an administrator or other sensitive account.Variations
Uncommon user management via net.exe by an untrusted CGO
Low overridden
The net by an untrusted CGO.exe command is used to add, delete, and otherwise manage the users on a computer. Adversaries may attempt to use the command to discover or add local and domain user accounts. overridden