Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

4 alerts match the current filters. technique: T1140 ✕

Show ATT&CK heatmap
  • Encoded information using Windows certificate management tool Medium

    Encoding/decoding to/from using certutil.exe could be used to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Obfuscated Files or Information: Encrypted/Encoded File (T1027.013) Deobfuscate/Decode Files or Information (T1140)
    Required data: XDR Agent
    Attacker's goals: Evade detection by executing processes with obfuscated arguments.
    Investigative actions: Check encoded/decoded command content and see whether it is benign or malicious.
  • Possible data obfuscation Informational 1 variation

    A command that can be used for file obfuscation was executed with an uncommon command line.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Deobfuscate/Decode Files or Information (T1140)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may use obfuscated files to cover their tracks.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Possible data obfuscation in a Kubernetes pod

    Low overridden

    A command that can be used for file obfuscation was executed with an uncommon command line. overridden

  • Potential extraction of NAA Account Credentials in Microsoft Configuration Manager Low Identity Analytics 1 variation

    Possible user attempt to deobfuscate Network Access Account (NAA) credentials in Microsoft Configuration Manager. This may indicate a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005)
    ATT&CK techniques: Unsecured Credentials (T1552) Deobfuscate/Decode Files or Information (T1140) Credentials from Password Stores (T1555)
    Required data: Azure Audit Log AzureAD AzureAD Audit Log Microsoft Graph Logs Office 365 Audit Okta Okta Audit Log Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Global Protect Third-Party VPNs Slack Audit Log XDR Agent XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: An attacker may extract plaintext credentials of the Network Access Account (NAA) from an SCCM environment to access resources and lateral movement within the network.
    Investigative actions: Verify the activity with the performing user. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Look for unusual logins using the Network Access Account (NAA), on systems or at times that deviate from normal patterns. Looking for signs of credential extraction, such as tools or scripts.

    Variations

    Suspicious extraction of NAA Account Credentials in Microsoft Configuration Manager

    Medium overridden

    Possible user attempt to deobfuscate Network Access Account (NAA) credentials in Microsoft Configuration Manager. This may indicate a compromised account. overridden

  • Suspicious AMSI decode attempt Informational

    A script has executed commands that can be used to decode commands or files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Minute
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Deobfuscate/Decode Files or Information (T1140)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Avoid security mitigations and detections.
    Investigative actions: Check the payload for malicious activity.