Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

2 alerts match the current filters. technique: T1207 ✕

Show ATT&CK heatmap
  • Possible DCSync from a non domain controller Low 5 variations

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005)
    ATT&CK techniques: OS Credential Dumping: DCSync (T1003.006) Rogue Domain Controller (T1207)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Impacket Analytics
    Attacker's goals: An attacker is trying to retrieve Active Directory data, including password hashes.
    Investigative actions: Check whether one of the machines is a new domain controller.

    Variations

    DCSync from a non domain controller from a non-standard process

    High overridden

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden

    Large DCSync from a non domain controller by AppID

    Medium overridden

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden

    Large DCSync from a non domain controller

    Medium overridden

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden

    Possible DCSync from an internet-facing server

    Medium overridden

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden

    DCSync from a non domain controller

    Low overridden

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden

  • Potential DCSync by an unusual user Informational Identity Analytics 1 variation

    Attackers may leverage the domain replication process to extract sensitive information (DCSync).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping: DCSync (T1003.006) Rogue Domain Controller (T1207)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker is trying to retrieve Active Directory data, including password hashes.
    Investigative actions: Check the role of the account, and see if it should initiate a DC synchronization. Check if the account performing the DCSync is related to a new DC. Find the source host of the DCSync (correlate between event 4662 and 4624 based on the field 'Logon ID'). Check if the account was recently added to an administrative groups/had new sensitive privileges assigned to it. Monitor suspicious traffic to/from the host to identify lateral movement or access to sensitive resources.

    Variations

    Possible DCSync by an unusual user

    Low overridden

    Attackers may leverage the domain replication process to extract sensitive information (DCSync). overridden