Analytics Alerts
Browse the Cortex analytics alert reference.
19 alerts match the current filters. technique: T1548 ✕
Show ATT&CK heatmapA new machine attempted Kerberos delegation Medium Identity Analytics
A newly created machine attempted to perform a Kerberos delegation. This suspicious activity might indicate a Kerberos relay attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 12 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to system.Investigative actions: Check for any other suspicious activity related to the machine involved in the alert. Look for a new machine that was added to the domain.An identity was granted permissions to manage user access to Azure resources Informational Cloud
An identity was granted the User Access Administrator permission at the tenant scope.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005)Required data: Azure Audit LogAttacker's goals: Elevate permission to gain access to all Azure Subscriptions.Investigative actions: Verify whether the identity should be making this action. Check what additional API calls were made by the identity.Azure AD PIM role settings change Low Identity Threat Module 1 variation
An identity changed the PIM role settings.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548) Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: An attacker can modify the PIM role settings to make it easier to acquire a privileged account.Investigative actions: Check what role settings have been updated. Check whether the user changing the settings is permitted to perform such actions.Variations
Suspicious Azure AD PIM role settings change
Medium overridden
An identity modified the PIM role settings to a less secure configuration for a privileged role. overridden
Azure Privilege Escalation Using an Application Medium Identity Threat Module
An Azure application was observed assigning an Azure administrator role to a user. This might indicate a privilege escalation attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 5 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: Azure Audit Log AzureAD AzureAD Audit Log Microsoft Graph Logs Office 365 Audit Okta Okta Audit Log Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Global Protect Third-Party VPNs Slack Audit Log XDR Agent XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may add additional roles or permissions to an attacker controlled cloud account to maintain persistent access to a tenant.Investigative actions: Check if the affected account is new to the organization. Check whether the application that added the account to the role is permitted to perform such actions. Check what can be affected by the assigned role Follow further actions done by the account that was added to the role.BitLocker key retrieval Informational Identity Threat Module
An identity retrieved a BitLocker Key.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: AzureAD Audit LogAttacker's goals: BitLocker keys are used for mitigating unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive. An attacker that retrieves this key, can potentially access the data that should be encrypted.Investigative actions: Check what key was retrieved. Check for a possible compromised device. Check whether the user is permitted to perform such actions.Change of sudo caching configuration Low 1 variation
Change of sudo caching configuration may have been intended to enable privilege escalation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism: Sudo and Sudo Caching (T1548.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may use the sudoers file to elevate privileges.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Change of sudo caching configuration in a Kubernetes pod
Low overridden
Change of sudo caching configuration may have been intended to enable privilege escalation. overridden
Conditional Access policy removed Low Identity Threat Module
An identity removed a Conditional Access policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: AzureAD Audit LogAttacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion. Without a Conditional Access policy, an attacker would be able to access the tenant without possible blockage for later access.Investigative actions: Check implications of the policy being removed. Check whether the user changing the configuration is permitted to perform such actions.Creation or modification of the default command executed when opening an application Informational 4 variations
Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain higher privileges by bypassing the User Account Control (UAC).Investigative actions: Check the registry data modified for a potentially malicious command line. Look for processes running matching the command line for malicious activity.Variations
Creation or modification of the default command executed when opening the Microsoft optional features settings (Fodhelper.exe)
Medium overridden
Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC. overridden
Creation or modification of the default command executed when opening an MMC application
Medium overridden
Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC. overridden
Creation or modification of the default command executed when opening Windows backup and restore (sdclt.exe)
Medium overridden
Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC. overridden
Creation or modification of the default command executed when opening Windows Store settings (Wsreset.exe)
Medium overridden
Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC. overridden
Device Registration Policy modification Informational Identity Threat Module 1 variation
An identity changed the Device Registration policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: AzureAD Audit LogAttacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion. With a modified Device Registration policy, an attacker might be able to access the tenant without possible blockage for later access.Investigative actions: Check what policy has been changed. Check whether the user changing the configuration is permitted to perform such actions.Variations
A user modified the Device Registration Policy for the first time
Low overridden
An identity changed the Device Registration policy. overridden
Fodhelper.exe UAC bypass Medium
Attackers may use Fodhelper.exe to bypass UAC (User Account Control) by having it spawn their malicious process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)Required data: XDR AgentAttacker's goals: Gain higher privileges by bypassing the User Account Control (UAC).Investigative actions: Search for a registry event that changes the key Software\Classes\ms-settings. Review the process that made the registry key. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.GCP service account impersonation attempt Informational Cloud
An attempt to impersonate the GCP service account failed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)Required data: Gcp Audit LogAttacker's goals: Escalate privileges to gain elevated access to cloud resources.Investigative actions: Review activity on the target service account. Check which principals have permission to impersonate the service account.LOLBIN process executed with a high integrity level Low 1 variation
A process spawned a suspicious LOLBIN process with a higher/system integrity level.The LOLBIN process spawned with an uncommon command line. This may be an indication of malicious code execution to gain privileges.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: XDR AgentAttacker's goals: An attacker may attempt to gain higher privileges.Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it.Investigate the endpoint to determine if it's a legitimate process that is supposed to run with privileges.Variations
LOLBIN process executed with a high integrity level by a web server process or CGO
Medium overridden
A process spawned a suspicious LOLBIN process with a higher/system integrity level by a web server process or CGO.The LOLBIN process spawned with an uncommon command line. This may be an indication of malicious code execution to gain privileges. overridden
Multiple failed AWS assume role attempts Informational Cloud 1 variation
An AWS identity performed an unusual high number of failed assume role attempts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Account Discovery: Cloud Account (T1087.004)Required data: AWS Audit LogAttacker's goals: Identify accessible roles and move laterally or escalate privileges within a cloud environment.Investigative actions: Check if the attempting identity is aware of this activity and if its recent behavior appears suspicious. Evaluate if the source IP address or user agent associated with these attempts is known or suspicious. Verify if any successful assume role operations occurred from the same identity around the same time. Review any additional activity from the specific roles the identity assumed.Variations
Suspicious multiple failed AWS assume role attempts
Medium overridden
An AWS identity performed an unusual high number of failed assume role attempts. overridden
Possible Kerberos relay attack Low
A suspicious local network login was observed, which might indicate on Kerberos relay attack. This attack can lead to privilege escalation by obtaining system privileges on the target.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: Windows Event Collector XDR AgentAttacker's goals: An attacker is attempting to elevate its privileges on the machine.Investigative actions: Check for any other suspicious activity related to the host involved in the alert. Look for a new machine that was added to the domain.Setuid and Setgid file bit manipulation Low 1 variation
The setuid or setgid bits were set on a file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Abuse Elevation Control Mechanism: Setuid and Setgid (T1548.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may try to run the executable application as a different user.Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.Variations
Setuid and Setgid file bit manipulation in a Kubernetes pod
Low overridden
The setuid or setgid bits were set on a file. overridden
Suspicious process executed with a high integrity level Informational 1 variation
A suspicious process was spawned with a High or System integrity level, which is higher than its parent process. This may indicate malicious privilege escalation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: XDR AgentAttacker's goals: An attacker may attempt to gain higher privileges.Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Investigate the endpoint to determine if it's a legitimate process that is supposed to run with privileges.Variations
Suspicious process executed with a high integrity level
Low overridden
A suspicious process was spawned with a High or System integrity level, which is higher than its parent process. This may indicate malicious privilege escalation. overridden
Tampering with the Windows User Account Controls (UAC) configuration Informational 3 variations
EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain higher privileges by bypassing the User Account Control (UAC).Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Tampering with the Windows User Account Controls (UAC) configuration by a remote host
Medium overridden
EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA). overridden
Tampering with the Windows User Account Controls (UAC) configuration
Low overridden
EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA). overridden
Tampering with the Windows User Account Controls (UAC) configuration
Low overridden
EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA). overridden
Unusual Conditional Access operation for an identity Informational Identity Threat Module 1 variation
An identity attempted to add or update an Azure AD Conditional Access policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: AzureAD Audit LogAttacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion. With a modified Conditional Access policy, an attacker might be able to access the tenant without possible blockage for later access.Investigative actions: Check implications of the updated policy. Check whether the user changing the configuration is permitted to perform such actions.Variations
Suspicious Conditional Access operation for an identity
Low overridden
An identity that doesn't usually modify Azure AD Conditional Access policies successfully modified a policy. overridden
Unusual cloud identity impersonation Informational Cloud 3 variations
A cloud identity attempted to impersonate another identity for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Escalate privileges and bypass access controls Avoid detection throughout their compromise.Investigative actions: Check the identity's designation. Verify that the identity did not perform any sensitive operation on behalf of the impersonated identity.Variations
Unusual cloud identity impersonation of a management role
Informational overridden
A cloud identity attempted to impersonate a management role for the first time. overridden
Suspicious cloud identity impersonation was succeeded
Medium overridden
A cloud identity has impersonated another identity for the first time. overridden
Suspicious cloud identity impersonation was failed
Informational overridden
A cloud identity has failed to impersonate another identity. overridden