Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

19 alerts match the current filters. technique: T1548 ✕

Show ATT&CK heatmap
  • A new machine attempted Kerberos delegation Medium Identity Analytics

    A newly created machine attempted to perform a Kerberos delegation. This suspicious activity might indicate a Kerberos relay attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    12 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to system.
    Investigative actions: Check for any other suspicious activity related to the machine involved in the alert. Look for a new machine that was added to the domain.
  • An identity was granted permissions to manage user access to Azure resources Informational Cloud

    An identity was granted the User Access Administrator permission at the tenant scope.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005)
    Required data: Azure Audit Log
    Attacker's goals: Elevate permission to gain access to all Azure Subscriptions.
    Investigative actions: Verify whether the identity should be making this action. Check what additional API calls were made by the identity.
  • Azure AD PIM role settings change Low Identity Threat Module 1 variation

    An identity changed the PIM role settings.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548) Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker can modify the PIM role settings to make it easier to acquire a privileged account.
    Investigative actions: Check what role settings have been updated. Check whether the user changing the settings is permitted to perform such actions.

    Variations

    Suspicious Azure AD PIM role settings change

    Medium overridden

    An identity modified the PIM role settings to a less secure configuration for a privileged role. overridden

  • Azure Privilege Escalation Using an Application Medium Identity Threat Module

    An Azure application was observed assigning an Azure administrator role to a user. This might indicate a privilege escalation attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    5 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: Azure Audit Log AzureAD AzureAD Audit Log Microsoft Graph Logs Office 365 Audit Okta Okta Audit Log Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Global Protect Third-Party VPNs Slack Audit Log XDR Agent XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may add additional roles or permissions to an attacker controlled cloud account to maintain persistent access to a tenant.
    Investigative actions: Check if the affected account is new to the organization. Check whether the application that added the account to the role is permitted to perform such actions. Check what can be affected by the assigned role Follow further actions done by the account that was added to the role.
  • BitLocker key retrieval Informational Identity Threat Module

    An identity retrieved a BitLocker Key.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: AzureAD Audit Log
    Attacker's goals: BitLocker keys are used for mitigating unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive. An attacker that retrieves this key, can potentially access the data that should be encrypted.
    Investigative actions: Check what key was retrieved. Check for a possible compromised device. Check whether the user is permitted to perform such actions.
  • Change of sudo caching configuration Low 1 variation

    Change of sudo caching configuration may have been intended to enable privilege escalation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism: Sudo and Sudo Caching (T1548.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may use the sudoers file to elevate privileges.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Change of sudo caching configuration in a Kubernetes pod

    Low overridden

    Change of sudo caching configuration may have been intended to enable privilege escalation. overridden

  • Conditional Access policy removed Low Identity Threat Module

    An identity removed a Conditional Access policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion. Without a Conditional Access policy, an attacker would be able to access the tenant without possible blockage for later access.
    Investigative actions: Check implications of the policy being removed. Check whether the user changing the configuration is permitted to perform such actions.
  • Creation or modification of the default command executed when opening an application Informational 4 variations

    Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain higher privileges by bypassing the User Account Control (UAC).
    Investigative actions: Check the registry data modified for a potentially malicious command line. Look for processes running matching the command line for malicious activity.

    Variations

    Creation or modification of the default command executed when opening the Microsoft optional features settings (Fodhelper.exe)

    Medium overridden

    Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC. overridden

    Creation or modification of the default command executed when opening an MMC application

    Medium overridden

    Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC. overridden

    Creation or modification of the default command executed when opening Windows backup and restore (sdclt.exe)

    Medium overridden

    Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC. overridden

    Creation or modification of the default command executed when opening Windows Store settings (Wsreset.exe)

    Medium overridden

    Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC. overridden

  • Device Registration Policy modification Informational Identity Threat Module 1 variation

    An identity changed the Device Registration policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion. With a modified Device Registration policy, an attacker might be able to access the tenant without possible blockage for later access.
    Investigative actions: Check what policy has been changed. Check whether the user changing the configuration is permitted to perform such actions.

    Variations

    A user modified the Device Registration Policy for the first time

    Low overridden

    An identity changed the Device Registration policy. overridden

  • Fodhelper.exe UAC bypass Medium

    Attackers may use Fodhelper.exe to bypass UAC (User Account Control) by having it spawn their malicious process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)
    Required data: XDR Agent
    Attacker's goals: Gain higher privileges by bypassing the User Account Control (UAC).
    Investigative actions: Search for a registry event that changes the key Software\Classes\ms-settings. Review the process that made the registry key. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • GCP service account impersonation attempt Informational Cloud

    An attempt to impersonate the GCP service account failed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)
    Required data: Gcp Audit Log
    Attacker's goals: Escalate privileges to gain elevated access to cloud resources.
    Investigative actions: Review activity on the target service account. Check which principals have permission to impersonate the service account.
  • LOLBIN process executed with a high integrity level Low 1 variation

    A process spawned a suspicious LOLBIN process with a higher/system integrity level.The LOLBIN process spawned with an uncommon command line. This may be an indication of malicious code execution to gain privileges.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: XDR Agent
    Attacker's goals: An attacker may attempt to gain higher privileges.
    Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it.Investigate the endpoint to determine if it's a legitimate process that is supposed to run with privileges.

    Variations

    LOLBIN process executed with a high integrity level by a web server process or CGO

    Medium overridden

    A process spawned a suspicious LOLBIN process with a higher/system integrity level by a web server process or CGO.The LOLBIN process spawned with an uncommon command line. This may be an indication of malicious code execution to gain privileges. overridden

  • Multiple failed AWS assume role attempts Informational Cloud 1 variation

    An AWS identity performed an unusual high number of failed assume role attempts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Account Discovery: Cloud Account (T1087.004)
    Required data: AWS Audit Log
    Attacker's goals: Identify accessible roles and move laterally or escalate privileges within a cloud environment.
    Investigative actions: Check if the attempting identity is aware of this activity and if its recent behavior appears suspicious. Evaluate if the source IP address or user agent associated with these attempts is known or suspicious. Verify if any successful assume role operations occurred from the same identity around the same time. Review any additional activity from the specific roles the identity assumed.

    Variations

    Suspicious multiple failed AWS assume role attempts

    Medium overridden

    An AWS identity performed an unusual high number of failed assume role attempts. overridden

  • Possible Kerberos relay attack Low

    A suspicious local network login was observed, which might indicate on Kerberos relay attack. This attack can lead to privilege escalation by obtaining system privileges on the target.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: Windows Event Collector XDR Agent
    Attacker's goals: An attacker is attempting to elevate its privileges on the machine.
    Investigative actions: Check for any other suspicious activity related to the host involved in the alert. Look for a new machine that was added to the domain.
  • Setuid and Setgid file bit manipulation Low 1 variation

    The setuid or setgid bits were set on a file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Abuse Elevation Control Mechanism: Setuid and Setgid (T1548.001)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may try to run the executable application as a different user.
    Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.

    Variations

    Setuid and Setgid file bit manipulation in a Kubernetes pod

    Low overridden

    The setuid or setgid bits were set on a file. overridden

  • Suspicious process executed with a high integrity level Informational 1 variation

    A suspicious process was spawned with a High or System integrity level, which is higher than its parent process. This may indicate malicious privilege escalation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: XDR Agent
    Attacker's goals: An attacker may attempt to gain higher privileges.
    Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Investigate the endpoint to determine if it's a legitimate process that is supposed to run with privileges.

    Variations

    Suspicious process executed with a high integrity level

    Low overridden

    A suspicious process was spawned with a High or System integrity level, which is higher than its parent process. This may indicate malicious privilege escalation. overridden

  • Tampering with the Windows User Account Controls (UAC) configuration Informational 3 variations

    EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain higher privileges by bypassing the User Account Control (UAC).
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Tampering with the Windows User Account Controls (UAC) configuration by a remote host

    Medium overridden

    EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA). overridden

    Tampering with the Windows User Account Controls (UAC) configuration

    Low overridden

    EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA). overridden

    Tampering with the Windows User Account Controls (UAC) configuration

    Low overridden

    EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA). overridden

  • Unusual Conditional Access operation for an identity Informational Identity Threat Module 1 variation

    An identity attempted to add or update an Azure AD Conditional Access policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion. With a modified Conditional Access policy, an attacker might be able to access the tenant without possible blockage for later access.
    Investigative actions: Check implications of the updated policy. Check whether the user changing the configuration is permitted to perform such actions.

    Variations

    Suspicious Conditional Access operation for an identity

    Low overridden

    An identity that doesn't usually modify Azure AD Conditional Access policies successfully modified a policy. overridden

  • Unusual cloud identity impersonation Informational Cloud 3 variations

    A cloud identity attempted to impersonate another identity for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Escalate privileges and bypass access controls Avoid detection throughout their compromise.
    Investigative actions: Check the identity's designation. Verify that the identity did not perform any sensitive operation on behalf of the impersonated identity.

    Variations

    Unusual cloud identity impersonation of a management role

    Informational overridden

    A cloud identity attempted to impersonate a management role for the first time. overridden

    Suspicious cloud identity impersonation was succeeded

    Medium overridden

    A cloud identity has impersonated another identity for the first time. overridden

    Suspicious cloud identity impersonation was failed

    Informational overridden

    A cloud identity has failed to impersonate another identity. overridden