Analytics Alerts
Browse the Cortex analytics alert reference.
14 alerts match the current filters. technique: T1564 ✕
Show ATT&CK heatmapA browser was opened in private mode Informational Identity Threat Module
A browser was opened in private mode, which may indicate an attempt to cover tracks.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Indicator Blocking (T1562.006) Hide Artifacts (T1564)Required data: XDR AgentAttacker's goals: A browser was opened in private mode. Users might use private mode if they wish to stay anonymous online or hide their search and browsing history.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.Azure application removed Informational Cloud
An Azure application has been deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Hide Artifacts (T1564)Required data: Azure Audit LogAttacker's goals: Delete apps used for malicious activities. Delete evidence of activity.Investigative actions: Check the Azure Portal for any changes in applications. Review the activities performed by the application.Email containing a redirected link Informational Email 1 variation
An email with a redirected link has been detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)ATT&CK techniques: Hide Artifacts (T1564) User Execution (T1204)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: Attackers can use link redirection to disguise malicious URLs.Investigative actions: Carefully analyze the full redirection chain. Be cautious with this process, as clicking on links can pose security risks. Use URL reputation services to check if the final destination or any of the intermediate URLs are known to be malicious or associated with phishing. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Email containing a redirected link with multiple redirections
Informational overridden
An email with a redirected link has been detected.The email contains at least one redirected link with multiple redirection patterns, which is concerning as it can obscure malicious URLs and evade security filters. overridden
Email with URL shortener detected Informational Email
A URL shortener was detected in the email body.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Hide Artifacts (T1564)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: Attackers use URL shorteners to hide the true destination of a link, making it easier to trick recipients into clicking on it.Investigative actions: Examine the sender's IP ֿֿaddress and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Exchange email-hiding inbox rule Informational Identity Threat Module Email 3 variations
A user configured an Exchange inbox rule that may be used to hide emails.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Hide Artifacts: Email Hiding Rules (T1564.008)Required data: Office 365 AuditAttacker's goals: Prevent an organization from warning users that they've been compromised (e.g. an internal spear-phishing campaign).Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the rule keywords look suspicious. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for multiple instances of email hiding, which may be an indication of a larger campaign. Check if the user regularly configures inbox rules.Variations
Possible BEC Exchange email-hiding inbox rule
Medium overridden
A user configured an Exchange inbox rule that may be used to hide emails. The rule contains characteristics that resemble a business email compromise (BEC) attack. overridden
Suspicious Exchange email-hiding inbox rule
Medium overridden
A user configured an Exchange inbox rule that may be used to hide emails. The rule hides emails that contain suspicious keywords, which may be a sign of a compromised account. overridden
Abnormal Exchange email-hiding inbox rule
Low overridden
A user configured an Exchange inbox rule that may be used to hide emails. overridden
Exchange email-hiding transport rule Informational Identity Threat Module Email 2 variations
A user configured an Exchange transport rule that may be used to hide emails in the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Hide Artifacts: Email Hiding Rules (T1564.008)Required data: Office 365 AuditAttacker's goals: Prevent an organization from warning users that they've been compromised (e.g. an internal spear-phishing campaign).Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the rule contains keywords and if they look suspicious. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for multiple instances of email hiding, which may be an indication of a larger campaign. Check if the user regularly configures transport rules.Variations
Suspicious Exchange email-hiding transport rule
Medium overridden
A user configured an Exchange transport rule that may be used to hide emails in the organization. The rule hides emails that contain suspicious keywords, which may be a sign of a compromised account. overridden
Exchange email-hiding transport rule based on message keywords
Low overridden
A user configured an Exchange transport rule that may be used to hide emails in the organization. The rule hides emails that contain certain keywords, which may be a sign of a compromised account. overridden
Hidden Attribute was added to a file using attrib.exe Informational
Hidden attribute was added to a file using attrib.exe, adversaries may set files to be hidden to evade detection mechanisms.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001)Required data: XDR AgentAttacker's goals: Hide malware or staged files from standard file explorers.Investigative actions: Check if the hidden file is malicious. Verify if the process executing the command is malicious. Check for more suspicious actions done by the user and process.Masquerading as a default local account Low Identity Analytics 3 variations
A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Hide Artifacts: Hidden Users (T1564.002) Valid Accounts: Default Accounts (T1078.001) Masquerading (T1036)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker is attempting to evade detection.Investigative actions: Check what rights and permissions were granted to the new user. Verify the action with the user who created the new account. Follow actions and activities of the newly created default account. Monitor the addition of the user to different groups.Variations
Masquerading as a default local account for the first time
Medium overridden
A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection. overridden
Potential masquerading as a power user account
Low overridden
A user created a new local account with the name of a privileged local account.This user does not regularly create accounts.An attacker may create a user with these known names to evade detection. overridden
Masquerading as a default Administrator account
Informational overridden
A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection. overridden
New addition to Windows Defender exclusion list Low 1 variation
Windows Defender keeps the exclusion list in the registry, and any addition to it will cause it to ignore a process, path or file extension.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Hide Artifacts: File/Path Exclusions (T1564.012) Impair Defenses: Disable or Modify Tools (T1562.001)Required data: XDR AgentAttacker's goals: Gain code execution on the host and evade security controls.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the excluded object type (process, path or extension) and nature. Check if the excluded object is malicious.Variations
New addition to Windows Defender exclusion list from an unsigned process
Medium overridden
Windows Defender keeps the exclusion list in the registry, and any addition to it will cause it to ignore a process, path or file extension. overridden
Procdump executed from an atypical directory Medium
Procdump.exe is a SysInternals tool used to dump process memory; it can be used to dump lsass.exe memory to extract credentials.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Credential Access (TA0006)ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001) OS Credential Dumping: LSASS Memory (T1003.001)Required data: XDR AgentAttacker's goals: Attackers may attempt to dump the memory of sensitive processes.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Scheduled Task hidden by registry modification Low
Attackers may try to hide a Scheduled Task by deleting the Scheduled Task's software descriptor (SD) value in the registry.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Registry (T1112) Hide Artifacts (T1564)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversaries may hide their malicious Scheduled Task to evade detection.Investigative actions: Check the appropriate Scheduled Task to verify its legitimacy. You can also check the executing executable to verify its purpose.Suspicious hidden user created Medium Identity Analytics
A user account was created with a name that mimics a machine account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005)ATT&CK techniques: Create Account (T1136) Hide Artifacts: Hidden Users (T1564.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Evasion using a valid account.Investigative actions: Check the user account created and verify its activity.Suspicious process execution from tmp folder Informational 4 variations
An unpopular process was executed from the tmp folder.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may try to run the executable application from a folder that is writable to all users and use it to avoid detection.Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.Variations
A web server process executed an unpopular application from the tmp folder
Medium overridden
An executable application ran from the tmp folder by a web server process. overridden
Suspicious cron job task execution of a binary from the tmp folder
Medium overridden
An unpopular process was executed from the tmp folder. overridden
Suspicious interactive execution of a binary from the tmp folder
Medium overridden
An unpopular process was executed from the tmp folder. overridden
Suspicious process execution from tmp folder in a Kubernetes pod
Informational overridden
An unpopular process was executed from the tmp folder. overridden
Unpopular rsync process execution Informational 1 variation
An unpopular rsync process was executed on the host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may attempt to transfer tools or other files to a compromised host.Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.Variations
Unpopular rsync process execution in a Kubernetes Pod
Informational overridden
An unpopular rsync process was executed on the host. overridden