Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

14 alerts match the current filters. technique: T1564 ✕

Show ATT&CK heatmap
  • A browser was opened in private mode Informational Identity Threat Module

    A browser was opened in private mode, which may indicate an attempt to cover tracks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Indicator Blocking (T1562.006) Hide Artifacts (T1564)
    Required data: XDR Agent
    Attacker's goals: A browser was opened in private mode. Users might use private mode if they wish to stay anonymous online or hide their search and browsing history.
    Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.
  • Azure application removed Informational Cloud

    An Azure application has been deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Hide Artifacts (T1564)
    Required data: Azure Audit Log
    Attacker's goals: Delete apps used for malicious activities. Delete evidence of activity.
    Investigative actions: Check the Azure Portal for any changes in applications. Review the activities performed by the application.
  • Email containing a redirected link Informational Email 1 variation

    An email with a redirected link has been detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Hide Artifacts (T1564) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Attackers can use link redirection to disguise malicious URLs.
    Investigative actions: Carefully analyze the full redirection chain. Be cautious with this process, as clicking on links can pose security risks. Use URL reputation services to check if the final destination or any of the intermediate URLs are known to be malicious or associated with phishing. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    Email containing a redirected link with multiple redirections

    Informational overridden

    An email with a redirected link has been detected.The email contains at least one redirected link with multiple redirection patterns, which is concerning as it can obscure malicious URLs and evade security filters. overridden

  • Email with URL shortener detected Informational Email

    A URL shortener was detected in the email body.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Hide Artifacts (T1564)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Attackers use URL shorteners to hide the true destination of a link, making it easier to trick recipients into clicking on it.
    Investigative actions: Examine the sender's IP ֿֿaddress and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Exchange email-hiding inbox rule Informational Identity Threat Module Email 3 variations

    A user configured an Exchange inbox rule that may be used to hide emails.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Hide Artifacts: Email Hiding Rules (T1564.008)
    Required data: Office 365 Audit
    Attacker's goals: Prevent an organization from warning users that they've been compromised (e.g. an internal spear-phishing campaign).
    Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the rule keywords look suspicious. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for multiple instances of email hiding, which may be an indication of a larger campaign. Check if the user regularly configures inbox rules.

    Variations

    Possible BEC Exchange email-hiding inbox rule

    Medium overridden

    A user configured an Exchange inbox rule that may be used to hide emails. The rule contains characteristics that resemble a business email compromise (BEC) attack. overridden

    Suspicious Exchange email-hiding inbox rule

    Medium overridden

    A user configured an Exchange inbox rule that may be used to hide emails. The rule hides emails that contain suspicious keywords, which may be a sign of a compromised account. overridden

    Abnormal Exchange email-hiding inbox rule

    Low overridden

    A user configured an Exchange inbox rule that may be used to hide emails. overridden

  • Exchange email-hiding transport rule Informational Identity Threat Module Email 2 variations

    A user configured an Exchange transport rule that may be used to hide emails in the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Hide Artifacts: Email Hiding Rules (T1564.008)
    Required data: Office 365 Audit
    Attacker's goals: Prevent an organization from warning users that they've been compromised (e.g. an internal spear-phishing campaign).
    Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the rule contains keywords and if they look suspicious. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for multiple instances of email hiding, which may be an indication of a larger campaign. Check if the user regularly configures transport rules.

    Variations

    Suspicious Exchange email-hiding transport rule

    Medium overridden

    A user configured an Exchange transport rule that may be used to hide emails in the organization. The rule hides emails that contain suspicious keywords, which may be a sign of a compromised account. overridden

    Exchange email-hiding transport rule based on message keywords

    Low overridden

    A user configured an Exchange transport rule that may be used to hide emails in the organization. The rule hides emails that contain certain keywords, which may be a sign of a compromised account. overridden

  • Hidden Attribute was added to a file using attrib.exe Informational

    Hidden attribute was added to a file using attrib.exe, adversaries may set files to be hidden to evade detection mechanisms.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001)
    Required data: XDR Agent
    Attacker's goals: Hide malware or staged files from standard file explorers.
    Investigative actions: Check if the hidden file is malicious. Verify if the process executing the command is malicious. Check for more suspicious actions done by the user and process.
  • Masquerading as a default local account Low Identity Analytics 3 variations

    A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Hide Artifacts: Hidden Users (T1564.002) Valid Accounts: Default Accounts (T1078.001) Masquerading (T1036)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Check what rights and permissions were granted to the new user. Verify the action with the user who created the new account. Follow actions and activities of the newly created default account. Monitor the addition of the user to different groups.

    Variations

    Masquerading as a default local account for the first time

    Medium overridden

    A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection. overridden

    Potential masquerading as a power user account

    Low overridden

    A user created a new local account with the name of a privileged local account.This user does not regularly create accounts.An attacker may create a user with these known names to evade detection. overridden

    Masquerading as a default Administrator account

    Informational overridden

    A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection. overridden

  • New addition to Windows Defender exclusion list Low 1 variation

    Windows Defender keeps the exclusion list in the registry, and any addition to it will cause it to ignore a process, path or file extension.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Hide Artifacts: File/Path Exclusions (T1564.012) Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host and evade security controls.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the excluded object type (process, path or extension) and nature. Check if the excluded object is malicious.

    Variations

    New addition to Windows Defender exclusion list from an unsigned process

    Medium overridden

    Windows Defender keeps the exclusion list in the registry, and any addition to it will cause it to ignore a process, path or file extension. overridden

  • Procdump executed from an atypical directory Medium

    Procdump.exe is a SysInternals tool used to dump process memory; it can be used to dump lsass.exe memory to extract credentials.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Credential Access (TA0006)
    ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001) OS Credential Dumping: LSASS Memory (T1003.001)
    Required data: XDR Agent
    Attacker's goals: Attackers may attempt to dump the memory of sensitive processes.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Scheduled Task hidden by registry modification Low

    Attackers may try to hide a Scheduled Task by deleting the Scheduled Task's software descriptor (SD) value in the registry.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Registry (T1112) Hide Artifacts (T1564)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversaries may hide their malicious Scheduled Task to evade detection.
    Investigative actions: Check the appropriate Scheduled Task to verify its legitimacy. You can also check the executing executable to verify its purpose.
  • Suspicious hidden user created Medium Identity Analytics

    A user account was created with a name that mimics a machine account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005)
    ATT&CK techniques: Create Account (T1136) Hide Artifacts: Hidden Users (T1564.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Evasion using a valid account.
    Investigative actions: Check the user account created and verify its activity.
  • Suspicious process execution from tmp folder Informational 4 variations

    An unpopular process was executed from the tmp folder.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may try to run the executable application from a folder that is writable to all users and use it to avoid detection.
    Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.

    Variations

    A web server process executed an unpopular application from the tmp folder

    Medium overridden

    An executable application ran from the tmp folder by a web server process. overridden

    Suspicious cron job task execution of a binary from the tmp folder

    Medium overridden

    An unpopular process was executed from the tmp folder. overridden

    Suspicious interactive execution of a binary from the tmp folder

    Medium overridden

    An unpopular process was executed from the tmp folder. overridden

    Suspicious process execution from tmp folder in a Kubernetes pod

    Informational overridden

    An unpopular process was executed from the tmp folder. overridden

  • Unpopular rsync process execution Informational 1 variation

    An unpopular rsync process was executed on the host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may attempt to transfer tools or other files to a compromised host.
    Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.

    Variations

    Unpopular rsync process execution in a Kubernetes Pod

    Informational overridden

    An unpopular rsync process was executed on the host. overridden