Activity in a dormant region of a cloud project

Home

Location

Documentation Home
Palo Alto Networks
Support
Live Community
Knowledge Base

Home
Security Operations
Cortex XDR
Cortex XDR™ Analytics Alert Reference
Cortex XDR Analytics Alert Reference
Activity in a dormant region of a cloud project

Last Updated:

Thu Aug 04 05:14:05 PDT 2022

Table of Contents

Search the Table of Contents

Cortex XDR Analytics Alert Reference

Analytics Alerts by Required Data Source

A LOLBIN was copied to a different location

A Successful VPN connection from TOR

A Successful login from TOR

A TCP stream was created directly in a shell

A WMI subscriber was created

A browser was opened in private mode

A cloud identity executed an API call from an unusual country

A cloud identity had escalated its permissions

A compiled HTML help file wrote a script file to the disk

A compressed file was exfiltrated over SSH

A computer account was promoted to DC

A contained executable from a mounted share initiated a suspicious outbound network connection

A contained executable was executed by unusual process

A contained process attempted to escape using notify on release feature

A disabled user attempted to log in

A disabled user attempted to log in to a VPN

A disabled user successfully authenticated via SSO

A machine certificate was issued with a mismatch

A new machine attempted Kerberos delegation

A process connected to a rare external host

A remote service was created via RPC over SMB

A service was disabled

A successful SSO sign-in from TOR

A suspicious file was written to the startup folder

A suspicious process enrolled for a certificate

A suspicious process queried AD CS objects via LDAP

A user accessed an uncommon AppID

A user accessed multiple time-wasting websites

A user accessed multiple unusual resources via SSO

A user account was modified to password never expires

A user added a Windows firewall rule

A user authenticated with weak NTLM to multiple hosts

A user changed the Windows system time

A user cleared their browser's history

A user connected a USB storage device for the first time

A user connected a new USB storage device to a host

A user connected a new USB storage device to multiple hosts

A user connected from a new country

A user connected to a VPN from a new country

A user created a pfx file for the first time

A user created an abnormal password-protected archive

A user performed suspiciously massive file activity

A user printed an unusual number of files

A user successfully authenticated via SSO for the first time

A user was added to a Windows security group

AWS Cloud Trail log trail modification

AWS CloudWatch log group deletion

AWS CloudWatch log stream deletion

AWS Config Recorder stopped

AWS EC2 instance exported into S3

AWS Flow Logs deletion

AWS Guard-Duty detector deletion

AWS IAM resource group deletion

AWS RDS cluster deletion

AWS Role Trusted Entity modification

AWS System Manager API call execution

AWS config resource deletion

AWS network ACL rule creation

AWS network ACL rule deletion

AWS user creation

AWS web ACL deletion

Abnormal process connection to default Meterpreter port

Account probing

Activity in a dormant region of a cloud project

Adding execution privileges

Administrator groups enumerated via LDAP

An AWS RDS Global Cluster Deletion

An Azure Firewall policy deletion

An IAM group was created

An Identity accessed a secret from Secret Manager

An identity assumed a Role

An internal Cloud resource performed port scan on external networks

An uncommon kubectl secret enumeration command was executed

An uncommon service was started

An unusual archive file creation by a user

Attempt to execute a command on a remote host using PsExec.exe

Aurora DB cluster stopped

Authentication Attempt From a Dormant Account

Autorun.inf created in root C drive

Azure Automation Account Creation

Azure Automation Runbook Creation/Modification

Azure Automation Runbook Deletion

Azure Automation Webhook creation

Azure Blob Container Access Level Modification

Azure Event Hub Authorization rule creation/modification

Azure Event Hub Deletion

Azure Key Vault modification

Azure Network Watcher Deletion

Azure Resource Group Deletion

Azure Storage Account key generated

Azure diagnostic configuration deletion

Azure user creation

Azure virtual machine commands execution

Bitsadmin.exe persistence using command-line callback

Bronze-Bit exploit

Browser bookmark files accessed by a rare non-browser process

Cached credentials discovery with cmdkey

Certutil pfx parsing

Change of sudo caching configuration

Cloud Trail Logging has been stopped/suspended

Cloud Trail logging deletion

Cloud Watch alarm deletion

Cloud impersonation by unusual identity type

Cloud user performed multiple actions that were denied

Command execution via wmiexec

Command running with COMSPEC in the command line argument

Commonly abused AutoIT script connects to an external domain

Commonly abused AutoIT script drops an executable file to disk

Commonly abused process launched as a system service

Conhost.exe spawned a suspicious child process

Contained process execution with a rare GitHub URL

Copy a process memory file

DNS Tunneling

Delayed Deletion of Files

Disable encryption operations

Discovery of host users via WMIC

Discovery of misconfigured certificate templates using LDAP

Domain federation settings have been modified

EC2 snapshot attribute has been modification

Editing ld.so.preload for persistence and injection

Elevation to SYSTEM via services

Encoded information using Windows certificate management tool

Excessive user account lockouts

Executable created to disk by lsass.exe

Executable moved to Windows system folder

Execution of dllhost.exe with an empty command line

Execution of renamed lolbin

Execution of the Hydra Linux password brute-force tool

External cloud storage access with an unusual ASN

External cloud storage access with unusual user agent

Extracting credentials from Unix files

Failed Connections

Failed DNS

Failed Login For Locked-Out Account

Failed Login For a Long Username With Special Characters

File transfer from unusual IP using known tools

First SSO access from ASN in organization

First VPN access attempt from a country in organization

First VPN access from ASN for user

First VPN access from ASN in organization

First access to a bucket by an identity

First cloud API call from a country in organization

First connection from a country in organization

Fodhelper.exe UAC bypass

GCP Firewall Rule Modification

GCP Firewall Rule creation

GCP IAM Custom Role Creation

GCP IAM Role Deletion

GCP IAM Service Account Key Deletion

GCP Logging Bucket Deletion

GCP Logging Sink Deletion

GCP Logging Sink Modification

GCP Pub/Sub Subscription Deletion

GCP Pub/Sub Topic Deletion

GCP Service Account Disable

GCP Service Account creation

GCP Service Account deletion

GCP Service Account key creation

GCP Storage Bucket Configuration Modification

GCP Storage Bucket Permissions Modification

GCP Storage Bucket deletion

GCP VPC Firewall Rule Deletion

GCP Virtual Private Cloud (VPC) Network Deletion

GCP Virtual Private Network Route Creation

GCP Virtual Private Network Route Deletion

Globally uncommon root domain from a signed process

Globally uncommon root-domain port combination from a signed process

Hidden Attribute was added to a file using attrib.exe

IAM Enumeration sequence

IAM User added to an IAM group

IAM enumeration activity executed by an IAM user Identity

Image File Execution Options Registry key injection by unsigned process

Impossible traveler - SSO

Impossible traveler - VPN

Increase in Job-Related Site Visits

Indicator blocking

Indirect command execution using the Program Compatibility Assistant

Installation of a new System-V service

Interactive at.exe privilege escalation method

Interactive local account enumeration

Interactive login by a machine account

Interactive login by a service account

Interactive login from a shared user account

Iptables configuration command was executed

Kerberos Pre-Auth Failures by Host

Kerberos Pre-Auth Failures by User and Host

Kerberos Traffic from Non-Standard Process

Kerberos User Enumeration

Keylogging using system commands

Kubectl administration command execution

LDAP Traffic from Non-Standard Process

LDAP search query from an unpopular and unsigned process

LOLBAS executable injects into another process

LOLBIN process executed with a high integrity level

LSASS dump file written to disk

Large Upload (FTP)

Large Upload (Generic)

Large Upload (HTTPS)

Large Upload (SMTP)

Linux system firewall was disabled

Linux system firewall was modified

Local account discovery

Log4J exploitation attempt against cloud hosted resources

Login Password Spray

Login by a dormant user

MFA device was removed/deactivated from an IAM user

MSI accessed a web page running a server-side script

Machine account was added to a domain admins group

Mailbox Client Access Setting (CAS) changed

Manipulation of netsh helper DLLs Registry keys

Masquerading as Linux crond process

Massive file activity abnormal to process

Massive file compression by user

Massive upload to a rare storage or mail domain

Memory dumping with comsvcs.dll

Microsoft Office Process Spawning a Suspicious One-Liner

Microsoft Office adds a value to autostart Registry key

Microsoft Office injects code into a process

Microsoft Office process spawns a commonly abused process

Modification of NTLM restrictions in the Registry

Modification of PAM

MpCmdRun.exe was used to download files into the system

Mshta.exe launched with suspicious arguments

Multi region enumeration activity

Multiple Rare LOLBIN Process Executions by User

Multiple Rare Process Executions in Organization

Multiple Weakly-Encrypted Kerberos Tickets Received

Multiple discovery commands

Multiple suspicious user accounts were created

Multiple user accounts were deleted

Multiple users authenticated with weak NTLM to a host

NTLM Brute Force

NTLM Brute Force on a Service Account

NTLM Brute Force on an Administrator Account

NTLM Hash Harvesting

NTLM Password Spray

NTLM Relay

Netcat makes or gets connections

New Administrative Behavior

New Shared User Account

New addition to Windows Defender exclusion list

New process created via a WMI call

Non-browser access to a pastebin-like site

Non-browser failed access to a pastebin-like site

Office process creates a scheduled task via file access

Office process spawned with suspicious command-line arguments

Outlook files accessed by an unsigned process

Penetration testing tool activity

Penetration testing tool attempt

Permission Groups discovery commands

Phantom DLL Loading

Ping to localhost from an uncommon, unsigned parent process

Port Scan

Possible AWS Instance Metadata Service (IMDS) Abuse

Possible Brute-Force attempt

Possible DCShadow attempt

Possible DCSync from a non domain controller

Possible Email collection using Outlook RPC

Possible Kerberoasting without SPNs

Possible Kerberos relay attack

Possible LDAP enumeration by unsigned process

Possible Microsoft module side-loading into Microsoft process

Possible Microsoft process masquerading

Possible Pass-the-Hash

Possible Persistence via group policy Registry keys

Possible RDP session hijacking using tscon.exe

Possible Search For Password Files

Possible binary padding using dd

Possible brute force on sudo user

Possible brute force or configuration change attempt on cytool

Possible code downloading from a remote host by Regsvr32

Possible compromised machine account

Possible data exfiltration over a USB storage device

Possible data obfuscation

Possible external RDP Brute-Force

Possible internal data exfiltration over a USB storage device

Possible malicious .NET compilation started by a commonly abused process

Possible network connection to a TOR relay server

Possible network service discovery via command-line tool

Possible network sniffing attempt via tcpdump or tshark

Possible new DHCP server

Possible use of a networking driver for network sniffing

PowerShell Initiates a Network Connection to GitHub

PowerShell pfx certificate extraction

PowerShell runs suspicious base64-encoded commands

PowerShell suspicious flags

PowerShell used to export mailbox contents

PowerShell used to remove mailbox export request logs

Procdump executed from an atypical directory

Process execution with a suspicious command line indicative of the Spring4Shell exploit

PsExec was executed with a suspicious command line

Python HTTP server started

RDP Connection to localhost

Random-Looking Domain Names

Rare AppID usage for this destination port to rare destination

Rare LOLBIN Process Execution by User

Rare NTLM Access By User To Host

Rare NTLM Usage by User

Rare SMTP/S Session

Rare SSH Session

Rare Unix process divide files by size

Rare Unsigned Process Spawned by Office Process Under Suspicious Directory

Rare WinRM Session

Rare communication over email ports to external email server by unsigned process

Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol

Rare machine account creation

Rare process execution by user

Rare process execution in organization

Rare process spawned by srvany.exe

Rare scheduled task created

Rare security product signed executable executed in the network

Rare signature signed executable executed in the network

Reading bash command history file

Recurring access to rare IP

Recurring rare domain access from an unsigned process

Recurring rare domain access to dynamic DNS domain

Registration of Uncommon .NET Services and/or Assemblies

Remote DCOM command execution

Remote PsExec-like command execution

Remote WMI process execution

Remote account enumeration

Remote command execution via wmic.exe

Remote service command execution from an uncommon source

Remote service start from an uncommon source

Remote usage of AWS Lambda's token

Remote usage of VM Service Account token

Remote usage of an AWS service token

Remote usage of an App engine Service Account token

Reverse SSH tunnel to external domain/ip

Root user logged in to AWS console

Run downloaded script using pipe

Rundll32.exe running with no command-line arguments

Rundll32.exe spawns conhost.exe

S3 configuration deletion

SMB Traffic from Non-Standard Process

SPNs cleared from a machine account

SSH authentication brute force attempts

SSO authentication by a machine account

SSO authentication by a service account

SSO with abnormal operating system

SSO with abnormal user agent

SSO with new operating system

SUID/GUID permission discovery

Scrcons.exe Rare Child Process

Screensaver process executed from Users or temporary folder

Script file added to startup-related Registry keys

SecureBoot was disabled

Security tools detection attempt

Sensitive account password reset attempt

Sensitive browser credential files accessed by a rare non browser process

Service execution via sc.exe

Service ticket request with a spoofed sAMAccountName

Setuid and Setgid file bit manipulation

Short-lived user account

Signed process performed an unpopular DLL injection

Signed process performed an unpopular injection

Space after filename

Spam Bot Traffic

Sudoedit Brute force attempt

Suspicious .NET process loads an MSBuild DLL

Suspicious AMSI decode attempt

Suspicious API call from a Tor exit node

Suspicious Certutil AD CS contact

Suspicious DotNet log file created

Suspicious Encrypting File System Remote call (EFSRPC) to domain controller

Suspicious External RDP Login

Suspicious GCP compute instance metadata modification

Suspicious LDAP search query executed

Suspicious PowerShell Command Line

Suspicious PowerShell Enumeration of Running Processes

Suspicious PowerSploit's recon module (PowerView) net function was executed

Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts

Suspicious Process Spawned by Adobe Reader

Suspicious Process Spawned by wininit.exe

Suspicious RunOnce Parent Process

Suspicious SMB connection from domain controller

Suspicious SSO access from ASN

Suspicious SearchProtocolHost.exe parent process

Suspicious Udev driver rule execution manipulation

Suspicious User Login to Domain Controller

Suspicious access to shadow file

Suspicious active setup registered

Suspicious allocation of compute resources in multiple regions - possible mining activity

Suspicious authentication package registered

Suspicious certutil command line

Suspicious cloud identity impersonation

Suspicious cloud infrastructure enumeration activity

Suspicious container orchestration job

Suspicious curl user agent

Suspicious data encryption

Suspicious disablement of the Windows Firewall

Suspicious disablement of the Windows Firewall using PowerShell commands

Suspicious domain user account creation

Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin

Suspicious execution of ODBCConf

Suspicious failed HTTP request - potential Spring4Shell exploit

Suspicious hidden user created

Suspicious identity downloaded multiple objects from a bucket

Suspicious large allocation of compute resources - possible mining activity

Suspicious objects encryption in an AWS bucket

Suspicious print processor registered

Suspicious process accessed a site masquerading as Google

Suspicious process accessed certificate files

Suspicious process changed or created the ssh_authorized_keys file

Suspicious process executed with a high integrity level

Suspicious process execution by scheduled task

Suspicious process execution from tmp folder

Suspicious process loads a known PowerShell module

Suspicious process modified RC script file

Suspicious proxy environment variable setting

Suspicious reconnaissance using LDAP

Suspicious runonce.exe parent process

Suspicious sAMAccountName change

Suspicious sshpass command execution

Suspicious systemd timer activity

Suspicious time provider registered

Suspicious usage of EC2 token

Suspicious usage of File Server Remote VSS Protocol (FSRVP)

Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet

System information discovery via psinfo.exe

System profiling WMI query execution

System shutdown or reboot

TGT request with a spoofed sAMAccountName - Event log

TGT request with a spoofed sAMAccountName - Network

TGT reuse from different hosts (pass the ticket)

Tampering with Internet Explorer Protected Mode configuration

The CA policy EditFlags was queried

Uncommon ARP cache listing via arp.exe

Uncommon DotNet module load relationship

Uncommon GetClipboardData API function invocation of a possible information stealer

Uncommon IP Configuration Listing via ipconfig.exe

Uncommon Managed Object Format (MOF) compiler usage

Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer

Uncommon PowerShell commands used to create or alter scheduled task parameters

Uncommon RDP connection

Uncommon Security Support Provider (SSP) registered via a registry key

Uncommon Service Create/Config

Uncommon SetWindowsHookEx API invocation of a possible keylogger

Uncommon jsp file write by a Java process

Uncommon kernel module load

Uncommon local scheduled task creation via schtasks.exe

Uncommon msiexec execution of an arbitrary file from remote location

Uncommon multiple service stop commands

Uncommon net group or localgroup execution

Uncommon net localgroup execution

Uncommon remote scheduled task creation

Uncommon remote service start via sc.exe

Uncommon routing table listing via route.exe

Uncommon user management via net.exe

Unicode RTL Override Character

Unprivileged process opened a registry hive

Unsigned and unpopular process performed a DLL injection

Unsigned and unpopular process performed an injection

Unsigned process creates a scheduled task via file access

Unsigned process injecting into a Windows system binary with no command line

Unusual AWS credentials creation

Unusual AWS systems manager activity

Unusual AWS user added to group

Unusual IAM enumeration activity by a non-user Identity

Unusual Identity and Access Management (IAM) activity

Unusual Lolbins Process Spawned by InstallUtil.exe

Unusual certificate management activity

Unusual compressed file password protection

Unusual key management activity

Unusual process accessed the PowerShell history file

Unusual resource modification/creation by newly seen user

Unusual secret management activity

Unusual weak authentication by user

Unverified domain added to Azure AD

User account delegation change

User attempted to connect from a suspicious country

User collected remote shared files in an archive

User successfully connected from a suspicious country

VM Detection attempt

VM Detection attempt on Linux

VPN access with a new operating system for a user

VPN access with an abnormal operating system

VPN login Brute-Force attempt

VPN login by a dormant user

VPN login by a service account

VPN login with a machine account

Vulnerable driver loaded

Wbadmin deleted files in quiet mode

Weakly-Encrypted Kerberos Ticket Requested

WebDAV drive mounted from net.exe over HTTPS

Windows Event Log was cleared using wevtutil.exe

Windows Installer exploitation for local privilege escalation

Windows event logs were cleared with PowerShell

WmiPrvSe.exe Rare Child Command Line

Wscript/Cscript loads .NET DLLs

Wsmprovhost.exe Rare Child Process

Cortex XDR Analytics Alert Reference