Possible brute force or configuration change attempt on cytool

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-10-08
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

1 Hour

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Brute Force: Password Guessing (T1110.001)

Severity

High

Description

An unusual amount of cytool commands were executed in a short period from a user who doesn't usually run these commands.
This may indicate an attempt to guess the Administrator password.

Attacker's Goals

The attacker may disable the agent to perform malicious activities.

Investigative actions

Verify which user ran these commands and if it is a legitimate behavior on this host.