Suspicious account attribute modification that matches that of another account

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2026-03-10

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires one of the following data sources: Windows Event Collector OR XDR Agent with eXtended Threat Hunting (XTH)
Detection Modules	Identity Analytics
Detector Tags	Active Directory Certificate Services Analytics
ATT&CK Tactic	Privilege Escalation (TA0004) Persistence (TA0003)
ATT&CK Technique	Account Manipulation (T1098) Valid Accounts: Domain Accounts (T1078.002)
Severity	Low

Suspicious account attribute modification that matches that of another account.

An attacker might modify account attributes to elevate privileges and get access to strong accounts in the domain.

Check if any associated certificates were granted.
Check if any login attempts were made by the impersonated accounts using certificates.
Check if any Kerberos TGT tickets were generated by the impersonated accounts using certificates.

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Suspicious account attribute modification that matches that of another account.

An attacker might modify account attributes to elevate privileges and get access to strong accounts in the domain.

Check if any associated certificates were granted.
Check if any login attempts were made by the impersonated accounts using certificates.
Check if any Kerberos TGT tickets were generated by the impersonated accounts using certificates.