Skip to content
Threat Feed
high advisory

CyberArk PAS Recommended Monitor Events

This rule identifies CyberArk Privileged Access Security (PAS) events recommended for monitoring, focusing on non-error level audit events to detect potential privilege escalation, initial access, credential access, and persistence activities.

This detection focuses on identifying noteworthy events within CyberArk Privileged Access Security (PAS) environments. CyberArk PAS is a critical component for managing and securing privileged accounts, and monitoring its audit logs is essential for detecting malicious activities. This rule specifically targets a set of non-error level audit events recommended by CyberArk for proactive monitoring, as outlined in their official documentation. By focusing on these specific events, security teams can gain enhanced visibility into potential privilege escalation attempts, unauthorized access, credential compromise, and persistence mechanisms employed by attackers targeting privileged accounts. The rule leverages event codes correlated to the CyberArk Vault Audit Action Codes to identify suspicious activities.

Attack Chain

  1. An attacker gains initial access to a system with existing CyberArk PAS credentials (T1078).
  2. The attacker attempts to access the CyberArk Vault using valid credentials.
  3. The attacker performs actions that trigger monitored CyberArk audit events (e.g., password retrieval, account creation, policy changes) based on specific event codes like 4, 22, 24, etc..
  4. The CyberArk PAS system logs these actions as audit events, recording the user, timestamp, and action performed.
  5. The attacker attempts to elevate privileges by modifying account settings or policies (T1098).
  6. The attacker attempts to retrieve stored credentials or secrets (T1555).
  7. The system logs successful, but suspicious, privileged actions.
  8. The attacker uses the elevated privileges to move laterally, access sensitive data, or establish persistence.

Impact

Compromise of CyberArk PAS can lead to widespread damage, as attackers gain control over privileged accounts. Successful attacks can result in unauthorized access to critical systems, data breaches, service disruption, and the installation of persistent backdoors. The potential impact includes significant financial losses, reputational damage, and regulatory fines.

Recommendation

  • Deploy the Sigma rule CyberArk PAS Recommended Monitor to your SIEM to detect suspicious CyberArk PAS events. Tune the rule by excluding known benign event.code values to reduce false positives.
  • Enable CyberArk PAS audit logging and ensure logs are being ingested into your SIEM (reference index field).
  • Consult the CyberArk Vault Audit Action Codes documentation (linked in references) to understand the context and implications of triggered events.
  • Investigate any alerts generated by the Sigma rule to determine the legitimacy of the activity and take appropriate remediation steps.
  • Review and update CyberArk PAS security policies to minimize the risk of privilege escalation and unauthorized access.
  • Monitor event.action values for any unusual or unexpected activity (reference rule_name_override field).

Detection coverage 3

CyberArk PAS Recommended Monitor

high

Detects CyberArk PAS events recommended for monitoring based on event codes.

sigma tactics: privilege_escalation techniques: T1078 sources: audit, cyberarkpas

CyberArk Account Manipulation Events

medium

Detects specific CyberArk PAS audit events related to account manipulation.

sigma tactics: persistence techniques: T1098 sources: audit, cyberarkpas

CyberArk Password Retrieval Event

medium

Detects CyberArk PAS password retrieval attempts.

sigma tactics: credential_access techniques: T1555 sources: audit, cyberarkpas

Detection queries are available on the platform. Get full rules →