Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

4 alerts match the current filters. tactic: TA0001 ✕ technique: T1505 ✕

Show ATT&CK heatmap
  • Executable or Script file written by a web server process Low 3 variations

    An uncommon executable or script file was created, written, or renamed by a web server process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Webshell Analytics
    Attacker's goals: Gain the ability to execute commands on the host and establish persistence.
    Investigative actions: Review web server access logs for suspicious requests or uploads. Inspect the dropped file to determine whether it contains malicious content.

    Variations

    A driver was written by a web server process

    Low overridden

    An uncommon driver file was created, written, or renamed by a web server process. overridden

    Executable or Script file written by a web server process in an internet facing server

    Low overridden

    An uncommon executable or script file was created, written, or renamed by a web server process. overridden

    Executable or Script file written by a web server process with connections from various sources and high web traffic

    Low overridden

    An uncommon executable or script file was created, written, or renamed by a web server process. overridden

  • Possible webshell file written by a web server process Low 3 variations

    An uncommon file with a web file extension was created, written or renamed by a web server process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Webshell Analytics
    Attacker's goals: Gaining the ability to execute commands on the host, as well as persistence.
    Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the dropped file contains malicious content.

    Variations

    Possible webshell file written by a node web server process

    Informational overridden

    An uncommon file with a web file extension was created, written or renamed by a web server process. overridden

    Possible webshell file written by a web server process in an internet facing server

    Low overridden

    An uncommon file with a web file extension was created, written or renamed by a web server process. overridden

    Possible webshell file written by a web server process with connections from various sources and high web traffic

    Low overridden

    An uncommon file with a web file extension was created, written or renamed by a web server process. overridden

  • Suspicious HTTP parameters detected Medium

    The endpoint received suspicious HTTP parameters via an HTTP request, which may indicate attempts to exploit server components or web shell activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Detector tags: Webshell Analytics
    Attacker's goals: Attackers may exploit server components or misconfigurations to access arbitrary sensitive files on the web server.
    Investigative actions: Inspect the legitimacy of the URI path and the parameters values sent to the server. Ensure that the rare URI is not a legitimate result of routine development actions on the web server.
  • Web server CGO executed an uncommon process Informational 1 variation

    An uncommon process was executed by a web server CGO, which might indicate a Webshell activity or a web server exploit.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)
    Required data: XDR Agent
    Detector tags: Webshell Analytics
    Attacker's goals: Gaining the ability to execute commands on the host, as well as persistence.
    Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the executed process is malicious or executes a suspicious action.

    Variations

    Web server CGO executed a LOLBIN process with direct IP in the command line

    High overridden

    A LOLBIN process with a direct IP in the command line was executed by a web server CGO, which might indicate a Webshell activity or a web server exploit. overridden