Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

11 alerts match the current filters. tactic: TA0002 ✕ technique: T1021 ✕

Show ATT&CK heatmap
  • A remote service was created via RPC over SMB Low 1 variation

    A remote service was created via RPC over SMB.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services: SMB/Windows Admin Shares (T1021.002) System Services: Service Execution (T1569.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Impacket Analytics
    Attacker's goals: Process creation on a remote host.
    Investigative actions: Check whether the new process is benign and that the new process is not doing suspicious activity.

    Variations

    A remote service with an uncommon name was created via RPC over SMB

    Medium overridden

    A remote service was created via RPC over SMB. overridden

  • AWS SSM send command attempt Informational Cloud 2 variations

    An identity executed an AWS SSM Document.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Days
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services: Direct Cloud VM Connections (T1021.008) Cloud Administration Command (T1651)
    Required data: AWS Audit Log
    Detector tags: Cloud Lateral Movement Analytics
    Attacker's goals: Gaining unauthorized access, executing unauthorized commands, or compromising sensitive information within the target system.
    Investigative actions: Examine the code in the SSM document, and the target objects. Validate the permissions and roles associated with the user initiating the SSM session to ensure they align with the expected level of access. Follow further actions taken by the identity or on the relevant targets.

    Variations

    AWS SSM SendCommand targeting multiple instances

    Low overridden

    An identity executed an AWS SSM Document. overridden

    Unusual AWS SSM send command

    Low overridden

    An identity executed an AWS SSM Document. overridden

  • Attempt to execute a command on a remote host using PsExec.exe Low 1 variation

    There was an attempt to run a command on a remote host using PsExec.exe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services: SMB/Windows Admin Shares (T1021.002) System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Detector tags: Malicious Service Analytics
    Attacker's goals: Execute commands and run processes remotely.
    Investigative actions: Confirm that the connection is benign and occurred as a part of normal behavior.

    Variations

    Attempt to execute a command on a remote host using PsExec.exe

    Low overridden

    There was an attempt to run a command on a remote host using PsExec.exe., the connection to the remote host was successful. overridden

  • Command execution via AWS SSM Medium Cloud

    A cloud identity performed multiple unusual activities leading to code execution using AWS Systems Manager service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Lateral Movement (TA0008)
    ATT&CK techniques: Cloud Administration Command (T1651) Remote Services: Direct Cloud VM Connections (T1021.008)
    Required data: AWS Audit Log
    Attacker's goals: Gaining unauthorized access, executing unauthorized commands or compromising sensitive information within the target system.
    Investigative actions: Investigate the activities related to the suspected identity. Examine the code executed on the target instance(s).
  • DSC (Desired State Configuration) lateral movement using PowerShell Informational 3 variations

    An attacker is using the DSC feature with PowerShell to remotely modify / execute content / components on the machine.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Windows Management Instrumentation (T1047) Remote Services: Windows Remote Management (T1021.006)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Execute malicious content on and move laterally across machine in the network.
    Investigative actions: Search for suspicious WinRM sessions and the user created them, can be found at Event ID: 4102. Additionally, search for the DSC resource executed and related IOC, can be found at Event IDs: 400 or 4104.

    Variations

    DSC (Desired State Configuration) lateral movement using PowerShell to execute a script

    High overridden

    An attacker may use the DSC feature with PowerShell to execute script remotely on a machine. overridden

    DSC (Desired State Configuration) lateral movement using PowerShell to execute a new service

    Medium overridden

    An attacker may use the DSC feature with PowerShell to create and execute a service on the host. overridden

    DSC (Desired State Configuration) lateral movement using PowerShell to modify the registry

    Medium overridden

    An attacker may use the DSC feature with PowerShell to create/modify/dump registry keys/values. overridden

  • Remote PsExec-like command execution Informational 5 variations

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002) Lateral Tool Transfer (T1570)
    Required data: XDR Agent
    Detector tags: Impacket Analytics
    Attacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.
    Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.

    Variations

    Remote PsExec-like LOLBIN command execution from an unsigned non-standard PsExec service

    High overridden

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden

    Remote PsExec-like LOLBIN command execution from a signed non-standard PsExec service

    Medium overridden

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden

    Remote PsExec-like command execution from an unsigned non-standard PsExec service

    Medium overridden

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden

    Remote PsExec-like command execution from a signed non-standard PsExec service

    Low overridden

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden

    Remote PsExec command execution

    Low overridden

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden

  • Remote service command execution from an uncommon source High

    A remotely triggered service initiated a command execution by a host that rarely triggers services to other remote hosts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Detector tags: Impacket Analytics
    Attacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.
    Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.
  • Remote service start from an uncommon source Low

    A remotely triggered service initiated by a host that rarely triggers services to other remote hosts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Detector tags: Impacket Analytics
    Attacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.
    Investigative actions: Investigate the service being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.
  • Uncommon Linux remote shell command execution Informational 15 variations

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Lateral Movement (TA0008)
    ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004) Command and Scripting Interpreter (T1059) Remote Services (T1021)
    Required data: XDR Agent
    Detector tags: Shell Analytics
    Attacker's goals: An attacker may attempt to execute a malicious shell command on the system.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the executed shell command (and possible child processes) for malicious actions.

    Variations

    Uncommon Linux remote shell command execution, possibly running LinPEAS

    High overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution using an exploitation tool

    High overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution executing a reverse interactive shell

    Medium overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution downloading a shell script

    Medium overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution disabling firewall

    Low overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution taking a screenshot

    Low overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution possibly running from an XZ backdoor

    Low overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution running as root

    Low overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution setting a scheduled task

    Low overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution running a process kill command

    Low overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution loading a kernel module

    Informational overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution via non-SSH or SSH on a non-standard port

    Informational overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution running a network tool

    Informational overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution trying to gather information about the system

    Informational overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution, possibly granting file execution permissions

    Informational overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

  • WmiPrvSe.exe Rare Child Command Line Low 1 variation

    A remote WMI command executed a binary proxy, the Windows Management Instrumentation (WMI) Provider Host wmiprvse.exe, which executed a rare child command line. Executing a rare child process can be an indication of remote code execution abuse by an attacker.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services (T1021) Remote Services: Windows Remote Management (T1021.006) Windows Management Instrumentation (T1047)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on a remote host.
    Investigative actions: Investigate the processes being spawned from WmiPrvse.exe on the host for malicious indicators. Correlate the RPC call from the source host and understand what initiated it.

    Variations

    WmiPrvSe.exe Rare Child Command Line

    Medium overridden

    A remote WMI command executed a binary proxy, the Windows Management Instrumentation (WMI) Provider Host wmiprvse.exe, which executed a rare child command line. Executing a rare child process can be an indication of remote code execution abuse by an attacker. overridden

  • Wsmprovhost.exe Rare Child Process Low

    The PowerShell host wsmprovhost.exe is a proxy process executed remotely through PowerShell when using Windows Remote Management (WinRM). It has executed a rare child process, which may indicate remote code execution abuse by an attacker.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services: Windows Remote Management (T1021.006) Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on a remote host.
    Investigative actions: Investigate the processes being spawned from Wsmprovhost.exe on the host for malicious indicators. Correlate the initiator process (most likely PowerShell) to the source host and investigate it.