Analytics Alerts
Browse the Cortex analytics alert reference.
11 alerts match the current filters. tactic: TA0002 ✕ technique: T1021 ✕
Show ATT&CK heatmapA remote service was created via RPC over SMB Low 1 variation
A remote service was created via RPC over SMB.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services: SMB/Windows Admin Shares (T1021.002) System Services: Service Execution (T1569.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Impacket AnalyticsAttacker's goals: Process creation on a remote host.Investigative actions: Check whether the new process is benign and that the new process is not doing suspicious activity.Variations
A remote service with an uncommon name was created via RPC over SMB
Medium overridden
A remote service was created via RPC over SMB. overridden
AWS SSM send command attempt Informational Cloud 2 variations
An identity executed an AWS SSM Document.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services: Direct Cloud VM Connections (T1021.008) Cloud Administration Command (T1651)Required data: AWS Audit LogDetector tags: Cloud Lateral Movement AnalyticsAttacker's goals: Gaining unauthorized access, executing unauthorized commands, or compromising sensitive information within the target system.Investigative actions: Examine the code in the SSM document, and the target objects. Validate the permissions and roles associated with the user initiating the SSM session to ensure they align with the expected level of access. Follow further actions taken by the identity or on the relevant targets.Variations
AWS SSM SendCommand targeting multiple instances
Low overridden
An identity executed an AWS SSM Document. overridden
Unusual AWS SSM send command
Low overridden
An identity executed an AWS SSM Document. overridden
Attempt to execute a command on a remote host using PsExec.exe Low 1 variation
There was an attempt to run a command on a remote host using PsExec.exe.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services: SMB/Windows Admin Shares (T1021.002) System Services: Service Execution (T1569.002)Required data: XDR AgentDetector tags: Malicious Service AnalyticsAttacker's goals: Execute commands and run processes remotely.Investigative actions: Confirm that the connection is benign and occurred as a part of normal behavior.Variations
Attempt to execute a command on a remote host using PsExec.exe
Low overridden
There was an attempt to run a command on a remote host using PsExec.exe., the connection to the remote host was successful. overridden
Command execution via AWS SSM Medium Cloud
A cloud identity performed multiple unusual activities leading to code execution using AWS Systems Manager service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Lateral Movement (TA0008)ATT&CK techniques: Cloud Administration Command (T1651) Remote Services: Direct Cloud VM Connections (T1021.008)Required data: AWS Audit LogAttacker's goals: Gaining unauthorized access, executing unauthorized commands or compromising sensitive information within the target system.Investigative actions: Investigate the activities related to the suspected identity. Examine the code executed on the target instance(s).DSC (Desired State Configuration) lateral movement using PowerShell Informational 3 variations
An attacker is using the DSC feature with PowerShell to remotely modify / execute content / components on the machine.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Windows Management Instrumentation (T1047) Remote Services: Windows Remote Management (T1021.006)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Execute malicious content on and move laterally across machine in the network.Investigative actions: Search for suspicious WinRM sessions and the user created them, can be found at Event ID: 4102. Additionally, search for the DSC resource executed and related IOC, can be found at Event IDs: 400 or 4104.Variations
DSC (Desired State Configuration) lateral movement using PowerShell to execute a script
High overridden
An attacker may use the DSC feature with PowerShell to execute script remotely on a machine. overridden
DSC (Desired State Configuration) lateral movement using PowerShell to execute a new service
Medium overridden
An attacker may use the DSC feature with PowerShell to create and execute a service on the host. overridden
DSC (Desired State Configuration) lateral movement using PowerShell to modify the registry
Medium overridden
An attacker may use the DSC feature with PowerShell to create/modify/dump registry keys/values. overridden
Remote PsExec-like command execution Informational 5 variations
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002) Lateral Tool Transfer (T1570)Required data: XDR AgentDetector tags: Impacket AnalyticsAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.Variations
Remote PsExec-like LOLBIN command execution from an unsigned non-standard PsExec service
High overridden
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden
Remote PsExec-like LOLBIN command execution from a signed non-standard PsExec service
Medium overridden
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden
Remote PsExec-like command execution from an unsigned non-standard PsExec service
Medium overridden
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden
Remote PsExec-like command execution from a signed non-standard PsExec service
Low overridden
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden
Remote PsExec command execution
Low overridden
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden
Remote service command execution from an uncommon source High
A remotely triggered service initiated a command execution by a host that rarely triggers services to other remote hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002)Required data: XDR AgentDetector tags: Impacket AnalyticsAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.Remote service start from an uncommon source Low
A remotely triggered service initiated by a host that rarely triggers services to other remote hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002)Required data: XDR AgentDetector tags: Impacket AnalyticsAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.Investigative actions: Investigate the service being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.Uncommon Linux remote shell command execution Informational 15 variations
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Lateral Movement (TA0008)ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004) Command and Scripting Interpreter (T1059) Remote Services (T1021)Required data: XDR AgentDetector tags: Shell AnalyticsAttacker's goals: An attacker may attempt to execute a malicious shell command on the system.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the executed shell command (and possible child processes) for malicious actions.Variations
Uncommon Linux remote shell command execution, possibly running LinPEAS
High overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution using an exploitation tool
High overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution executing a reverse interactive shell
Medium overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution downloading a shell script
Medium overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution disabling firewall
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution taking a screenshot
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution possibly running from an XZ backdoor
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution running as root
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution setting a scheduled task
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution running a process kill command
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution loading a kernel module
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution via non-SSH or SSH on a non-standard port
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution running a network tool
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution trying to gather information about the system
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution, possibly granting file execution permissions
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
WmiPrvSe.exe Rare Child Command Line Low 1 variation
A remote WMI command executed a binary proxy, the Windows Management Instrumentation (WMI) Provider Host wmiprvse.exe, which executed a rare child command line. Executing a rare child process can be an indication of remote code execution abuse by an attacker.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services (T1021) Remote Services: Windows Remote Management (T1021.006) Windows Management Instrumentation (T1047)Required data: XDR AgentAttacker's goals: Gain code execution on a remote host.Investigative actions: Investigate the processes being spawned from WmiPrvse.exe on the host for malicious indicators. Correlate the RPC call from the source host and understand what initiated it.Variations
WmiPrvSe.exe Rare Child Command Line
Medium overridden
A remote WMI command executed a binary proxy, the Windows Management Instrumentation (WMI) Provider Host wmiprvse.exe, which executed a rare child command line. Executing a rare child process can be an indication of remote code execution abuse by an attacker. overridden
Wsmprovhost.exe Rare Child Process Low
The PowerShell host wsmprovhost.exe is a proxy process executed remotely through PowerShell when using Windows Remote Management (WinRM). It has executed a rare child process, which may indicate remote code execution abuse by an attacker.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services: Windows Remote Management (T1021.006) Command and Scripting Interpreter: PowerShell (T1059.001)Required data: XDR AgentAttacker's goals: Gain code execution on a remote host.Investigative actions: Investigate the processes being spawned from Wsmprovhost.exe on the host for malicious indicators. Correlate the initiator process (most likely PowerShell) to the source host and investigate it.