Analytics Alerts
Browse the Cortex analytics alert reference.
7 alerts match the current filters. tactic: TA0002 ✕ technique: T1053 ✕
Show ATT&CK heatmapAn AWS Lambda Function was created Informational Cloud
An AWS Lambda Function was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002) Persistence (TA0003)ATT&CK techniques: Serverless Execution (T1648) Scheduled Task/Job: Scheduled Task (T1053.005)Required data: AWS Audit LogAttacker's goals: Execute malicious code on AWS using Lambda functions. Maintain persistence on AWS Lambda by creating or invoking Lambda functions.Investigative actions: Identify the Lambda function that was created and analyze its code for any malicious activity.Interactive at.exe privilege escalation method Low
Detects an interactive AT scheduled task, which may be used as a form of privilege escalation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)ATT&CK techniques: Scheduled Task/Job (T1053) Scheduled Task/Job: At (T1053.002)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: Attackers may attempt to use the command to gain persistence on the endpoint using recurring tasks.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Signed process creates a scheduled task via file access Informational 1 variation
A signed process created a scheduled task via file access. Attackers may create scheduled tasks for execution and to establish persistence.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Persistence (TA0003)ATT&CK techniques: Scheduled Task/Job (T1053)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: An attacker may gain persistence and execute malicious tools via scheduled tasks.Investigative actions: Check the created task file and look for the action triggered by the task.Variations
Signed process running from an untrusted directory creates a scheduled task via file access
Low overridden
A signed process created a scheduled task via file access. Attackers may create scheduled tasks for execution and to establish persistence. overridden
Suspicious container orchestration job Low
A suspicious orchestration job ran with a rare command line.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 10 Minutes
ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Scheduled Task/Job: Container Orchestration Job (T1053.007)Required data: XDR AgentAttacker's goals: Adversaries may abuse task scheduling functionality provided by container orchestration tools The adversaries do that to schedule deployment of containers configured to execute malicious code.Investigative actions: Investigate The process activities and impact on the relevant container.Suspicious systemd timer activity Low
Suspicious systemd timer activity, which may indicate an attempt to establish persistence.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Scheduled Task/Job: Systemd Timers (T1053.006)Required data: XDR AgentAttacker's goals: An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.Investigative actions: Check the systemd timer file change and try to understand the impact of the systemd timers change.Uncommon remote scheduled task creation Low 1 variation
The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to execute programs or persist malware on remote machines.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Scheduled Task/Job (T1053)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: Attackers can attempt to use the command to execute programs or persist malware on remote endpoints.Investigative actions: Investigate the initiator process and whether it should create remote tasks. Investigate the scheduled task execution on the remote machine.Variations
Uncommon remote scheduled task creation by a remote actor via RDP
High overridden
The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to execute programs or persist malware on remote machines. overridden
Unsigned process creates a scheduled task via file access Low 1 variation
A scheduled task was created via file access from an unsigned process. This is uncommon and may indicate malicious activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Persistence (TA0003)ATT&CK techniques: Scheduled Task/Job (T1053)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: Attackers may attempt to gain persistence on the endpoint using scheduled tasks.Investigative actions: Review the process executed by the schedule task. Investigate the specific scheduled task execution chain.Variations
Unsigned process creates a scheduled task via file access on a sensitive server
Medium overridden
A scheduled task was created via file access from an unsigned process. This is uncommon and may indicate malicious activity. overridden