Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

7 alerts match the current filters. tactic: TA0002 ✕ technique: T1053 ✕

Show ATT&CK heatmap
  • An AWS Lambda Function was created Informational Cloud

    An AWS Lambda Function was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Serverless Execution (T1648) Scheduled Task/Job: Scheduled Task (T1053.005)
    Required data: AWS Audit Log
    Attacker's goals: Execute malicious code on AWS using Lambda functions. Maintain persistence on AWS Lambda by creating or invoking Lambda functions.
    Investigative actions: Identify the Lambda function that was created and analyze its code for any malicious activity.
  • Interactive at.exe privilege escalation method Low

    Detects an interactive AT scheduled task, which may be used as a form of privilege escalation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)
    ATT&CK techniques: Scheduled Task/Job (T1053) Scheduled Task/Job: At (T1053.002)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: Attackers may attempt to use the command to gain persistence on the endpoint using recurring tasks.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Signed process creates a scheduled task via file access Informational 1 variation

    A signed process created a scheduled task via file access. Attackers may create scheduled tasks for execution and to establish persistence.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: An attacker may gain persistence and execute malicious tools via scheduled tasks.
    Investigative actions: Check the created task file and look for the action triggered by the task.

    Variations

    Signed process running from an untrusted directory creates a scheduled task via file access

    Low overridden

    A signed process created a scheduled task via file access. Attackers may create scheduled tasks for execution and to establish persistence. overridden

  • Suspicious container orchestration job Low

    A suspicious orchestration job ran with a rare command line.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    10 Minutes
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Scheduled Task/Job: Container Orchestration Job (T1053.007)
    Required data: XDR Agent
    Attacker's goals: Adversaries may abuse task scheduling functionality provided by container orchestration tools The adversaries do that to schedule deployment of containers configured to execute malicious code.
    Investigative actions: Investigate The process activities and impact on the relevant container.
  • Suspicious systemd timer activity Low

    Suspicious systemd timer activity, which may indicate an attempt to establish persistence.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Scheduled Task/Job: Systemd Timers (T1053.006)
    Required data: XDR Agent
    Attacker's goals: An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.
    Investigative actions: Check the systemd timer file change and try to understand the impact of the systemd timers change.
  • Uncommon remote scheduled task creation Low 1 variation

    The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to execute programs or persist malware on remote machines.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: Attackers can attempt to use the command to execute programs or persist malware on remote endpoints.
    Investigative actions: Investigate the initiator process and whether it should create remote tasks. Investigate the scheduled task execution on the remote machine.

    Variations

    Uncommon remote scheduled task creation by a remote actor via RDP

    High overridden

    The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to execute programs or persist malware on remote machines. overridden

  • Unsigned process creates a scheduled task via file access Low 1 variation

    A scheduled task was created via file access from an unsigned process. This is uncommon and may indicate malicious activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: Attackers may attempt to gain persistence on the endpoint using scheduled tasks.
    Investigative actions: Review the process executed by the schedule task. Investigate the specific scheduled task execution chain.

    Variations

    Unsigned process creates a scheduled task via file access on a sensitive server

    Medium overridden

    A scheduled task was created via file access from an unsigned process. This is uncommon and may indicate malicious activity. overridden