Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

3 alerts match the current filters. tactic: TA0002 ✕ technique: T1543 ✕

Show ATT&CK heatmap
  • Elevation to SYSTEM via services Low 2 variations

    Services were affected by a non SYSTEM integrity level process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)
    ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Malicious Service Analytics
    Attacker's goals: Escalate privileges to system and execute commands.
    Investigative actions: Investigate the service being spawned on the host for malicious activities.

    Variations

    Elevation to SYSTEM via service creation

    Low overridden

    A service was created from a non SYSTEM integrity level process. overridden

    Elevation to SYSTEM via service modification

    Low overridden

    An existing service was modified from a non SYSTEM integrity level process. overridden

  • Known service display name with uncommon image-path Low 3 variations

    Service created with a known display name but has an uncommon image-path.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Execution (TA0002)
    ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Malicious Service Analytics
    Attacker's goals: Run malicious code with seemingly trustworthy services.
    Investigative actions: Investigate the image path of the newly created service. Investigate the causality actor process that initiated the activity.

    Variations

    Known service display name with uncommon image-path created by an untrusted CGO

    Medium overridden

    Service created with a known display name but has an uncommon image-path. overridden

    Known Palo Alto service display name with uncommon image-path

    Medium overridden

    Service created with a known display name but has an uncommon image-path. overridden

    Known service display name with uncommon image-path in a suspicious folder

    Medium overridden

    Service created with a known display name but has an uncommon image-path. overridden

  • Known service name with an uncommon image-path Low 2 variations

    A Service with a known service name has an uncommon image-path.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Execution (TA0002)
    ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Malicious Service Analytics
    Attacker's goals: Run malicious code within seemingly trustworthy services.
    Investigative actions: Investigate the image-path of the newly created service. Investigate the causality actor process that initiated the activity.

    Variations

    Known Palo Alto service name with an uncommon image-path

    Medium overridden

    A Service with a known service name has an uncommon image-path. overridden

    Known service name with an uncommon image-path in a suspicious folder

    Medium overridden

    A Service with a known service name has an uncommon image-path. overridden