Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

3 alerts match the current filters. tactic: TA0003 ✕ technique: T1036 ✕

Show ATT&CK heatmap
  • Masquerading as a default local account Low Identity Analytics 3 variations

    A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Hide Artifacts: Hidden Users (T1564.002) Valid Accounts: Default Accounts (T1078.001) Masquerading (T1036)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Check what rights and permissions were granted to the new user. Verify the action with the user who created the new account. Follow actions and activities of the newly created default account. Monitor the addition of the user to different groups.

    Variations

    Masquerading as a default local account for the first time

    Medium overridden

    A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection. overridden

    Potential masquerading as a power user account

    Low overridden

    A user created a new local account with the name of a privileged local account.This user does not regularly create accounts.An attacker may create a user with these known names to evade detection. overridden

    Masquerading as a default Administrator account

    Informational overridden

    A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection. overridden

  • Rare service DLL was added to the registry Low 2 variations

    A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Masquerading: Masquerade Task or Service (T1036.004) Create or Modify System Process: Windows Service (T1543.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Malicious Service Analytics
    Attacker's goals: Masquerade execution on the host using a benign Windows process and achieve persistence.
    Investigative actions: Investigate the suspicious DLL and check for malicious content. Go to the service registry key and investigate it to find the associated executable that runs the service. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Rare service DLL was added to the registry from an injected thread

    Medium overridden

    A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware. overridden

    Rare service DLL was added to the registry from a rare unsigned actor process

    High overridden

    A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware. overridden

  • Svchost.exe loads a rare unsigned module Low

    Svchost.exe loads a rare unsigned module, which can indicate an attacker's malicious service execution.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Masquerading: Masquerade Task or Service (T1036.004) Create or Modify System Process: Windows Service (T1543.003)
    Required data: XDR Agent
    Detector tags: Malicious Service Analytics
    Attacker's goals: Evading detections by running code from a signed Microsoft executable.
    Investigative actions: Check whether the loaded module with the corresponding hash is benign and if this was a desired behavior as part of its normal execution flow. Go to the 'Services' registry key and investigate its sub keys to find the service associated with the loaded dll.