Analytics Alerts
Browse the Cortex analytics alert reference.
2 alerts match the current filters. tactic: TA0003 ✕ technique: T1055 ✕
Show ATT&CK heatmapAn unsigned process created scheduled task and performed an injection Medium 1 variation
An unsigned process created scheduled task and performed an injection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 4 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005)ATT&CK techniques: Scheduled Task/Job: Scheduled Task (T1053.005) Process Injection (T1055)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: To ensure they have persistence on the system, the threat actor may use scheduled tasks to set persistence, Then, to avoid detection and carry out stealth execution, they may inject a malicious payload into a remote process.Investigative actions: Investigate the injection payload and the injection process. Check if the scheduled task trigger payload is malicious.Variations
Possible an unsigned installer created scheduled task and performed an injection
Low overridden
Possible an unsigned installer created scheduled task and performed an injection. overridden
Globally uncommon injection from a signed process Informational 3 variations
A signed process injected into another process that it does not normally target at a global level.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: System Binary Proxy Execution (T1218) Process Injection (T1055) Compromise Host Software Binary (T1554)Required data: XDR AgentDetector tags: Injection Analytics, Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon suspicious injection from a signed process
Medium overridden
A non-injected thread in a signed process with a suspicious injection type injected into another process that it does not normally target at a global level. overridden
Globally uncommon injection from a signed process which was executed by a scheduled task
Low overridden
A signed process injected into another process that it does not normally target at a global level. overridden
Globally uncommon injection from a signed process
Low overridden
A signed process injected into another process that it does not normally target at a global level. overridden