Analytics Alerts
Browse the Cortex analytics alert reference.
7 alerts match the current filters. tactic: TA0003 ✕ technique: T1133 ✕
Show ATT&CK heatmapAWS network ACL rule creation Informational Cloud
An AWS network ACL rule was created with a specific rule number.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Exfiltration (TA0010)ATT&CK techniques: External Remote Services (T1133) Exfiltration Over Alternative Protocol (T1048)Required data: AWS Audit LogAttacker's goals: Deleting an ingress rule may allow an attacker to gain persistence in the cloud environment.Deleting an egress rule may enable data exfiltration.Investigative actions: Check the VPC affected by this change. Verify the rule number (as rules are applied in order). Determine whether the rule is ingress or egress.Azure Event Hub Authorization rule creation/modification Informational Cloud
An authorization rule is bound with specific rights, once created within a namespace, which has management permissions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: External Remote Services (T1133)Required data: Azure Audit LogAttacker's goals: Persistence using the created/updated rule.Investigative actions: Check the identity that created/updated the authorization rule. What actions were taken using the rule.Executable or Script file written by a web server process Low 3 variations
An uncommon executable or script file was created, written, or renamed by a web server process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Webshell AnalyticsAttacker's goals: Gain the ability to execute commands on the host and establish persistence.Investigative actions: Review web server access logs for suspicious requests or uploads. Inspect the dropped file to determine whether it contains malicious content.Variations
A driver was written by a web server process
Low overridden
An uncommon driver file was created, written, or renamed by a web server process. overridden
Executable or Script file written by a web server process in an internet facing server
Low overridden
An uncommon executable or script file was created, written, or renamed by a web server process. overridden
Executable or Script file written by a web server process with connections from various sources and high web traffic
Low overridden
An uncommon executable or script file was created, written, or renamed by a web server process. overridden
Modification or Deletion of an Azure Application Gateway Detected Informational Cloud
Modification or Deletion of an Azure Application Gateway Detected. A change has been detected in an Azure Application Gateway. This may indicate unauthorized access or malicious activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: External Remote Services (T1133)Required data: Azure Audit LogAttacker's goals: Gain access to the resources behind the Azure Application Gateway.Investigative actions: Check the Azure Application Gateway to identify the changes made. Verify whether the identity should be making this action.Possible webshell file written by a web server process Low 3 variations
An uncommon file with a web file extension was created, written or renamed by a web server process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Webshell AnalyticsAttacker's goals: Gaining the ability to execute commands on the host, as well as persistence.Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the dropped file contains malicious content.Variations
Possible webshell file written by a node web server process
Informational overridden
An uncommon file with a web file extension was created, written or renamed by a web server process. overridden
Possible webshell file written by a web server process in an internet facing server
Low overridden
An uncommon file with a web file extension was created, written or renamed by a web server process. overridden
Possible webshell file written by a web server process with connections from various sources and high web traffic
Low overridden
An uncommon file with a web file extension was created, written or renamed by a web server process. overridden
Suspicious HTTP parameters detected Medium
The endpoint received suspicious HTTP parameters via an HTTP request, which may indicate attempts to exploit server components or web shell activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentDetector tags: Webshell AnalyticsAttacker's goals: Attackers may exploit server components or misconfigurations to access arbitrary sensitive files on the web server.Investigative actions: Inspect the legitimacy of the URI path and the parameters values sent to the server. Ensure that the rare URI is not a legitimate result of routine development actions on the web server.Web server CGO executed an uncommon process Informational 1 variation
An uncommon process was executed by a web server CGO, which might indicate a Webshell activity or a web server exploit.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)Required data: XDR AgentDetector tags: Webshell AnalyticsAttacker's goals: Gaining the ability to execute commands on the host, as well as persistence.Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the executed process is malicious or executes a suspicious action.Variations
Web server CGO executed a LOLBIN process with direct IP in the command line
High overridden
A LOLBIN process with a direct IP in the command line was executed by a web server CGO, which might indicate a Webshell activity or a web server exploit. overridden