Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

7 alerts match the current filters. tactic: TA0003 ✕ technique: T1133 ✕

Show ATT&CK heatmap
  • AWS network ACL rule creation Informational Cloud

    An AWS network ACL rule was created with a specific rule number.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Exfiltration (TA0010)
    ATT&CK techniques: External Remote Services (T1133) Exfiltration Over Alternative Protocol (T1048)
    Required data: AWS Audit Log
    Attacker's goals: Deleting an ingress rule may allow an attacker to gain persistence in the cloud environment.Deleting an egress rule may enable data exfiltration.
    Investigative actions: Check the VPC affected by this change. Verify the rule number (as rules are applied in order). Determine whether the rule is ingress or egress.
  • Azure Event Hub Authorization rule creation/modification Informational Cloud

    An authorization rule is bound with specific rights, once created within a namespace, which has management permissions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: External Remote Services (T1133)
    Required data: Azure Audit Log
    Attacker's goals: Persistence using the created/updated rule.
    Investigative actions: Check the identity that created/updated the authorization rule. What actions were taken using the rule.
  • Executable or Script file written by a web server process Low 3 variations

    An uncommon executable or script file was created, written, or renamed by a web server process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Webshell Analytics
    Attacker's goals: Gain the ability to execute commands on the host and establish persistence.
    Investigative actions: Review web server access logs for suspicious requests or uploads. Inspect the dropped file to determine whether it contains malicious content.

    Variations

    A driver was written by a web server process

    Low overridden

    An uncommon driver file was created, written, or renamed by a web server process. overridden

    Executable or Script file written by a web server process in an internet facing server

    Low overridden

    An uncommon executable or script file was created, written, or renamed by a web server process. overridden

    Executable or Script file written by a web server process with connections from various sources and high web traffic

    Low overridden

    An uncommon executable or script file was created, written, or renamed by a web server process. overridden

  • Modification or Deletion of an Azure Application Gateway Detected Informational Cloud

    Modification or Deletion of an Azure Application Gateway Detected. A change has been detected in an Azure Application Gateway. This may indicate unauthorized access or malicious activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: External Remote Services (T1133)
    Required data: Azure Audit Log
    Attacker's goals: Gain access to the resources behind the Azure Application Gateway.
    Investigative actions: Check the Azure Application Gateway to identify the changes made. Verify whether the identity should be making this action.
  • Possible webshell file written by a web server process Low 3 variations

    An uncommon file with a web file extension was created, written or renamed by a web server process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Webshell Analytics
    Attacker's goals: Gaining the ability to execute commands on the host, as well as persistence.
    Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the dropped file contains malicious content.

    Variations

    Possible webshell file written by a node web server process

    Informational overridden

    An uncommon file with a web file extension was created, written or renamed by a web server process. overridden

    Possible webshell file written by a web server process in an internet facing server

    Low overridden

    An uncommon file with a web file extension was created, written or renamed by a web server process. overridden

    Possible webshell file written by a web server process with connections from various sources and high web traffic

    Low overridden

    An uncommon file with a web file extension was created, written or renamed by a web server process. overridden

  • Suspicious HTTP parameters detected Medium

    The endpoint received suspicious HTTP parameters via an HTTP request, which may indicate attempts to exploit server components or web shell activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Detector tags: Webshell Analytics
    Attacker's goals: Attackers may exploit server components or misconfigurations to access arbitrary sensitive files on the web server.
    Investigative actions: Inspect the legitimacy of the URI path and the parameters values sent to the server. Ensure that the rare URI is not a legitimate result of routine development actions on the web server.
  • Web server CGO executed an uncommon process Informational 1 variation

    An uncommon process was executed by a web server CGO, which might indicate a Webshell activity or a web server exploit.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)
    Required data: XDR Agent
    Detector tags: Webshell Analytics
    Attacker's goals: Gaining the ability to execute commands on the host, as well as persistence.
    Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the executed process is malicious or executes a suspicious action.

    Variations

    Web server CGO executed a LOLBIN process with direct IP in the command line

    High overridden

    A LOLBIN process with a direct IP in the command line was executed by a web server CGO, which might indicate a Webshell activity or a web server exploit. overridden