Analytics Alerts
Browse the Cortex analytics alert reference.
8 alerts match the current filters. tactic: TA0003 ✕ technique: T1543 ✕
Show ATT&CK heatmapAn uncommon service was started Low 1 variation
An uncommon service was started using systemctl or service processes.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Create or Modify System Process: Systemd Service (T1543.002)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may create systemd services to run malicious payloads.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
An uncommon service was started in a Kubernetes pod
Low overridden
An uncommon service was started using systemctl or service processes. overridden
Installation of a new System-V service Low 1 variation
Installation of a new System-V service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Create or Modify System Process: Systemd Service (T1543.002)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may create systemd services to run malicious payloads.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Installation of a new System-V service in a Kubernetes pod
Low overridden
Installation of a new System-V service. overridden
Known service display name with uncommon image-path Low 3 variations
Service created with a known display name but has an uncommon image-path.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Execution (TA0002)ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Malicious Service AnalyticsAttacker's goals: Run malicious code with seemingly trustworthy services.Investigative actions: Investigate the image path of the newly created service. Investigate the causality actor process that initiated the activity.Variations
Known service display name with uncommon image-path created by an untrusted CGO
Medium overridden
Service created with a known display name but has an uncommon image-path. overridden
Known Palo Alto service display name with uncommon image-path
Medium overridden
Service created with a known display name but has an uncommon image-path. overridden
Known service display name with uncommon image-path in a suspicious folder
Medium overridden
Service created with a known display name but has an uncommon image-path. overridden
Known service name with an uncommon image-path Low 2 variations
A Service with a known service name has an uncommon image-path.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Execution (TA0002)ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Malicious Service AnalyticsAttacker's goals: Run malicious code within seemingly trustworthy services.Investigative actions: Investigate the image-path of the newly created service. Investigate the causality actor process that initiated the activity.Variations
Known Palo Alto service name with an uncommon image-path
Medium overridden
A Service with a known service name has an uncommon image-path. overridden
Known service name with an uncommon image-path in a suspicious folder
Medium overridden
A Service with a known service name has an uncommon image-path. overridden
Rare service DLL was added to the registry Low 2 variations
A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Masquerading: Masquerade Task or Service (T1036.004) Create or Modify System Process: Windows Service (T1543.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Malicious Service AnalyticsAttacker's goals: Masquerade execution on the host using a benign Windows process and achieve persistence.Investigative actions: Investigate the suspicious DLL and check for malicious content. Go to the service registry key and investigate it to find the associated executable that runs the service. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Rare service DLL was added to the registry from an injected thread
Medium overridden
A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware. overridden
Rare service DLL was added to the registry from a rare unsigned actor process
High overridden
A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware. overridden
Svchost.exe loads a rare unsigned module Low
Svchost.exe loads a rare unsigned module, which can indicate an attacker's malicious service execution.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Masquerading: Masquerade Task or Service (T1036.004) Create or Modify System Process: Windows Service (T1543.003)Required data: XDR AgentDetector tags: Malicious Service AnalyticsAttacker's goals: Evading detections by running code from a signed Microsoft executable.Investigative actions: Check whether the loaded module with the corresponding hash is benign and if this was a desired behavior as part of its normal execution flow. Go to the 'Services' registry key and investigate its sub keys to find the service associated with the loaded dll.Uncommon Launch Agent persistency was registered or modified Informational 9 variations
An uncommon Launch Agent persistence mechanism was registered/modified on the system.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Create or Modify System Process (T1543) Create or Modify System Process: Launch Agent (T1543.001)Required data: XDR AgentDetector tags: Generic Persistence AnalyticsAttacker's goals: Establish persistent access to the compromised host by registering malicious code.Investigative actions: Analyze the persistency item and determine whether it performs any malicious or suspicious actions. Analyze the registered process and determine whether it performs any malicious or suspicious actions. Check the events generated by the process for potential malicious behavior.Variations
Uncommon Launch Agent persistency was registered or modified by a security testing tool
High overridden
An uncommon Launch Agent persistence mechanism was registered/modified on the system by a security testing tool. overridden
Uncommon Launch Agent persistency was registered or modified by a tool with possible web access
Low overridden
An uncommon Launch Agent persistence mechanism was registered/modified on the system by a tool with possible web access. overridden
Uncommon Launch Agent persistency was registered or modified while using a data communication tool
Low overridden
An uncommon Launch Agent persistence mechanism was registered/modified on the system while using a data communication tool for persistency registration or as a persistency-triggered execution. overridden
Uncommon Launch Agent persistency was registered or modified while using osascript
Low overridden
An uncommon Launch Agent persistence mechanism was registered/modified on the system while using osascript for persistency registration or as a persistency-triggered execution. overridden
Uncommon Launch Agent persistency was registered or modified using Plist Buddy with Run-At-Load key
Low overridden
An uncommon Launch Agent persistence mechanism was registered/modified on the system using Plist Buddy with Run-At-Load key set to True. overridden
Uncommon Launch Agent persistency was registered or modified with an uncommon path containing a known vendor name
Low overridden
An uncommon Launch Agent persistence mechanism was registered/modified on the system with an uncommon path containing a known vendor name. overridden
Uncommon Launch Agent persistency was registered or modified with an unusual persistency executable path
Low overridden
An uncommon Launch Agent persistence mechanism was registered/modified on the system with an unusual persistency executable path. overridden
Uncommon Launch Agent persistency was registered or modified by a non validly signed process
Low overridden
An uncommon Launch Agent persistence mechanism was registered/modified on the system by a non validly signed process. overridden
Uncommon Launch Agent persistency was registered or modified by an unsigned process
Low overridden
An uncommon Launch Agent persistence mechanism was registered/modified on the system by an unsigned process. overridden
Uncommon Launch Daemon persistency was registered or modified Informational 9 variations
An uncommon Launch Daemon persistence mechanism was registered/modified on the system.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Create or Modify System Process (T1543) Create or Modify System Process: Launch Daemon (T1543.004)Required data: XDR AgentDetector tags: Generic Persistence AnalyticsAttacker's goals: Establish persistent access to the compromised host by registering malicious code.Investigative actions: Analyze the persistency item and determine whether it performs any malicious or suspicious actions. Analyze the registered process and determine whether it performs any malicious or suspicious actions. Check the events generated by the process for potential malicious behavior.Variations
Uncommon Launch Daemon persistency was registered or modified by a security testing tool
High overridden
An uncommon Launch Daemon persistence mechanism was registered/modified on the system by a security testing tool. overridden
Uncommon Launch Daemon persistency was registered or modified by a tool with possible web access
Low overridden
An uncommon Launch Daemon persistence mechanism was registered/modified on the system by a tool with possible web access. overridden
Uncommon Launch Daemon persistency was registered or modified while using a data communication tool
Low overridden
An uncommon Launch Daemon persistence mechanism was registered/modified on the system while using a data communication tool for persistency registration or as a persistency triggered execution. overridden
Uncommon Launch Daemon persistency was registered or modified while using osascript
Low overridden
An uncommon Launch Daemon persistence mechanism was registered/modified on the system while using osascript for persistency registration or as a persistency triggered execution. overridden
Uncommon Launch Daemon persistency was registered or modified using Plist Buddy with Run-At-Load key
Low overridden
An uncommon Launch Daemon persistence mechanism was registered/modified on the system using Plist Buddy with Run-At-Load key set to True. overridden
Uncommon Launch Daemon persistency was registered or modified with an uncommon path containing a known vendor name
Low overridden
An uncommon Launch Daemon persistence mechanism was registered/modified on the system with an uncommon path containing a known vendor name. overridden
Uncommon Launch Daemon persistency was registered or modified with an unusual persistency executable path
Low overridden
An uncommon Launch Daemon persistence mechanism was registered/modified on the system with an unusual persistency executable path. overridden
Uncommon Launch Daemon persistency was registered or modified by a non validly signed process
Low overridden
An uncommon Launch Daemon persistence mechanism was registered/modified on the system by a non validly signed process. overridden
Uncommon Launch Daemon persistency was registered or modified by an unsigned process
Low overridden
An uncommon Launch Daemon persistence mechanism was registered/modified on the system by an unsigned process. overridden