Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

8 alerts match the current filters. tactic: TA0003 ✕ technique: T1543 ✕

Show ATT&CK heatmap
  • An uncommon service was started Low 1 variation

    An uncommon service was started using systemctl or service processes.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Create or Modify System Process: Systemd Service (T1543.002)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may create systemd services to run malicious payloads.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    An uncommon service was started in a Kubernetes pod

    Low overridden

    An uncommon service was started using systemctl or service processes. overridden

  • Installation of a new System-V service Low 1 variation

    Installation of a new System-V service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Create or Modify System Process: Systemd Service (T1543.002)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may create systemd services to run malicious payloads.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Installation of a new System-V service in a Kubernetes pod

    Low overridden

    Installation of a new System-V service. overridden

  • Known service display name with uncommon image-path Low 3 variations

    Service created with a known display name but has an uncommon image-path.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Execution (TA0002)
    ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Malicious Service Analytics
    Attacker's goals: Run malicious code with seemingly trustworthy services.
    Investigative actions: Investigate the image path of the newly created service. Investigate the causality actor process that initiated the activity.

    Variations

    Known service display name with uncommon image-path created by an untrusted CGO

    Medium overridden

    Service created with a known display name but has an uncommon image-path. overridden

    Known Palo Alto service display name with uncommon image-path

    Medium overridden

    Service created with a known display name but has an uncommon image-path. overridden

    Known service display name with uncommon image-path in a suspicious folder

    Medium overridden

    Service created with a known display name but has an uncommon image-path. overridden

  • Known service name with an uncommon image-path Low 2 variations

    A Service with a known service name has an uncommon image-path.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Execution (TA0002)
    ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Malicious Service Analytics
    Attacker's goals: Run malicious code within seemingly trustworthy services.
    Investigative actions: Investigate the image-path of the newly created service. Investigate the causality actor process that initiated the activity.

    Variations

    Known Palo Alto service name with an uncommon image-path

    Medium overridden

    A Service with a known service name has an uncommon image-path. overridden

    Known service name with an uncommon image-path in a suspicious folder

    Medium overridden

    A Service with a known service name has an uncommon image-path. overridden

  • Rare service DLL was added to the registry Low 2 variations

    A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Masquerading: Masquerade Task or Service (T1036.004) Create or Modify System Process: Windows Service (T1543.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Malicious Service Analytics
    Attacker's goals: Masquerade execution on the host using a benign Windows process and achieve persistence.
    Investigative actions: Investigate the suspicious DLL and check for malicious content. Go to the service registry key and investigate it to find the associated executable that runs the service. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Rare service DLL was added to the registry from an injected thread

    Medium overridden

    A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware. overridden

    Rare service DLL was added to the registry from a rare unsigned actor process

    High overridden

    A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware. overridden

  • Svchost.exe loads a rare unsigned module Low

    Svchost.exe loads a rare unsigned module, which can indicate an attacker's malicious service execution.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Masquerading: Masquerade Task or Service (T1036.004) Create or Modify System Process: Windows Service (T1543.003)
    Required data: XDR Agent
    Detector tags: Malicious Service Analytics
    Attacker's goals: Evading detections by running code from a signed Microsoft executable.
    Investigative actions: Check whether the loaded module with the corresponding hash is benign and if this was a desired behavior as part of its normal execution flow. Go to the 'Services' registry key and investigate its sub keys to find the service associated with the loaded dll.
  • Uncommon Launch Agent persistency was registered or modified Informational 9 variations

    An uncommon Launch Agent persistence mechanism was registered/modified on the system.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Create or Modify System Process (T1543) Create or Modify System Process: Launch Agent (T1543.001)
    Required data: XDR Agent
    Detector tags: Generic Persistence Analytics
    Attacker's goals: Establish persistent access to the compromised host by registering malicious code.
    Investigative actions: Analyze the persistency item and determine whether it performs any malicious or suspicious actions. Analyze the registered process and determine whether it performs any malicious or suspicious actions. Check the events generated by the process for potential malicious behavior.

    Variations

    Uncommon Launch Agent persistency was registered or modified by a security testing tool

    High overridden

    An uncommon Launch Agent persistence mechanism was registered/modified on the system by a security testing tool. overridden

    Uncommon Launch Agent persistency was registered or modified by a tool with possible web access

    Low overridden

    An uncommon Launch Agent persistence mechanism was registered/modified on the system by a tool with possible web access. overridden

    Uncommon Launch Agent persistency was registered or modified while using a data communication tool

    Low overridden

    An uncommon Launch Agent persistence mechanism was registered/modified on the system while using a data communication tool for persistency registration or as a persistency-triggered execution. overridden

    Uncommon Launch Agent persistency was registered or modified while using osascript

    Low overridden

    An uncommon Launch Agent persistence mechanism was registered/modified on the system while using osascript for persistency registration or as a persistency-triggered execution. overridden

    Uncommon Launch Agent persistency was registered or modified using Plist Buddy with Run-At-Load key

    Low overridden

    An uncommon Launch Agent persistence mechanism was registered/modified on the system using Plist Buddy with Run-At-Load key set to True. overridden

    Uncommon Launch Agent persistency was registered or modified with an uncommon path containing a known vendor name

    Low overridden

    An uncommon Launch Agent persistence mechanism was registered/modified on the system with an uncommon path containing a known vendor name. overridden

    Uncommon Launch Agent persistency was registered or modified with an unusual persistency executable path

    Low overridden

    An uncommon Launch Agent persistence mechanism was registered/modified on the system with an unusual persistency executable path. overridden

    Uncommon Launch Agent persistency was registered or modified by a non validly signed process

    Low overridden

    An uncommon Launch Agent persistence mechanism was registered/modified on the system by a non validly signed process. overridden

    Uncommon Launch Agent persistency was registered or modified by an unsigned process

    Low overridden

    An uncommon Launch Agent persistence mechanism was registered/modified on the system by an unsigned process. overridden

  • Uncommon Launch Daemon persistency was registered or modified Informational 9 variations

    An uncommon Launch Daemon persistence mechanism was registered/modified on the system.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Create or Modify System Process (T1543) Create or Modify System Process: Launch Daemon (T1543.004)
    Required data: XDR Agent
    Detector tags: Generic Persistence Analytics
    Attacker's goals: Establish persistent access to the compromised host by registering malicious code.
    Investigative actions: Analyze the persistency item and determine whether it performs any malicious or suspicious actions. Analyze the registered process and determine whether it performs any malicious or suspicious actions. Check the events generated by the process for potential malicious behavior.

    Variations

    Uncommon Launch Daemon persistency was registered or modified by a security testing tool

    High overridden

    An uncommon Launch Daemon persistence mechanism was registered/modified on the system by a security testing tool. overridden

    Uncommon Launch Daemon persistency was registered or modified by a tool with possible web access

    Low overridden

    An uncommon Launch Daemon persistence mechanism was registered/modified on the system by a tool with possible web access. overridden

    Uncommon Launch Daemon persistency was registered or modified while using a data communication tool

    Low overridden

    An uncommon Launch Daemon persistence mechanism was registered/modified on the system while using a data communication tool for persistency registration or as a persistency triggered execution. overridden

    Uncommon Launch Daemon persistency was registered or modified while using osascript

    Low overridden

    An uncommon Launch Daemon persistence mechanism was registered/modified on the system while using osascript for persistency registration or as a persistency triggered execution. overridden

    Uncommon Launch Daemon persistency was registered or modified using Plist Buddy with Run-At-Load key

    Low overridden

    An uncommon Launch Daemon persistence mechanism was registered/modified on the system using Plist Buddy with Run-At-Load key set to True. overridden

    Uncommon Launch Daemon persistency was registered or modified with an uncommon path containing a known vendor name

    Low overridden

    An uncommon Launch Daemon persistence mechanism was registered/modified on the system with an uncommon path containing a known vendor name. overridden

    Uncommon Launch Daemon persistency was registered or modified with an unusual persistency executable path

    Low overridden

    An uncommon Launch Daemon persistence mechanism was registered/modified on the system with an unusual persistency executable path. overridden

    Uncommon Launch Daemon persistency was registered or modified by a non validly signed process

    Low overridden

    An uncommon Launch Daemon persistence mechanism was registered/modified on the system by a non validly signed process. overridden

    Uncommon Launch Daemon persistency was registered or modified by an unsigned process

    Low overridden

    An uncommon Launch Daemon persistence mechanism was registered/modified on the system by an unsigned process. overridden