Analytics Alerts
Browse the Cortex analytics alert reference.
8 alerts match the current filters. tactic: TA0003 ✕ technique: T1546 ✕
Show ATT&CK heatmapA WMI subscriber was created Informational
A WMI subscriber was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Impacket AnalyticsAttacker's goals: Command execution and persistence on the host.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.A rare file path was added to the AppInit_DLLs registry value Low 2 variations
A rare file path was added to AppInit_DLLs registry value.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Event Triggered Execution (T1546)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Injection AnalyticsAttacker's goals: Establish persistence and/or elevate privileges by injecting malicious content triggered by AppInit DLLs loaded into processes.Investigative actions: Investigate the path of the modified value. Investigate the causality actor process which initiated the activity.Variations
A rare file path was added to the AppInit_DLLs registry valueusing a manual registry tool
Medium overridden
A rare file path was added to AppInit_DLLs registry value. overridden
A rare file path was added to the AppInit_DLLs registry valuewith a commonly abused path
Medium overridden
A rare file path was added to AppInit_DLLs registry value. overridden
Google Workspace automation was created Informational Identity Threat Module 1 variation
Google Workspace automation was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Exfiltration (TA0010)ATT&CK techniques: Command and Scripting Interpreter (T1059) Event Triggered Execution (T1546) Automated Exfiltration (T1020)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may create automations to maintain persistence, execute malicious code, or exfiltrate data automatically.Investigative actions: Verify if the automation creation was authorized and expected for this user. Investigate the automation logic to determine if it is malicious. Investigate other suspicious activities performed by the user around the same timeframe.Variations
Google Workspace automation was created for a public document
Low overridden
The document that the automation was created for is publicly shared. overridden
Image file execution options (IFEO) registry key set Low 3 variations
Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Event Triggered Execution: Image File Execution Options Injection (T1546.012)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options debuggers.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Look at the debugged process and what it is executing to determine if it is malicious.Variations
Image file execution options (IFEO) registry key set to execute a shell or scripting engine process
High overridden
Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. overridden
Image file execution options (IFEO) registry key set to activate Windows licenses illegally
Medium overridden
Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. This is also used by tools that were made to activate Windows licenses illegally. overridden
Image file execution options (IFEO) registry key set using reg.exe
High overridden
Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. overridden
Manipulation of netsh helper DLLs Registry keys Medium
Registering netsh helper DLLs is uncommon, and could be used by malware for persistence.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Event Triggered Execution: Netsh Helper DLL (T1546.007)Required data: XDR AgentAttacker's goals: Command execution and persistence on the host.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Scrcons.exe Rare Child Process Informational 1 variation
The Windows Management Instrumentation (WMI) standard event consumer scrcons.exe executed a rare VBScript or PowerShell script. Executing a rare script can be an indication of local or remote code execution abuse by an attacker.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Persistence (TA0003)ATT&CK techniques: Windows Management Instrumentation (T1047) Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)Required data: XDR AgentAttacker's goals: The attacker is trying to gain Persistence via WMI script registration.Investigative actions: Search for any executions of the Managed Object Format (MOF) compiler mofcomp.exe and review the process that ran it. Review registered WMI ActiveScriptEventConsumer by running "WMIC /namespace:\\root\default path ActiveScriptEventConsumer get ".Variations
Scrcons.exe Rare Child Process
Medium overridden
The Windows Management Instrumentation (WMI) standard event consumer scrcons.exe executed a rare VBScript or PowerShell script. Executing a rare script can be an indication of local or remote code execution abuse by an attacker. overridden
Screensaver process executed from Users or temporary folder Low 1 variation
An executable file with a screensaver extension was executed from the Users or temp folder. This is not a common behavior for screensavers and may indicate a malicious file disguised as a screensaver in the Users or temp folder. It is recommended to further investigate the execution flow for malicious indicators.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Event Triggered Execution: Screensaver (T1546.002)Required data: XDR AgentAttacker's goals: Gain persistence by configuring a new screensaver.Investigative actions: Check whether the executing process (with the SCR extension) is benign and if this was a desired behavior as part of its normal execution flow.Variations
Screensaver process executed from Users or temporary folder by a scripting engine process
High overridden
An executable file with a screensaver extension was executed from the Users or temp folder by a scripting engine process. This is not a common behavior for screensavers and may indicate a malicious file disguised as a screensaver in the Users or temp folder. It is recommended to further investigate the execution flow for malicious indicators. overridden
Uncommon Managed Object Format (MOF) compiler usage Informational
The mofcomp.exe WMI MOF compiled is used to compile code into the WMI repository that in turn may enable attackers to run scheduled or triggered code from the context of a Microsoft-signed binary.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)Required data: XDR AgentAttacker's goals: Run code via triggers from the context of the WMI executor.Investigative actions: Verify if the executing process is suspicious. Check if the MOF file being compiled has any malicious indicators within it.