Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

8 alerts match the current filters. tactic: TA0003 ✕ technique: T1546 ✕

Show ATT&CK heatmap
  • A WMI subscriber was created Informational

    A WMI subscriber was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Impacket Analytics
    Attacker's goals: Command execution and persistence on the host.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • A rare file path was added to the AppInit_DLLs registry value Low 2 variations

    A rare file path was added to AppInit_DLLs registry value.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Event Triggered Execution (T1546)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Injection Analytics
    Attacker's goals: Establish persistence and/or elevate privileges by injecting malicious content triggered by AppInit DLLs loaded into processes.
    Investigative actions: Investigate the path of the modified value. Investigate the causality actor process which initiated the activity.

    Variations

    A rare file path was added to the AppInit_DLLs registry valueusing a manual registry tool

    Medium overridden

    A rare file path was added to AppInit_DLLs registry value. overridden

    A rare file path was added to the AppInit_DLLs registry valuewith a commonly abused path

    Medium overridden

    A rare file path was added to AppInit_DLLs registry value. overridden

  • Google Workspace automation was created Informational Identity Threat Module 1 variation

    Google Workspace automation was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Exfiltration (TA0010)
    ATT&CK techniques: Command and Scripting Interpreter (T1059) Event Triggered Execution (T1546) Automated Exfiltration (T1020)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may create automations to maintain persistence, execute malicious code, or exfiltrate data automatically.
    Investigative actions: Verify if the automation creation was authorized and expected for this user. Investigate the automation logic to determine if it is malicious. Investigate other suspicious activities performed by the user around the same timeframe.

    Variations

    Google Workspace automation was created for a public document

    Low overridden

    The document that the automation was created for is publicly shared. overridden

  • Image file execution options (IFEO) registry key set Low 3 variations

    Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Event Triggered Execution: Image File Execution Options Injection (T1546.012)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options debuggers.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Look at the debugged process and what it is executing to determine if it is malicious.

    Variations

    Image file execution options (IFEO) registry key set to execute a shell or scripting engine process

    High overridden

    Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. overridden

    Image file execution options (IFEO) registry key set to activate Windows licenses illegally

    Medium overridden

    Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. This is also used by tools that were made to activate Windows licenses illegally. overridden

    Image file execution options (IFEO) registry key set using reg.exe

    High overridden

    Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. overridden

  • Manipulation of netsh helper DLLs Registry keys Medium

    Registering netsh helper DLLs is uncommon, and could be used by malware for persistence.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Event Triggered Execution: Netsh Helper DLL (T1546.007)
    Required data: XDR Agent
    Attacker's goals: Command execution and persistence on the host.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Scrcons.exe Rare Child Process Informational 1 variation

    The Windows Management Instrumentation (WMI) standard event consumer scrcons.exe executed a rare VBScript or PowerShell script. Executing a rare script can be an indication of local or remote code execution abuse by an attacker.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Windows Management Instrumentation (T1047) Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)
    Required data: XDR Agent
    Attacker's goals: The attacker is trying to gain Persistence via WMI script registration.
    Investigative actions: Search for any executions of the Managed Object Format (MOF) compiler mofcomp.exe and review the process that ran it. Review registered WMI ActiveScriptEventConsumer by running "WMIC /namespace:\\root\default path ActiveScriptEventConsumer get ".

    Variations

    Scrcons.exe Rare Child Process

    Medium overridden

    The Windows Management Instrumentation (WMI) standard event consumer scrcons.exe executed a rare VBScript or PowerShell script. Executing a rare script can be an indication of local or remote code execution abuse by an attacker. overridden

  • Screensaver process executed from Users or temporary folder Low 1 variation

    An executable file with a screensaver extension was executed from the Users or temp folder. This is not a common behavior for screensavers and may indicate a malicious file disguised as a screensaver in the Users or temp folder. It is recommended to further investigate the execution flow for malicious indicators.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Event Triggered Execution: Screensaver (T1546.002)
    Required data: XDR Agent
    Attacker's goals: Gain persistence by configuring a new screensaver.
    Investigative actions: Check whether the executing process (with the SCR extension) is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Screensaver process executed from Users or temporary folder by a scripting engine process

    High overridden

    An executable file with a screensaver extension was executed from the Users or temp folder by a scripting engine process. This is not a common behavior for screensavers and may indicate a malicious file disguised as a screensaver in the Users or temp folder. It is recommended to further investigate the execution flow for malicious indicators. overridden

  • Uncommon Managed Object Format (MOF) compiler usage Informational

    The mofcomp.exe WMI MOF compiled is used to compile code into the WMI repository that in turn may enable attackers to run scheduled or triggered code from the context of a Microsoft-signed binary.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)
    Required data: XDR Agent
    Attacker's goals: Run code via triggers from the context of the WMI executor.
    Investigative actions: Verify if the executing process is suspicious. Check if the MOF file being compiled has any malicious indicators within it.