Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

2 alerts match the current filters. tactic: TA0003 ✕ technique: T1569 ✕

Show ATT&CK heatmap
  • Known service display name with uncommon image-path Low 3 variations

    Service created with a known display name but has an uncommon image-path.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Execution (TA0002)
    ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Malicious Service Analytics
    Attacker's goals: Run malicious code with seemingly trustworthy services.
    Investigative actions: Investigate the image path of the newly created service. Investigate the causality actor process that initiated the activity.

    Variations

    Known service display name with uncommon image-path created by an untrusted CGO

    Medium overridden

    Service created with a known display name but has an uncommon image-path. overridden

    Known Palo Alto service display name with uncommon image-path

    Medium overridden

    Service created with a known display name but has an uncommon image-path. overridden

    Known service display name with uncommon image-path in a suspicious folder

    Medium overridden

    Service created with a known display name but has an uncommon image-path. overridden

  • Known service name with an uncommon image-path Low 2 variations

    A Service with a known service name has an uncommon image-path.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Execution (TA0002)
    ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Malicious Service Analytics
    Attacker's goals: Run malicious code within seemingly trustworthy services.
    Investigative actions: Investigate the image-path of the newly created service. Investigate the causality actor process that initiated the activity.

    Variations

    Known Palo Alto service name with an uncommon image-path

    Medium overridden

    A Service with a known service name has an uncommon image-path. overridden

    Known service name with an uncommon image-path in a suspicious folder

    Medium overridden

    A Service with a known service name has an uncommon image-path. overridden