Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0004 ✕ technique: T1037 ✕
Show ATT&CK heatmapSuspicious process modified RC script file Low 1 variation
A suspicious process modified an RC script file. These files allow system administrators to map and start custom services at startup for different run levels. This may be done to establish persistence.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Boot or Logon Initialization Scripts: RC Scripts (T1037.004)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, ContainersAttacker's goals: Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system's startup.Investigative actions: Check the modified RC script file and try to understand the impact of the file modification.Variations
Suspicious process modified RC script file in a Kubernetes pod
Low overridden
A suspicious process modified an RC script file. These files allow system administrators to map and start custom services at startup for different run levels. This may be done to establish persistence. overridden