Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

2 alerts match the current filters. tactic: TA0004 ✕ technique: T1055 ✕

Show ATT&CK heatmap
  • Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer Low 4 variations

    A process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Process Injection: Portable Executable Injection (T1055.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Injection Analytics
    Attacker's goals: Gain code execution on the host in the context of another process.
    Investigative actions: Investigate the acting process for other malicious activities. Check if the target process was injected and for anomalies in its behavior after this event.

    Variations

    Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an office process

    High overridden

    An office process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden

    Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an injected thread

    Medium overridden

    An injected thread wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden

    Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from a LOLBIN process

    Medium overridden

    A LOLBIN process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden

    Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an unsigned process

    Medium overridden

    An unsigned process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden

  • Unsigned process injecting into a Windows system binary with no command line Medium

    An attacker may be trying to avoid detection by injecting their malicious code into a legitimate Windows system binary.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
    Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.