Analytics Alerts
Browse the Cortex analytics alert reference.
2 alerts match the current filters. tactic: TA0004 ✕ technique: T1055 ✕
Show ATT&CK heatmapUncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer Low 4 variations
A process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Process Injection: Portable Executable Injection (T1055.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Injection AnalyticsAttacker's goals: Gain code execution on the host in the context of another process.Investigative actions: Investigate the acting process for other malicious activities. Check if the target process was injected and for anomalies in its behavior after this event.Variations
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an office process
High overridden
An office process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an injected thread
Medium overridden
An injected thread wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from a LOLBIN process
Medium overridden
A LOLBIN process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an unsigned process
Medium overridden
An unsigned process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden
Unsigned process injecting into a Windows system binary with no command line Medium
An attacker may be trying to avoid detection by injecting their malicious code into a legitimate Windows system binary.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.