Analytics Alerts
Browse the Cortex analytics alert reference.
3 alerts match the current filters. tactic: TA0004 ✕ technique: T1543 ✕
Show ATT&CK heatmapAn uncommon service was started Low 1 variation
An uncommon service was started using systemctl or service processes.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Create or Modify System Process: Systemd Service (T1543.002)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may create systemd services to run malicious payloads.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
An uncommon service was started in a Kubernetes pod
Low overridden
An uncommon service was started using systemctl or service processes. overridden
Elevation to SYSTEM via services Low 2 variations
Services were affected by a non SYSTEM integrity level process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Malicious Service AnalyticsAttacker's goals: Escalate privileges to system and execute commands.Investigative actions: Investigate the service being spawned on the host for malicious activities.Variations
Elevation to SYSTEM via service creation
Low overridden
A service was created from a non SYSTEM integrity level process. overridden
Elevation to SYSTEM via service modification
Low overridden
An existing service was modified from a non SYSTEM integrity level process. overridden
Installation of a new System-V service Low 1 variation
Installation of a new System-V service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Create or Modify System Process: Systemd Service (T1543.002)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may create systemd services to run malicious payloads.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Installation of a new System-V service in a Kubernetes pod
Low overridden
Installation of a new System-V service. overridden