Analytics Alerts
Browse the Cortex analytics alert reference.
3 alerts match the current filters. tactic: TA0004 ✕ technique: T1546 ✕
Show ATT&CK heatmapA WMI subscriber was created Informational
A WMI subscriber was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Impacket AnalyticsAttacker's goals: Command execution and persistence on the host.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.A rare file path was added to the AppInit_DLLs registry value Low 2 variations
A rare file path was added to AppInit_DLLs registry value.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Event Triggered Execution (T1546)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Injection AnalyticsAttacker's goals: Establish persistence and/or elevate privileges by injecting malicious content triggered by AppInit DLLs loaded into processes.Investigative actions: Investigate the path of the modified value. Investigate the causality actor process which initiated the activity.Variations
A rare file path was added to the AppInit_DLLs registry valueusing a manual registry tool
Medium overridden
A rare file path was added to AppInit_DLLs registry value. overridden
A rare file path was added to the AppInit_DLLs registry valuewith a commonly abused path
Medium overridden
A rare file path was added to AppInit_DLLs registry value. overridden
Image file execution options (IFEO) registry key set Low 3 variations
Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Event Triggered Execution: Image File Execution Options Injection (T1546.012)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options debuggers.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Look at the debugged process and what it is executing to determine if it is malicious.Variations
Image file execution options (IFEO) registry key set to execute a shell or scripting engine process
High overridden
Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. overridden
Image file execution options (IFEO) registry key set to activate Windows licenses illegally
Medium overridden
Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. This is also used by tools that were made to activate Windows licenses illegally. overridden
Image file execution options (IFEO) registry key set using reg.exe
High overridden
Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. overridden