Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

3 alerts match the current filters. tactic: TA0004 ✕ technique: T1546 ✕

Show ATT&CK heatmap
  • A WMI subscriber was created Informational

    A WMI subscriber was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Impacket Analytics
    Attacker's goals: Command execution and persistence on the host.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • A rare file path was added to the AppInit_DLLs registry value Low 2 variations

    A rare file path was added to AppInit_DLLs registry value.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Event Triggered Execution (T1546)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Injection Analytics
    Attacker's goals: Establish persistence and/or elevate privileges by injecting malicious content triggered by AppInit DLLs loaded into processes.
    Investigative actions: Investigate the path of the modified value. Investigate the causality actor process which initiated the activity.

    Variations

    A rare file path was added to the AppInit_DLLs registry valueusing a manual registry tool

    Medium overridden

    A rare file path was added to AppInit_DLLs registry value. overridden

    A rare file path was added to the AppInit_DLLs registry valuewith a commonly abused path

    Medium overridden

    A rare file path was added to AppInit_DLLs registry value. overridden

  • Image file execution options (IFEO) registry key set Low 3 variations

    Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Event Triggered Execution: Image File Execution Options Injection (T1546.012)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options debuggers.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Look at the debugged process and what it is executing to determine if it is malicious.

    Variations

    Image file execution options (IFEO) registry key set to execute a shell or scripting engine process

    High overridden

    Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. overridden

    Image file execution options (IFEO) registry key set to activate Windows licenses illegally

    Medium overridden

    Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. This is also used by tools that were made to activate Windows licenses illegally. overridden

    Image file execution options (IFEO) registry key set using reg.exe

    High overridden

    Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. overridden