Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

3 alerts match the current filters. tactic: TA0004 ✕ technique: T1547 ✕

Show ATT&CK heatmap
  • A contained executable was executed by an unusual process Medium 3 variations

    A Docker-contained executable from a mounted share was executed on a host.Running a contained executable is highly dangerous and atypical.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Escape to Host (T1611) Boot or Logon Autostart Execution: Kernel Modules and Extensions (T1547.006)
    Required data: XDR Agent
    Attacker's goals: Gain high privileged command execution on the host machine via one of its running containers.
    Investigative actions: Check what actions were made after the suspicious file execution. Investigate the contained process and its process tree.

    Variations

    A contained executable was executed by the Linux kernel thread daemon

    High overridden

    A contained executable in a cloud machine was executed by the Linux kernel thread daemon.This behavior is suspicious as it may be a result of an attacker attempting to escape from a container, as the kernel thread daemon is usually used to spawn kernel processes only. overridden

    A contained executable was executed by the Linux kernel thread daemon

    High overridden

    A contained executable was executed by the Linux kernel thread daemon.This behavior is suspicious as it may be a result of an attacker attempting to escape from a container, as the kernel thread daemon is usually used to spawn kernel processes only. overridden

    A contained executable was executed by an unusual process

    Medium overridden

    A Docker-contained executable from a mounted share on a cloud machine was executed on a host.Running a contained executable is highly dangerous and atypical. overridden

  • Suspicious Udev driver rule execution manipulation Low 1 variation

    Udev driver rule was modified with unusual pattern, might be used by adversaries to backdoor existing drivers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Boot or Logon Autostart Execution: Kernel Modules and Extensions (T1547.006)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversaries can use this technique to execute arbitrary commands once the machine boots.
    Investigative actions: Check if the action was done using an automation service. Check the rule modification content and look for any suspicious payloads. Check if there are any other suspicious activities originated from the same machine/executing user.

    Variations

    Unusual Udev driver rule execution manipulation

    Low overridden

    Udev driver rule was modified with unusual pattern, might be used by adversaries to backdoor existing drivers. overridden

  • Uncommon Security Support Provider (SSP) registered via a registry key Low

    Security Support Provider (SSP) exposes a number of callbacks to be invoked during certain authentication and authorization events.An attacker may register SSP to try and gain access to clear text passwords.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Boot or Logon Autostart Execution: Security Support Provider (T1547.005)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain clear text passwords and persistency in the network.
    Investigative actions: Audit the specific key values to verify that the additional values are trusted.