Analytics Alerts
Browse the Cortex analytics alert reference.
3 alerts match the current filters. tactic: TA0004 ✕ technique: T1547 ✕
Show ATT&CK heatmapA contained executable was executed by an unusual process Medium 3 variations
A Docker-contained executable from a mounted share was executed on a host.Running a contained executable is highly dangerous and atypical.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Escape to Host (T1611) Boot or Logon Autostart Execution: Kernel Modules and Extensions (T1547.006)Required data: XDR AgentAttacker's goals: Gain high privileged command execution on the host machine via one of its running containers.Investigative actions: Check what actions were made after the suspicious file execution. Investigate the contained process and its process tree.Variations
A contained executable was executed by the Linux kernel thread daemon
High overridden
A contained executable in a cloud machine was executed by the Linux kernel thread daemon.This behavior is suspicious as it may be a result of an attacker attempting to escape from a container, as the kernel thread daemon is usually used to spawn kernel processes only. overridden
A contained executable was executed by the Linux kernel thread daemon
High overridden
A contained executable was executed by the Linux kernel thread daemon.This behavior is suspicious as it may be a result of an attacker attempting to escape from a container, as the kernel thread daemon is usually used to spawn kernel processes only. overridden
A contained executable was executed by an unusual process
Medium overridden
A Docker-contained executable from a mounted share on a cloud machine was executed on a host.Running a contained executable is highly dangerous and atypical. overridden
Suspicious Udev driver rule execution manipulation Low 1 variation
Udev driver rule was modified with unusual pattern, might be used by adversaries to backdoor existing drivers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Boot or Logon Autostart Execution: Kernel Modules and Extensions (T1547.006)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversaries can use this technique to execute arbitrary commands once the machine boots.Investigative actions: Check if the action was done using an automation service. Check the rule modification content and look for any suspicious payloads. Check if there are any other suspicious activities originated from the same machine/executing user.Variations
Unusual Udev driver rule execution manipulation
Low overridden
Udev driver rule was modified with unusual pattern, might be used by adversaries to backdoor existing drivers. overridden
Uncommon Security Support Provider (SSP) registered via a registry key Low
Security Support Provider (SSP) exposes a number of callbacks to be invoked during certain authentication and authorization events.An attacker may register SSP to try and gain access to clear text passwords.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Boot or Logon Autostart Execution: Security Support Provider (T1547.005)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain clear text passwords and persistency in the network.Investigative actions: Audit the specific key values to verify that the additional values are trusted.