Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

2 alerts match the current filters. tactic: TA0004 ✕ technique: T1569 ✕

Show ATT&CK heatmap
  • Elevation to SYSTEM via services Low 2 variations

    Services were affected by a non SYSTEM integrity level process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)
    ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Malicious Service Analytics
    Attacker's goals: Escalate privileges to system and execute commands.
    Investigative actions: Investigate the service being spawned on the host for malicious activities.

    Variations

    Elevation to SYSTEM via service creation

    Low overridden

    A service was created from a non SYSTEM integrity level process. overridden

    Elevation to SYSTEM via service modification

    Low overridden

    An existing service was modified from a non SYSTEM integrity level process. overridden

  • PsExec was executed with a suspicious command line Informational 4 variations

    PsExec.exe was executed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)
    ATT&CK techniques: System Services: Service Execution (T1569.002) Valid Accounts (T1078)
    Required data: XDR Agent
    Attacker's goals: An adversary may attempt to use PsExec to gain execution capabilities, run remote commands or perform privilege escalation.
    Investigative actions: Check if any other suspicious activities happened under the same causality. Confirm the PsExec.exe command is benign.

    Variations

    PsExec was executed with a suspicious command line by a LOLBIN

    Low overridden

    PsExec.exe was executed with NT/System privilege level by a LOLBIN. overridden

    PsExec was executed with a suspicious command line by an unsigned actor

    Medium overridden

    PsExec.exe was executed with NT/System privilege level by an unsigned actor. overridden

    PsExec was executed with a suspicious command line

    Low overridden

    PsExec.exe was executed with NT/System privilege level. overridden

    PsExec was executed with a suspicious command line

    Low overridden

    PsExec.exe was executed with plain-text credentials. overridden