Analytics Alerts
Browse the Cortex analytics alert reference.
9 alerts match the current filters. tactic: TA0005 ✕ technique: T1027 ✕
Show ATT&CK heatmapA process was executed with a command line obfuscated by Unicode character substitution Medium
A process was executed with a command line obfuscated by Unicode character substitution.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Obfuscated Files or Information (T1027)Required data: XDR AgentAttacker's goals: Hide its action and avoid detection.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Encoded information using Windows certificate management tool Medium
Encoding/decoding to/from using certutil.exe could be used to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Obfuscated Files or Information: Encrypted/Encoded File (T1027.013) Deobfuscate/Decode Files or Information (T1140)Required data: XDR AgentAttacker's goals: Evade detection by executing processes with obfuscated arguments.Investigative actions: Check encoded/decoded command content and see whether it is benign or malicious.Globally uncommon high entropy module was loaded Informational 1 variation
A module with high entropy and a globally uncommon hash was loaded.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Obfuscated Files or Information (T1027)Required data: XDR AgentAttacker's goals: Adversaries may attempt to make an executable difficult to discover or analyze by compressing, encrypting, encoding, or otherwise obfuscating its contents.Investigative actions: Check if the module is either compressed, encrypted, obfuscated or packed.Variations
Globally uncommon high entropy module was loaded by process which was executed by a scheduled task
Low overridden
A module with high entropy and a globally uncommon hash was loaded. overridden
Globally uncommon high entropy process was executed Informational 4 variations
A process with high entropy and a globally uncommon hash was executed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Obfuscated Files or Information (T1027)Required data: XDR AgentAttacker's goals: Adversaries may attempt to make an executable difficult to discover or analyze by compressing, encrypting, encoding, or otherwise obfuscating its contents.Investigative actions: Check if the process' file is either compressed, encrypted, obfuscated or packed.Variations
Globally uncommon high entropy process was executed by an untrusted CGO
Low overridden
A process with high entropy and a globally uncommon hash was executed by an untrusted CGO. overridden
Globally uncommon high entropy process was executed by a web server process or CGO
Low overridden
A process with high entropy and a globally uncommon hash was executed by a web server process or CGO. overridden
Globally uncommon high entropy process was extracted from an internet-downloaded archive and executed
Low overridden
A process with high entropy and a globally uncommon hash was extracted from an internet-downloaded archive and executed. overridden
Globally uncommon high entropy process was downloaded from an uncommon source and executed
Low overridden
A process with high entropy and a globally uncommon hash was downloaded from an uncommon source and executed. overridden
Possible binary padding using dd Informational
A suspicious dd command ran and added data to a binary. This may indicate binary padding to change the hash of a file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Obfuscated Files or Information: Binary Padding (T1027.001)Required data: XDR AgentAttacker's goals: An adversary may use binary padding to avoid hash-based blacklists and static antivirus signatures.Investigative actions: Check the padded file and try to understand the impact of padding this specific binary.Possible malicious .NET compilation started by a commonly abused process Medium
Attackers may use csc.exe to compile payloads on a compromised machine.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Obfuscated Files or Information: Compile After Delivery (T1027.004)Required data: XDR AgentAttacker's goals: Compile payloads on the host to evade detection.Investigative actions: Investigate the payload being compiled. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Suspicious data encryption Low
Known applications were used to encrypt data within a machine's local file system.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)ATT&CK techniques: Data Encrypted for Impact (T1486) Obfuscated Files or Information: Encrypted/Encoded File (T1027.013)Required data: XDR AgentAttacker's goals: Damage or hide data on the local file system.Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.Unicode RTL Override Character High
An attacker may use a special right-to-left (RTL) override character to trick users into executing malicious files that look like benign file types.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Obfuscated Files or Information (T1027)Required data: XDR AgentAttacker's goals: Trick users into executing malicious files by making their file types seem benign.Investigative actions: Investigate the executed process. There is no reason for benign files to contain the Unicode right-to-left override character in their name.Unusual use of a 'SysInternals' tool Informational 3 variations
An attacker may be trying to avoid detection by using an obfuscated copy of SysInternals tools.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Obfuscated Files or Information (T1027)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers may leverage SysInternals tools for lateral movement, credential access, or to delete recovery backups to cause impact.Investigative actions: Check if the file is familiar to the user, if not, investigate further the source of it.Variations
Unusual use of a 'SysInternals' tool by a process with an invalid or non-standard signature
High overridden
An attacker may be trying to avoid detection by using an obfuscated copy of SysInternals tools. overridden
Unusual use of a 'SysInternals' tool that can be used for offensive operations
High overridden
An attacker may be trying to avoid detection by using an obfuscated copy of SysInternals tools. overridden
A registry key related to SysInternals was modified by a known registry editor
Informational overridden
A registry key related to SysInternals was modified by a known registry editor to circumvent a EULA prompt. overridden