Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

24 alerts match the current filters. tactic: TA0005 ✕ technique: T1036 ✕

Show ATT&CK heatmap
  • A Kubernetes namespace was created or deleted Informational Cloud

    A Kubernetes namespace was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading (T1036)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Manipulating namespace name to make it appear legitimate or benign.
    Investigative actions: Check which changes were made to the Kubernetes namespace.
  • A LOLBIN was copied to a different location Informational 2 variations

    To evade detection, attackers may copy a LOLBIN executable to a different location.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading: Rename Legitimate Utilities (T1036.003)
    Required data: XDR Agent
    Attacker's goals: Command execution via lolbins and detection avoidance via file rename.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the destination path of the lolbin and try to see if it's benign.

    Variations

    A LOLBIN was copied to a different location using a rare command line

    High overridden

    To evade detection, attackers may copy a LOLBIN executable to a different location. overridden

    A LOLBIN was copied to a different location using a rare command line via a commonly used method

    Low overridden

    To evade detection, attackers may copy a LOLBIN executable to a different location. overridden

  • A process is masquerading as a common Microsoft product Informational 5 variations

    An attacker might leverage common Microsoft software image names to run malicious processes without being caught.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading (T1036)
    Required data: XDR Agent
    Detector tags: EDR Windows Disguised Processes
    Attacker's goals: An attacker is attempting to masquerade as a Microsoft software image to execute malicious code.
    Investigative actions: Investigate the executed process image and check if it is malicious. Investigate the actor process that executed the process and check if it is malicious.

    Variations

    An unsigned actor executed masqueraded process which was downloaded from unexpected source

    High overridden

    An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden

    An unsigned and rare actor executing masqueraded process with uncommon characteristics

    High overridden

    An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden

    A process that was executed by remote causality actor is masquerading as a common Microsoft product

    Medium overridden

    An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden

    A process is masquerading as a common Microsoft Lolbin

    Low overridden

    An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden

    A process running from a commonly abused directory is masquerading as a common Microsoft product

    Low overridden

    An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden

  • A suspicious executable with multiple file extensions was created Medium

    An executable file with multiple extensions was created. This technique is frequently used to disguise malware as user content.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)
    ATT&CK techniques: User Execution: Malicious File (T1204.002) Masquerading: Double File Extension (T1036.007)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Bypassing defenses and/or tricking the user into executing a file that seems like a trustworthy file.
    Investigative actions: Investigate the actor process and the file created to determine if it was used for legitimate purposes or malicious activity.
  • A third-party utility was copied to a different location Informational

    To evade detection, attackers may copy a third-party utility executable to a different location.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading: Rename Legitimate Utilities (T1036.003)
    Required data: XDR Agent
    Detector tags: EDR Windows Disguised Processes
    Attacker's goals: Detection avoidance via file rename.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the destination path of the third-party utility and try to see if it's benign.
  • Common third-party software name masquerading Informational 2 variations

    An attacker might leverage common third-party software image names to run malicious processes without being caught.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading (T1036)
    Required data: XDR Agent
    Detector tags: EDR Windows Disguised Processes
    Attacker's goals: An attacker is attempting to masquerade as a common third-party software image to execute malicious code.
    Investigative actions: Investigate the executed process image and check if it is malicious. Investigate the actor process that executed the process and check if it is malicious.

    Variations

    Common third-party software name masquerading which was downloaded from an unexpected source

    Low overridden

    An attacker might leverage common third-party software image names to run malicious processes without being caught. overridden

    Common third-party software name masquerading with uncommon characteristics by actor with uncommon characteristics

    Low overridden

    An attacker might leverage common third-party software image names to run malicious processes without being caught. overridden

  • Email attachment with Right-to-Left Override Unicode character Low Email

    The email message contains an attachment with a hidden Right-to-Left Override Unicode character.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Masquerading: Masquerade File Type (T1036.008) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Evasion
    Attacker's goals: Bypass security filters and deliver malicious content to users Mislead recipients into opening a malicious file by obscuring its true nature Deploy malicious attachments through emails to compromise systems, gain unauthorized access, or facilitate cyber threats.
    Investigative actions: Carefully analyze attachments for any indications of suspicious or malicious behavior. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them.
  • Email attachment with multiple extensions Informational Email 2 variations

    This may indicate an attempt at masquerading the true file type through the misuse of multiple extensions in the attachment name.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)
    ATT&CK techniques: User Execution: Malicious File (T1204.002) Masquerading: Double File Extension (T1036.007)
    Required data: Microsoft 365 Emails
    Attacker's goals: Deploy malicious attachments through emails to compromise systems or gain unauthorized access.
    Investigative actions: Check the file types and investigate the legitimacy of files intended to be sent via email. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them. Check the email address for any unusual spellings or missing letters. Verify the sender's address to confirm its legitimacy. Check for previous emails from the sender's address.

    Variations

    Email executable attachment with multiple extensions

    Low overridden

    This could be a potential attempt to trick the user into executing such file(s). overridden

    Email executable attachment with multiple executable extensions

    Low overridden

    This could be a potential attempt to trick the user into executing such file(s). overridden

  • Email attachment(s) with potentially malicious MIME type Informational Email 2 variations

    The email message contains an attachment(s) with a potentially malicious MIME type.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Masquerading: Masquerade File Type (T1036.008) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Attacker's goals: Deploy malicious attachments through emails to compromise systems, gain unauthorized access, or facilitate cyber threats.
    Investigative actions: Carefully analyze attachments for any indications of suspicious or malicious behavior. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them.

    Variations

    Attachment(s) with potentially malicious MIME type unusual for the organization

    Informational overridden

    At least one attachment with a potentially malicious file mime-type was received in an email for the first time within the organization in the past 30 days. overridden

    Attachment(s) with a potentially malicious MIME type that is unusual for the recipient

    Informational overridden

    At least one attachment with a potentially malicious file mime-type was received in an email for the first time for the recipient in the past 30 days. overridden

  • Email containing a link with an IP address convention was detected Informational Email

    A link with IP address convention was detected within the email body.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Masquerading (T1036) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Trick the user into clicking the link, while avoiding detection.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Executable moved to Windows system folder Informational 4 variations

    An attacker may be trying to avoid detection by moving an executable to a Windows system folder.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading (T1036)
    Required data: XDR Agent
    Detector tags: EDR Windows Disguised Processes
    Attacker's goals: An attacker may be trying to avoid detection by moving an executable to a Windows system folder.
    Investigative actions: Check if the file is known in organization or malicious. Check if the digital signature of the file is valid and belongs to a known good software vendor. Investigate the process that has moved the file to the system folder.

    Variations

    Rare executable moved to Windows system folder by rare causality actor

    Medium overridden

    An attacker may be trying to avoid detection by moving an executable to a Windows system folder. overridden

    Executable moved to Windows system folder by remote causality and a rare actor

    Medium overridden

    An attacker may be trying to avoid detection by moving an executable to a Windows system folder. overridden

    Rare executable moved to Windows system folder by rare actor

    Low overridden

    An attacker may be trying to avoid detection by moving an executable to a Windows system folder. overridden

    Executable moved to Windows system folder by rare and unsigned actor

    Low overridden

    An attacker may be trying to avoid detection by moving an executable to a Windows system folder. overridden

  • Execution of masqueraded third-party utility Informational 2 variations

    An attacker may be trying to avoid detection of third-party utility execution by renaming it.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading (T1036) Masquerading: Rename Legitimate Utilities (T1036.003)
    Required data: XDR Agent
    Detector tags: EDR Windows Disguised Processes
    Attacker's goals: Detection avoidance via file masquerading.
    Investigative actions: Check the process origin or whether it comes with any packages the user has used.

    Variations

    Execution of masqueraded third-party automation utility

    Medium overridden

    An attacker may be trying to avoid detection of third-party utility execution by renaming it. overridden

    Execution of significantly masqueraded third-party utility

    Low overridden

    An attacker may be trying to avoid detection of third-party utility execution by renaming it. overridden

  • Execution of renamed lolbin Informational 1 variation

    An attacker may be trying to avoid detection of lolbin's execution using a renamed lolbin.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading (T1036) Masquerading: Rename Legitimate Utilities (T1036.003)
    Required data: XDR Agent
    Detector tags: EDR Windows Disguised Processes
    Attacker's goals: Detection avoidance via file rename.
    Investigative actions: Check the lolbin's origin or whether it comes with any packages the user has used.

    Variations

    Execution of significantly renamed lolbin

    Medium overridden

    An attacker may be trying to avoid detection of lolbin's execution using a renamed lolbin. overridden

  • Masquerading as a default local account Low Identity Analytics 3 variations

    A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Hide Artifacts: Hidden Users (T1564.002) Valid Accounts: Default Accounts (T1078.001) Masquerading (T1036)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Check what rights and permissions were granted to the new user. Verify the action with the user who created the new account. Follow actions and activities of the newly created default account. Monitor the addition of the user to different groups.

    Variations

    Masquerading as a default local account for the first time

    Medium overridden

    A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection. overridden

    Potential masquerading as a power user account

    Low overridden

    A user created a new local account with the name of a privileged local account.This user does not regularly create accounts.An attacker may create a user with these known names to evade detection. overridden

    Masquerading as a default Administrator account

    Informational overridden

    A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection. overridden

  • Masquerading as the Linux crond process Low 1 variation

    Copies a file and renames it as crond.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading: Masquerade Task or Service (T1036.004)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may masquerade as the crond executable.
    Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.

    Variations

    Masquerading as the Linux crond process from a Kubernetes pod

    Low overridden

    Copies a file and renames it as crond. overridden

  • Punycode characters detected in URL(s) Informational Email

    Punycode character(s) detected within URL(s) in email content.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Masquerading (T1036) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Cause a different URL to be presented to the user as a legitimate URL, prompting user engagement.
    Investigative actions: Examine the sender's IP address and reputation. Check the email address and content for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Rare service DLL was added to the registry Low 2 variations

    A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Masquerading: Masquerade Task or Service (T1036.004) Create or Modify System Process: Windows Service (T1543.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Malicious Service Analytics
    Attacker's goals: Masquerade execution on the host using a benign Windows process and achieve persistence.
    Investigative actions: Investigate the suspicious DLL and check for malicious content. Go to the service registry key and investigate it to find the associated executable that runs the service. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Rare service DLL was added to the registry from an injected thread

    Medium overridden

    A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware. overridden

    Rare service DLL was added to the registry from a rare unsigned actor process

    High overridden

    A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware. overridden

  • Space after filename Informational

    A file was created or renamed to have a space at the end of its name.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading: Space after Filename (T1036.006)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers may try to change the extension of the file to evade detection.
    Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.
  • Suspicious Process Spawned by wininit.exe Medium

    An unusual process was spawned by wininit.exe, possibly indicating malicious local or remote code execution.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading (T1036)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Suspicious Unicode character detected in email Informational Email 3 variations

    Unicode characters can be used for obfuscation, allowing malicious actors to disguise harmful intent, URLs or attachments By embedding non-printing Unicode characters, attackers can bypass security filters and evade detection mechanisms Such characters may also be used for phishing attempts that appear legitimate to both users and security systems.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading (T1036) Impersonation (T1656)
    Required data: Microsoft 365 Emails
    Detector tags: Evasion, Phishing
    Attacker's goals: Embedding suspicious Unicode characters in the email to appear legitimate, evade security filters and bypass detection mechanisms.
    Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    Phishing terms obfuscation using Unicode characters detected in email

    Low overridden

    Unicode characters can be used for obfuscation, allowing malicious actors to disguise harmful intent, URLs or attachments By embedding non-printing Unicode characters, attackers can bypass security filters and evade detection mechanisms Such characters may also be used for phishing attempts that appear legitimate to both users and security systems. overridden

    Words obfuscation using Unicode characters detected in email

    Informational overridden

    Unicode characters can be used for obfuscation, allowing malicious actors to disguise harmful intent, URLs or attachments By embedding non-printing Unicode characters, attackers can bypass security filters and evade detection mechanisms Such characters may also be used for phishing attempts that appear legitimate to both users and security systems. overridden

    Multiple suspicious Unicode characters detected in email

    Informational overridden

    Unicode characters can be used for obfuscation, allowing malicious actors to disguise harmful intent, URLs or attachments By embedding non-printing Unicode characters, attackers can bypass security filters and evade detection mechanisms Such characters may also be used for phishing attempts that appear legitimate to both users and security systems. overridden

  • Suspicious process accessed a site masquerading as Google Informational 1 variation

    A suspicious process accessed a site masquerading as Google.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Defense Evasion (TA0005)
    ATT&CK techniques: Web Service: Bidirectional Communication (T1102.002) Masquerading (T1036)
    Required data: XDR Agent
    Attacker's goals: Masquerade legitimate looking Google services for defense evasion and C&C.
    Investigative actions: See whether this site has a malicious reputation. Follow process activities. Monitor traffic to the site.

    Variations

    Suspicious process resolved the DNS name of a site masquerading as Google

    Informational overridden

    A suspicious process resolved the DNS name of a site masquerading as Google. overridden

  • Svchost.exe loads a rare unsigned module Low

    Svchost.exe loads a rare unsigned module, which can indicate an attacker's malicious service execution.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Masquerading: Masquerade Task or Service (T1036.004) Create or Modify System Process: Windows Service (T1543.003)
    Required data: XDR Agent
    Detector tags: Malicious Service Analytics
    Attacker's goals: Evading detections by running code from a signed Microsoft executable.
    Investigative actions: Check whether the loaded module with the corresponding hash is benign and if this was a desired behavior as part of its normal execution flow. Go to the 'Services' registry key and investigate its sub keys to find the service associated with the loaded dll.
  • Usage of homograph characters detected in an email Informational Email

    Detected characters resembling Latin letters within an email's subject and/or body.This could indicate an attempt to impersonate a well-known brand or impersonate someone's identity.This could also be used as a method to evade text scanners and analyzers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impersonation (T1656) Masquerading (T1036)
    Required data: Microsoft 365 Emails
    Detector tags: Evasion
    Attacker's goals: Impersonate known legitimate brands or evade defenses, tricking recipients into clicking on malicious links or attachments.
    Investigative actions: Check the characters in the email address for any characters that might look slightly different. Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. Check the domain the email came from, and if this domain is recognized within the organization. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Usage of homograph characters detected in an email's from header Informational Email

    Detected characters resembling Latin letters within an email's From header.This could indicate an attempt to impersonate a well-known brand or impersonate someone's identity.This could also be used as a method to evade text scanners and analyzers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading (T1036) Impersonation (T1656)
    Required data: Microsoft 365 Emails
    Detector tags: Evasion
    Attacker's goals: Impersonate known legitimate brands or evade defenses, tricking recipients into clicking on malicious links or attachments.
    Investigative actions: Check the characters in the email address for any characters that might look slightly different. Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. Check the domain the email came from, and if this domain is recognized within the organization. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.