Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

15 alerts match the current filters. tactic: TA0005 ✕ technique: T1055 ✕

Show ATT&CK heatmap
  • An unsigned process created scheduled task and performed an injection Medium 1 variation

    An unsigned process created scheduled task and performed an injection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    4 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005)
    ATT&CK techniques: Scheduled Task/Job: Scheduled Task (T1053.005) Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: To ensure they have persistence on the system, the threat actor may use scheduled tasks to set persistence, Then, to avoid detection and carry out stealth execution, they may inject a malicious payload into a remote process.
    Investigative actions: Investigate the injection payload and the injection process. Check if the scheduled task trigger payload is malicious.

    Variations

    Possible an unsigned installer created scheduled task and performed an injection

    Low overridden

    Possible an unsigned installer created scheduled task and performed an injection. overridden

  • Executable created to disk by lsass.exe Medium

    Lsass.exe does not normally create executables to disk. This activity was seen as part of several exploits, like EternalBlue and DoublePulsar, used during the WannaCry attacks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: This activity was an important stage for several exploits.
    Investigative actions: Check the file that was written to the disk for malicious activities.
  • Globally uncommon injection from a signed process Informational 3 variations

    A signed process injected into another process that it does not normally target at a global level.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Process Injection (T1055) Compromise Host Software Binary (T1554)
    Required data: XDR Agent
    Detector tags: Injection Analytics, Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.
    Investigative actions: Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon suspicious injection from a signed process

    Medium overridden

    A non-injected thread in a signed process with a suspicious injection type injected into another process that it does not normally target at a global level. overridden

    Globally uncommon injection from a signed process which was executed by a scheduled task

    Low overridden

    A signed process injected into another process that it does not normally target at a global level. overridden

    Globally uncommon injection from a signed process

    Low overridden

    A signed process injected into another process that it does not normally target at a global level. overridden

  • Injection into rundll32.exe Informational 1 variation

    A process injected into an instance of rundll32.exe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
    Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Injection into rundll32.exe which was executed by a scheduled task

    Low overridden

    A process injected into an instance of rundll32.exe. overridden

  • LOLBAS executable injects into another process Informational 1 variation

    A signed binary, which can be abused to run code, injected code to another process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: Gain code execution on the host and evade security controls.
    Investigative actions: Check whether the injecting process is benign, and if this was a desired behavior as part of its normal execution flow.

    Variations

    LOLBAS executable injects into another process under an uncommon CGO

    Low overridden

    A signed binary, which can be abused to run code, injected code to another process. overridden

  • Microsoft Office injects code into a process Low 5 variations

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)
    ATT&CK techniques: Phishing: Spearphishing Attachment (T1566.001) Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: An attacker attempts to gain code execution via a phishing document. Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
    Investigative actions: Check the source of the document (received by mail or loaded locally). Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Unsigned Microsoft Office injects code into a process

    High overridden

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden

    Microsoft Office injects code into a process to a non-standard PE section

    High overridden

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden

    Microsoft Office injects code into a process to an undeclared memory page

    Medium overridden

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden

    Microsoft Office injects code into a process from an unsigned process

    Medium overridden

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden

    Microsoft Office macro-enabled spreadsheet (XLSM) injects code into a process

    Medium overridden

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden

  • Office process spawned with suspicious command-line arguments Low 2 variations

    An Office process was executed with LOLBIN-like command-line arguments. This behavior is exhibited in the VBA-RunPE tool that executes executables from the memory of Word/Excel/PowerPoint.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection: Process Hollowing (T1055.012)
    Required data: XDR Agent
    Attacker's goals: Execute arbitrary code or run malicious applications undetected.
    Investigative actions: Check the file that spawns the office application and search for macros, formulas, or scripts.

    Variations

    Masqueraded office process spawned with suspicious command-line arguments

    Medium overridden

    An executable masquerading an office process was executed with LOLBIN-like command-line arguments. overridden

    PowerPoint process accesses a suspicious PPAM file

    Low overridden

    A PowerPoint process opened a PPAM file which might be used to execute malicious code. overridden

  • Signed process performed an unpopular DLL injection Informational 4 variations

    A signed process performed an unpopular DLL injection into another process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
    Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Signed process that got injected performed an unpopular and suspicious dll injection

    High overridden

    A signed process performed an unpopular DLL injection into another process. overridden

    Signed process that got injected performed an unpopular and suspicious dll injection

    Medium overridden

    A signed process performed an unpopular DLL injection into another process. overridden

    Signed process that got injected performed an unpopular dll injection

    Medium overridden

    A signed process performed an unpopular DLL injection into another process. overridden

    Signed process performed an unpopular DLL injection

    Low overridden

    A signed process performed an unpopular DLL injection into another process. overridden

  • Signed process performed an unpopular injection Informational 6 variations

    A signed process performed an unpopular injection to another process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
    Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Signed process that got injected performed an unpopular and suspicious injection

    Medium overridden

    A signed process performed an unpopular injection to another process. overridden

    Signed process that got injected performed an unpopular and suspicious injection

    Medium overridden

    A signed process performed an unpopular injection to another process. overridden

    Signed process that got injected performed an unpopular injection

    Medium overridden

    A signed process performed an unpopular injection to another process. overridden

    Commonly abused signed process performed a globally unpopular injection to a Microsoft signed process

    Medium overridden

    A signed process performed an unpopular injection to another process. overridden

    Signed process performed an unpopular injection

    Low overridden

    A signed process performed an unpopular injection to another process. overridden

    Signed process executed by a scheduled task performed an unpopular injection

    Low overridden

    A signed process performed an unpopular injection to another process. overridden

  • Suspicious DotNet log file created Low 3 variations

    Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Reflective Code Loading (T1620) Process Injection (T1055)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Run/Inject DotNet code in the context of a signed process.
    Investigative actions: Verify if the actor process is using DotNet in a valid way. Check if a new application was recently installed on the host at the time of the alert.

    Variations

    DotNet log file created by svchost from 'Absolute software Corp' causality

    Informational overridden

    Causality 'Absolute software Corp' loads/injects into svchost and creates DotNet log files. overridden

    Suspicious DotNet log file created from an injected thread

    Low overridden

    Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files. overridden

    Suspicious DotNet log file created

    Low overridden

    Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files. overridden

  • Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer Low 4 variations

    A process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Process Injection: Portable Executable Injection (T1055.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Injection Analytics
    Attacker's goals: Gain code execution on the host in the context of another process.
    Investigative actions: Investigate the acting process for other malicious activities. Check if the target process was injected and for anomalies in its behavior after this event.

    Variations

    Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an office process

    High overridden

    An office process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden

    Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an injected thread

    Medium overridden

    An injected thread wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden

    Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from a LOLBIN process

    Medium overridden

    A LOLBIN process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden

    Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an unsigned process

    Medium overridden

    An unsigned process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden

  • Unsigned and unpopular process performed a DLL injection Low 5 variations

    An unsigned process with low popularity injected a dll into another process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: Attackers may inject DLLs into processes to evade process-based defenses, as well as possibly elevate privileges.
    Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Unsigned and unpopular process performed process hollowing DLL injection

    High overridden

    An unsigned process with low popularity injected a dll into another process. overridden

    Unsigned and unpopular process performed queue APC DLL injection

    High overridden

    An unsigned process with low popularity injected a dll into another process. overridden

    Unsigned and unpopular process performed a DLL injection to a sensitive process

    Medium overridden

    An unsigned process with low popularity injected a dll into another process. overridden

    Unsigned and unpopular process performed a DLL injection to a commonly abused process

    High overridden

    An unsigned process with low popularity injected a dll into another process. overridden

    Unsigned and unpopular process performed a DLL injection to a security vendor signed process

    Medium overridden

    An unsigned process with low popularity injected a dll into another process. overridden

  • Unsigned and unpopular process performed an injection Low 7 variations

    An unsigned process with low popularity injected code to another process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
    Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Unsigned and unpopular process performed process hollowing injection

    High overridden

    An unsigned process with low popularity injected code to another process. overridden

    Unsigned and unpopular process performed queue APC injection

    High overridden

    An unsigned process with low popularity injected code to another process. overridden

    Unsigned and unpopular process performed injection into a sensitive process

    Medium overridden

    An unsigned process with low popularity injected code to another process. overridden

    Unsigned and unpopular process performed injection into svchost.exe

    High overridden

    An unsigned process with low popularity injected code to another process. This process attempted to obtain System user permissions. overridden

    Unsigned and unpopular process performed injection into a commonly abused process

    High overridden

    An unsigned process with low popularity injected code to another process. overridden

    Unsigned and unpopular process performed injection into a process signed by a security vendor

    Medium overridden

    An unsigned process with low popularity injected code to another process. overridden

    Unsigned and unpopular process executed by a scheduled task performed an injection

    Low overridden

    An unsigned process with low popularity injected code to another process. overridden

  • Unsigned process injecting into a Windows system binary with no command line Medium

    An attacker may be trying to avoid detection by injecting their malicious code into a legitimate Windows system binary.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
    Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.
  • Wscript/Cscript loads .NET DLLs Low

    An unusual script loads .NET DLLs, possibly indicating JScriptToDotnet execution.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.