Analytics Alerts
Browse the Cortex analytics alert reference.
15 alerts match the current filters. tactic: TA0005 ✕ technique: T1055 ✕
Show ATT&CK heatmapAn unsigned process created scheduled task and performed an injection Medium 1 variation
An unsigned process created scheduled task and performed an injection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 4 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005)ATT&CK techniques: Scheduled Task/Job: Scheduled Task (T1053.005) Process Injection (T1055)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: To ensure they have persistence on the system, the threat actor may use scheduled tasks to set persistence, Then, to avoid detection and carry out stealth execution, they may inject a malicious payload into a remote process.Investigative actions: Investigate the injection payload and the injection process. Check if the scheduled task trigger payload is malicious.Variations
Possible an unsigned installer created scheduled task and performed an injection
Low overridden
Possible an unsigned installer created scheduled task and performed an injection. overridden
Executable created to disk by lsass.exe Medium
Lsass.exe does not normally create executables to disk. This activity was seen as part of several exploits, like EternalBlue and DoublePulsar, used during the WannaCry attacks.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection (T1055)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: This activity was an important stage for several exploits.Investigative actions: Check the file that was written to the disk for malicious activities.Globally uncommon injection from a signed process Informational 3 variations
A signed process injected into another process that it does not normally target at a global level.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: System Binary Proxy Execution (T1218) Process Injection (T1055) Compromise Host Software Binary (T1554)Required data: XDR AgentDetector tags: Injection Analytics, Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon suspicious injection from a signed process
Medium overridden
A non-injected thread in a signed process with a suspicious injection type injected into another process that it does not normally target at a global level. overridden
Globally uncommon injection from a signed process which was executed by a scheduled task
Low overridden
A signed process injected into another process that it does not normally target at a global level. overridden
Globally uncommon injection from a signed process
Low overridden
A signed process injected into another process that it does not normally target at a global level. overridden
Injection into rundll32.exe Informational 1 variation
A process injected into an instance of rundll32.exe.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Injection into rundll32.exe which was executed by a scheduled task
Low overridden
A process injected into an instance of rundll32.exe. overridden
LOLBAS executable injects into another process Informational 1 variation
A signed binary, which can be abused to run code, injected code to another process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: Gain code execution on the host and evade security controls.Investigative actions: Check whether the injecting process is benign, and if this was a desired behavior as part of its normal execution flow.Variations
LOLBAS executable injects into another process under an uncommon CGO
Low overridden
A signed binary, which can be abused to run code, injected code to another process. overridden
Microsoft Office injects code into a process Low 5 variations
An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)ATT&CK techniques: Phishing: Spearphishing Attachment (T1566.001) Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: An attacker attempts to gain code execution via a phishing document. Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.Investigative actions: Check the source of the document (received by mail or loaded locally). Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Unsigned Microsoft Office injects code into a process
High overridden
An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden
Microsoft Office injects code into a process to a non-standard PE section
High overridden
An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden
Microsoft Office injects code into a process to an undeclared memory page
Medium overridden
An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden
Microsoft Office injects code into a process from an unsigned process
Medium overridden
An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden
Microsoft Office macro-enabled spreadsheet (XLSM) injects code into a process
Medium overridden
An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden
Office process spawned with suspicious command-line arguments Low 2 variations
An Office process was executed with LOLBIN-like command-line arguments. This behavior is exhibited in the VBA-RunPE tool that executes executables from the memory of Word/Excel/PowerPoint.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection: Process Hollowing (T1055.012)Required data: XDR AgentAttacker's goals: Execute arbitrary code or run malicious applications undetected.Investigative actions: Check the file that spawns the office application and search for macros, formulas, or scripts.Variations
Masqueraded office process spawned with suspicious command-line arguments
Medium overridden
An executable masquerading an office process was executed with LOLBIN-like command-line arguments. overridden
PowerPoint process accesses a suspicious PPAM file
Low overridden
A PowerPoint process opened a PPAM file which might be used to execute malicious code. overridden
Signed process performed an unpopular DLL injection Informational 4 variations
A signed process performed an unpopular DLL injection into another process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Signed process that got injected performed an unpopular and suspicious dll injection
High overridden
A signed process performed an unpopular DLL injection into another process. overridden
Signed process that got injected performed an unpopular and suspicious dll injection
Medium overridden
A signed process performed an unpopular DLL injection into another process. overridden
Signed process that got injected performed an unpopular dll injection
Medium overridden
A signed process performed an unpopular DLL injection into another process. overridden
Signed process performed an unpopular DLL injection
Low overridden
A signed process performed an unpopular DLL injection into another process. overridden
Signed process performed an unpopular injection Informational 6 variations
A signed process performed an unpopular injection to another process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Signed process that got injected performed an unpopular and suspicious injection
Medium overridden
A signed process performed an unpopular injection to another process. overridden
Signed process that got injected performed an unpopular and suspicious injection
Medium overridden
A signed process performed an unpopular injection to another process. overridden
Signed process that got injected performed an unpopular injection
Medium overridden
A signed process performed an unpopular injection to another process. overridden
Commonly abused signed process performed a globally unpopular injection to a Microsoft signed process
Medium overridden
A signed process performed an unpopular injection to another process. overridden
Signed process performed an unpopular injection
Low overridden
A signed process performed an unpopular injection to another process. overridden
Signed process executed by a scheduled task performed an unpopular injection
Low overridden
A signed process performed an unpopular injection to another process. overridden
Suspicious DotNet log file created Low 3 variations
Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Reflective Code Loading (T1620) Process Injection (T1055)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Run/Inject DotNet code in the context of a signed process.Investigative actions: Verify if the actor process is using DotNet in a valid way. Check if a new application was recently installed on the host at the time of the alert.Variations
DotNet log file created by svchost from 'Absolute software Corp' causality
Informational overridden
Causality 'Absolute software Corp' loads/injects into svchost and creates DotNet log files. overridden
Suspicious DotNet log file created from an injected thread
Low overridden
Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files. overridden
Suspicious DotNet log file created
Low overridden
Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files. overridden
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer Low 4 variations
A process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Process Injection: Portable Executable Injection (T1055.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Injection AnalyticsAttacker's goals: Gain code execution on the host in the context of another process.Investigative actions: Investigate the acting process for other malicious activities. Check if the target process was injected and for anomalies in its behavior after this event.Variations
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an office process
High overridden
An office process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an injected thread
Medium overridden
An injected thread wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from a LOLBIN process
Medium overridden
A LOLBIN process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an unsigned process
Medium overridden
An unsigned process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden
Unsigned and unpopular process performed a DLL injection Low 5 variations
An unsigned process with low popularity injected a dll into another process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: Attackers may inject DLLs into processes to evade process-based defenses, as well as possibly elevate privileges.Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Unsigned and unpopular process performed process hollowing DLL injection
High overridden
An unsigned process with low popularity injected a dll into another process. overridden
Unsigned and unpopular process performed queue APC DLL injection
High overridden
An unsigned process with low popularity injected a dll into another process. overridden
Unsigned and unpopular process performed a DLL injection to a sensitive process
Medium overridden
An unsigned process with low popularity injected a dll into another process. overridden
Unsigned and unpopular process performed a DLL injection to a commonly abused process
High overridden
An unsigned process with low popularity injected a dll into another process. overridden
Unsigned and unpopular process performed a DLL injection to a security vendor signed process
Medium overridden
An unsigned process with low popularity injected a dll into another process. overridden
Unsigned and unpopular process performed an injection Low 7 variations
An unsigned process with low popularity injected code to another process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Unsigned and unpopular process performed process hollowing injection
High overridden
An unsigned process with low popularity injected code to another process. overridden
Unsigned and unpopular process performed queue APC injection
High overridden
An unsigned process with low popularity injected code to another process. overridden
Unsigned and unpopular process performed injection into a sensitive process
Medium overridden
An unsigned process with low popularity injected code to another process. overridden
Unsigned and unpopular process performed injection into svchost.exe
High overridden
An unsigned process with low popularity injected code to another process. This process attempted to obtain System user permissions. overridden
Unsigned and unpopular process performed injection into a commonly abused process
High overridden
An unsigned process with low popularity injected code to another process. overridden
Unsigned and unpopular process performed injection into a process signed by a security vendor
Medium overridden
An unsigned process with low popularity injected code to another process. overridden
Unsigned and unpopular process executed by a scheduled task performed an injection
Low overridden
An unsigned process with low popularity injected code to another process. overridden
Unsigned process injecting into a Windows system binary with no command line Medium
An attacker may be trying to avoid detection by injecting their malicious code into a legitimate Windows system binary.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.Wscript/Cscript loads .NET DLLs Low
An unusual script loads .NET DLLs, possibly indicating JScriptToDotnet execution.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection (T1055)Required data: XDR AgentAttacker's goals: Gain code execution on the host.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.