Analytics Alerts
Browse the Cortex analytics alert reference.
22 alerts match the current filters. tactic: TA0005 ✕ technique: T1218 ✕
Show ATT&CK heatmapA compiled HTML help file wrote a script file to the disk Low
A compiled HTML help file wrote a script file to the disk. Compiled HTLM help files usually don't write script files to the disk. This behavior is often employed by malware that leverages malicious CHM files to deliver a 2nd stage payload.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Compiled HTML File (T1218.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Deliver a 2nd stage payload or to avoid detection.Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check the file that was written to the disk for malicious activities.Conhost.exe spawned a suspicious cmd process Low 3 variations
Attackers may abuse the conhost process to execute malicious files and evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution (T1218)Required data: XDR AgentAttacker's goals: Investigate the processes being spawned on the host for malicious activities.Investigative actions: An adversary may use the conhost process to evade detection.Variations
Conhost.exe spawned a suspicious powershell encoded command
High overridden
Attackers may abuse the conhost process to execute malicious files and evade detection. overridden
Conhost.exe spawned a suspicious scripting process with long command line
Medium overridden
Attackers may abuse the conhost process to execute malicious files and evade detection. overridden
Conhost.exe spawned a suspicious child process
Medium overridden
Attackers may abuse the conhost process to execute malicious files and evade detection. overridden
Execution of dllhost.exe with an empty command line Low 2 variations
The process dllhost.exe was executed with an empty command line. This behavior is suspicious, and may be caused by a malicious actor using 'Image File Execution Options' in the registry to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution (T1218)Required data: XDR AgentAttacker's goals: Evade detection when running suspicious commands.Investigative actions: Check if an entry for dllhost.exe was added in the registry, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.Variations
Execution of unsigned dllhost from a non-typical path with empty command line
High overridden
An unsigned process was executed with the name dllhost.exe from a non-typical path, this behavior is suspicious and maybe performed by a malicious actor in an attempt to hide their actions. overridden
Globally uncommon execution of dllhost.exe with an empty command line
Low overridden
The process dllhost.exe was executed with an empty command line. This behavior is suspicious, and may be caused by a malicious actor using 'Image File Execution Options' in the registry to evade detection. overridden
Globally uncommon IP address connection from a signed process Informational 3 variations
A signed process connected to an external IP address that, on a global level, it usually doesn't connect to.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Verify the destination IP address reputation. Check whether the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Verify whether the process execution and connections are legitimate.Variations
Globally uncommon IP address connection from an injected thread in a signed process
Medium overridden
An injected thread in a signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon IP address connection from a signed process from a known vendor
Medium overridden
A signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon and very rare IP address connection from a signed process
Low overridden
A signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon image load from a signed process Informational 5 variations
A signed process loaded a DLL that, on a global level, it usually doesn't load.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution (T1218) Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: Global Anomaly Analytics, DLL Hijacking AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon image load from a signed process from a known vendor
Medium overridden
A signed process loaded a DLL that, on a global level, it usually doesn't load. overridden
Globally uncommon unsigned image side loaded to a signed process
Medium overridden
A signed process side loaded an unsigned DLL that, on a global level, it usually doesn't load. overridden
Globally uncommon and very rare image load from a signed process
Medium overridden
A signed process loaded a DLL that, on a global level, it usually doesn't load. overridden
Globally uncommon image load from an injected thread in a signed process
Low overridden
An injected thread in a signed process loaded a DLL that, on a global level, it usually doesn't load. overridden
Globally uncommon DLL was downloaded from an uncommon source and loaded by a signed process
Low overridden
A signed process loaded a DLL that, on a global level, it usually doesn't load. overridden
Globally uncommon injection from a signed process Informational 3 variations
A signed process injected into another process that it does not normally target at a global level.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: System Binary Proxy Execution (T1218) Process Injection (T1055) Compromise Host Software Binary (T1554)Required data: XDR AgentDetector tags: Injection Analytics, Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon suspicious injection from a signed process
Medium overridden
A non-injected thread in a signed process with a suspicious injection type injected into another process that it does not normally target at a global level. overridden
Globally uncommon injection from a signed process which was executed by a scheduled task
Low overridden
A signed process injected into another process that it does not normally target at a global level. overridden
Globally uncommon injection from a signed process
Low overridden
A signed process injected into another process that it does not normally target at a global level. overridden
Globally uncommon root domain from a signed process Low 4 variations
A signed process connected to an external domain that, on a global level, it usually doesn't connect to.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Check the destination domain reputation. Check if the actor process loaded a suspicious dll before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon root domain from an injected thread in a signed process
High overridden
An injected thread in a signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root domain from a signed process
High overridden
A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root domain from a signed process
High overridden
A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root domain from a signed process
Medium overridden
A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination from a signed process Low 4 variations
A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Check the destination domain reputation. Check if the actor process loaded a suspicious dll before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon root-domain port combination from an injected thread in a signed process
High overridden
An injected thread in a signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination from a signed process
High overridden
A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination from a signed process
High overridden
A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination from a signed process
Medium overridden
A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden
MSI accessed a web page running a server-side script Informational 1 variation
The Microsoft installer command line included a URL to a web page running a server-side script, which is suspicious.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution (T1218)Required data: XDR AgentAttacker's goals: An attacker may use this technique to install a malicious tool from a remote server.Investigative actions: Check whether the URL is benign and if this was a desired behavior as part of its normal execution flow.Variations
MSI accessed a web page running a server-side script
High overridden
MSI on an internet-facing server accessed a web page running a server-side script. overridden
Mshta.exe launched with suspicious arguments Low
Microsoft HTML application host process has been launched with suspicious arguments, which may indicate malicious intent.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Mshta (T1218.005)Required data: XDR AgentAttacker's goals: Gain code execution on the host and evade security controls.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Mshta.exe spawns from a browser process Low 1 variation
Mshta is the Microsoft HTML Application Host. It executes HTML applications on Windows. Detected when a browser process has spawned mshta, which can be a potential attack vector.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Mshta (T1218.005)Required data: XDR AgentAttacker's goals: Execute malicious code through system binary proxy execution to bypass application controls and security monitoring.Investigative actions: Examine the command line arguments passed to mshta for suspicious URLs or file paths. Check the browser process that spawned mshta for signs of compromise. Review network connections around the time of execution. Analyze any HTML applications (.hta files) that may have been executed.Variations
Mshta.exe spawns from a browser process that executes a script from a URL
Medium overridden
Mshta is the Microsoft HTML Application Host. It executes HTML applications on Windows. Detected when a browser process has spawned mshta, which can be a potential attack vector. overridden
Msiexec execution of an executable from an uncommon remote location Informational 2 variations
Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Msiexec (T1218.007)Required data: XDR AgentAttacker's goals: Evading security controls and executing arbitrary files from the web.Investigative actions: Check execution of msiexec and the IP/Domain that used. Is the URL that is encoded in the command line trusted. Is executed DLL or MSI file known as legitimate. Is the initiating process legitimate and the user running it knows of its use.Variations
Msiexec execution of an executable from an uncommon remote location with a specific port
High overridden
Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations. overridden
Msiexec execution of an executable from an uncommon remote location without properties
Medium overridden
Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations. Execution without properties is more common in malware. overridden
Possible code downloading from a remote host by Regsvr32 Medium
Regsvr32 may be used to fetch arbitrary code from a remote host and execute it without dropping the payload onto the disk. Known to be used for malicious purposes.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Regsvr32 (T1218.010)Required data: XDR AgentAttacker's goals: Gain code execution on the host and evade security controls.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Registration of Uncommon .NET Services and/or Assemblies Informational
Regasm.exe and regsvcs.exe are used to register .NET COM assemblies, which are typically located in specific paths, attackers might leverage that to execute code within a Microsoft signed binary.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Regsvcs/Regasm (T1218.009)Required data: XDR AgentAttacker's goals: Load untrusted code into a trusted Microsoft context to evade detection.Investigative actions: Verify if the loaded dll is known to be malicious. Track down which process dropped the library being loaded. Validate if the actions being done by the regasm.exe process are malicious.Rundll32.exe executes a rare unsigned module Low 2 variations
Rundll32.exe executes a rare unsigned module, which can indicate an attacker's malicious execution.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Rundll32 (T1218.011)Required data: XDR AgentAttacker's goals: Evading detections by running code from a signed Microsoft executable.Investigative actions: Check whether the loaded module with the corresponding hash is benign and if this was a desired behavior as part of its normal execution flow.Variations
Rundll32.exe executes a rare unsigned module with very high entropy
Medium overridden
Rundll32.exe executes a rare unsigned module, which can indicate an attacker's malicious execution. The module executed by Rundll32 has very high entropy. overridden
Rundll32.exe executes a rare unsigned module with suspicious characteristics
Medium overridden
Rundll32.exe executes a rare unsigned module, which can indicate an attacker's malicious execution. overridden
Rundll32.exe running with no command-line arguments Medium
Rundll32.exe is meant to run with parameters, so the absence of them is extremely suspicious; this behavior is used in the default configuration of Cobalt Strike.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Rundll32 (T1218.011)Required data: XDR AgentAttacker's goals: Run as a signed Microsoft executables to avoid detection. Rundll32 is the default process used by Cobalt Strike for running post-exploitation tools.Investigative actions: Check for any injection event to the Rundll32 process. Check the causality of execution for any injections.Rundll32.exe spawns conhost.exe Medium
This unusual parent-child process relationship may indicate that an attacker has abused rundll32.exe to run a console-based application such as PowerShell.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Rundll32 (T1218.011)Required data: XDR AgentAttacker's goals: Evading detections by running code from a signed Microsoft executable.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Suspicious SearchProtocolHost.exe parent process Medium
SearchProtocolHost.exe has been launched from a process that is different from SearchIndexer.exeThis may indicate malicious activity (such as malware later being injected to it, or it being used for phantom DLL hijacking).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)ATT&CK techniques: User Execution (T1204) System Binary Proxy Execution (T1218)Required data: XDR AgentAttacker's goals: Gain code execution on the host and evade security controls.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Suspicious certutil command line Medium
An attacker may use certutil to download malware.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution (T1218) Ingress Tool Transfer (T1105)Required data: XDR AgentAttacker's goals: An attacker may use certutil to download malware.Investigative actions: Check whether the URL is benign and if this was a desired behavior as part of its normal execution flow. Check whether the downloaded file is malicious.Uncommon execution of ODBCConf Low 1 variation
Attackers may abuse the Odbcconf.exe Windows utility to proxy the execution of malicious DLL files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Odbcconf (T1218.008)Required data: XDR AgentAttacker's goals: Execute arbitrary code or load malicious DLL modules undetected within Microsoft signed program from Microsoft signed process.Investigative actions: Check the execution command-line, in case of 'REGSVR' points to a DLL, then check it. If the command-line contains '/f' argument (for script file) check the content of the script.Variations
Uncommon execution of ODBCConf to load dll directly
High overridden
Attackers may abuse the Odbcconf.exe Windows utility to proxy the execution of malicious DLL files. overridden
Uncommon msiexec execution of an arbitrary file from a remote location Low 1 variation
Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Msiexec (T1218.007)Required data: XDR AgentAttacker's goals: Evading security controls and executing arbitrary files from the web.Investigative actions: Check if the the URL that is encoded in the command line is trusted. Determine if the executed DLL or MSI file is known as legitimate. Confirm whether the initiating process is legitimate and if the user running it knows of its use.Note - the MSI executable can run from other LAN locations, the alert will raise on the WAN connection.Variations
Suspicious msiexec execution on an internet-facing endpoint
Low overridden
Suspicious msiexec execution of an arbitrary file from the web on an internet-facing server. overridden
Unusual Lolbins Process Spawned by InstallUtil.exe Low
An unusual process was spawned by InstallUtil.exe, possibly indicating malicious local or remote code execution.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: InstallUtil (T1218.004)Required data: XDR AgentAttacker's goals: Gain code execution on the host.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.