Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

22 alerts match the current filters. tactic: TA0005 ✕ technique: T1218 ✕

Show ATT&CK heatmap
  • A compiled HTML help file wrote a script file to the disk Low

    A compiled HTML help file wrote a script file to the disk. Compiled HTLM help files usually don't write script files to the disk. This behavior is often employed by malware that leverages malicious CHM files to deliver a 2nd stage payload.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Compiled HTML File (T1218.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Deliver a 2nd stage payload or to avoid detection.
    Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check the file that was written to the disk for malicious activities.
  • Conhost.exe spawned a suspicious cmd process Low 3 variations

    Attackers may abuse the conhost process to execute malicious files and evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution (T1218)
    Required data: XDR Agent
    Attacker's goals: Investigate the processes being spawned on the host for malicious activities.
    Investigative actions: An adversary may use the conhost process to evade detection.

    Variations

    Conhost.exe spawned a suspicious powershell encoded command

    High overridden

    Attackers may abuse the conhost process to execute malicious files and evade detection. overridden

    Conhost.exe spawned a suspicious scripting process with long command line

    Medium overridden

    Attackers may abuse the conhost process to execute malicious files and evade detection. overridden

    Conhost.exe spawned a suspicious child process

    Medium overridden

    Attackers may abuse the conhost process to execute malicious files and evade detection. overridden

  • Execution of dllhost.exe with an empty command line Low 2 variations

    The process dllhost.exe was executed with an empty command line. This behavior is suspicious, and may be caused by a malicious actor using 'Image File Execution Options' in the registry to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution (T1218)
    Required data: XDR Agent
    Attacker's goals: Evade detection when running suspicious commands.
    Investigative actions: Check if an entry for dllhost.exe was added in the registry, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.

    Variations

    Execution of unsigned dllhost from a non-typical path with empty command line

    High overridden

    An unsigned process was executed with the name dllhost.exe from a non-typical path, this behavior is suspicious and maybe performed by a malicious actor in an attempt to hide their actions. overridden

    Globally uncommon execution of dllhost.exe with an empty command line

    Low overridden

    The process dllhost.exe was executed with an empty command line. This behavior is suspicious, and may be caused by a malicious actor using 'Image File Execution Options' in the registry to evade detection. overridden

  • Globally uncommon IP address connection from a signed process Informational 3 variations

    A signed process connected to an external IP address that, on a global level, it usually doesn't connect to.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.
    Investigative actions: Verify the destination IP address reputation. Check whether the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Verify whether the process execution and connections are legitimate.

    Variations

    Globally uncommon IP address connection from an injected thread in a signed process

    Medium overridden

    An injected thread in a signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon IP address connection from a signed process from a known vendor

    Medium overridden

    A signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon and very rare IP address connection from a signed process

    Low overridden

    A signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

  • Globally uncommon image load from a signed process Informational 5 variations

    A signed process loaded a DLL that, on a global level, it usually doesn't load.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Hijack Execution Flow: DLL (T1574.001)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics, DLL Hijacking Analytics
    Attacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.
    Investigative actions: Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon image load from a signed process from a known vendor

    Medium overridden

    A signed process loaded a DLL that, on a global level, it usually doesn't load. overridden

    Globally uncommon unsigned image side loaded to a signed process

    Medium overridden

    A signed process side loaded an unsigned DLL that, on a global level, it usually doesn't load. overridden

    Globally uncommon and very rare image load from a signed process

    Medium overridden

    A signed process loaded a DLL that, on a global level, it usually doesn't load. overridden

    Globally uncommon image load from an injected thread in a signed process

    Low overridden

    An injected thread in a signed process loaded a DLL that, on a global level, it usually doesn't load. overridden

    Globally uncommon DLL was downloaded from an uncommon source and loaded by a signed process

    Low overridden

    A signed process loaded a DLL that, on a global level, it usually doesn't load. overridden

  • Globally uncommon injection from a signed process Informational 3 variations

    A signed process injected into another process that it does not normally target at a global level.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Process Injection (T1055) Compromise Host Software Binary (T1554)
    Required data: XDR Agent
    Detector tags: Injection Analytics, Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.
    Investigative actions: Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon suspicious injection from a signed process

    Medium overridden

    A non-injected thread in a signed process with a suspicious injection type injected into another process that it does not normally target at a global level. overridden

    Globally uncommon injection from a signed process which was executed by a scheduled task

    Low overridden

    A signed process injected into another process that it does not normally target at a global level. overridden

    Globally uncommon injection from a signed process

    Low overridden

    A signed process injected into another process that it does not normally target at a global level. overridden

  • Globally uncommon root domain from a signed process Low 4 variations

    A signed process connected to an external domain that, on a global level, it usually doesn't connect to.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.
    Investigative actions: Check the destination domain reputation. Check if the actor process loaded a suspicious dll before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon root domain from an injected thread in a signed process

    High overridden

    An injected thread in a signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root domain from a signed process

    High overridden

    A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root domain from a signed process

    High overridden

    A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root domain from a signed process

    Medium overridden

    A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden

  • Globally uncommon root-domain port combination from a signed process Low 4 variations

    A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.
    Investigative actions: Check the destination domain reputation. Check if the actor process loaded a suspicious dll before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon root-domain port combination from an injected thread in a signed process

    High overridden

    An injected thread in a signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root-domain port combination from a signed process

    High overridden

    A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root-domain port combination from a signed process

    High overridden

    A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root-domain port combination from a signed process

    Medium overridden

    A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden

  • MSI accessed a web page running a server-side script Informational 1 variation

    The Microsoft installer command line included a URL to a web page running a server-side script, which is suspicious.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution (T1218)
    Required data: XDR Agent
    Attacker's goals: An attacker may use this technique to install a malicious tool from a remote server.
    Investigative actions: Check whether the URL is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    MSI accessed a web page running a server-side script

    High overridden

    MSI on an internet-facing server accessed a web page running a server-side script. overridden

  • Mshta.exe launched with suspicious arguments Low

    Microsoft HTML application host process has been launched with suspicious arguments, which may indicate malicious intent.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Mshta (T1218.005)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host and evade security controls.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Mshta.exe spawns from a browser process Low 1 variation

    Mshta is the Microsoft HTML Application Host. It executes HTML applications on Windows. Detected when a browser process has spawned mshta, which can be a potential attack vector.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Mshta (T1218.005)
    Required data: XDR Agent
    Attacker's goals: Execute malicious code through system binary proxy execution to bypass application controls and security monitoring.
    Investigative actions: Examine the command line arguments passed to mshta for suspicious URLs or file paths. Check the browser process that spawned mshta for signs of compromise. Review network connections around the time of execution. Analyze any HTML applications (.hta files) that may have been executed.

    Variations

    Mshta.exe spawns from a browser process that executes a script from a URL

    Medium overridden

    Mshta is the Microsoft HTML Application Host. It executes HTML applications on Windows. Detected when a browser process has spawned mshta, which can be a potential attack vector. overridden

  • Msiexec execution of an executable from an uncommon remote location Informational 2 variations

    Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Msiexec (T1218.007)
    Required data: XDR Agent
    Attacker's goals: Evading security controls and executing arbitrary files from the web.
    Investigative actions: Check execution of msiexec and the IP/Domain that used. Is the URL that is encoded in the command line trusted. Is executed DLL or MSI file known as legitimate. Is the initiating process legitimate and the user running it knows of its use.

    Variations

    Msiexec execution of an executable from an uncommon remote location with a specific port

    High overridden

    Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations. overridden

    Msiexec execution of an executable from an uncommon remote location without properties

    Medium overridden

    Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations. Execution without properties is more common in malware. overridden

  • Possible code downloading from a remote host by Regsvr32 Medium

    Regsvr32 may be used to fetch arbitrary code from a remote host and execute it without dropping the payload onto the disk. Known to be used for malicious purposes.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Regsvr32 (T1218.010)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host and evade security controls.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Registration of Uncommon .NET Services and/or Assemblies Informational

    Regasm.exe and regsvcs.exe are used to register .NET COM assemblies, which are typically located in specific paths, attackers might leverage that to execute code within a Microsoft signed binary.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Regsvcs/Regasm (T1218.009)
    Required data: XDR Agent
    Attacker's goals: Load untrusted code into a trusted Microsoft context to evade detection.
    Investigative actions: Verify if the loaded dll is known to be malicious. Track down which process dropped the library being loaded. Validate if the actions being done by the regasm.exe process are malicious.
  • Rundll32.exe executes a rare unsigned module Low 2 variations

    Rundll32.exe executes a rare unsigned module, which can indicate an attacker's malicious execution.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Rundll32 (T1218.011)
    Required data: XDR Agent
    Attacker's goals: Evading detections by running code from a signed Microsoft executable.
    Investigative actions: Check whether the loaded module with the corresponding hash is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Rundll32.exe executes a rare unsigned module with very high entropy

    Medium overridden

    Rundll32.exe executes a rare unsigned module, which can indicate an attacker's malicious execution. The module executed by Rundll32 has very high entropy. overridden

    Rundll32.exe executes a rare unsigned module with suspicious characteristics

    Medium overridden

    Rundll32.exe executes a rare unsigned module, which can indicate an attacker's malicious execution. overridden

  • Rundll32.exe running with no command-line arguments Medium

    Rundll32.exe is meant to run with parameters, so the absence of them is extremely suspicious; this behavior is used in the default configuration of Cobalt Strike.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Rundll32 (T1218.011)
    Required data: XDR Agent
    Attacker's goals: Run as a signed Microsoft executables to avoid detection. Rundll32 is the default process used by Cobalt Strike for running post-exploitation tools.
    Investigative actions: Check for any injection event to the Rundll32 process. Check the causality of execution for any injections.
  • Rundll32.exe spawns conhost.exe Medium

    This unusual parent-child process relationship may indicate that an attacker has abused rundll32.exe to run a console-based application such as PowerShell.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Rundll32 (T1218.011)
    Required data: XDR Agent
    Attacker's goals: Evading detections by running code from a signed Microsoft executable.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Suspicious SearchProtocolHost.exe parent process Medium

    SearchProtocolHost.exe has been launched from a process that is different from SearchIndexer.exeThis may indicate malicious activity (such as malware later being injected to it, or it being used for phantom DLL hijacking).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)
    ATT&CK techniques: User Execution (T1204) System Binary Proxy Execution (T1218)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host and evade security controls.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Suspicious certutil command line Medium

    An attacker may use certutil to download malware.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Ingress Tool Transfer (T1105)
    Required data: XDR Agent
    Attacker's goals: An attacker may use certutil to download malware.
    Investigative actions: Check whether the URL is benign and if this was a desired behavior as part of its normal execution flow. Check whether the downloaded file is malicious.
  • Uncommon execution of ODBCConf Low 1 variation

    Attackers may abuse the Odbcconf.exe Windows utility to proxy the execution of malicious DLL files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Odbcconf (T1218.008)
    Required data: XDR Agent
    Attacker's goals: Execute arbitrary code or load malicious DLL modules undetected within Microsoft signed program from Microsoft signed process.
    Investigative actions: Check the execution command-line, in case of 'REGSVR' points to a DLL, then check it. If the command-line contains '/f' argument (for script file) check the content of the script.

    Variations

    Uncommon execution of ODBCConf to load dll directly

    High overridden

    Attackers may abuse the Odbcconf.exe Windows utility to proxy the execution of malicious DLL files. overridden

  • Uncommon msiexec execution of an arbitrary file from a remote location Low 1 variation

    Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Msiexec (T1218.007)
    Required data: XDR Agent
    Attacker's goals: Evading security controls and executing arbitrary files from the web.
    Investigative actions: Check if the the URL that is encoded in the command line is trusted. Determine if the executed DLL or MSI file is known as legitimate. Confirm whether the initiating process is legitimate and if the user running it knows of its use.Note - the MSI executable can run from other LAN locations, the alert will raise on the WAN connection.

    Variations

    Suspicious msiexec execution on an internet-facing endpoint

    Low overridden

    Suspicious msiexec execution of an arbitrary file from the web on an internet-facing server. overridden

  • Unusual Lolbins Process Spawned by InstallUtil.exe Low

    An unusual process was spawned by InstallUtil.exe, possibly indicating malicious local or remote code execution.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: InstallUtil (T1218.004)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.