Analytics Alerts
Browse the Cortex analytics alert reference.
4 alerts match the current filters. tactic: TA0005 ✕ technique: T1497 ✕
Show ATT&CK heatmapPing to localhost from an uncommon, unsigned parent process Informational
Ping is often used by malware and attackers to delay the execution of suspicious commands in sandbox environments.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Virtualization/Sandbox Evasion (T1497)Required data: XDR AgentAttacker's goals: Use ping as an easy way to wait to try and evade detection between executions.Investigative actions: Validate if the executing process is malicious.Security tools detection attempt Informational
A script has executed commands that can be used to detect security tools.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Discovery (TA0007)ATT&CK techniques: Virtualization/Sandbox Evasion (T1497) Virtualization/Sandbox Evasion: System Checks (T1497.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Avoid detection by identifying execution alongside security tools that may alert on a malicious script.Investigative actions: Review the script for additional malicious actions. Check for any additional alerts raised within the same context of the script.VM Detection attempt Informational
A script has executed commands that can be used to detect VM environments.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Discovery (TA0007)ATT&CK techniques: Virtualization/Sandbox Evasion: System Checks (T1497.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Avoid malware analysis by identifying execution from within sandboxes and virtual machines.Investigative actions: Review the script for additional malicious actions. Check for any additional alerts raised within the same context of the script.VM Detection attempt on Linux Informational 2 variations
A Process executed a command and/or accessed a file that can be used to detect VM environments.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Discovery (TA0007)ATT&CK techniques: Virtualization/Sandbox Evasion: System Checks (T1497.001)Required data: XDR AgentAttacker's goals: Avoid malware analysis by identifying execution from within sandboxes and virtual machines.Investigative actions: Review the process for additional malicious actions. Check for any additional alerts raised within the same context of the script.Variations
VM Detection attempt on Linux with further reconnaissance commands
Medium overridden
A Process executed a command and/or accessed a file that can be used to detect VM environments. overridden
VM Detection attempt on Linux using an unpopular technique
Low overridden
A Process executed a command and/or accessed a file that can be used to detect VM environments. overridden