Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

4 alerts match the current filters. tactic: TA0005 ✕ technique: T1497 ✕

Show ATT&CK heatmap
  • Ping to localhost from an uncommon, unsigned parent process Informational

    Ping is often used by malware and attackers to delay the execution of suspicious commands in sandbox environments.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Virtualization/Sandbox Evasion (T1497)
    Required data: XDR Agent
    Attacker's goals: Use ping as an easy way to wait to try and evade detection between executions.
    Investigative actions: Validate if the executing process is malicious.
  • Security tools detection attempt Informational

    A script has executed commands that can be used to detect security tools.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Discovery (TA0007)
    ATT&CK techniques: Virtualization/Sandbox Evasion (T1497) Virtualization/Sandbox Evasion: System Checks (T1497.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Avoid detection by identifying execution alongside security tools that may alert on a malicious script.
    Investigative actions: Review the script for additional malicious actions. Check for any additional alerts raised within the same context of the script.
  • VM Detection attempt Informational

    A script has executed commands that can be used to detect VM environments.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Discovery (TA0007)
    ATT&CK techniques: Virtualization/Sandbox Evasion: System Checks (T1497.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Avoid malware analysis by identifying execution from within sandboxes and virtual machines.
    Investigative actions: Review the script for additional malicious actions. Check for any additional alerts raised within the same context of the script.
  • VM Detection attempt on Linux Informational 2 variations

    A Process executed a command and/or accessed a file that can be used to detect VM environments.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Discovery (TA0007)
    ATT&CK techniques: Virtualization/Sandbox Evasion: System Checks (T1497.001)
    Required data: XDR Agent
    Attacker's goals: Avoid malware analysis by identifying execution from within sandboxes and virtual machines.
    Investigative actions: Review the process for additional malicious actions. Check for any additional alerts raised within the same context of the script.

    Variations

    VM Detection attempt on Linux with further reconnaissance commands

    Medium overridden

    A Process executed a command and/or accessed a file that can be used to detect VM environments. overridden

    VM Detection attempt on Linux using an unpopular technique

    Low overridden

    A Process executed a command and/or accessed a file that can be used to detect VM environments. overridden