Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

2 alerts match the current filters. tactic: TA0008 ✕ technique: T1047 ✕

Show ATT&CK heatmap
  • DSC (Desired State Configuration) lateral movement using PowerShell Informational 3 variations

    An attacker is using the DSC feature with PowerShell to remotely modify / execute content / components on the machine.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Windows Management Instrumentation (T1047) Remote Services: Windows Remote Management (T1021.006)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Execute malicious content on and move laterally across machine in the network.
    Investigative actions: Search for suspicious WinRM sessions and the user created them, can be found at Event ID: 4102. Additionally, search for the DSC resource executed and related IOC, can be found at Event IDs: 400 or 4104.

    Variations

    DSC (Desired State Configuration) lateral movement using PowerShell to execute a script

    High overridden

    An attacker may use the DSC feature with PowerShell to execute script remotely on a machine. overridden

    DSC (Desired State Configuration) lateral movement using PowerShell to execute a new service

    Medium overridden

    An attacker may use the DSC feature with PowerShell to create and execute a service on the host. overridden

    DSC (Desired State Configuration) lateral movement using PowerShell to modify the registry

    Medium overridden

    An attacker may use the DSC feature with PowerShell to create/modify/dump registry keys/values. overridden

  • WmiPrvSe.exe Rare Child Command Line Low 1 variation

    A remote WMI command executed a binary proxy, the Windows Management Instrumentation (WMI) Provider Host wmiprvse.exe, which executed a rare child command line. Executing a rare child process can be an indication of remote code execution abuse by an attacker.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services (T1021) Remote Services: Windows Remote Management (T1021.006) Windows Management Instrumentation (T1047)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on a remote host.
    Investigative actions: Investigate the processes being spawned from WmiPrvse.exe on the host for malicious indicators. Correlate the RPC call from the source host and understand what initiated it.

    Variations

    WmiPrvSe.exe Rare Child Command Line

    Medium overridden

    A remote WMI command executed a binary proxy, the Windows Management Instrumentation (WMI) Provider Host wmiprvse.exe, which executed a rare child command line. Executing a rare child process can be an indication of remote code execution abuse by an attacker. overridden