Analytics Alerts
Browse the Cortex analytics alert reference.
2 alerts match the current filters. tactic: TA0008 ✕ technique: T1059 ✕
Show ATT&CK heatmapUncommon Linux remote shell command execution Informational 15 variations
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Lateral Movement (TA0008)ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004) Command and Scripting Interpreter (T1059) Remote Services (T1021)Required data: XDR AgentDetector tags: Shell AnalyticsAttacker's goals: An attacker may attempt to execute a malicious shell command on the system.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the executed shell command (and possible child processes) for malicious actions.Variations
Uncommon Linux remote shell command execution, possibly running LinPEAS
High overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution using an exploitation tool
High overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution executing a reverse interactive shell
Medium overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution downloading a shell script
Medium overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution disabling firewall
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution taking a screenshot
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution possibly running from an XZ backdoor
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution running as root
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution setting a scheduled task
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution running a process kill command
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution loading a kernel module
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution via non-SSH or SSH on a non-standard port
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution running a network tool
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution trying to gather information about the system
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution, possibly granting file execution permissions
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Wsmprovhost.exe Rare Child Process Low
The PowerShell host wsmprovhost.exe is a proxy process executed remotely through PowerShell when using Windows Remote Management (WinRM). It has executed a rare child process, which may indicate remote code execution abuse by an attacker.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services: Windows Remote Management (T1021.006) Command and Scripting Interpreter: PowerShell (T1059.001)Required data: XDR AgentAttacker's goals: Gain code execution on a remote host.Investigative actions: Investigate the processes being spawned from Wsmprovhost.exe on the host for malicious indicators. Correlate the initiator process (most likely PowerShell) to the source host and investigate it.