Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

3 alerts match the current filters. tactic: TA0011 ✕ technique: T1105 ✕

Show ATT&CK heatmap
  • File transfer from unusual IP using known tools Informational 1 variation

    An adversary might use known tools to transfer tools/payloads into the compromised machine.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Ingress Tool Transfer (T1105)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Expand attack vectors and compromise the rest of the network.
    Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.

    Variations

    File transfer from unusual IP using known tools in a Kubernetes pod

    Low overridden

    An adversary might use known tools to transfer tools/payloads into the compromised machine. overridden

  • MpCmdRun.exe was used to download files into the system Low

    Attackers might be using legitimate Windows Defender executables to download malicious code onto the system.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Ingress Tool Transfer (T1105)
    Required data: XDR Agent
    Attacker's goals: Download malicious tools onto the host for more activities.
    Investigative actions: Check if the downloaded file is malicious. Verify if the process executing the command is malicious. Check for more suspicious actions done by the user and process.
  • Suspicious certutil command line Medium

    An attacker may use certutil to download malware.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Ingress Tool Transfer (T1105)
    Required data: XDR Agent
    Attacker's goals: An attacker may use certutil to download malware.
    Investigative actions: Check whether the URL is benign and if this was a desired behavior as part of its normal execution flow. Check whether the downloaded file is malicious.