Analytics Alerts
Browse the Cortex analytics alert reference.
3 alerts match the current filters. tactic: TA0011 ✕ technique: T1105 ✕
Show ATT&CK heatmapFile transfer from unusual IP using known tools Informational 1 variation
An adversary might use known tools to transfer tools/payloads into the compromised machine.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Ingress Tool Transfer (T1105)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Expand attack vectors and compromise the rest of the network.Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.Variations
File transfer from unusual IP using known tools in a Kubernetes pod
Low overridden
An adversary might use known tools to transfer tools/payloads into the compromised machine. overridden
MpCmdRun.exe was used to download files into the system Low
Attackers might be using legitimate Windows Defender executables to download malicious code onto the system.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Ingress Tool Transfer (T1105)Required data: XDR AgentAttacker's goals: Download malicious tools onto the host for more activities.Investigative actions: Check if the downloaded file is malicious. Verify if the process executing the command is malicious. Check for more suspicious actions done by the user and process.Suspicious certutil command line Medium
An attacker may use certutil to download malware.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution (T1218) Ingress Tool Transfer (T1105)Required data: XDR AgentAttacker's goals: An attacker may use certutil to download malware.Investigative actions: Check whether the URL is benign and if this was a desired behavior as part of its normal execution flow. Check whether the downloaded file is malicious.