Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

4 alerts match the current filters. tactic: TA0011 ✕ technique: T1218 ✕

Show ATT&CK heatmap
  • Globally uncommon IP address connection from a signed process Informational 3 variations

    A signed process connected to an external IP address that, on a global level, it usually doesn't connect to.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.
    Investigative actions: Verify the destination IP address reputation. Check whether the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Verify whether the process execution and connections are legitimate.

    Variations

    Globally uncommon IP address connection from an injected thread in a signed process

    Medium overridden

    An injected thread in a signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon IP address connection from a signed process from a known vendor

    Medium overridden

    A signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon and very rare IP address connection from a signed process

    Low overridden

    A signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

  • Globally uncommon root domain from a signed process Low 4 variations

    A signed process connected to an external domain that, on a global level, it usually doesn't connect to.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.
    Investigative actions: Check the destination domain reputation. Check if the actor process loaded a suspicious dll before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon root domain from an injected thread in a signed process

    High overridden

    An injected thread in a signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root domain from a signed process

    High overridden

    A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root domain from a signed process

    High overridden

    A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root domain from a signed process

    Medium overridden

    A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden

  • Globally uncommon root-domain port combination from a signed process Low 4 variations

    A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.
    Investigative actions: Check the destination domain reputation. Check if the actor process loaded a suspicious dll before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon root-domain port combination from an injected thread in a signed process

    High overridden

    An injected thread in a signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root-domain port combination from a signed process

    High overridden

    A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root-domain port combination from a signed process

    High overridden

    A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root-domain port combination from a signed process

    Medium overridden

    A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden

  • Suspicious certutil command line Medium

    An attacker may use certutil to download malware.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Ingress Tool Transfer (T1105)
    Required data: XDR Agent
    Attacker's goals: An attacker may use certutil to download malware.
    Investigative actions: Check whether the URL is benign and if this was a desired behavior as part of its normal execution flow. Check whether the downloaded file is malicious.