Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

9 alerts match the current filters. technique: T1027 ✕

Show ATT&CK heatmap
  • A process was executed with a command line obfuscated by Unicode character substitution Medium

    A process was executed with a command line obfuscated by Unicode character substitution.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Obfuscated Files or Information (T1027)
    Required data: XDR Agent
    Attacker's goals: Hide its action and avoid detection.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Encoded information using Windows certificate management tool Medium

    Encoding/decoding to/from using certutil.exe could be used to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Obfuscated Files or Information: Encrypted/Encoded File (T1027.013) Deobfuscate/Decode Files or Information (T1140)
    Required data: XDR Agent
    Attacker's goals: Evade detection by executing processes with obfuscated arguments.
    Investigative actions: Check encoded/decoded command content and see whether it is benign or malicious.
  • Globally uncommon high entropy module was loaded Informational 1 variation

    A module with high entropy and a globally uncommon hash was loaded.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Obfuscated Files or Information (T1027)
    Required data: XDR Agent
    Attacker's goals: Adversaries may attempt to make an executable difficult to discover or analyze by compressing, encrypting, encoding, or otherwise obfuscating its contents.
    Investigative actions: Check if the module is either compressed, encrypted, obfuscated or packed.

    Variations

    Globally uncommon high entropy module was loaded by process which was executed by a scheduled task

    Low overridden

    A module with high entropy and a globally uncommon hash was loaded. overridden

  • Globally uncommon high entropy process was executed Informational 4 variations

    A process with high entropy and a globally uncommon hash was executed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Obfuscated Files or Information (T1027)
    Required data: XDR Agent
    Attacker's goals: Adversaries may attempt to make an executable difficult to discover or analyze by compressing, encrypting, encoding, or otherwise obfuscating its contents.
    Investigative actions: Check if the process' file is either compressed, encrypted, obfuscated or packed.

    Variations

    Globally uncommon high entropy process was executed by an untrusted CGO

    Low overridden

    A process with high entropy and a globally uncommon hash was executed by an untrusted CGO. overridden

    Globally uncommon high entropy process was executed by a web server process or CGO

    Low overridden

    A process with high entropy and a globally uncommon hash was executed by a web server process or CGO. overridden

    Globally uncommon high entropy process was extracted from an internet-downloaded archive and executed

    Low overridden

    A process with high entropy and a globally uncommon hash was extracted from an internet-downloaded archive and executed. overridden

    Globally uncommon high entropy process was downloaded from an uncommon source and executed

    Low overridden

    A process with high entropy and a globally uncommon hash was downloaded from an uncommon source and executed. overridden

  • Possible binary padding using dd Informational

    A suspicious dd command ran and added data to a binary. This may indicate binary padding to change the hash of a file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Obfuscated Files or Information: Binary Padding (T1027.001)
    Required data: XDR Agent
    Attacker's goals: An adversary may use binary padding to avoid hash-based blacklists and static antivirus signatures.
    Investigative actions: Check the padded file and try to understand the impact of padding this specific binary.
  • Possible malicious .NET compilation started by a commonly abused process Medium

    Attackers may use csc.exe to compile payloads on a compromised machine.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Obfuscated Files or Information: Compile After Delivery (T1027.004)
    Required data: XDR Agent
    Attacker's goals: Compile payloads on the host to evade detection.
    Investigative actions: Investigate the payload being compiled. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Suspicious data encryption Low

    Known applications were used to encrypt data within a machine's local file system.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Encrypted for Impact (T1486) Obfuscated Files or Information: Encrypted/Encoded File (T1027.013)
    Required data: XDR Agent
    Attacker's goals: Damage or hide data on the local file system.
    Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.
  • Unicode RTL Override Character High

    An attacker may use a special right-to-left (RTL) override character to trick users into executing malicious files that look like benign file types.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Obfuscated Files or Information (T1027)
    Required data: XDR Agent
    Attacker's goals: Trick users into executing malicious files by making their file types seem benign.
    Investigative actions: Investigate the executed process. There is no reason for benign files to contain the Unicode right-to-left override character in their name.
  • Unusual use of a 'SysInternals' tool Informational 3 variations

    An attacker may be trying to avoid detection by using an obfuscated copy of SysInternals tools.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Obfuscated Files or Information (T1027)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers may leverage SysInternals tools for lateral movement, credential access, or to delete recovery backups to cause impact.
    Investigative actions: Check if the file is familiar to the user, if not, investigate further the source of it.

    Variations

    Unusual use of a 'SysInternals' tool by a process with an invalid or non-standard signature

    High overridden

    An attacker may be trying to avoid detection by using an obfuscated copy of SysInternals tools. overridden

    Unusual use of a 'SysInternals' tool that can be used for offensive operations

    High overridden

    An attacker may be trying to avoid detection by using an obfuscated copy of SysInternals tools. overridden

    A registry key related to SysInternals was modified by a known registry editor

    Informational overridden

    A registry key related to SysInternals was modified by a known registry editor to circumvent a EULA prompt. overridden