Analytics Alerts
Browse the Cortex analytics alert reference.
24 alerts match the current filters. technique: T1036 ✕
Show ATT&CK heatmapA Kubernetes namespace was created or deleted Informational Cloud
A Kubernetes namespace was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Manipulating namespace name to make it appear legitimate or benign.Investigative actions: Check which changes were made to the Kubernetes namespace.A LOLBIN was copied to a different location Informational 2 variations
To evade detection, attackers may copy a LOLBIN executable to a different location.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading: Rename Legitimate Utilities (T1036.003)Required data: XDR AgentAttacker's goals: Command execution via lolbins and detection avoidance via file rename.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the destination path of the lolbin and try to see if it's benign.Variations
A LOLBIN was copied to a different location using a rare command line
High overridden
To evade detection, attackers may copy a LOLBIN executable to a different location. overridden
A LOLBIN was copied to a different location using a rare command line via a commonly used method
Low overridden
To evade detection, attackers may copy a LOLBIN executable to a different location. overridden
A process is masquerading as a common Microsoft product Informational 5 variations
An attacker might leverage common Microsoft software image names to run malicious processes without being caught.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036)Required data: XDR AgentDetector tags: EDR Windows Disguised ProcessesAttacker's goals: An attacker is attempting to masquerade as a Microsoft software image to execute malicious code.Investigative actions: Investigate the executed process image and check if it is malicious. Investigate the actor process that executed the process and check if it is malicious.Variations
An unsigned actor executed masqueraded process which was downloaded from unexpected source
High overridden
An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden
An unsigned and rare actor executing masqueraded process with uncommon characteristics
High overridden
An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden
A process that was executed by remote causality actor is masquerading as a common Microsoft product
Medium overridden
An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden
A process is masquerading as a common Microsoft Lolbin
Low overridden
An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden
A process running from a commonly abused directory is masquerading as a common Microsoft product
Low overridden
An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden
A suspicious executable with multiple file extensions was created Medium
An executable file with multiple extensions was created. This technique is frequently used to disguise malware as user content.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)ATT&CK techniques: User Execution: Malicious File (T1204.002) Masquerading: Double File Extension (T1036.007)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Bypassing defenses and/or tricking the user into executing a file that seems like a trustworthy file.Investigative actions: Investigate the actor process and the file created to determine if it was used for legitimate purposes or malicious activity.A third-party utility was copied to a different location Informational
To evade detection, attackers may copy a third-party utility executable to a different location.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading: Rename Legitimate Utilities (T1036.003)Required data: XDR AgentDetector tags: EDR Windows Disguised ProcessesAttacker's goals: Detection avoidance via file rename.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the destination path of the third-party utility and try to see if it's benign.Common third-party software name masquerading Informational 2 variations
An attacker might leverage common third-party software image names to run malicious processes without being caught.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036)Required data: XDR AgentDetector tags: EDR Windows Disguised ProcessesAttacker's goals: An attacker is attempting to masquerade as a common third-party software image to execute malicious code.Investigative actions: Investigate the executed process image and check if it is malicious. Investigate the actor process that executed the process and check if it is malicious.Variations
Common third-party software name masquerading which was downloaded from an unexpected source
Low overridden
An attacker might leverage common third-party software image names to run malicious processes without being caught. overridden
Common third-party software name masquerading with uncommon characteristics by actor with uncommon characteristics
Low overridden
An attacker might leverage common third-party software image names to run malicious processes without being caught. overridden
Email attachment with Right-to-Left Override Unicode character Low Email
The email message contains an attachment with a hidden Right-to-Left Override Unicode character.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)ATT&CK techniques: Masquerading: Masquerade File Type (T1036.008) User Execution (T1204)Required data: Microsoft 365 EmailsDetector tags: EvasionAttacker's goals: Bypass security filters and deliver malicious content to users Mislead recipients into opening a malicious file by obscuring its true nature Deploy malicious attachments through emails to compromise systems, gain unauthorized access, or facilitate cyber threats.Investigative actions: Carefully analyze attachments for any indications of suspicious or malicious behavior. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them.Email attachment with multiple extensions Informational Email 2 variations
This may indicate an attempt at masquerading the true file type through the misuse of multiple extensions in the attachment name.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)ATT&CK techniques: User Execution: Malicious File (T1204.002) Masquerading: Double File Extension (T1036.007)Required data: Microsoft 365 EmailsAttacker's goals: Deploy malicious attachments through emails to compromise systems or gain unauthorized access.Investigative actions: Check the file types and investigate the legitimacy of files intended to be sent via email. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them. Check the email address for any unusual spellings or missing letters. Verify the sender's address to confirm its legitimacy. Check for previous emails from the sender's address.Variations
Email executable attachment with multiple extensions
Low overridden
This could be a potential attempt to trick the user into executing such file(s). overridden
Email executable attachment with multiple executable extensions
Low overridden
This could be a potential attempt to trick the user into executing such file(s). overridden
Email attachment(s) with potentially malicious MIME type Informational Email 2 variations
The email message contains an attachment(s) with a potentially malicious MIME type.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)ATT&CK techniques: Masquerading: Masquerade File Type (T1036.008) User Execution (T1204)Required data: Microsoft 365 EmailsAttacker's goals: Deploy malicious attachments through emails to compromise systems, gain unauthorized access, or facilitate cyber threats.Investigative actions: Carefully analyze attachments for any indications of suspicious or malicious behavior. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them.Variations
Attachment(s) with potentially malicious MIME type unusual for the organization
Informational overridden
At least one attachment with a potentially malicious file mime-type was received in an email for the first time within the organization in the past 30 days. overridden
Attachment(s) with a potentially malicious MIME type that is unusual for the recipient
Informational overridden
At least one attachment with a potentially malicious file mime-type was received in an email for the first time for the recipient in the past 30 days. overridden
Email containing a link with an IP address convention was detected Informational Email
A link with IP address convention was detected within the email body.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)ATT&CK techniques: Masquerading (T1036) User Execution (T1204)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: Trick the user into clicking the link, while avoiding detection.Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Executable moved to Windows system folder Informational 4 variations
An attacker may be trying to avoid detection by moving an executable to a Windows system folder.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036)Required data: XDR AgentDetector tags: EDR Windows Disguised ProcessesAttacker's goals: An attacker may be trying to avoid detection by moving an executable to a Windows system folder.Investigative actions: Check if the file is known in organization or malicious. Check if the digital signature of the file is valid and belongs to a known good software vendor. Investigate the process that has moved the file to the system folder.Variations
Rare executable moved to Windows system folder by rare causality actor
Medium overridden
An attacker may be trying to avoid detection by moving an executable to a Windows system folder. overridden
Executable moved to Windows system folder by remote causality and a rare actor
Medium overridden
An attacker may be trying to avoid detection by moving an executable to a Windows system folder. overridden
Rare executable moved to Windows system folder by rare actor
Low overridden
An attacker may be trying to avoid detection by moving an executable to a Windows system folder. overridden
Executable moved to Windows system folder by rare and unsigned actor
Low overridden
An attacker may be trying to avoid detection by moving an executable to a Windows system folder. overridden
Execution of masqueraded third-party utility Informational 2 variations
An attacker may be trying to avoid detection of third-party utility execution by renaming it.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036) Masquerading: Rename Legitimate Utilities (T1036.003)Required data: XDR AgentDetector tags: EDR Windows Disguised ProcessesAttacker's goals: Detection avoidance via file masquerading.Investigative actions: Check the process origin or whether it comes with any packages the user has used.Variations
Execution of masqueraded third-party automation utility
Medium overridden
An attacker may be trying to avoid detection of third-party utility execution by renaming it. overridden
Execution of significantly masqueraded third-party utility
Low overridden
An attacker may be trying to avoid detection of third-party utility execution by renaming it. overridden
Execution of renamed lolbin Informational 1 variation
An attacker may be trying to avoid detection of lolbin's execution using a renamed lolbin.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036) Masquerading: Rename Legitimate Utilities (T1036.003)Required data: XDR AgentDetector tags: EDR Windows Disguised ProcessesAttacker's goals: Detection avoidance via file rename.Investigative actions: Check the lolbin's origin or whether it comes with any packages the user has used.Variations
Execution of significantly renamed lolbin
Medium overridden
An attacker may be trying to avoid detection of lolbin's execution using a renamed lolbin. overridden
Masquerading as a default local account Low Identity Analytics 3 variations
A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Hide Artifacts: Hidden Users (T1564.002) Valid Accounts: Default Accounts (T1078.001) Masquerading (T1036)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker is attempting to evade detection.Investigative actions: Check what rights and permissions were granted to the new user. Verify the action with the user who created the new account. Follow actions and activities of the newly created default account. Monitor the addition of the user to different groups.Variations
Masquerading as a default local account for the first time
Medium overridden
A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection. overridden
Potential masquerading as a power user account
Low overridden
A user created a new local account with the name of a privileged local account.This user does not regularly create accounts.An attacker may create a user with these known names to evade detection. overridden
Masquerading as a default Administrator account
Informational overridden
A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection. overridden
Masquerading as the Linux crond process Low 1 variation
Copies a file and renames it as crond.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading: Masquerade Task or Service (T1036.004)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may masquerade as the crond executable.Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.Variations
Masquerading as the Linux crond process from a Kubernetes pod
Low overridden
Copies a file and renames it as crond. overridden
Punycode characters detected in URL(s) Informational Email
Punycode character(s) detected within URL(s) in email content.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)ATT&CK techniques: Masquerading (T1036) User Execution (T1204)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: Cause a different URL to be presented to the user as a legitimate URL, prompting user engagement.Investigative actions: Examine the sender's IP address and reputation. Check the email address and content for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Rare service DLL was added to the registry Low 2 variations
A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Masquerading: Masquerade Task or Service (T1036.004) Create or Modify System Process: Windows Service (T1543.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Malicious Service AnalyticsAttacker's goals: Masquerade execution on the host using a benign Windows process and achieve persistence.Investigative actions: Investigate the suspicious DLL and check for malicious content. Go to the service registry key and investigate it to find the associated executable that runs the service. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Rare service DLL was added to the registry from an injected thread
Medium overridden
A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware. overridden
Rare service DLL was added to the registry from a rare unsigned actor process
High overridden
A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware. overridden
Space after filename Informational
A file was created or renamed to have a space at the end of its name.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading: Space after Filename (T1036.006)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers may try to change the extension of the file to evade detection.Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.Suspicious Process Spawned by wininit.exe Medium
An unusual process was spawned by wininit.exe, possibly indicating malicious local or remote code execution.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036)Required data: XDR AgentAttacker's goals: Gain code execution on the host.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Suspicious Unicode character detected in email Informational Email 3 variations
Unicode characters can be used for obfuscation, allowing malicious actors to disguise harmful intent, URLs or attachments By embedding non-printing Unicode characters, attackers can bypass security filters and evade detection mechanisms Such characters may also be used for phishing attempts that appear legitimate to both users and security systems.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036) Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: Evasion, PhishingAttacker's goals: Embedding suspicious Unicode characters in the email to appear legitimate, evade security filters and bypass detection mechanisms.Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Phishing terms obfuscation using Unicode characters detected in email
Low overridden
Unicode characters can be used for obfuscation, allowing malicious actors to disguise harmful intent, URLs or attachments By embedding non-printing Unicode characters, attackers can bypass security filters and evade detection mechanisms Such characters may also be used for phishing attempts that appear legitimate to both users and security systems. overridden
Words obfuscation using Unicode characters detected in email
Informational overridden
Unicode characters can be used for obfuscation, allowing malicious actors to disguise harmful intent, URLs or attachments By embedding non-printing Unicode characters, attackers can bypass security filters and evade detection mechanisms Such characters may also be used for phishing attempts that appear legitimate to both users and security systems. overridden
Multiple suspicious Unicode characters detected in email
Informational overridden
Unicode characters can be used for obfuscation, allowing malicious actors to disguise harmful intent, URLs or attachments By embedding non-printing Unicode characters, attackers can bypass security filters and evade detection mechanisms Such characters may also be used for phishing attempts that appear legitimate to both users and security systems. overridden
Suspicious process accessed a site masquerading as Google Informational 1 variation
A suspicious process accessed a site masquerading as Google.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Defense Evasion (TA0005)ATT&CK techniques: Web Service: Bidirectional Communication (T1102.002) Masquerading (T1036)Required data: XDR AgentAttacker's goals: Masquerade legitimate looking Google services for defense evasion and C&C.Investigative actions: See whether this site has a malicious reputation. Follow process activities. Monitor traffic to the site.Variations
Suspicious process resolved the DNS name of a site masquerading as Google
Informational overridden
A suspicious process resolved the DNS name of a site masquerading as Google. overridden
Svchost.exe loads a rare unsigned module Low
Svchost.exe loads a rare unsigned module, which can indicate an attacker's malicious service execution.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Masquerading: Masquerade Task or Service (T1036.004) Create or Modify System Process: Windows Service (T1543.003)Required data: XDR AgentDetector tags: Malicious Service AnalyticsAttacker's goals: Evading detections by running code from a signed Microsoft executable.Investigative actions: Check whether the loaded module with the corresponding hash is benign and if this was a desired behavior as part of its normal execution flow. Go to the 'Services' registry key and investigate its sub keys to find the service associated with the loaded dll.Usage of homograph characters detected in an email Informational Email
Detected characters resembling Latin letters within an email's subject and/or body.This could indicate an attempt to impersonate a well-known brand or impersonate someone's identity.This could also be used as a method to evade text scanners and analyzers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impersonation (T1656) Masquerading (T1036)Required data: Microsoft 365 EmailsDetector tags: EvasionAttacker's goals: Impersonate known legitimate brands or evade defenses, tricking recipients into clicking on malicious links or attachments.Investigative actions: Check the characters in the email address for any characters that might look slightly different. Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. Check the domain the email came from, and if this domain is recognized within the organization. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Usage of homograph characters detected in an email's from header Informational Email
Detected characters resembling Latin letters within an email's From header.This could indicate an attempt to impersonate a well-known brand or impersonate someone's identity.This could also be used as a method to evade text scanners and analyzers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036) Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: EvasionAttacker's goals: Impersonate known legitimate brands or evade defenses, tricking recipients into clicking on malicious links or attachments.Investigative actions: Check the characters in the email address for any characters that might look slightly different. Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. Check the domain the email came from, and if this domain is recognized within the organization. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.