Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1 alert match the current filters. technique: T1037 ✕

Show ATT&CK heatmap
  • Suspicious process modified RC script file Low 1 variation

    A suspicious process modified an RC script file. These files allow system administrators to map and start custom services at startup for different run levels. This may be done to establish persistence.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Boot or Logon Initialization Scripts: RC Scripts (T1037.004)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system's startup.
    Investigative actions: Check the modified RC script file and try to understand the impact of the file modification.

    Variations

    Suspicious process modified RC script file in a Kubernetes pod

    Low overridden

    A suspicious process modified an RC script file. These files allow system administrators to map and start custom services at startup for different run levels. This may be done to establish persistence. overridden