Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

18 alerts match the current filters. technique: T1053 ✕

Show ATT&CK heatmap
  • A Kubernetes Cronjob was created Informational Cloud

    A Kubernetes CronJob was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job: Container Orchestration Job (T1053.007)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Maintain persistence by scheduling deployment of containers configured to execute malicious code.
    Investigative actions: Check which changes were made to the Kubernetes CronJob.
  • An AWS Lambda Function was created Informational Cloud

    An AWS Lambda Function was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Serverless Execution (T1648) Scheduled Task/Job: Scheduled Task (T1053.005)
    Required data: AWS Audit Log
    Attacker's goals: Execute malicious code on AWS using Lambda functions. Maintain persistence on AWS Lambda by creating or invoking Lambda functions.
    Investigative actions: Identify the Lambda function that was created and analyze its code for any malicious activity.
  • An uncommon lolbin execution by scheduled task Informational 2 variations

    A lolbin was executed with uncommon commandline by a scheduled task.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: Attackers may attempt to gain persistence, privilege escalation or proxy execution on the endpoint using scheduled tasks.
    Investigative actions: Review the lolbin's command line executed by the schedule task. Investigate the specific scheduled task execution chain. Investigate how the scheduled task was created and the actor who created it.

    Variations

    An uncommon lolbin execution by scheduled task on a sensitive server

    Informational overridden

    A lolbin was executed with uncommon commandline by a scheduled task. overridden

    A rare and commonly-abused lolbin execution by scheduled task

    Informational overridden

    A commonly abused lolbin was executed with uncommon commandline by a scheduled task. overridden

  • An unsigned process created scheduled task and performed an injection Medium 1 variation

    An unsigned process created scheduled task and performed an injection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    4 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005)
    ATT&CK techniques: Scheduled Task/Job: Scheduled Task (T1053.005) Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: To ensure they have persistence on the system, the threat actor may use scheduled tasks to set persistence, Then, to avoid detection and carry out stealth execution, they may inject a malicious payload into a remote process.
    Investigative actions: Investigate the injection payload and the injection process. Check if the scheduled task trigger payload is malicious.

    Variations

    Possible an unsigned installer created scheduled task and performed an injection

    Low overridden

    Possible an unsigned installer created scheduled task and performed an injection. overridden

  • Interactive at.exe privilege escalation method Low

    Detects an interactive AT scheduled task, which may be used as a form of privilege escalation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)
    ATT&CK techniques: Scheduled Task/Job (T1053) Scheduled Task/Job: At (T1053.002)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: Attackers may attempt to use the command to gain persistence on the endpoint using recurring tasks.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Rare Scheduled Task RPC activity Informational 3 variations

    The endpoint performed abnormal Scheduled Task RPC activity to a remote host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Persistence (TA0003)
    ATT&CK techniques: Remote Services (T1021) Scheduled Task/Job (T1053)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using scheduled tasks. The ITaskSchedulerService RPC interface is used to query and manage services on a local or remote host.
    Investigative actions: Review the action of the created scheduled task on the remote host. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.

    Variations

    Rare remote task registration and creation via Scheduled Task RPC interface

    Medium overridden

    The endpoint performed abnormal task registration and creation via Scheduled Task RPC interface to a remote host. overridden

    Rare remote task creation via Scheduled Task RPC interface

    Medium overridden

    The endpoint performed abnormal task registration or creation via Scheduled Task RPC interface to a remote host. overridden

    Rare Scheduled Task RPC activity

    Low overridden

    The endpoint performed abnormal Scheduled Task RPC activity to a remote host. overridden

  • Rare Scheduled Task RPC activity from a rarely seen host Low

    The endpoint performed abnormal Scheduled Task RPC activity to a remote host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Persistence (TA0003)
    ATT&CK techniques: Remote Services (T1021) Scheduled Task/Job (T1053)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: NDR Lateral Movement Analytics, NDR Unmanaged Subnet Analytics
    Attacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using scheduled tasks. The ITaskSchedulerService RPC interface is used to create and manage scheduled tasks on a local or remote host.
    Investigative actions: Review the action of the created scheduled task on the remote host. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.
  • Rare scheduled task created Informational 4 variations

    A new rare scheduled task was created with a rare path and a rare command line.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Impacket Analytics, Scheduled tasks Analytics
    Attacker's goals: Attackers may attempt to gain persistence on the endpoint using scheduled task.
    Investigative actions: Review the action of the created scheduled task. Investigate the execution chain of the process creating the scheduled task.

    Variations

    Rare scheduled task created by an injected actor

    High overridden

    A new rare scheduled task was created by an injected actor with a rare path and a rare command line. overridden

    Uncommon remote scheduled task created

    Medium overridden

    A new uncommon remote scheduled task was created with a rare path and a rare command line. overridden

    Uncommon local scheduled task created

    Low overridden

    A new uncommon local scheduled task was created with a rare path and a rare command line. overridden

    Highly rare scheduled task created

    Low overridden

    A new rare scheduled task was created with an highly rare path and a rare command line. overridden

  • Rare unsigned process execution by scheduled task Low 3 variations

    Rare and unsigned process was executed by a scheduled task.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: Attackers may attempt to gain persistence on the endpoint using scheduled tasks.
    Investigative actions: Review the process executed by the schedule task. Investigate the specific scheduled task execution chain.

    Variations

    Uncommon unsigned process execution by scheduled task

    Informational overridden

    Uncommon and unsigned process was executed by a scheduled task. overridden

    Rare unsigned process execution with high integrity level by scheduled task

    Medium overridden

    Rare and unsigned process was execution with high integrity level by a scheduled task. overridden

    Rare unsigned process execution by scheduled task on a sensitive server

    Medium overridden

    Rare and unsigned process was executed by a scheduled task. overridden

  • Signed process creates a scheduled task via file access Informational 1 variation

    A signed process created a scheduled task via file access. Attackers may create scheduled tasks for execution and to establish persistence.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: An attacker may gain persistence and execute malicious tools via scheduled tasks.
    Investigative actions: Check the created task file and look for the action triggered by the task.

    Variations

    Signed process running from an untrusted directory creates a scheduled task via file access

    Low overridden

    A signed process created a scheduled task via file access. Attackers may create scheduled tasks for execution and to establish persistence. overridden

  • Suspicious container orchestration job Low

    A suspicious orchestration job ran with a rare command line.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    10 Minutes
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Scheduled Task/Job: Container Orchestration Job (T1053.007)
    Required data: XDR Agent
    Attacker's goals: Adversaries may abuse task scheduling functionality provided by container orchestration tools The adversaries do that to schedule deployment of containers configured to execute malicious code.
    Investigative actions: Investigate The process activities and impact on the relevant container.
  • Suspicious systemd timer activity Low

    Suspicious systemd timer activity, which may indicate an attempt to establish persistence.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Scheduled Task/Job: Systemd Timers (T1053.006)
    Required data: XDR Agent
    Attacker's goals: An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.
    Investigative actions: Check the systemd timer file change and try to understand the impact of the systemd timers change.
  • Uncommon AT task-job creation by user Low 2 variations

    An unpopular AT task-job was created by a user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job: At (T1053.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers may use at task-jobs for persistence or executing malicious files.
    Investigative actions: Check the AT job task for suspicious activity.

    Variations

    Uncommon AT task-job creation by user from a web server process

    Medium overridden

    A web process used the AT command to create a new AT task-job. overridden

    Uncommon AT task-job creation by user from unpopular process

    Low overridden

    An unpopular process created an AT task-job on the host, which is not popular in the organization. overridden

  • Uncommon PowerShell commands used to create or alter scheduled task parameters Low

    Attackers may create or alter scheduled task parameters to gain higher privileges or persistence on the system.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job: Scheduled Task (T1053.005)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Create a new scheduled task or alter an existing one to gain persistence in the system or to gain higher privileges.
    Investigative actions: Examine the PowerShell command to identify suspicious scheduled task creation or modification. Inspect the system for suspicious activity that is triggered by a scheduled task.
  • Uncommon local scheduled task creation via schtasks.exe Informational 4 variations

    The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to gain persistence on this host using scheduled tasks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: Attackers may attempt to use the command to gain persistence on the endpoint using scheduled tasks.
    Investigative actions: Review the process that creates the schedule task. Investigate the specific scheduled task execution chain.

    Variations

    Uncommon local scheduled task creation via schtasks.exe by a remote actor

    Informational overridden

    The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to gain persistence on this host using scheduled tasks. overridden

    Uncommon scheduled task created by an unsigned and rare actor via schtasks.exe

    Low overridden

    The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to gain persistence on this host using scheduled tasks. overridden

    Uncommon scheduled task created by an unsigned actor via schtasks.exe

    Low overridden

    The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to gain persistence on this host using scheduled tasks. overridden

    Uncommon scheduled task created by a signed actor from a rare vendor via schtasks.exe

    Low overridden

    The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to gain persistence on this host using scheduled tasks. overridden

  • Uncommon remote scheduled task creation Low 1 variation

    The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to execute programs or persist malware on remote machines.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: Attackers can attempt to use the command to execute programs or persist malware on remote endpoints.
    Investigative actions: Investigate the initiator process and whether it should create remote tasks. Investigate the scheduled task execution on the remote machine.

    Variations

    Uncommon remote scheduled task creation by a remote actor via RDP

    High overridden

    The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to execute programs or persist malware on remote machines. overridden

  • Uncommon signed process execution by scheduled task Informational 3 variations

    An uncommon process was executed by a scheduled task.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: Attackers may attempt to gain persistence, privilege escalation or proxy execution on the endpoint using scheduled tasks.
    Investigative actions: Review the process executed by the schedule task. Investigate the specific scheduled task execution chain. Check if the vendor is known in the organization for creating scheduled tasks to execute his product.

    Variations

    Uncommon Microsoft signed process execution by scheduled task

    Informational overridden

    An uncommon process was executed by a scheduled task. overridden

    Uncommon signed process execution by scheduled task on a sensitive server

    Low overridden

    An uncommon process was executed by a scheduled task. overridden

    Rare signed process execution by scheduled task

    Low overridden

    A rare process was executed by a scheduled task. overridden

  • Unsigned process creates a scheduled task via file access Low 1 variation

    A scheduled task was created via file access from an unsigned process. This is uncommon and may indicate malicious activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: Attackers may attempt to gain persistence on the endpoint using scheduled tasks.
    Investigative actions: Review the process executed by the schedule task. Investigate the specific scheduled task execution chain.

    Variations

    Unsigned process creates a scheduled task via file access on a sensitive server

    Medium overridden

    A scheduled task was created via file access from an unsigned process. This is uncommon and may indicate malicious activity. overridden