Analytics Alerts
Browse the Cortex analytics alert reference.
35 alerts match the current filters. technique: T1059 ✕
Show ATT&CK heatmapA Command Line Interface (CLI) command was executed from an AWS serverless compute service Low Cloud 2 variations
AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552) Command and Scripting Interpreter: Cloud API (T1059.009)Required data: AWS Audit LogDetector tags: Cloud Serverless Function Credentials Theft AnalyticsAttacker's goals: Exfiltrate serverless token and abuse it.Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.Variations
A Command Line Interface (AWS-CLI) command was executed from an AWS serverless compute service
Informational overridden
AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden
Unusual Command Line Interface (CLI) command was executed from an AWS serverless compute service
Low overridden
AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden
A TCP stream was created directly in a shell Medium
Attackers may create a TCP stream using the shell command line to generate a reverse shell, enabling remote access to the endpoint.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter (T1059)Required data: XDR AgentAttacker's goals: Attackers may use this device file to create sockets though shell commands as part of a reverse shell.Investigative actions: Review the command line used. Search for the corresponding network event. Check the prevalence of the target IP/domain.A cloud identity started a Cloud Shell session Informational Cloud
A cloud identity started a Cloud Shell session.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)Required data: AWS Audit LogAttacker's goals: Abuse cloud APIs to execute malicious commands.Investigative actions: Investigate any unusual activity originating from the suspected identity.Adding execution privileges Informational 1 variation
A script was granted execution privileges using chmod before being run.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may use chmod to grant execution privileges to scripts or binaries for malicious execution.Investigative actions: Verify that this activity is not part of normal IT operations. Check for similar commands executed on other hosts.Variations
Adding execution privileges in a Kubernetes pod
Informational overridden
A script was granted execution privileges using chmod before being run. overridden
AppleScript executed a shell script Informational 2 variations
An uncommon shell script has been executed by the AppleScript interpreter process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: AppleScript (T1059.002) Command and Scripting Interpreter: Unix Shell (T1059.004)Required data: XDR AgentDetector tags: AppleScript Analytics, Shell AnalyticsAttacker's goals: Use the AppleScript interpreter to execute a second stage payload.Investigative actions: Analyze both the AppleScript and executed shell script to determine whether they perform malicious actions. Check the events generated by the process or its children for potential malicious behavior. Check whether the script was executed in an unusual way.Variations
AppleScript executed a shell script using an unsigned, globally rare causality actor
Low overridden
An uncommon shell script has been executed by the AppleScript interpreter process. overridden
AppleScript executed a shell script using an uncommon shell process
Low overridden
An uncommon shell script has been executed by the AppleScript interpreter process. overridden
AppleScript interpreter dynamic library loaded into a process Informational 2 variations
The AppleScript interpreter dynamic library was loaded into a process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: AppleScript (T1059.002)Required data: XDR AgentDetector tags: AppleScript AnalyticsAttacker's goals: Stealthily execute AppleScript code while evading script-based detections.Investigative actions: Analyze the process and determine whether it performs any malicious or suspicious actions. Check the events generated by the process for potential malicious behavior. Check whether the process was executed in an unusual way.Variations
AppleScript interpreter dynamic library loaded into an unsigned applet
Low overridden
The AppleScript interpreter dynamic library was loaded into an unsigned applet. overridden
AppleScript interpreter dynamic library loaded into a process with an uncommon vendor signature
Low overridden
The AppleScript interpreter dynamic library was loaded into a process with an uncommon vendor signature. overridden
AppleScript process executed with a rare command line Informational 6 variations
The AppleScript interpreter process was executed with an uncommon command line.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: AppleScript (T1059.002)Required data: XDR AgentDetector tags: AppleScript AnalyticsAttacker's goals: Perform various actions via AppleScript code, such as establishing persistence, evading detection, executing secondary payloads or injecting remote processes.Investigative actions: Analyze the command line and determine whether it performs any malicious or suspicious actions. Check the events generated by the process or its children for potential malicious behavior. Check whether the process was executed in an unusual way.Variations
AppleScript process executed with a rare command line possibly using Finder to perform operations
High overridden
The AppleScript interpreter process was executed with an uncommon command line. overridden
AppleScript process executed with a rare command line with an unusual password prompt
Low overridden
The AppleScript interpreter process was executed with an uncommon command line. overridden
AppleScript process executed with a rare command line that possibly injects JavaScript into a browser
Low overridden
The AppleScript interpreter process was executed with an uncommon command line. overridden
AppleScript process executed with a rare command line that possibly establishes persistence
Low overridden
The AppleScript interpreter process was executed with an uncommon command line. overridden
AppleScript process executed with a rare command line that possibly installs a proxy
Low overridden
The AppleScript interpreter process was executed with an uncommon command line. overridden
AppleScript process executed with a rare command line performing clipboard access
Low overridden
The AppleScript interpreter process was executed with an uncommon command line. overridden
Azure virtual machine commands execution Informational Cloud
An Azure virtual machine executed PowerShell commands with System privileges.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter (T1059)Required data: Azure Audit LogAttacker's goals: Executing malicious commands for discovery, privilege escalation, etc.Investigative actions: Check the VM that executed the commands and their results.Command running with COMSPEC in the command line argument Low
COMSPEC is an environmental variable that points to cmd.exe. Attackers may use this command to obfuscate their command and avoid detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Windows Command Shell (T1059.003)Required data: XDR AgentAttacker's goals: Attackers might use environment variables to try and avoid being detected and obfuscate their commands.Investigative actions: Investigate the actor and the command line that executed with COMSPEC Verify that the command executed from a trusted source.Commonly abused AutoIT script connects to an external domain Medium
AutoIT scripts have legitimate uses, but are often abused by malware to execute in a signed process context.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: AutoHotKey & AutoIT (T1059.010) Automated Exfiltration (T1020)Required data: XDR AgentAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.Investigative actions: AutoIT scripts have legitimate uses, but are often abused by malware to execute in a signed process context. Identify the process contacting the remote domain and determine whether the traffic is malicious.Commonly abused AutoIT script drops an executable file to disk Informational
AutoIT scripts have legitimate uses but are often abused by malware to execute in a signed process context.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: AutoHotKey & AutoIT (T1059.010) Command and Scripting Interpreter: Windows Command Shell (T1059.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain code execution on the host and evade security controls.Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Check whether the user from the command line is an administrator or other sensitive account.Download a script using the python requests module Low
Download a shell script from a remote location using the Python requests module.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Python (T1059.006)Required data: XDR AgentAttacker's goals: Adversaries may abuse Python commands and scripts to download additional malicious files or for exfiltration.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Google Workspace automation was created Informational Identity Threat Module 1 variation
Google Workspace automation was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Exfiltration (TA0010)ATT&CK techniques: Command and Scripting Interpreter (T1059) Event Triggered Execution (T1546) Automated Exfiltration (T1020)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may create automations to maintain persistence, execute malicious code, or exfiltrate data automatically.Investigative actions: Verify if the automation creation was authorized and expected for this user. Investigate the automation logic to determine if it is malicious. Investigate other suspicious activities performed by the user around the same timeframe.Variations
Google Workspace automation was created for a public document
Low overridden
The document that the automation was created for is publicly shared. overridden
LOLBIN created a PSScriptPolicyTest PowerShell script file Informational 1 variation
A LOLBIN created a PSScriptPolicyTest file. This may be a sign of malicious PowerShell execution without directly invoking the powershell.exe binary.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Executing PowerShell scripts in a stealthy manner.Investigative actions: Investigate the process and command line that created the file and whether it's benign or normal for this host. Investigate the created PowerShell file for potential malicious commands.Variations
LOLBIN created a larger than usual PSScriptPolicyTest PowerShell script file
Medium overridden
A LOLBIN created a PSScriptPolicyTest file. This may be a sign of malicious PowerShell execution without directly invoking the powershell.exe binary. overridden
Linux process execution with a rare GitHub URL Informational
A process was executed with an uncommon GitHub URL in its command line. This may have legitimate uses, but it might also be used by attackers to download malicious payloads.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter (T1059)Required data: XDR AgentAttacker's goals: Download a second stage payload for execution.Investigative actions: Check if the initiator process is malicious. Check the user activity on the same agent at that time. Check if the host is a development server. Check if this installation was related to more installations at the same time. Check for additional file/network operations by the same process instance.Okta API Token Created Informational Identity Threat Module 1 variation
A user created a new API token in Okta.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002) Persistence (TA0003)ATT&CK techniques: Access Token Manipulation: Make and Impersonate Token (T1134.003) Command and Scripting Interpreter: Cloud API (T1059.009) Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker's goal is to gain unauthorized access, compromise user accounts, and perform malicious actions within an organization's systems, potentially leading to data breaches, account takeovers, and the escalation of privileges.Investigative actions: Review the actions taken by the user that created the token. Follow the operations made using this API token by the ID token. Contact the user who created the API token and ensure that the API token is needed.Variations
An Okta API token was generated with suspicious characteristics
Low overridden
A user created a new API token in Okta with suspicious conditions. overridden
PowerShell Initiates a Network Connection to GitHub Low 1 variation
PowerShell initiates a Network Connection to GitHub with an uncommon command line. This may have legitimate uses, but this technique is frequently used by attackers to serve malicious payloads.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)Required data: Palo Alto Networks Url LogsAttacker's goals: Download a second stage payload for execution.Investigative actions: Check if the initiator process is malicious. Check for additional file/network operations by the same PowerShell instance.Variations
PowerShell Initiates a Network Connection to GitHub from a sensitive server
Medium overridden
PowerShell initiates a Network Connection to GitHub with an uncommon command line. This may have legitimate uses, but this technique is frequently used by attackers to serve malicious payloads. overridden
PowerShell runs suspicious base64-encoded commands Low 2 variations
Running PowerShell with a base64-encoded payload in the command line is often used by attackers to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)Required data: XDR AgentAttacker's goals: Run code to perform actions or download other malicious programs.Investigative actions: Check if the initiator process is malicious. Check for other operations by the PowerShell instance.Variations
PowerShell runs rare base64-encoded command via remote causality actor
Medium overridden
Running PowerShell with a base64-encoded payload in the command line is often used by attackers to evade detection. overridden
PowerShell runs rare base64-encoded command by windows built-in scripting engine
High overridden
Running PowerShell with a base64-encoded payload in the command line is often used by attackers to evade detection. overridden
PowerShell suspicious flags Medium
Abbreviated flags in PowerShell indicate malicious intent.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)Required data: XDR AgentAttacker's goals: Run code to perform actions or download other malicious programs.Investigative actions: Check if the initiator process is malicious. Check for other operations by the PowerShell instance.PowerShell used to remove mailbox export request logs High
An attacker may use PowerShell to remove evidence of an export request for a mailbox as part of the clean-up stage.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Remove evidence for mailbox export commands.Investigative actions: Examine the PowerShell command to identify which mailbox has been compromised. Investigate the host that executes the command for potential further exploitation.Rare process executed by an AppleScript Low
An uncommon process has been executed by the AppleScript interpreter process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: AppleScript (T1059.002)Required data: XDR AgentDetector tags: AppleScript AnalyticsAttacker's goals: Use the AppleScript interpreter to execute a second-stage payload.Investigative actions: Analyze the AppleScript and executed process to determine whether they perform any malicious or suspicious actions. Check the events generated by the process or its children for potential malicious behavior. Check whether the AppleScript was executed in an unusual way.Run downloaded script using pipe Informational 1 variation
Downloading a script using wget or curl and executing it using a pipe to a shell.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may try to download a script using wget or curl.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Run downloaded script using pipe in a Kubernetes pod
Informational overridden
Downloading a script using wget or curl and executing it using a pipe to a shell. overridden
Scripting engine connected to a rare external host Low 3 variations
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Execution (TA0002)ATT&CK techniques: Application Layer Protocol (T1071) Command and Scripting Interpreter (T1059)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Connect to the attacker's Command and Control server.Investigative actions: Check the external address the process connects to. Fetch and investigate the executed script.Variations
Scripting engine failed to connect to a rare external host
Informational overridden
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden
Scripting engine with a modified image name connected to a rare external host
Low overridden
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden
Windows LOLBIN scripting engine connected to a rare external host
Medium overridden
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden
Suspicious PowerShell Command Line Low
Attackers often leverage PowerShell one-liners, in which PowerShell is executed with suspicious options on the command line.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)Required data: XDR AgentAttacker's goals: Gain code execution on the host.Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. For example, the command line may be an administrative script.Suspicious process loads a known PowerShell module Informational 2 variations
A non-PowerShell process loaded a known PowerShell module. This image load may be an indication of PowerShell execution without directly invoking the PowerShell.exe binary.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 8 Hours
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)Required data: XDR AgentAttacker's goals: An attacker is attempting to run PowerShell without PowerShell.exe to evade detection.Investigative actions: Investigate the process and command line executed and whether it's benign or normal for this host.Variations
Suspicious unsigned process loads a known PowerShell module
Low overridden
A non-PowerShell process loaded a known PowerShell module. This image load may be an indication of PowerShell execution without directly invoking the PowerShell.exe binary. overridden
Office process loads a known PowerShell DLL
High overridden
A Microsoft Office process loaded a known PowerShell module. This image load may be a sign of PowerShell execution without directly invoking the PowerShell.exe binary. overridden
Uncommon Linux remote shell command execution Informational 15 variations
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Lateral Movement (TA0008)ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004) Command and Scripting Interpreter (T1059) Remote Services (T1021)Required data: XDR AgentDetector tags: Shell AnalyticsAttacker's goals: An attacker may attempt to execute a malicious shell command on the system.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the executed shell command (and possible child processes) for malicious actions.Variations
Uncommon Linux remote shell command execution, possibly running LinPEAS
High overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution using an exploitation tool
High overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution executing a reverse interactive shell
Medium overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution downloading a shell script
Medium overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution disabling firewall
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution taking a screenshot
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution possibly running from an XZ backdoor
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution running as root
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution setting a scheduled task
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution running a process kill command
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution loading a kernel module
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution via non-SSH or SSH on a non-standard port
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution running a network tool
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution trying to gather information about the system
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution, possibly granting file execution permissions
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution Informational 15 variations
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004) Command and Scripting Interpreter (T1059)Required data: XDR AgentDetector tags: Shell AnalyticsAttacker's goals: An attacker may attempt to execute a malicious shell command on the system.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the executed shell command (and possible child processes) for malicious actions.Variations
Uncommon Linux shell command execution by a BAS solution
High overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution disabling firewall
High overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution, possibly running LinPEAS
High overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution using exploitation tool
High overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution taking a screenshot
Low overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution trying to gather information about the system
Low overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution loading a kernel module
Low overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution, possibly granting file execution permissions
Low overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution running a network tool
Low overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution setting a scheduled task
Low overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution running a process kill command
Low overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution with su/sudo elevation
Informational overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution accessing history (e.g. bash history or login records)
Informational overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution from a scripting language interpreter
Informational overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution executed from within a web server
Informational overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon cloud CLI tool usage Informational Cloud 4 variations
An uncommon execution of a cloud CLI tool.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)Required data: XDR AgentAttacker's goals: Abuse cloud APIs to execute malicious commands.Investigative actions: Check what cloud CLI commands were executed. Verify which cloud resources may have been affected.Variations
Uncommon cloud CLI tool usage within a web server pod
Low overridden
An uncommon execution of a cloud CLI tool. overridden
Uncommon cloud CLI tool usage within a web server
Low overridden
An uncommon execution of a cloud CLI tool. overridden
Uncommon cloud CLI tool usage within a cloud instance
Low overridden
An uncommon execution of a cloud CLI tool. overridden
Uncommon cloud CLI tool usage within a Kubernetes pod
Informational overridden
An uncommon execution of a cloud CLI tool. overridden
Uncommon macOS shell command execution Informational 10 variations
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004) Command and Scripting Interpreter (T1059)Required data: XDR AgentDetector tags: Shell AnalyticsAttacker's goals: An attacker may attempt to execute a malicious shell command on the system.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the executed shell command (and possible child processes) for malicious actions.Variations
Uncommon macOS shell command execution by a BAS solution
High overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution running a curl / wget in an uncommon way
High overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution taking a screenshot
Low overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution trying to gather information about the system
Low overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution loading a kernel extension
Low overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution, possibly granting file execution permissions
Low overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution running a process kill command
Low overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution executed an AppleScript
Low overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution from an unsigned process
Low overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution of an exceedingly rare process
Low overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Unusual AI model invocation Informational Cloud
A cloud identity invoked an AI model for the first time.MITRE ATLAS Technique: AML.T0050 - Command and Scripting Interpreter.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)Required data: AWS Audit Log Gcp Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Gain access to AI models.Investigative actions: Examine which AI models were invoked. Investigate any unusual activity originating from the suspected identity.Unusual AWS CLI/SDK activity Informational Cloud
A cloud identity invoked an API using AWS CLI/SDK for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)Required data: AWS Audit LogAttacker's goals: Abuse cloud APIs to execute malicious commands.Investigative actions: Investigate any unusual activity originating from the suspected identity.Unusual AWS SageMaker notebook access Informational Cloud
A cloud identity accessed an AWS SageMaker notebook for the first time.MITRE ATLAS Technique: AML.T0008 - Acquire Infrastructure: AI Development Workspaces.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)Required data: AWS Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Gain access to AI/ML resources and services.Investigative actions: Examine which AWS SageMaker notebooks were accessed. Investigate any unusual activity originating from the suspected identity.Unusual Process Spawned by Nginx in Ingress-Nginx pod Low 1 variation
Unusual Process Spawned by Nginx in Ingress-Nginx pod.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)ATT&CK techniques: Command and Scripting Interpreter (T1059) Exploit Public-Facing Application (T1190)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: An attacker attempts to use nginx for lateral movement or privilege escalation.Investigative actions: Investigate the child processes for malicious activity and network connections to an external host.Variations
Unusual process spawned by ingress-nginx with a critical-severity vulnerability found the workload
High overridden
Unusual Process Spawned by Nginx in Ingress-Nginx pod. overridden
Unusual process accessed the PowerShell history file Informational
An abnormal process accessed the PowerShell console history file.This may be a sign of malicious PowerShell execution without directly invoking the powershell.exe binary.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)Required data: XDR AgentAttacker's goals: An attacker is attempting to run PowerShell without powershell.exe to evade detection.Investigative actions: Investigate the process and command line executed and whether it's benign or normal for this host.Wsmprovhost.exe Rare Child Process Low
The PowerShell host wsmprovhost.exe is a proxy process executed remotely through PowerShell when using Windows Remote Management (WinRM). It has executed a rare child process, which may indicate remote code execution abuse by an attacker.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services: Windows Remote Management (T1021.006) Command and Scripting Interpreter: PowerShell (T1059.001)Required data: XDR AgentAttacker's goals: Gain code execution on a remote host.Investigative actions: Investigate the processes being spawned from Wsmprovhost.exe on the host for malicious indicators. Correlate the initiator process (most likely PowerShell) to the source host and investigate it.