Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

35 alerts match the current filters. technique: T1059 ✕

Show ATT&CK heatmap
  • A Command Line Interface (CLI) command was executed from an AWS serverless compute service Low Cloud 2 variations

    AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552) Command and Scripting Interpreter: Cloud API (T1059.009)
    Required data: AWS Audit Log
    Detector tags: Cloud Serverless Function Credentials Theft Analytics
    Attacker's goals: Exfiltrate serverless token and abuse it.
    Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.

    Variations

    A Command Line Interface (AWS-CLI) command was executed from an AWS serverless compute service

    Informational overridden

    AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden

    Unusual Command Line Interface (CLI) command was executed from an AWS serverless compute service

    Low overridden

    AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden

  • A TCP stream was created directly in a shell Medium

    Attackers may create a TCP stream using the shell command line to generate a reverse shell, enabling remote access to the endpoint.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter (T1059)
    Required data: XDR Agent
    Attacker's goals: Attackers may use this device file to create sockets though shell commands as part of a reverse shell.
    Investigative actions: Review the command line used. Search for the corresponding network event. Check the prevalence of the target IP/domain.
  • A cloud identity started a Cloud Shell session Informational Cloud

    A cloud identity started a Cloud Shell session.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)
    Required data: AWS Audit Log
    Attacker's goals: Abuse cloud APIs to execute malicious commands.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • Adding execution privileges Informational 1 variation

    A script was granted execution privileges using chmod before being run.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may use chmod to grant execution privileges to scripts or binaries for malicious execution.
    Investigative actions: Verify that this activity is not part of normal IT operations. Check for similar commands executed on other hosts.

    Variations

    Adding execution privileges in a Kubernetes pod

    Informational overridden

    A script was granted execution privileges using chmod before being run. overridden

  • AppleScript executed a shell script Informational 2 variations

    An uncommon shell script has been executed by the AppleScript interpreter process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: AppleScript (T1059.002) Command and Scripting Interpreter: Unix Shell (T1059.004)
    Required data: XDR Agent
    Detector tags: AppleScript Analytics, Shell Analytics
    Attacker's goals: Use the AppleScript interpreter to execute a second stage payload.
    Investigative actions: Analyze both the AppleScript and executed shell script to determine whether they perform malicious actions. Check the events generated by the process or its children for potential malicious behavior. Check whether the script was executed in an unusual way.

    Variations

    AppleScript executed a shell script using an unsigned, globally rare causality actor

    Low overridden

    An uncommon shell script has been executed by the AppleScript interpreter process. overridden

    AppleScript executed a shell script using an uncommon shell process

    Low overridden

    An uncommon shell script has been executed by the AppleScript interpreter process. overridden

  • AppleScript interpreter dynamic library loaded into a process Informational 2 variations

    The AppleScript interpreter dynamic library was loaded into a process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: AppleScript (T1059.002)
    Required data: XDR Agent
    Detector tags: AppleScript Analytics
    Attacker's goals: Stealthily execute AppleScript code while evading script-based detections.
    Investigative actions: Analyze the process and determine whether it performs any malicious or suspicious actions. Check the events generated by the process for potential malicious behavior. Check whether the process was executed in an unusual way.

    Variations

    AppleScript interpreter dynamic library loaded into an unsigned applet

    Low overridden

    The AppleScript interpreter dynamic library was loaded into an unsigned applet. overridden

    AppleScript interpreter dynamic library loaded into a process with an uncommon vendor signature

    Low overridden

    The AppleScript interpreter dynamic library was loaded into a process with an uncommon vendor signature. overridden

  • AppleScript process executed with a rare command line Informational 6 variations

    The AppleScript interpreter process was executed with an uncommon command line.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: AppleScript (T1059.002)
    Required data: XDR Agent
    Detector tags: AppleScript Analytics
    Attacker's goals: Perform various actions via AppleScript code, such as establishing persistence, evading detection, executing secondary payloads or injecting remote processes.
    Investigative actions: Analyze the command line and determine whether it performs any malicious or suspicious actions. Check the events generated by the process or its children for potential malicious behavior. Check whether the process was executed in an unusual way.

    Variations

    AppleScript process executed with a rare command line possibly using Finder to perform operations

    High overridden

    The AppleScript interpreter process was executed with an uncommon command line. overridden

    AppleScript process executed with a rare command line with an unusual password prompt

    Low overridden

    The AppleScript interpreter process was executed with an uncommon command line. overridden

    AppleScript process executed with a rare command line that possibly injects JavaScript into a browser

    Low overridden

    The AppleScript interpreter process was executed with an uncommon command line. overridden

    AppleScript process executed with a rare command line that possibly establishes persistence

    Low overridden

    The AppleScript interpreter process was executed with an uncommon command line. overridden

    AppleScript process executed with a rare command line that possibly installs a proxy

    Low overridden

    The AppleScript interpreter process was executed with an uncommon command line. overridden

    AppleScript process executed with a rare command line performing clipboard access

    Low overridden

    The AppleScript interpreter process was executed with an uncommon command line. overridden

  • Azure virtual machine commands execution Informational Cloud

    An Azure virtual machine executed PowerShell commands with System privileges.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter (T1059)
    Required data: Azure Audit Log
    Attacker's goals: Executing malicious commands for discovery, privilege escalation, etc.
    Investigative actions: Check the VM that executed the commands and their results.
  • Command running with COMSPEC in the command line argument Low

    COMSPEC is an environmental variable that points to cmd.exe. Attackers may use this command to obfuscate their command and avoid detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Windows Command Shell (T1059.003)
    Required data: XDR Agent
    Attacker's goals: Attackers might use environment variables to try and avoid being detected and obfuscate their commands.
    Investigative actions: Investigate the actor and the command line that executed with COMSPEC Verify that the command executed from a trusted source.
  • Commonly abused AutoIT script connects to an external domain Medium

    AutoIT scripts have legitimate uses, but are often abused by malware to execute in a signed process context.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: AutoHotKey & AutoIT (T1059.010) Automated Exfiltration (T1020)
    Required data: XDR Agent
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.
    Investigative actions: AutoIT scripts have legitimate uses, but are often abused by malware to execute in a signed process context. Identify the process contacting the remote domain and determine whether the traffic is malicious.
  • Commonly abused AutoIT script drops an executable file to disk Informational

    AutoIT scripts have legitimate uses but are often abused by malware to execute in a signed process context.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: AutoHotKey & AutoIT (T1059.010) Command and Scripting Interpreter: Windows Command Shell (T1059.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain code execution on the host and evade security controls.
    Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Check whether the user from the command line is an administrator or other sensitive account.
  • Download a script using the python requests module Low

    Download a shell script from a remote location using the Python requests module.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Python (T1059.006)
    Required data: XDR Agent
    Attacker's goals: Adversaries may abuse Python commands and scripts to download additional malicious files or for exfiltration.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Google Workspace automation was created Informational Identity Threat Module 1 variation

    Google Workspace automation was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Exfiltration (TA0010)
    ATT&CK techniques: Command and Scripting Interpreter (T1059) Event Triggered Execution (T1546) Automated Exfiltration (T1020)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may create automations to maintain persistence, execute malicious code, or exfiltrate data automatically.
    Investigative actions: Verify if the automation creation was authorized and expected for this user. Investigate the automation logic to determine if it is malicious. Investigate other suspicious activities performed by the user around the same timeframe.

    Variations

    Google Workspace automation was created for a public document

    Low overridden

    The document that the automation was created for is publicly shared. overridden

  • LOLBIN created a PSScriptPolicyTest PowerShell script file Informational 1 variation

    A LOLBIN created a PSScriptPolicyTest file. This may be a sign of malicious PowerShell execution without directly invoking the powershell.exe binary.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Executing PowerShell scripts in a stealthy manner.
    Investigative actions: Investigate the process and command line that created the file and whether it's benign or normal for this host. Investigate the created PowerShell file for potential malicious commands.

    Variations

    LOLBIN created a larger than usual PSScriptPolicyTest PowerShell script file

    Medium overridden

    A LOLBIN created a PSScriptPolicyTest file. This may be a sign of malicious PowerShell execution without directly invoking the powershell.exe binary. overridden

  • Linux process execution with a rare GitHub URL Informational

    A process was executed with an uncommon GitHub URL in its command line. This may have legitimate uses, but it might also be used by attackers to download malicious payloads.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter (T1059)
    Required data: XDR Agent
    Attacker's goals: Download a second stage payload for execution.
    Investigative actions: Check if the initiator process is malicious. Check the user activity on the same agent at that time. Check if the host is a development server. Check if this installation was related to more installations at the same time. Check for additional file/network operations by the same process instance.
  • Okta API Token Created Informational Identity Threat Module 1 variation

    A user created a new API token in Okta.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Access Token Manipulation: Make and Impersonate Token (T1134.003) Command and Scripting Interpreter: Cloud API (T1059.009) Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker's goal is to gain unauthorized access, compromise user accounts, and perform malicious actions within an organization's systems, potentially leading to data breaches, account takeovers, and the escalation of privileges.
    Investigative actions: Review the actions taken by the user that created the token. Follow the operations made using this API token by the ID token. Contact the user who created the API token and ensure that the API token is needed.

    Variations

    An Okta API token was generated with suspicious characteristics

    Low overridden

    A user created a new API token in Okta with suspicious conditions. overridden

  • PowerShell Initiates a Network Connection to GitHub Low 1 variation

    PowerShell initiates a Network Connection to GitHub with an uncommon command line. This may have legitimate uses, but this technique is frequently used by attackers to serve malicious payloads.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: Palo Alto Networks Url Logs
    Attacker's goals: Download a second stage payload for execution.
    Investigative actions: Check if the initiator process is malicious. Check for additional file/network operations by the same PowerShell instance.

    Variations

    PowerShell Initiates a Network Connection to GitHub from a sensitive server

    Medium overridden

    PowerShell initiates a Network Connection to GitHub with an uncommon command line. This may have legitimate uses, but this technique is frequently used by attackers to serve malicious payloads. overridden

  • PowerShell runs suspicious base64-encoded commands Low 2 variations

    Running PowerShell with a base64-encoded payload in the command line is often used by attackers to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: XDR Agent
    Attacker's goals: Run code to perform actions or download other malicious programs.
    Investigative actions: Check if the initiator process is malicious. Check for other operations by the PowerShell instance.

    Variations

    PowerShell runs rare base64-encoded command via remote causality actor

    Medium overridden

    Running PowerShell with a base64-encoded payload in the command line is often used by attackers to evade detection. overridden

    PowerShell runs rare base64-encoded command by windows built-in scripting engine

    High overridden

    Running PowerShell with a base64-encoded payload in the command line is often used by attackers to evade detection. overridden

  • PowerShell suspicious flags Medium

    Abbreviated flags in PowerShell indicate malicious intent.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: XDR Agent
    Attacker's goals: Run code to perform actions or download other malicious programs.
    Investigative actions: Check if the initiator process is malicious. Check for other operations by the PowerShell instance.
  • PowerShell used to remove mailbox export request logs High

    An attacker may use PowerShell to remove evidence of an export request for a mailbox as part of the clean-up stage.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Remove evidence for mailbox export commands.
    Investigative actions: Examine the PowerShell command to identify which mailbox has been compromised. Investigate the host that executes the command for potential further exploitation.
  • Rare process executed by an AppleScript Low

    An uncommon process has been executed by the AppleScript interpreter process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: AppleScript (T1059.002)
    Required data: XDR Agent
    Detector tags: AppleScript Analytics
    Attacker's goals: Use the AppleScript interpreter to execute a second-stage payload.
    Investigative actions: Analyze the AppleScript and executed process to determine whether they perform any malicious or suspicious actions. Check the events generated by the process or its children for potential malicious behavior. Check whether the AppleScript was executed in an unusual way.
  • Run downloaded script using pipe Informational 1 variation

    Downloading a script using wget or curl and executing it using a pipe to a shell.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may try to download a script using wget or curl.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Run downloaded script using pipe in a Kubernetes pod

    Informational overridden

    Downloading a script using wget or curl and executing it using a pipe to a shell. overridden

  • Scripting engine connected to a rare external host Low 3 variations

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Execution (TA0002)
    ATT&CK techniques: Application Layer Protocol (T1071) Command and Scripting Interpreter (T1059)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Connect to the attacker's Command and Control server.
    Investigative actions: Check the external address the process connects to. Fetch and investigate the executed script.

    Variations

    Scripting engine failed to connect to a rare external host

    Informational overridden

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden

    Scripting engine with a modified image name connected to a rare external host

    Low overridden

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden

    Windows LOLBIN scripting engine connected to a rare external host

    Medium overridden

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden

  • Suspicious PowerShell Command Line Low

    Attackers often leverage PowerShell one-liners, in which PowerShell is executed with suspicious options on the command line.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host.
    Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. For example, the command line may be an administrative script.
  • Suspicious process loads a known PowerShell module Informational 2 variations

    A non-PowerShell process loaded a known PowerShell module. This image load may be an indication of PowerShell execution without directly invoking the PowerShell.exe binary.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    8 Hours
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: XDR Agent
    Attacker's goals: An attacker is attempting to run PowerShell without PowerShell.exe to evade detection.
    Investigative actions: Investigate the process and command line executed and whether it's benign or normal for this host.

    Variations

    Suspicious unsigned process loads a known PowerShell module

    Low overridden

    A non-PowerShell process loaded a known PowerShell module. This image load may be an indication of PowerShell execution without directly invoking the PowerShell.exe binary. overridden

    Office process loads a known PowerShell DLL

    High overridden

    A Microsoft Office process loaded a known PowerShell module. This image load may be a sign of PowerShell execution without directly invoking the PowerShell.exe binary. overridden

  • Uncommon Linux remote shell command execution Informational 15 variations

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Lateral Movement (TA0008)
    ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004) Command and Scripting Interpreter (T1059) Remote Services (T1021)
    Required data: XDR Agent
    Detector tags: Shell Analytics
    Attacker's goals: An attacker may attempt to execute a malicious shell command on the system.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the executed shell command (and possible child processes) for malicious actions.

    Variations

    Uncommon Linux remote shell command execution, possibly running LinPEAS

    High overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution using an exploitation tool

    High overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution executing a reverse interactive shell

    Medium overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution downloading a shell script

    Medium overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution disabling firewall

    Low overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution taking a screenshot

    Low overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution possibly running from an XZ backdoor

    Low overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution running as root

    Low overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution setting a scheduled task

    Low overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution running a process kill command

    Low overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution loading a kernel module

    Informational overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution via non-SSH or SSH on a non-standard port

    Informational overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution running a network tool

    Informational overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution trying to gather information about the system

    Informational overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution, possibly granting file execution permissions

    Informational overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

  • Uncommon Linux shell command execution Informational 15 variations

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004) Command and Scripting Interpreter (T1059)
    Required data: XDR Agent
    Detector tags: Shell Analytics
    Attacker's goals: An attacker may attempt to execute a malicious shell command on the system.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the executed shell command (and possible child processes) for malicious actions.

    Variations

    Uncommon Linux shell command execution by a BAS solution

    High overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution disabling firewall

    High overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution, possibly running LinPEAS

    High overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution using exploitation tool

    High overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution taking a screenshot

    Low overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution trying to gather information about the system

    Low overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution loading a kernel module

    Low overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution, possibly granting file execution permissions

    Low overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution running a network tool

    Low overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution setting a scheduled task

    Low overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution running a process kill command

    Low overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution with su/sudo elevation

    Informational overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution accessing history (e.g. bash history or login records)

    Informational overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution from a scripting language interpreter

    Informational overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution executed from within a web server

    Informational overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

  • Uncommon cloud CLI tool usage Informational Cloud 4 variations

    An uncommon execution of a cloud CLI tool.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)
    Required data: XDR Agent
    Attacker's goals: Abuse cloud APIs to execute malicious commands.
    Investigative actions: Check what cloud CLI commands were executed. Verify which cloud resources may have been affected.

    Variations

    Uncommon cloud CLI tool usage within a web server pod

    Low overridden

    An uncommon execution of a cloud CLI tool. overridden

    Uncommon cloud CLI tool usage within a web server

    Low overridden

    An uncommon execution of a cloud CLI tool. overridden

    Uncommon cloud CLI tool usage within a cloud instance

    Low overridden

    An uncommon execution of a cloud CLI tool. overridden

    Uncommon cloud CLI tool usage within a Kubernetes pod

    Informational overridden

    An uncommon execution of a cloud CLI tool. overridden

  • Uncommon macOS shell command execution Informational 10 variations

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004) Command and Scripting Interpreter (T1059)
    Required data: XDR Agent
    Detector tags: Shell Analytics
    Attacker's goals: An attacker may attempt to execute a malicious shell command on the system.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the executed shell command (and possible child processes) for malicious actions.

    Variations

    Uncommon macOS shell command execution by a BAS solution

    High overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution running a curl / wget in an uncommon way

    High overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution taking a screenshot

    Low overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution trying to gather information about the system

    Low overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution loading a kernel extension

    Low overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution, possibly granting file execution permissions

    Low overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution running a process kill command

    Low overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution executed an AppleScript

    Low overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution from an unsigned process

    Low overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution of an exceedingly rare process

    Low overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

  • Unusual AI model invocation Informational Cloud

    A cloud identity invoked an AI model for the first time.MITRE ATLAS Technique: AML.T0050 - Command and Scripting Interpreter.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)
    Required data: AWS Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Gain access to AI models.
    Investigative actions: Examine which AI models were invoked. Investigate any unusual activity originating from the suspected identity.
  • Unusual AWS CLI/SDK activity Informational Cloud

    A cloud identity invoked an API using AWS CLI/SDK for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)
    Required data: AWS Audit Log
    Attacker's goals: Abuse cloud APIs to execute malicious commands.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • Unusual AWS SageMaker notebook access Informational Cloud

    A cloud identity accessed an AWS SageMaker notebook for the first time.MITRE ATLAS Technique: AML.T0008 - Acquire Infrastructure: AI Development Workspaces.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)
    Required data: AWS Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Gain access to AI/ML resources and services.
    Investigative actions: Examine which AWS SageMaker notebooks were accessed. Investigate any unusual activity originating from the suspected identity.
  • Unusual Process Spawned by Nginx in Ingress-Nginx pod Low 1 variation

    Unusual Process Spawned by Nginx in Ingress-Nginx pod.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)
    ATT&CK techniques: Command and Scripting Interpreter (T1059) Exploit Public-Facing Application (T1190)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: An attacker attempts to use nginx for lateral movement or privilege escalation.
    Investigative actions: Investigate the child processes for malicious activity and network connections to an external host.

    Variations

    Unusual process spawned by ingress-nginx with a critical-severity vulnerability found the workload

    High overridden

    Unusual Process Spawned by Nginx in Ingress-Nginx pod. overridden

  • Unusual process accessed the PowerShell history file Informational

    An abnormal process accessed the PowerShell console history file.This may be a sign of malicious PowerShell execution without directly invoking the powershell.exe binary.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: XDR Agent
    Attacker's goals: An attacker is attempting to run PowerShell without powershell.exe to evade detection.
    Investigative actions: Investigate the process and command line executed and whether it's benign or normal for this host.
  • Wsmprovhost.exe Rare Child Process Low

    The PowerShell host wsmprovhost.exe is a proxy process executed remotely through PowerShell when using Windows Remote Management (WinRM). It has executed a rare child process, which may indicate remote code execution abuse by an attacker.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services: Windows Remote Management (T1021.006) Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on a remote host.
    Investigative actions: Investigate the processes being spawned from Wsmprovhost.exe on the host for malicious indicators. Correlate the initiator process (most likely PowerShell) to the source host and investigate it.