Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1 alert match the current filters. technique: T1197 ✕

Show ATT&CK heatmap
  • Bitsadmin.exe persistence using command-line callback Medium

    BITSAdmin.exe was used with a command-line that may indicate malware trying to gain persistence on the machine.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: BITS Jobs (T1197)
    Required data: XDR Agent
    Attacker's goals: Gain persistence using the legitimate bitsadmin 'setnotifycmdline' mechanism, which triggers process executions once a Bits job is done or fails.
    Investigative actions: Check if the command line contains any malicious indicators. Check if the parent process is suspicious. Check if the command-line used to persist is malicious or references a malicious binary.