Analytics Alerts
Browse the Cortex analytics alert reference.
21 alerts match the current filters. technique: T1547 ✕
Show ATT&CK heatmapA contained executable was executed by an unusual process Medium 3 variations
A Docker-contained executable from a mounted share was executed on a host.Running a contained executable is highly dangerous and atypical.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Escape to Host (T1611) Boot or Logon Autostart Execution: Kernel Modules and Extensions (T1547.006)Required data: XDR AgentAttacker's goals: Gain high privileged command execution on the host machine via one of its running containers.Investigative actions: Check what actions were made after the suspicious file execution. Investigate the contained process and its process tree.Variations
A contained executable was executed by the Linux kernel thread daemon
High overridden
A contained executable in a cloud machine was executed by the Linux kernel thread daemon.This behavior is suspicious as it may be a result of an attacker attempting to escape from a container, as the kernel thread daemon is usually used to spawn kernel processes only. overridden
A contained executable was executed by the Linux kernel thread daemon
High overridden
A contained executable was executed by the Linux kernel thread daemon.This behavior is suspicious as it may be a result of an attacker attempting to escape from a container, as the kernel thread daemon is usually used to spawn kernel processes only. overridden
A contained executable was executed by an unusual process
Medium overridden
A Docker-contained executable from a mounted share on a cloud machine was executed on a host.Running a contained executable is highly dangerous and atypical. overridden
An uncommon file added to startup-related Registry keys Informational 5 variations
An attacker may add a file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution (T1547)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain persistence using the legitimate Windows registry run key mechanism, which executes files or scripts on user login or computer boot.Investigative actions: Verify if the registered file is malicious. Check if the installing software is a malicious binary or script.Variations
An uncommon file added to startup-related Registry keys by an unsigned and unpopular CGO process
Low overridden
An attacker may add a file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden
An uncommon script added to startup-related Registry keys
Low overridden
An attacker may add a script to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden
An uncommon file added to startup-related Registry keys by a commonly known and signed application
Low overridden
An attacker may add a file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden
An uncommon LOLBIN added to startup-related Registry keys
Low overridden
An attacker may add a LOLBIN to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden
An uncommon file added to startup-related Registry keys by a remote actor
Low overridden
A remote attacker may add a file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden
An uncommon file was created in the startup folder Informational 4 variations
An uncommon file was created in the startup folder.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Maintain persistence on the host through automatic execution at startup.Investigative actions: Determine if the file was created as part of a legitimate application installation, and check other files written by the same process. Identify which program opens this file based on its extension. Check the registry at HKEY_CLASSES_ROOT\[extension]\shell\[action]\command to see the default application or command used to execute the file.Variations
An executable file with a non-default extension was added to the startup folder
Medium overridden
An executable file with a non-default extension was added to the startup folder. overridden
An executable or script was added to the startup folder
Low overridden
An executable or script was added to the startup folder. This may occur during a legitimate program installation but could also indicate a malicious program persisting on the system. overridden
A file with an uncommon extension was added to the startup folder
Low overridden
A file with an uncommon extension was added to the startup folder, which may happen on new program installation, but may also indicate a malicious program persisting itself. overridden
A new shortcut (lnk) was added to the startup folder
Low overridden
A new shortcut (lnk) file was added to the startup folder, which may happen on new program installation, but may also indicate a malicious program persisting itself. overridden
Execution of an uncommon process at an early startup stage Informational 2 variations
Uncommon execution of an executable found in an early startup stage.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution (T1547)Required data: XDR AgentDetector tags: Generic Persistence AnalyticsAttacker's goals: Adversaries continuously find and develop new undetectable, novel methods of launching malware during startup. Attackers aim to get persistence to continue operating even after a reboot.Investigative actions: Check if the CGO (causality group owner) is familiar and if one of it configuration/parameters/registry keys has been modified.Variations
Execution of an uncommon process at an early startup stage with suspicious characteristics
Low overridden
Uncommon execution of an executable found in an early startup stage. overridden
Execution of an uncommon process at an early startup stage with uncommon characteristics
Low overridden
Uncommon execution of an executable found in an early startup stage. overridden
Execution of an uncommon process at an early startup stage by Windows system binary Low 2 variations
Uncommon execution of an executable found in an early startup stage by Windows system binary.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution (T1547)Required data: XDR AgentDetector tags: Generic Persistence AnalyticsAttacker's goals: Attackers aim to get persistence to continue operating even after a reboot.Investigative actions: Check if the Causality Group Owner (CGO) has a related persistence mechanism that may have been abused by an attacker.Variations
Execution of an uncommon process at an early startup stage by Windows system binary with suspicious characteristics
Low overridden
Uncommon execution of an executable found in an early startup stage by Windows system binary. overridden
Execution of an uncommon process at an early startup stage by Windows system binary with uncommon characteristics
Low overridden
Uncommon execution of an executable found in an early startup stage by Windows system binary. overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage Informational 2 variations
Execution of an uncommon process with a local/domain user SID at an early startup stage may be an indication of a persistent mechanism on boot that is being actively abused.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution (T1547)Required data: XDR AgentDetector tags: Generic Persistence AnalyticsAttacker's goals: Attackers aim to get persistence to continue operating even after a reboot.Investigative actions: Check if the CGO (causality group owner) is familiar and if any configuration, parameters, or registry keys have been modified.Variations
Execution of an uncommon process with a local/domain user SID at an early startup stage with suspicious characteristics
Low overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage may be an indication of a persistent mechanism on boot that is being actively abused. overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage with uncommon characteristics
Low overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage may be an indication of a persistent mechanism on boot that is being actively abused. overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary Low 3 variations
Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary may be an indication of a persistent mechanism on boot that is being actively abused.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution (T1547)Required data: XDR AgentDetector tags: Generic Persistence AnalyticsAttacker's goals: Attackers aim to get persistence to continue operating even after a reboot.Investigative actions: Check if the Causality Group Owner (CGO) has a related persistence mechanism that may have been abused by an attacker.Variations
Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary - Explorer CGO
Informational overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary may be an indication of a persistent mechanism on boot that is being actively abused. overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage with a suspicious characteristics by Windows system binary
Low overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary may be an indication of a persistent mechanism on boot that is being actively abused. overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage with an uncommon characteristics by Windows system binary
Low overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary may be an indication of a persistent mechanism on boot that is being actively abused. overridden
Microsoft Office adds a value to autostart Registry key Low
Microsoft Office adds a value to a registry entry (run keys, startup folders) to establish persistence.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain persistence on the host using the Window's autostart Mechanism.Investigative actions: Check the registry key and determine what process it'll run. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Office process accessed an unusual .LNK file Low
An attacker may embed a .LNK file in an Office document to execute malicious code.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Execution (TA0002) Persistence (TA0003)ATT&CK techniques: User Execution (T1204) Boot or Logon Autostart Execution: Shortcut Modification (T1547.009)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Modify or create a shortcut to gain code or program execution.Investigative actions: Check if the Office document contains a shortcut object. Check the content (strings) of the document object for a .LNK shortcut. Check the content of the shortcut.Possible Persistence via group policy Registry keys Medium
Group Policy registry keys were read during system startup. This behavior may indicate a persistence mechanism that triggers on reboot to execute malicious code.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Establish persistence on the host using Windows Group Policy mechanisms.Investigative actions: Inspect the registry keys and determine which process or command is configured to run. Verify whether the executing process is benign and expected as part of normal system behavior.Script file added to startup-related Registry keys Medium
An attacker may add a script file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution (T1547)Required data: XDR AgentAttacker's goals: Gain persistence using the legitimate Windows registry run key mechanism, which executes commands on user login or computer boot.Investigative actions: Verify if the registered script is malicious. Check if the installed software is a malicious binary or script.Setting Windows Auto Logon by uncommon process Low
Setting Windows Auto Logon by uncommon process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversary may attempt to set auto logon for persistence and privilege escalation.Investigative actions: Investigate the process that set or create the registry key.Suspicious RunOnce Parent Process Low
Runonce.exe executes commands under the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, typically on computer boot and user login events.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)Required data: XDR AgentAttacker's goals: An attacker is trying to perform an action on the system at a later point, achieving persistence.Investigative actions: Investigate the endpoint to determine if it's a legitimate process that is supposed to use RunOnce in its operation.Suspicious Udev driver rule execution manipulation Low 1 variation
Udev driver rule was modified with unusual pattern, might be used by adversaries to backdoor existing drivers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Boot or Logon Autostart Execution: Kernel Modules and Extensions (T1547.006)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversaries can use this technique to execute arbitrary commands once the machine boots.Investigative actions: Check if the action was done using an automation service. Check the rule modification content and look for any suspicious payloads. Check if there are any other suspicious activities originated from the same machine/executing user.Variations
Unusual Udev driver rule execution manipulation
Low overridden
Udev driver rule was modified with unusual pattern, might be used by adversaries to backdoor existing drivers. overridden
Suspicious active setup registered Informational
The endpoint registered a new active setup, which may be used to gain persistence on the host by loading libraries into the time management service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution: Active Setup (T1547.014)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain persistence using the legitimate windows active setup mechanism, which executes binary on system startup.Investigative actions: Verify if the registered binary is malicious. Check if the installing software is a malicious binary.Suspicious authentication package registered Medium
The endpoint registered a suspicious authentication package, which may be used to gain persistence on the host by loading libraries into the time management service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 14 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution: Authentication Package (T1547.002)Required data: XDR AgentAttacker's goals: Gain persistence using the legitimate Windows authentication package mechanism, which loads libraries into Windows services.Investigative actions: Verify if the registered library is malicious. Check if the installing software is a malicious binary. Check for any suspicious network activity from "lsass.exe".Suspicious print processor registered Medium
The endpoint registered a new print processor, which may be used to gain persistence on the host by loading libraries into the time management service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution: Print Processors (T1547.012)Required data: XDR AgentAttacker's goals: Gain persistence using the legitimate windows print processor mechanism, which loads libraries into Windows services.Investigative actions: Verify if the registered library is malicious. Check if the installing software is a malicious binary. Check for any suspicious network activity from svchost.exe or spoolsv.exe.Suspicious runonce.exe parent process Low
Runonce.exe executes commands under the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, typically on computer boot and user logon events.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)Required data: XDR AgentAttacker's goals: Command execution and persistence on the host.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Suspicious time provider registered Medium 2 variations
The endpoint time provider has been tampered, this change may be used to gain persistence on the host by loading libraries into the time management service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution: Time Providers (T1547.003)Required data: XDR AgentAttacker's goals: Gain persistence using the legitimate Windows time provider mechanism, which loads libraries into Windows services.Investigative actions: Verify if the registered library is malicious. Check if the software performing the installation is a malicious binary. Check for any network activity from a "svchost.exe -k LocalService" process that seems suspicious.Variations
Suspicious time provider registered manually by reg.exe
High overridden
The endpoint time provider has been tampered, this change may be used to gain persistence on the host by loading libraries into the time management service. overridden
Suspicious time provider registered using an uncommon provider name
High overridden
The endpoint time provider has been tampered, this change may be used to gain persistence on the host by loading libraries into the time management service. overridden
Uncommon Security Support Provider (SSP) registered via a registry key Low
Security Support Provider (SSP) exposes a number of callbacks to be invoked during certain authentication and authorization events.An attacker may register SSP to try and gain access to clear text passwords.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Boot or Logon Autostart Execution: Security Support Provider (T1547.005)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain clear text passwords and persistency in the network.Investigative actions: Audit the specific key values to verify that the additional values are trusted.Uncommon login item persistency was registered or modified Informational 4 variations
An uncommon login item persistence mechanism was registered/modified on the system.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution (T1547) Boot or Logon Autostart Execution: Login Items (T1547.015)Required data: XDR AgentDetector tags: Generic Persistence AnalyticsAttacker's goals: Establish persistent access to the compromised host by registering malicious code.Investigative actions: Analyze the persistency item and determine whether it performs any malicious or suspicious actions. Analyze the registered process and determine whether it performs any malicious or suspicious actions. Check the events generated by the process for potential malicious behavior.Variations
Uncommon login item persistency was registered or modified by a security testing tool
High overridden
An uncommon login item persistence mechanism was registered/modified on the system by a security testing tool. overridden
Uncommon login item persistency was registered or modified while using osascript
Low overridden
An uncommon login item persistence mechanism was registered/modified on the system while using osascript for persistency registration or as a persistency triggered execution. overridden
Uncommon login item persistency was registered or modified by an invalidly signed actor process
Low overridden
An uncommon login item persistence mechanism was registered/modified on the system by an invalidly signed actor process. overridden
Uncommon login item persistency was registered or modified by an invalidly signed causality process
Low overridden
An uncommon login item persistence mechanism was registered/modified on the system by an invalidly signed causality process. overridden