Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

21 alerts match the current filters. technique: T1547 ✕

Show ATT&CK heatmap
  • A contained executable was executed by an unusual process Medium 3 variations

    A Docker-contained executable from a mounted share was executed on a host.Running a contained executable is highly dangerous and atypical.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Escape to Host (T1611) Boot or Logon Autostart Execution: Kernel Modules and Extensions (T1547.006)
    Required data: XDR Agent
    Attacker's goals: Gain high privileged command execution on the host machine via one of its running containers.
    Investigative actions: Check what actions were made after the suspicious file execution. Investigate the contained process and its process tree.

    Variations

    A contained executable was executed by the Linux kernel thread daemon

    High overridden

    A contained executable in a cloud machine was executed by the Linux kernel thread daemon.This behavior is suspicious as it may be a result of an attacker attempting to escape from a container, as the kernel thread daemon is usually used to spawn kernel processes only. overridden

    A contained executable was executed by the Linux kernel thread daemon

    High overridden

    A contained executable was executed by the Linux kernel thread daemon.This behavior is suspicious as it may be a result of an attacker attempting to escape from a container, as the kernel thread daemon is usually used to spawn kernel processes only. overridden

    A contained executable was executed by an unusual process

    Medium overridden

    A Docker-contained executable from a mounted share on a cloud machine was executed on a host.Running a contained executable is highly dangerous and atypical. overridden

  • An uncommon file added to startup-related Registry keys Informational 5 variations

    An attacker may add a file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution (T1547)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain persistence using the legitimate Windows registry run key mechanism, which executes files or scripts on user login or computer boot.
    Investigative actions: Verify if the registered file is malicious. Check if the installing software is a malicious binary or script.

    Variations

    An uncommon file added to startup-related Registry keys by an unsigned and unpopular CGO process

    Low overridden

    An attacker may add a file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden

    An uncommon script added to startup-related Registry keys

    Low overridden

    An attacker may add a script to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden

    An uncommon file added to startup-related Registry keys by a commonly known and signed application

    Low overridden

    An attacker may add a file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden

    An uncommon LOLBIN added to startup-related Registry keys

    Low overridden

    An attacker may add a LOLBIN to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden

    An uncommon file added to startup-related Registry keys by a remote actor

    Low overridden

    A remote attacker may add a file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden

  • An uncommon file was created in the startup folder Informational 4 variations

    An uncommon file was created in the startup folder.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Maintain persistence on the host through automatic execution at startup.
    Investigative actions: Determine if the file was created as part of a legitimate application installation, and check other files written by the same process. Identify which program opens this file based on its extension. Check the registry at HKEY_CLASSES_ROOT\[extension]\shell\[action]\command to see the default application or command used to execute the file.

    Variations

    An executable file with a non-default extension was added to the startup folder

    Medium overridden

    An executable file with a non-default extension was added to the startup folder. overridden

    An executable or script was added to the startup folder

    Low overridden

    An executable or script was added to the startup folder. This may occur during a legitimate program installation but could also indicate a malicious program persisting on the system. overridden

    A file with an uncommon extension was added to the startup folder

    Low overridden

    A file with an uncommon extension was added to the startup folder, which may happen on new program installation, but may also indicate a malicious program persisting itself. overridden

    A new shortcut (lnk) was added to the startup folder

    Low overridden

    A new shortcut (lnk) file was added to the startup folder, which may happen on new program installation, but may also indicate a malicious program persisting itself. overridden

  • Execution of an uncommon process at an early startup stage Informational 2 variations

    Uncommon execution of an executable found in an early startup stage.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution (T1547)
    Required data: XDR Agent
    Detector tags: Generic Persistence Analytics
    Attacker's goals: Adversaries continuously find and develop new undetectable, novel methods of launching malware during startup. Attackers aim to get persistence to continue operating even after a reboot.
    Investigative actions: Check if the CGO (causality group owner) is familiar and if one of it configuration/parameters/registry keys has been modified.

    Variations

    Execution of an uncommon process at an early startup stage with suspicious characteristics

    Low overridden

    Uncommon execution of an executable found in an early startup stage. overridden

    Execution of an uncommon process at an early startup stage with uncommon characteristics

    Low overridden

    Uncommon execution of an executable found in an early startup stage. overridden

  • Execution of an uncommon process at an early startup stage by Windows system binary Low 2 variations

    Uncommon execution of an executable found in an early startup stage by Windows system binary.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution (T1547)
    Required data: XDR Agent
    Detector tags: Generic Persistence Analytics
    Attacker's goals: Attackers aim to get persistence to continue operating even after a reboot.
    Investigative actions: Check if the Causality Group Owner (CGO) has a related persistence mechanism that may have been abused by an attacker.

    Variations

    Execution of an uncommon process at an early startup stage by Windows system binary with suspicious characteristics

    Low overridden

    Uncommon execution of an executable found in an early startup stage by Windows system binary. overridden

    Execution of an uncommon process at an early startup stage by Windows system binary with uncommon characteristics

    Low overridden

    Uncommon execution of an executable found in an early startup stage by Windows system binary. overridden

  • Execution of an uncommon process with a local/domain user SID at an early startup stage Informational 2 variations

    Execution of an uncommon process with a local/domain user SID at an early startup stage may be an indication of a persistent mechanism on boot that is being actively abused.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution (T1547)
    Required data: XDR Agent
    Detector tags: Generic Persistence Analytics
    Attacker's goals: Attackers aim to get persistence to continue operating even after a reboot.
    Investigative actions: Check if the CGO (causality group owner) is familiar and if any configuration, parameters, or registry keys have been modified.

    Variations

    Execution of an uncommon process with a local/domain user SID at an early startup stage with suspicious characteristics

    Low overridden

    Execution of an uncommon process with a local/domain user SID at an early startup stage may be an indication of a persistent mechanism on boot that is being actively abused. overridden

    Execution of an uncommon process with a local/domain user SID at an early startup stage with uncommon characteristics

    Low overridden

    Execution of an uncommon process with a local/domain user SID at an early startup stage may be an indication of a persistent mechanism on boot that is being actively abused. overridden

  • Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary Low 3 variations

    Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary may be an indication of a persistent mechanism on boot that is being actively abused.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution (T1547)
    Required data: XDR Agent
    Detector tags: Generic Persistence Analytics
    Attacker's goals: Attackers aim to get persistence to continue operating even after a reboot.
    Investigative actions: Check if the Causality Group Owner (CGO) has a related persistence mechanism that may have been abused by an attacker.

    Variations

    Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary - Explorer CGO

    Informational overridden

    Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary may be an indication of a persistent mechanism on boot that is being actively abused. overridden

    Execution of an uncommon process with a local/domain user SID at an early startup stage with a suspicious characteristics by Windows system binary

    Low overridden

    Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary may be an indication of a persistent mechanism on boot that is being actively abused. overridden

    Execution of an uncommon process with a local/domain user SID at an early startup stage with an uncommon characteristics by Windows system binary

    Low overridden

    Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary may be an indication of a persistent mechanism on boot that is being actively abused. overridden

  • Microsoft Office adds a value to autostart Registry key Low

    Microsoft Office adds a value to a registry entry (run keys, startup folders) to establish persistence.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain persistence on the host using the Window's autostart Mechanism.
    Investigative actions: Check the registry key and determine what process it'll run. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Office process accessed an unusual .LNK file Low

    An attacker may embed a .LNK file in an Office document to execute malicious code.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: User Execution (T1204) Boot or Logon Autostart Execution: Shortcut Modification (T1547.009)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Modify or create a shortcut to gain code or program execution.
    Investigative actions: Check if the Office document contains a shortcut object. Check the content (strings) of the document object for a .LNK shortcut. Check the content of the shortcut.
  • Possible Persistence via group policy Registry keys Medium

    Group Policy registry keys were read during system startup. This behavior may indicate a persistence mechanism that triggers on reboot to execute malicious code.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Establish persistence on the host using Windows Group Policy mechanisms.
    Investigative actions: Inspect the registry keys and determine which process or command is configured to run. Verify whether the executing process is benign and expected as part of normal system behavior.
  • Script file added to startup-related Registry keys Medium

    An attacker may add a script file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution (T1547)
    Required data: XDR Agent
    Attacker's goals: Gain persistence using the legitimate Windows registry run key mechanism, which executes commands on user login or computer boot.
    Investigative actions: Verify if the registered script is malicious. Check if the installed software is a malicious binary or script.
  • Setting Windows Auto Logon by uncommon process Low

    Setting Windows Auto Logon by uncommon process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversary may attempt to set auto logon for persistence and privilege escalation.
    Investigative actions: Investigate the process that set or create the registry key.
  • Suspicious RunOnce Parent Process Low

    Runonce.exe executes commands under the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, typically on computer boot and user login events.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
    Required data: XDR Agent
    Attacker's goals: An attacker is trying to perform an action on the system at a later point, achieving persistence.
    Investigative actions: Investigate the endpoint to determine if it's a legitimate process that is supposed to use RunOnce in its operation.
  • Suspicious Udev driver rule execution manipulation Low 1 variation

    Udev driver rule was modified with unusual pattern, might be used by adversaries to backdoor existing drivers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Boot or Logon Autostart Execution: Kernel Modules and Extensions (T1547.006)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversaries can use this technique to execute arbitrary commands once the machine boots.
    Investigative actions: Check if the action was done using an automation service. Check the rule modification content and look for any suspicious payloads. Check if there are any other suspicious activities originated from the same machine/executing user.

    Variations

    Unusual Udev driver rule execution manipulation

    Low overridden

    Udev driver rule was modified with unusual pattern, might be used by adversaries to backdoor existing drivers. overridden

  • Suspicious active setup registered Informational

    The endpoint registered a new active setup, which may be used to gain persistence on the host by loading libraries into the time management service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution: Active Setup (T1547.014)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain persistence using the legitimate windows active setup mechanism, which executes binary on system startup.
    Investigative actions: Verify if the registered binary is malicious. Check if the installing software is a malicious binary.
  • Suspicious authentication package registered Medium

    The endpoint registered a suspicious authentication package, which may be used to gain persistence on the host by loading libraries into the time management service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    14 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution: Authentication Package (T1547.002)
    Required data: XDR Agent
    Attacker's goals: Gain persistence using the legitimate Windows authentication package mechanism, which loads libraries into Windows services.
    Investigative actions: Verify if the registered library is malicious. Check if the installing software is a malicious binary. Check for any suspicious network activity from "lsass.exe".
  • Suspicious print processor registered Medium

    The endpoint registered a new print processor, which may be used to gain persistence on the host by loading libraries into the time management service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution: Print Processors (T1547.012)
    Required data: XDR Agent
    Attacker's goals: Gain persistence using the legitimate windows print processor mechanism, which loads libraries into Windows services.
    Investigative actions: Verify if the registered library is malicious. Check if the installing software is a malicious binary. Check for any suspicious network activity from svchost.exe or spoolsv.exe.
  • Suspicious runonce.exe parent process Low

    Runonce.exe executes commands under the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, typically on computer boot and user logon events.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
    Required data: XDR Agent
    Attacker's goals: Command execution and persistence on the host.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Suspicious time provider registered Medium 2 variations

    The endpoint time provider has been tampered, this change may be used to gain persistence on the host by loading libraries into the time management service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution: Time Providers (T1547.003)
    Required data: XDR Agent
    Attacker's goals: Gain persistence using the legitimate Windows time provider mechanism, which loads libraries into Windows services.
    Investigative actions: Verify if the registered library is malicious. Check if the software performing the installation is a malicious binary. Check for any network activity from a "svchost.exe -k LocalService" process that seems suspicious.

    Variations

    Suspicious time provider registered manually by reg.exe

    High overridden

    The endpoint time provider has been tampered, this change may be used to gain persistence on the host by loading libraries into the time management service. overridden

    Suspicious time provider registered using an uncommon provider name

    High overridden

    The endpoint time provider has been tampered, this change may be used to gain persistence on the host by loading libraries into the time management service. overridden

  • Uncommon Security Support Provider (SSP) registered via a registry key Low

    Security Support Provider (SSP) exposes a number of callbacks to be invoked during certain authentication and authorization events.An attacker may register SSP to try and gain access to clear text passwords.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Boot or Logon Autostart Execution: Security Support Provider (T1547.005)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain clear text passwords and persistency in the network.
    Investigative actions: Audit the specific key values to verify that the additional values are trusted.
  • Uncommon login item persistency was registered or modified Informational 4 variations

    An uncommon login item persistence mechanism was registered/modified on the system.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution (T1547) Boot or Logon Autostart Execution: Login Items (T1547.015)
    Required data: XDR Agent
    Detector tags: Generic Persistence Analytics
    Attacker's goals: Establish persistent access to the compromised host by registering malicious code.
    Investigative actions: Analyze the persistency item and determine whether it performs any malicious or suspicious actions. Analyze the registered process and determine whether it performs any malicious or suspicious actions. Check the events generated by the process for potential malicious behavior.

    Variations

    Uncommon login item persistency was registered or modified by a security testing tool

    High overridden

    An uncommon login item persistence mechanism was registered/modified on the system by a security testing tool. overridden

    Uncommon login item persistency was registered or modified while using osascript

    Low overridden

    An uncommon login item persistence mechanism was registered/modified on the system while using osascript for persistency registration or as a persistency triggered execution. overridden

    Uncommon login item persistency was registered or modified by an invalidly signed actor process

    Low overridden

    An uncommon login item persistence mechanism was registered/modified on the system by an invalidly signed actor process. overridden

    Uncommon login item persistency was registered or modified by an invalidly signed causality process

    Low overridden

    An uncommon login item persistence mechanism was registered/modified on the system by an invalidly signed causality process. overridden