Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

14 alerts match the current filters. technique: T1569 ✕

Show ATT&CK heatmap
  • A remote service was created via RPC over SMB Low 1 variation

    A remote service was created via RPC over SMB.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services: SMB/Windows Admin Shares (T1021.002) System Services: Service Execution (T1569.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Impacket Analytics
    Attacker's goals: Process creation on a remote host.
    Investigative actions: Check whether the new process is benign and that the new process is not doing suspicious activity.

    Variations

    A remote service with an uncommon name was created via RPC over SMB

    Medium overridden

    A remote service was created via RPC over SMB. overridden

  • Attempt to execute a command on a remote host using PsExec.exe Low 1 variation

    There was an attempt to run a command on a remote host using PsExec.exe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services: SMB/Windows Admin Shares (T1021.002) System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Detector tags: Malicious Service Analytics
    Attacker's goals: Execute commands and run processes remotely.
    Investigative actions: Confirm that the connection is benign and occurred as a part of normal behavior.

    Variations

    Attempt to execute a command on a remote host using PsExec.exe

    Low overridden

    There was an attempt to run a command on a remote host using PsExec.exe., the connection to the remote host was successful. overridden

  • Commonly abused process launched as a system service Informational

    This commonly abused host process has been launched by a services.exe parent, indicating it has been installed as a system service. This behavior can have legitimate uses, but often used by malware as a persistence mechanism.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Attacker's goals: Attackers may use services to persist or execute commands on remote hosts.
    Investigative actions: Check whether additional malicious commands were executed from the same process. Verify if the command-line seems suspicious or contains malicious indicators.
  • Elevation to SYSTEM via services Low 2 variations

    Services were affected by a non SYSTEM integrity level process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)
    ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Malicious Service Analytics
    Attacker's goals: Escalate privileges to system and execute commands.
    Investigative actions: Investigate the service being spawned on the host for malicious activities.

    Variations

    Elevation to SYSTEM via service creation

    Low overridden

    A service was created from a non SYSTEM integrity level process. overridden

    Elevation to SYSTEM via service modification

    Low overridden

    An existing service was modified from a non SYSTEM integrity level process. overridden

  • Known service display name with uncommon image-path Low 3 variations

    Service created with a known display name but has an uncommon image-path.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Execution (TA0002)
    ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Malicious Service Analytics
    Attacker's goals: Run malicious code with seemingly trustworthy services.
    Investigative actions: Investigate the image path of the newly created service. Investigate the causality actor process that initiated the activity.

    Variations

    Known service display name with uncommon image-path created by an untrusted CGO

    Medium overridden

    Service created with a known display name but has an uncommon image-path. overridden

    Known Palo Alto service display name with uncommon image-path

    Medium overridden

    Service created with a known display name but has an uncommon image-path. overridden

    Known service display name with uncommon image-path in a suspicious folder

    Medium overridden

    Service created with a known display name but has an uncommon image-path. overridden

  • Known service name with an uncommon image-path Low 2 variations

    A Service with a known service name has an uncommon image-path.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Execution (TA0002)
    ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Malicious Service Analytics
    Attacker's goals: Run malicious code within seemingly trustworthy services.
    Investigative actions: Investigate the image-path of the newly created service. Investigate the causality actor process that initiated the activity.

    Variations

    Known Palo Alto service name with an uncommon image-path

    Medium overridden

    A Service with a known service name has an uncommon image-path. overridden

    Known service name with an uncommon image-path in a suspicious folder

    Medium overridden

    A Service with a known service name has an uncommon image-path. overridden

  • PsExec was executed with a suspicious command line Informational 4 variations

    PsExec.exe was executed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)
    ATT&CK techniques: System Services: Service Execution (T1569.002) Valid Accounts (T1078)
    Required data: XDR Agent
    Attacker's goals: An adversary may attempt to use PsExec to gain execution capabilities, run remote commands or perform privilege escalation.
    Investigative actions: Check if any other suspicious activities happened under the same causality. Confirm the PsExec.exe command is benign.

    Variations

    PsExec was executed with a suspicious command line by a LOLBIN

    Low overridden

    PsExec.exe was executed with NT/System privilege level by a LOLBIN. overridden

    PsExec was executed with a suspicious command line by an unsigned actor

    Medium overridden

    PsExec.exe was executed with NT/System privilege level by an unsigned actor. overridden

    PsExec was executed with a suspicious command line

    Low overridden

    PsExec.exe was executed with NT/System privilege level. overridden

    PsExec was executed with a suspicious command line

    Low overridden

    PsExec.exe was executed with plain-text credentials. overridden

  • Rare process spawned by srvany.exe Informational

    Unusual process spawned by srvany.exe, which allows applications to run as services with system privileges, this might be an indication of malicious local or remote code execution.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Attacker's goals: Execute malware on the host in a manner that doesn't leave event logs within the system.
    Investigative actions: Validate if the binary that srvany.exe executed is malicious. Track down the source of the srvany.exe binary and the executed process. Validate if this is a legitimate software installed by IT.
  • Remote PsExec-like command execution Informational 5 variations

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002) Lateral Tool Transfer (T1570)
    Required data: XDR Agent
    Detector tags: Impacket Analytics
    Attacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.
    Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.

    Variations

    Remote PsExec-like LOLBIN command execution from an unsigned non-standard PsExec service

    High overridden

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden

    Remote PsExec-like LOLBIN command execution from a signed non-standard PsExec service

    Medium overridden

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden

    Remote PsExec-like command execution from an unsigned non-standard PsExec service

    Medium overridden

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden

    Remote PsExec-like command execution from a signed non-standard PsExec service

    Low overridden

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden

    Remote PsExec command execution

    Low overridden

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden

  • Remote service command execution from an uncommon source High

    A remotely triggered service initiated a command execution by a host that rarely triggers services to other remote hosts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Detector tags: Impacket Analytics
    Attacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.
    Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.
  • Remote service start from an uncommon source Low

    A remotely triggered service initiated by a host that rarely triggers services to other remote hosts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Detector tags: Impacket Analytics
    Attacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.
    Investigative actions: Investigate the service being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.
  • Service execution via sc.exe Informational

    Sc.exe has the ability to start services on local and remote hosts. An attacker may abuse it to execute malicious services on a host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Detector tags: Malicious Service Analytics
    Attacker's goals: Execute commands and run code on local or remote hosts.
    Investigative actions: Check whether the service that was created via sc.exe is benign and if this was a desired behavior as part of its normal execution flow.
  • Uncommon Service Create/Config Medium

    The Service Control command (sc.exe) is used to create, start, stop, query, or delete Windows services. Adversaries may attempt to use the command to execute and persist a binary, command, or script.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Detector tags: Malicious Service Analytics
    Attacker's goals: Evading security controls and possibly persisting malware.
    Investigative actions: Check whether the service created, or the configuration change to an existing service, is benign or normal for the host and/or user performing it.
  • Uncommon remote service start via sc.exe Low

    The Service Control command (sc.exe) is used to create, start, stop, query, or delete Windows services. Adversaries may attempt to use the command to execute and persist a binary, command, or script.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Detector tags: Malicious Service Analytics
    Attacker's goals: The Service Control command is used to create, start, stop, query, or delete Windows services. Attackers can use the command to attempt to execute and persist a binary, command, or script.
    Investigative actions: Check whether the executed process is benign and if this was desired behavior as part of its normal execution flow. Check the remote host for any evidence of the executed service and investigate it.