Analytics Alerts
Browse the Cortex analytics alert reference.
14 alerts match the current filters. technique: T1569 ✕
Show ATT&CK heatmapA remote service was created via RPC over SMB Low 1 variation
A remote service was created via RPC over SMB.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services: SMB/Windows Admin Shares (T1021.002) System Services: Service Execution (T1569.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Impacket AnalyticsAttacker's goals: Process creation on a remote host.Investigative actions: Check whether the new process is benign and that the new process is not doing suspicious activity.Variations
A remote service with an uncommon name was created via RPC over SMB
Medium overridden
A remote service was created via RPC over SMB. overridden
Attempt to execute a command on a remote host using PsExec.exe Low 1 variation
There was an attempt to run a command on a remote host using PsExec.exe.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services: SMB/Windows Admin Shares (T1021.002) System Services: Service Execution (T1569.002)Required data: XDR AgentDetector tags: Malicious Service AnalyticsAttacker's goals: Execute commands and run processes remotely.Investigative actions: Confirm that the connection is benign and occurred as a part of normal behavior.Variations
Attempt to execute a command on a remote host using PsExec.exe
Low overridden
There was an attempt to run a command on a remote host using PsExec.exe., the connection to the remote host was successful. overridden
Commonly abused process launched as a system service Informational
This commonly abused host process has been launched by a services.exe parent, indicating it has been installed as a system service. This behavior can have legitimate uses, but often used by malware as a persistence mechanism.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: System Services: Service Execution (T1569.002)Required data: XDR AgentAttacker's goals: Attackers may use services to persist or execute commands on remote hosts.Investigative actions: Check whether additional malicious commands were executed from the same process. Verify if the command-line seems suspicious or contains malicious indicators.Elevation to SYSTEM via services Low 2 variations
Services were affected by a non SYSTEM integrity level process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Malicious Service AnalyticsAttacker's goals: Escalate privileges to system and execute commands.Investigative actions: Investigate the service being spawned on the host for malicious activities.Variations
Elevation to SYSTEM via service creation
Low overridden
A service was created from a non SYSTEM integrity level process. overridden
Elevation to SYSTEM via service modification
Low overridden
An existing service was modified from a non SYSTEM integrity level process. overridden
Known service display name with uncommon image-path Low 3 variations
Service created with a known display name but has an uncommon image-path.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Execution (TA0002)ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Malicious Service AnalyticsAttacker's goals: Run malicious code with seemingly trustworthy services.Investigative actions: Investigate the image path of the newly created service. Investigate the causality actor process that initiated the activity.Variations
Known service display name with uncommon image-path created by an untrusted CGO
Medium overridden
Service created with a known display name but has an uncommon image-path. overridden
Known Palo Alto service display name with uncommon image-path
Medium overridden
Service created with a known display name but has an uncommon image-path. overridden
Known service display name with uncommon image-path in a suspicious folder
Medium overridden
Service created with a known display name but has an uncommon image-path. overridden
Known service name with an uncommon image-path Low 2 variations
A Service with a known service name has an uncommon image-path.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Execution (TA0002)ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Malicious Service AnalyticsAttacker's goals: Run malicious code within seemingly trustworthy services.Investigative actions: Investigate the image-path of the newly created service. Investigate the causality actor process that initiated the activity.Variations
Known Palo Alto service name with an uncommon image-path
Medium overridden
A Service with a known service name has an uncommon image-path. overridden
Known service name with an uncommon image-path in a suspicious folder
Medium overridden
A Service with a known service name has an uncommon image-path. overridden
PsExec was executed with a suspicious command line Informational 4 variations
PsExec.exe was executed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)ATT&CK techniques: System Services: Service Execution (T1569.002) Valid Accounts (T1078)Required data: XDR AgentAttacker's goals: An adversary may attempt to use PsExec to gain execution capabilities, run remote commands or perform privilege escalation.Investigative actions: Check if any other suspicious activities happened under the same causality. Confirm the PsExec.exe command is benign.Variations
PsExec was executed with a suspicious command line by a LOLBIN
Low overridden
PsExec.exe was executed with NT/System privilege level by a LOLBIN. overridden
PsExec was executed with a suspicious command line by an unsigned actor
Medium overridden
PsExec.exe was executed with NT/System privilege level by an unsigned actor. overridden
PsExec was executed with a suspicious command line
Low overridden
PsExec.exe was executed with NT/System privilege level. overridden
PsExec was executed with a suspicious command line
Low overridden
PsExec.exe was executed with plain-text credentials. overridden
Rare process spawned by srvany.exe Informational
Unusual process spawned by srvany.exe, which allows applications to run as services with system privileges, this might be an indication of malicious local or remote code execution.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: System Services: Service Execution (T1569.002)Required data: XDR AgentAttacker's goals: Execute malware on the host in a manner that doesn't leave event logs within the system.Investigative actions: Validate if the binary that srvany.exe executed is malicious. Track down the source of the srvany.exe binary and the executed process. Validate if this is a legitimate software installed by IT.Remote PsExec-like command execution Informational 5 variations
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002) Lateral Tool Transfer (T1570)Required data: XDR AgentDetector tags: Impacket AnalyticsAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.Variations
Remote PsExec-like LOLBIN command execution from an unsigned non-standard PsExec service
High overridden
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden
Remote PsExec-like LOLBIN command execution from a signed non-standard PsExec service
Medium overridden
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden
Remote PsExec-like command execution from an unsigned non-standard PsExec service
Medium overridden
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden
Remote PsExec-like command execution from a signed non-standard PsExec service
Low overridden
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden
Remote PsExec command execution
Low overridden
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden
Remote service command execution from an uncommon source High
A remotely triggered service initiated a command execution by a host that rarely triggers services to other remote hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002)Required data: XDR AgentDetector tags: Impacket AnalyticsAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.Remote service start from an uncommon source Low
A remotely triggered service initiated by a host that rarely triggers services to other remote hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002)Required data: XDR AgentDetector tags: Impacket AnalyticsAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.Investigative actions: Investigate the service being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.Service execution via sc.exe Informational
Sc.exe has the ability to start services on local and remote hosts. An attacker may abuse it to execute malicious services on a host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: System Services: Service Execution (T1569.002)Required data: XDR AgentDetector tags: Malicious Service AnalyticsAttacker's goals: Execute commands and run code on local or remote hosts.Investigative actions: Check whether the service that was created via sc.exe is benign and if this was a desired behavior as part of its normal execution flow.Uncommon Service Create/Config Medium
The Service Control command (sc.exe) is used to create, start, stop, query, or delete Windows services. Adversaries may attempt to use the command to execute and persist a binary, command, or script.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: System Services: Service Execution (T1569.002)Required data: XDR AgentDetector tags: Malicious Service AnalyticsAttacker's goals: Evading security controls and possibly persisting malware.Investigative actions: Check whether the service created, or the configuration change to an existing service, is benign or normal for the host and/or user performing it.Uncommon remote service start via sc.exe Low
The Service Control command (sc.exe) is used to create, start, stop, query, or delete Windows services. Adversaries may attempt to use the command to execute and persist a binary, command, or script.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: System Services: Service Execution (T1569.002)Required data: XDR AgentDetector tags: Malicious Service AnalyticsAttacker's goals: The Service Control command is used to create, start, stop, query, or delete Windows services. Attackers can use the command to attempt to execute and persist a binary, command, or script.Investigative actions: Check whether the executed process is benign and if this was desired behavior as part of its normal execution flow. Check the remote host for any evidence of the executed service and investigate it.