Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

2 alerts match the current filters. technique: T1620 ✕

Show ATT&CK heatmap
  • Suspicious DotNet log file created Low 3 variations

    Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Reflective Code Loading (T1620) Process Injection (T1055)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Run/Inject DotNet code in the context of a signed process.
    Investigative actions: Verify if the actor process is using DotNet in a valid way. Check if a new application was recently installed on the host at the time of the alert.

    Variations

    DotNet log file created by svchost from 'Absolute software Corp' causality

    Informational overridden

    Causality 'Absolute software Corp' loads/injects into svchost and creates DotNet log files. overridden

    Suspicious DotNet log file created from an injected thread

    Low overridden

    Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files. overridden

    Suspicious DotNet log file created

    Low overridden

    Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files. overridden

  • Uncommon DotNet module load relationship Informational

    A signed process that usually doesn't use DotNet loaded a common DotNet module.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Reflective Code Loading (T1620)
    Required data: XDR Agent
    Attacker's goals: Adversaries may reflectively load DotNet code into a process to conceal execution of malicious payloads.
    Investigative actions: Investigate the actor process for potential malicious activity. Check for recently installed services that may load DotNet modules.