Analytics Alerts
Browse the Cortex analytics alert reference.
2 alerts match the current filters. technique: T1620 ✕
Show ATT&CK heatmapSuspicious DotNet log file created Low 3 variations
Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Reflective Code Loading (T1620) Process Injection (T1055)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Run/Inject DotNet code in the context of a signed process.Investigative actions: Verify if the actor process is using DotNet in a valid way. Check if a new application was recently installed on the host at the time of the alert.Variations
DotNet log file created by svchost from 'Absolute software Corp' causality
Informational overridden
Causality 'Absolute software Corp' loads/injects into svchost and creates DotNet log files. overridden
Suspicious DotNet log file created from an injected thread
Low overridden
Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files. overridden
Suspicious DotNet log file created
Low overridden
Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files. overridden
Uncommon DotNet module load relationship Informational
A signed process that usually doesn't use DotNet loaded a common DotNet module.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Reflective Code Loading (T1620)Required data: XDR AgentAttacker's goals: Adversaries may reflectively load DotNet code into a process to conceal execution of malicious payloads.Investigative actions: Investigate the actor process for potential malicious activity. Check for recently installed services that may load DotNet modules.