A compromised process accessed a rare cloud resource

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2025-12-08

Activation Period	14 Days
Training Period	30 Days
Test Period	2 Hours
Deduplication Period	1 Day
Required Data	Requires one of the following data sources: AWS Flow Log OR AWS OCSF Flow Logs OR Azure Flow Log OR Gcp Flow Log Requires: XDR Agent Requires: XDR Agent with eXtended Threat Hunting (XTH)
Detection Modules
Detector Tags	EDR Windows C2 Analytics
ATT&CK Tactic	Command and Control (TA0011)
ATT&CK Technique	Application Layer Protocol (T1071)
Severity	Informational

A compromised process accessed a rare cloud resource.

Communicate with the attacker's Command and Control (C2) infrastructure while leveraging a compromised process to evade detection.

ATT&CK Tactic	Command and Control (TA0011)
ATT&CK Technique	Application Layer Protocol (T1071)
Severity	Medium

A process compromised by DLL sideloading accessed a rare cloud resource and demonstrated abnormal communication patters.

Communicate with the attacker's Command and Control (C2) infrastructure while leveraging a compromised process to evade detection.

ATT&CK Tactic	Command and Control (TA0011)
ATT&CK Technique	Application Layer Protocol (T1071)
Severity	Informational

A process compromised by DLL sideloading accessed a rare cloud resource.

Communicate with the attacker's Command and Control (C2) infrastructure while leveraging a compromised process to evade detection.

ATT&CK Tactic	Command and Control (TA0011)
ATT&CK Technique	Application Layer Protocol (T1071)
Severity	Informational

An injected process accessed a rare cloud resource.

Communicate with the attacker's Command and Control (C2) infrastructure while leveraging a compromised process to evade detection.