A contained executable was executed by an unusual process

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

An executable that resides in a Docker container's filesystem, or in a share mounted into a container, was executed by a process on the host.
Executables that belong to a container are expected to run only inside that container, under its container runtime; a host process launching one is atypical and highly dangerous, since it can indicate that an attacker has broken out of the container and is running a payload with the host's privileges.

Attacker's Goals

Gain high privileged command execution on the host machine via one of its running containers.

Investigative actions

  • Check what actions were taken after the suspicious file execution.
  • Investigate the contained process and its process tree, including the host process that launched it.

Variations

A contained executable was executed by the Linux kernel thread daemon

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

High

Description

A contained executable (one residing in a container's filesystem) on a cloud machine was executed by the Linux kernel thread daemon (kthreadd, PID 2).
This behavior is suspicious and may be the result of an attacker attempting to escape from a container: kthreadd normally spawns only kernel threads, and the only user-space programs that appear beneath it are usermode helpers that the kernel itself invokes (for example, the handler configured in core_pattern). A container-resident binary running as a child of kthreadd therefore indicates that such a kernel-invoked mechanism has been pointed at the container's filesystem, which is a known way to break out of a container and execute as root on the host.

Attacker's Goals

Gain high privileged command execution on the host machine via one of its running containers.

Investigative actions

  • Check what actions were taken after the suspicious file execution.
  • Investigate the contained process and its process tree, confirming that its parent is kthreadd (PID 2) and identifying the kernel mechanism that invoked it.
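As an added example, not Cortex XDR's detection logic or code, the following Python triage script applies the reasoning of the main alert and of the kernel thread daemon variation to a process snapshot: it flags executables whose host-side path resolves into a container's overlay filesystem or a named volume, walks each such process's parent chain, and rates the finding High when the chain reaches kthreadd and Medium when it reaches the host's init without passing through a container runtime. The Docker path patterns, the set of runtime process names and the sample process snapshot are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Host-side paths that resolve into a container's filesystem. Assumption (not
# from the alert reference): default Docker data root with the overlay2 storage
# driver; named volumes live under /var/lib/docker/volumes/<name>/_data.
CONTAINER_PATH_PATTERNS = [
    re.compile(r"^/var/lib/docker/overlay2/[0-9a-f]+/(merged|diff)/"),
    re.compile(r"^/var/lib/docker/volumes/[^/]+/_data/"),
]

# kthreadd (PID 2) parents only kernel threads and kernel-invoked usermode helpers.
KTHREADD_PID = 2

# Parents under which a container-resident binary is expected to run.
# Assumption: Docker/containerd stack; extend for other runtimes.
RUNTIME_COMMS = {"dockerd", "containerd", "containerd-shim",
                 "containerd-shim-runc-v2", "runc"}


@dataclass(frozen=True)
class ProcEvent:
    """One process-start record: host PID, parent PID, command name, and the
    host-resolved path of the executable image."""
    pid: int
    ppid: int
    comm: str
    exe: str


def is_contained_path(exe: str) -> bool:
    """True when the executable image lives inside a container filesystem or volume."""
    return any(p.match(exe) for p in CONTAINER_PATH_PATTERNS)


def ancestors(pid: int, table: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Parent chain from the immediate parent up to the root; guards against
    cycles and against parents missing from the snapshot."""
    chain: List[ProcEvent] = []
    seen = {pid}
    cur = table.get(pid)
    while cur is not None and cur.ppid in table and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = table[cur.ppid]
        chain.append(cur)
    return chain


def classify(ev: ProcEvent, table: Dict[int, ProcEvent]) -> Optional[dict]:
    """Return a finding for a contained executable launched outside a container
    runtime's lineage, or None when the execution is expected."""
    if not is_contained_path(ev.exe):
        return None
    chain = ancestors(ev.pid, table)
    lineage = [f"{a.comm}({a.pid})" for a in chain]
    for anc in chain:
        if anc.pid == KTHREADD_PID:
            return {"pid": ev.pid, "exe": ev.exe, "severity": "High",
                    "reason": "contained executable spawned by kthreadd "
                              "(kernel usermode helper, likely container escape)",
                    "lineage": lineage}
        if anc.comm in RUNTIME_COMMS:
            return None  # ordinary container workload under its runtime
    return {"pid": ev.pid, "exe": ev.exe, "severity": "Medium",
            "reason": "contained executable launched by a host process "
                      "outside any container runtime lineage",
            "lineage": lineage}


def triage(events: List[ProcEvent]) -> List[dict]:
    """Run classify() over a whole snapshot and keep only the findings."""
    table = {e.pid: e for e in events}
    return [f for f in (classify(e, table) for e in events) if f is not None]


# Constructed sample snapshot (not real telemetry): a healthy nginx container
# under containerd-shim, a binary from the container's overlay launched by
# kthreadd, and a binary from a named volume launched by the host's cron.
SAMPLE_EVENTS = [
    ProcEvent(1, 0, "systemd", "/usr/lib/systemd/systemd"),
    ProcEvent(2, 0, "kthreadd", ""),
    ProcEvent(800, 1, "containerd", "/usr/bin/containerd"),
    ProcEvent(900, 1, "containerd-shim-runc-v2", "/usr/bin/containerd-shim-runc-v2"),
    ProcEvent(950, 900, "sh", "/var/lib/docker/overlay2/3f9a1c/merged/bin/sh"),
    ProcEvent(960, 950, "nginx", "/var/lib/docker/overlay2/3f9a1c/merged/usr/sbin/nginx"),
    ProcEvent(1200, 2, "handler", "/var/lib/docker/overlay2/3f9a1c/merged/tmp/handler"),
    ProcEvent(1300, 1, "cron", "/usr/sbin/cron"),
    ProcEvent(1301, 1300, "backup", "/var/lib/docker/volumes/app-data/_data/backup"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] pid={finding['pid']} exe={finding['exe']}")
        print(f"  lineage: {' <- '.join(finding['lineage'])}")
        print(f"  reason:  {finding['reason']}")
```

On the sample snapshot the nginx container's own processes are ignored because their lineage passes through containerd-shim, the overlay binary under kthreadd is reported as High, and the volume binary under cron as Medium. On a live Linux host the same records can be built from /proc/<pid>/stat and a resolved /proc/<pid>/exe; an exe path under the overlay2 merged directory seen from the host's mount namespace is the tell-tale that a container-resident image is running outside the container's runtime lineage.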


A contained executable was executed by the Linux kernel thread daemon

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

High

Description

A contained executable (one residing in a container's filesystem) was executed by the Linux kernel thread daemon (kthreadd, PID 2).
This behavior is suspicious and may be the result of an attacker attempting to escape from a container: kthreadd normally spawns only kernel threads, and the only user-space programs that appear beneath it are usermode helpers that the kernel itself invokes (for example, the handler configured in core_pattern). A container-resident binary running as a child of kthreadd therefore indicates that such a kernel-invoked mechanism has been pointed at the container's filesystem, which is a known way to break out of a container and execute as root on the host.

Attacker's Goals

Gain high privileged command execution on the host machine via one of its running containers.

Investigative actions

  • Check what actions were taken after the suspicious file execution.
  • Investigate the contained process and its process tree, confirming that its parent is kthreadd (PID 2) and identifying the kernel mechanism that invoked it.


A contained executable was executed by an unusual process

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

An executable that resides in a Docker container's filesystem, or in a share mounted into a container, was executed by a process on a cloud host.
Executables that belong to a container are expected to run only inside that container, under its container runtime; a host process launching one is atypical and highly dangerous, since it can indicate that an attacker has broken out of the container and is running a payload with the host's privileges.

Attacker's Goals

Gain high privileged command execution on the host machine via one of its running containers.

Investigative actions

  • Check what actions were taken after the suspicious file execution.
  • Investigate the contained process and its process tree, including the host process that launched it.