A process is masquerading as a common Microsoft product

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2026-01-14
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

EDR Windows Disguised Processes

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Masquerading (T1036)

Severity

Informational

Description

An attacker might give a malicious executable the image name of a common Microsoft product so that it runs without drawing attention.

Attacker's Goals

An attacker is attempting to masquerade as a Microsoft software image to execute malicious code.

Investigative actions

  • Investigate the executed process image and check whether it is malicious, starting with where it runs from and whether it carries a valid Microsoft signature.
  • Investigate the actor process that launched it and check whether it is malicious.

Variations

An unsigned actor executed masqueraded process which was downloaded from unexpected source

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Masquerading (T1036)

Severity

High

Description

An attacker might give a malicious executable the image name of a common Microsoft product so that it runs without drawing attention.

Attacker's Goals

An attacker is attempting to masquerade as a Microsoft software image to execute malicious code.

Investigative actions

  • Investigate the executed process image and check whether it is malicious, starting with where it runs from, whether it carries a valid Microsoft signature, and where it was downloaded from.
  • Investigate the unsigned actor process that launched it and check whether it is malicious.