MpCmdRun.exe was used to download files into the system

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Ingress Tool Transfer (T1105)

Severity

Low

Description

Attackers might be using legitimate Windows Defender executables to download malicious code onto the system.

Attacker's Goals

Download malicious tools onto the host for more activities.

Investigative actions

  • Check if the downloaded file malicious.
  • Verify if the process executing the command is malicious.
  • Check for more suspicious actions done by the user and process.