Suspicious DotNet log file created

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent
  • Requires:
    • eXtended Threat Hunting (XTH)

Detection Modules

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Severity

Low

Description

Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files.

Attacker's Goals

Run/Inject DotNet code in the context of a signed process.

Investigative actions

  • Verify if the actor process is using DotNet in a valid way.
  • Check if a new application was recently installed on the host at the time of the alert.

Variations

DotNet log file created by svchost from 'Absolute software Corp' causality

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Severity

Informational

Description

Causality 'Absolute software Corp' loads/injects into svchost and creates DotNet log files.

Attacker's Goals

Run/Inject DotNet code in the context of a signed process.

Investigative actions

  • Verify if the actor process is using DotNet in a valid way.
  • Check if a new application was recently installed on the host at the time of the alert.


Suspicious DotNet log file created from an injected thread

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Severity

Low

Description

Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files.

Attacker's Goals

Run/Inject DotNet code in the context of a signed process.

Investigative actions

  • Verify if the actor process is using DotNet in a valid way.
  • Check if a new application was recently installed on the host at the time of the alert.


Suspicious DotNet log file created

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Severity

Low

Description

Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files.

Attacker's Goals

Run/Inject DotNet code in the context of a signed process.

Investigative actions

  • Verify if the actor process is using DotNet in a valid way.
  • Check if a new application was recently installed on the host at the time of the alert.