Executable created to disk by lsass.exe

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Index by
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

6 Hours

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Detector Tags

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Process Injection (T1055)

Severity

Medium

Description

Lsass.exe does not normally write executable files to disk. This behavior was observed in several exploit chains, such as the EternalBlue and DoublePulsar tooling used in the WannaCry attacks, where code injected into lsass.exe drops follow-on executables to disk.
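The detection logic described above, run over a handful of constructed file-create events (added example; this is not Palo Alto Networks code, and the event fields, hostnames, PIDs and file paths are assumptions made for the illustration, not Cortex XDR's real telemetry schema). It keys on the actor process being lsass.exe, decides whether the written file is executable by extension or by its MZ header rather than by extension alone, applies the 6-hour per-host deduplication period from the table above, and records whether the actor is the genuine System32 lsass.exe or a same-named binary elsewhere, which is a masquerading case that deserves a different triage path:

```python
"""Toy detector: lsass.exe creating an executable on disk.

Added example, not Palo Alto Networks code. The event dictionaries below are a
constructed, simplified file-create record, not Cortex XDR's actual schema.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Extensions Windows treats as PE executables or loadable modules (assumption:
# a practical list, not exhaustive).
EXEC_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".drv"}
# Where the genuine lsass.exe lives; PureWindowsPath compares case-insensitively.
GENUINE_LSASS = PureWindowsPath(r"C:\Windows\System32\lsass.exe")
DEDUP_WINDOW = timedelta(hours=6)  # the page's deduplication period

# Constructed sample telemetry (hosts, PIDs and paths are made up).
SAMPLE_EVENTS = [
    # Benign: lsass.exe writing its own registry/database logs is expected.
    {"ts": "2024-12-03T08:00:00", "host": "WS01", "actor_pid": 712,
     "actor_image": r"C:\Windows\System32\lsass.exe",
     "path": r"C:\Windows\System32\config\SAM.LOG1", "header": b"\x00\x00\x00\x00"},
    # Suspicious: lsass.exe drops an executable.
    {"ts": "2024-12-03T08:05:10", "host": "WS01", "actor_pid": 712,
     "actor_image": r"C:\Windows\System32\lsass.exe",
     "path": r"C:\Windows\Temp\launcher.exe", "header": b"MZ\x90\x00"},
    # Same host, 1h25m later: folded into the first alert by the dedup window.
    {"ts": "2024-12-03T09:30:00", "host": "WS01", "actor_pid": 712,
     "actor_image": r"C:\Windows\System32\lsass.exe",
     "path": r"C:\Windows\Temp\helper.dll", "header": b"MZ\x90\x00"},
    # Another process writing an .exe is out of scope for this detector.
    {"ts": "2024-12-03T10:00:00", "host": "WS02", "actor_pid": 4120,
     "actor_image": r"C:\Windows\System32\msiexec.exe",
     "path": r"C:\Program Files\App\app.exe", "header": b"MZ\x90\x00"},
    # A binary merely named lsass.exe outside System32: fires, but flagged.
    {"ts": "2024-12-03T11:00:00", "host": "WS02", "actor_pid": 5588,
     "actor_image": r"C:\Users\Public\lsass.exe",
     "path": r"C:\Users\Public\drop.exe", "header": b"MZ\x90\x00"},
    # PE content behind a harmless extension, almost 7h after the first alert:
    # the header check catches it and the dedup window has expired.
    {"ts": "2024-12-03T15:00:00", "host": "WS01", "actor_pid": 712,
     "actor_image": r"C:\Windows\System32\lsass.exe",
     "path": r"C:\Windows\Temp\stage2.tmp", "header": b"MZ\x90\x00"},
]


def is_executable(event):
    """True if the written file looks like a PE by extension or by MZ header."""
    ext = PureWindowsPath(event["path"]).suffix.lower()
    return ext in EXEC_EXTENSIONS or event["header"][:2] == b"MZ"


def is_lsass(event):
    """Match on image name only; genuineness is recorded separately."""
    return PureWindowsPath(event["actor_image"]).name.lower() == "lsass.exe"


def detect(events, window=DEDUP_WINDOW):
    """Return one alert per host per dedup window for lsass.exe PE writes."""
    alerts = []
    open_alert = {}  # host -> index of the alert still inside its window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not (is_lsass(ev) and is_executable(ev)):
            continue
        ts = datetime.fromisoformat(ev["ts"])
        idx = open_alert.get(ev["host"])
        if idx is not None and ts - alerts[idx]["first_seen"] < window:
            alerts[idx]["files"].append(ev["path"])  # deduplicated
            continue
        alerts.append({
            "host": ev["host"],
            "first_seen": ts,
            "actor_image": ev["actor_image"],
            "actor_pid": ev["actor_pid"],
            "genuine_lsass": PureWindowsPath(ev["actor_image"]) == GENUINE_LSASS,
            "files": [ev["path"]],
            "severity": "Medium",
        })
        open_alert[ev["host"]] = len(alerts) - 1
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["host"], alert["first_seen"], alert["genuine_lsass"], alert["files"])
```

Against the constructed events this yields three alerts: one for WS01 covering launcher.exe and helper.dll, one for the masquerading lsass.exe on WS02 with genuine_lsass set to False, and a second WS01 alert for stage2.tmp once the window has passed. The msiexec write and the SAM.LOG1 write produce nothing.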

Attacker's Goals

Drop follow-on payloads to disk from a trusted, SYSTEM-level process the attacker has already injected into, so that the write looks like legitimate OS activity. This was a key stage in several exploit chains.

Investigative actions

Check the file that was written to disk for malicious content: collect its hash and digital signature, check its reputation, and detonate it in a sandbox. Determine what happened to the file afterwards (whether it was executed, loaded, or persisted via a service or scheduled task) and examine lsass.exe on the host for signs of injection, such as executable memory regions not backed by a file on disk or threads with unusual start addresses, since a legitimate lsass.exe does not write executables on its own.