Execution of an uncommon process at an early startup stage by Windows system binary

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

Generic Persistence Analytics

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Boot or Logon Autostart Execution (T1547)

Severity

Low

Description

Uncommon execution of an executable found in an early startup stage by Windows system binary.

Attacker's Goals

  • Attackers aim to get persistence to continue operating even after a reboot.

Investigative actions

  • Check if the Causality Group Owner (CGO) has a related persistence mechanism that may have been abused by an attacker.

Variations

Execution of an uncommon process at an early startup stage by Windows system binary with suspicious characteristics

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Boot or Logon Autostart Execution (T1547)

Severity

Medium

Description

Uncommon execution of an executable found in an early startup stage by Windows system binary.

Attacker's Goals

  • Attackers aim to get persistence to continue operating even after a reboot.

Investigative actions

  • Check if the Causality Group Owner (CGO) has a related persistence mechanism that may have been abused by an attacker.


Execution of an uncommon process at an early startup stage by Windows system binary with uncommon characteristics

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Boot or Logon Autostart Execution (T1547)

Severity

Low

Description

Uncommon execution of an executable found in an early startup stage by Windows system binary.

Attacker's Goals

  • Attackers aim to get persistence to continue operating even after a reboot.

Investigative actions

  • Check if the Causality Group Owner (CGO) has a related persistence mechanism that may have been abused by an attacker.