Execution of an uncommon process with a local/domain user SID at an early startup stage

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2025-11-09
Category
Analytics Alert Reference
Index by
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

Generic Persistence Analytics

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Boot or Logon Autostart Execution (T1547)

Severity

Informational

Response playbooks

Variations of this detector that create incidents have an OOTB response playbook included in the Cortex Response and Remediation Pack

Description

Execution of an uncommon process with a local/domain user SID at an early startup stage may be an indication of a persistent mechanism on boot that is being actively abused.

Attacker's Goals

  • Attackers aim to get persistence to continue operating even after a reboot.

Investigative actions

  • Check whether the CGO (causality group owner) is a familiar process and whether any of its configuration, parameters, or registry keys has been modified.
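The heuristic this detector describes (a process that is rare in the training baseline, runs under a local or domain account SID rather than a service SID, and starts shortly after boot, with one alert per host and image per deduplication period) can be sketched in a few lines. The block below is an added illustration written for this page, not Cortex XDR code and not the product's actual analytics logic; the field names, the 120-second "early startup" window, the rarity threshold of two hosts and all sample events are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ---- thresholds: assumptions for this example, not values from the alert reference ----
EARLY_WINDOW = timedelta(seconds=120)   # what we treat as "an early startup stage"
RARE_HOST_COUNT = 2                     # image seen on <= this many hosts in training = "uncommon"
DEDUP_WINDOW = timedelta(days=1)        # page: Deduplication Period is 1 Day

# Account SIDs issued by a local SAM or an AD domain all start with S-1-5-21-<3 sub-authorities>-<RID>.
USER_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")
# Well-known service identities that are NOT local/domain user accounts.
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}   # SYSTEM, LOCAL SERVICE, NETWORK SERVICE


def is_local_or_domain_user_sid(sid: str) -> bool:
    """True for S-1-5-21-... account SIDs; False for service SIDs and other well-known SIDs."""
    return sid not in SERVICE_SIDS and USER_SID_RE.match(sid) is not None


def build_baseline(training_events):
    """Training period: number of distinct hosts on which each image path was seen."""
    hosts = defaultdict(set)
    for ev in training_events:
        hosts[ev["image"].lower()].add(ev["host"])
    return {img: len(h) for img, h in hosts.items()}


def detect(events, baseline):
    """Return one alert per (host, image) per DEDUP_WINDOW for early, uncommon, user-SID processes."""
    alerts = []
    last_alert = {}  # (host, image) -> start time of the last alert, for deduplication
    for ev in sorted(events, key=lambda e: e["start"]):
        if not is_local_or_domain_user_sid(ev["sid"]):
            continue                                    # SYSTEM / service accounts are out of scope here
        if ev["start"] - ev["boot"] > EARLY_WINDOW:
            continue                                    # not an early startup stage
        img = ev["image"].lower()
        if baseline.get(img, 0) > RARE_HOST_COUNT:
            continue                                    # common across the fleet, not "uncommon"
        key = (ev["host"], img)
        prev = last_alert.get(key)
        if prev is not None and ev["start"] - prev < DEDUP_WINDOW:
            continue                                    # already alerted within the dedup period
        last_alert[key] = ev["start"]
        alerts.append({
            "host": ev["host"], "image": ev["image"], "sid": ev["sid"],
            "cgo": ev["cgo"],                           # causality group owner, the thing to triage first
            "secs_after_boot": int((ev["start"] - ev["boot"]).total_seconds()),
        })
    return alerts


# ---- constructed sample telemetry (fake hosts, SIDs and paths) ----
BOOT_D0 = datetime(2025, 11, 1, 8, 0, 0)
BOOT_D1 = BOOT_D0 + timedelta(days=1)
USER = "S-1-5-21-3623811015-3361044348-30300820-1105"
SYSTEM = "S-1-5-18"
COMMON = r"C:\Windows\explorer.exe"
RARE = r"C:\Users\alice\AppData\Roaming\Updater\updater.exe"


def _ev(host, boot, secs, image, sid, cgo="explorer.exe"):
    return {"host": host, "boot": boot, "start": boot + timedelta(seconds=secs),
            "image": image, "sid": sid, "cgo": cgo}


# Training period: explorer.exe on 50 hosts, the AppData updater on a single host.
TRAINING = [_ev(f"WS{i:02d}", BOOT_D0 - timedelta(days=10), 20, COMMON, USER) for i in range(50)]
TRAINING.append(_ev("WS01", BOOT_D0 - timedelta(days=3), 40, RARE, USER))

TEST_EVENTS = [
    _ev("WS01", BOOT_D0, 30, COMMON, USER),                    # common image: no alert
    _ev("WS01", BOOT_D0, 45, RARE, USER, "userinit.exe"),      # uncommon, user SID, early: alert
    _ev("WS01", BOOT_D0, 50, RARE, USER, "userinit.exe"),      # same host/image/day: deduplicated
    _ev("WS02", BOOT_D0, 10, r"C:\Windows\System32\svchost.exe", SYSTEM, "services.exe"),  # SYSTEM SID
    _ev("WS03", BOOT_D0, 3600, RARE, USER),                    # an hour after boot: not early
    _ev("WS01", BOOT_D1, 47, RARE, USER, "userinit.exe"),      # next boot, dedup window elapsed: alert
]


def run_example():
    return detect(TEST_EVENTS, build_baseline(TRAINING))


if __name__ == "__main__":
    for a in run_example():
        print(a)
```

Running it yields two alerts, both for WS01 and both naming userinit.exe as the CGO; the svchost.exe event is dropped by the SID check before rarity is ever considered, which is the distinction between this detector and a plain "rare process at boot" rule. Each alert carries the CGO so the analyst can start with the investigative action above: is that owner expected, and have its Run keys, scheduled task or service parameters changed since the baseline?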

Variations

Execution of an uncommon process with a local/domain user SID at an early startup stage with suspicious characteristics

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Boot or Logon Autostart Execution (T1547)

Severity

Medium

Response playbooks

Execution of an uncommon process at an early startup stage

Description

Execution of an uncommon process with a local/domain user SID at an early startup stage may be an indication of a persistent mechanism on boot that is being actively abused.

Attacker's Goals

  • Attackers aim to get persistence to continue operating even after a reboot.

Investigative actions

  • Check whether the CGO (causality group owner) is a familiar process and whether any of its configuration, parameters, or registry keys has been modified.


Execution of an uncommon process with a local/domain user SID at an early startup stage with uncommon characteristics

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Boot or Logon Autostart Execution (T1547)

Severity

Low

Description

Execution of an uncommon process with a local/domain user SID at an early startup stage may be an indication of a persistent mechanism on boot that is being actively abused.

Attacker's Goals

  • Attackers aim to get persistence to continue operating even after a reboot.

Investigative actions

  • Check whether the CGO (causality group owner) is a familiar process and whether any of its configuration, parameters, or registry keys has been modified.