Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 3 Hours
Required Data |
Detection Modules |
Detector Tags |
ATT&CK Tactic |
ATT&CK Technique |
Severity | Informational
Description
A process was executed with an uncommon GitHub URL in its command line. Such downloads often have legitimate uses, but attackers may also use them to fetch malicious payloads.
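To make the detector's behaviour concrete, here is a toy implementation added for this page (it is not the product's own detection code). It extracts GitHub URLs from process command lines, learns which owner/repo pairs were seen during the training window, alerts on any pair outside that baseline, and suppresses repeats within the deduplication period. The definition of "uncommon" as "owner/repo not seen in the training window", the (host, repo) deduplication key, the host list in `GITHUB_HOSTS`, and all sample events are assumptions constructed for the example; the 14-day activation, 30-day training and 3-hour deduplication values come from the synopsis above.

```python
"""Toy version of an 'uncommon GitHub URL in command line' detector.

Assumptions (not from the detector page): "uncommon" means an owner/repo
pair not seen in any command line during the training window, and
duplicate suppression is keyed on (host, owner/repo).
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hosts treated as "GitHub" for this example (assumed list).
GITHUB_HOSTS = {
    "github.com", "raw.githubusercontent.com",
    "gist.github.com", "objects.githubusercontent.com",
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

ACTIVATION = timedelta(days=14)   # detector needs this much history first
TRAINING = timedelta(days=30)     # baseline window
DEDUP = timedelta(hours=3)        # suppress repeat alerts within this window


def github_repos(cmdline):
    """Return the normalised 'owner/repo' keys of every GitHub URL in a command line."""
    repos = set()
    for m in URL_RE.finditer(cmdline):
        parsed = urlparse(m.group(0))
        host = (parsed.hostname or "").lower()
        if host not in GITHUB_HOSTS:
            continue
        parts = [p for p in parsed.path.split("/") if p]
        if len(parts) < 2:
            continue  # bare host or owner only: nothing to key on
        repo = parts[1].lower().removesuffix(".git")
        repos.add(f"{parts[0].lower()}/{repo}")
    return repos


def build_baseline(events, now):
    """Collect owner/repo keys seen in the training window and report whether
    enough history exists (activation period) for the detector to fire."""
    oldest = min((e["ts"] for e in events), default=now)
    active = now - oldest >= ACTIVATION
    baseline = set()
    for e in events:
        if now - e["ts"] <= TRAINING:
            baseline |= github_repos(e["cmdline"])
    return baseline, active


def detect(events, baseline, active=True):
    """Emit one Informational alert per (host, repo) outside the baseline,
    dropping repeats of the same (host, repo) inside the dedup period."""
    if not active:
        return []
    alerts, last_alert = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        for repo in github_repos(e["cmdline"]):
            if repo in baseline:
                continue
            key = (e["host"], repo)
            prev = last_alert.get(key)
            if prev is not None and e["ts"] - prev < DEDUP:
                continue
            last_alert[key] = e["ts"]
            alerts.append({"ts": e["ts"], "host": e["host"], "repo": repo,
                           "cmdline": e["cmdline"], "severity": "Informational"})
    return alerts


# Constructed sample telemetry (not real data).
NOW = datetime(2024, 7, 1, 18, 0)
TRAINING_EVENTS = [
    {"ts": NOW - timedelta(days=25), "host": "dev01",
     "cmdline": "git clone https://github.com/acme/build-tools.git"},
    {"ts": NOW - timedelta(days=12), "host": "dev02",
     "cmdline": "curl -L https://github.com/acme/build-tools/releases/download/v1.2/tool.tar.gz -o tool.tar.gz"},
    {"ts": NOW - timedelta(days=3), "host": "dev01",
     "cmdline": "pip install git+https://github.com/acme/internal-lib"},
]
UNKNOWN = "curl -sL https://raw.githubusercontent.com/example-org/unknown-tool/main/run.sh -o run.sh"
NEW_EVENTS = [
    {"ts": NOW - timedelta(hours=9), "host": "dev01",
     "cmdline": "git pull https://github.com/acme/build-tools"},   # known repo: no alert
    {"ts": NOW - timedelta(hours=8), "host": "ws07", "cmdline": UNKNOWN},           # alert
    {"ts": NOW - timedelta(hours=6, minutes=30), "host": "ws07", "cmdline": UNKNOWN},  # deduplicated
    {"ts": NOW - timedelta(hours=4), "host": "ws07",
     "cmdline": "curl -sL https://example.com/other.txt"},          # not GitHub: ignored
    {"ts": NOW - timedelta(hours=2), "host": "ws07", "cmdline": UNKNOWN},           # 6h later: alert again
]


def run_sample():
    baseline, active = build_baseline(TRAINING_EVENTS, NOW)
    return detect(NEW_EVENTS, baseline, active)


if __name__ == "__main__":
    for a in run_sample():
        print(a["ts"], a["host"], a["repo"], "<-", a["cmdline"])
```

Running the sample yields two alerts for `ws07`, both for `example-org/unknown-tool`: the second occurrence 90 minutes after the first is suppressed by the 3-hour deduplication window, while the third, six hours after the first, fires again. The `dev01` pull of a baselined repository and the non-GitHub download produce nothing.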
Attacker's Goals
Download a second stage payload for execution.
Investigative Actions
- Check if the initiator process is malicious.
- Check the user activity on the same agent at that time.
- Check if the host is a development server.
- Check whether this installation was related to other installations occurring at the same time.
- Check for additional file/network operations by the same process instance.