Rare process spawned by srvany.exe

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Hour

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

System Services: Service Execution (T1569.002)

Severity

Informational

Description

An unusual process was spawned by srvany.exe, a utility that lets an arbitrary application run as a service with system privileges; this may indicate malicious local or remote code execution.
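As an added illustration of the behaviour this alert profiles (not Cortex XDR's own logic), the following script applies the page's activation, training and deduplication periods to a constructed set of process-creation events and reports children of srvany.exe that are absent from the rolling baseline. It assumes a fleet-wide rather than per-host baseline and that an event which raised an alert is not learned into the baseline; neither assumption comes from the page.

```python
from datetime import datetime, timedelta

# Periods taken from the alert reference above.
ACTIVATION = timedelta(days=14)  # no alerts until this much history exists
TRAINING = timedelta(days=30)    # rolling window that forms the baseline
DEDUP = timedelta(hours=1)       # suppress repeats of the same host/child alert

# Constructed sample process-creation events, not real telemetry:
# (timestamp, host, parent image name, child image name)
EVENTS = [
    ("2024-10-01T08:00:00", "ws01", "srvany.exe", "legacyapp.exe"),  # learning only
    ("2024-10-15T08:00:00", "ws01", "srvany.exe", "legacyapp.exe"),  # in baseline
    ("2024-11-02T08:00:00", "ws01", "srvany.exe", "legacyapp.exe"),  # in baseline
    ("2024-11-02T09:00:00", "ws01", "srvany.exe", "cmd.exe"),        # rare child: alert
    ("2024-11-02T09:05:00", "ws02", "services.exe", "cmd.exe"),      # not srvany: ignored
    ("2024-11-02T09:30:00", "ws01", "srvany.exe", "cmd.exe"),        # deduplicated
    ("2024-11-02T11:00:00", "ws01", "srvany.exe", "cmd.exe"),        # dedup expired: alert
]


def rare_srvany_children(events, activation=ACTIVATION, training=TRAINING, dedup=DEDUP):
    """Return (timestamp, host, child) alerts for srvany.exe children absent from the baseline.

    Assumptions (not from the page): the baseline is fleet-wide, not per host,
    and an event that raised an alert is not learned into the baseline.
    """
    parsed = sorted(
        (datetime.fromisoformat(ts), host, parent.lower(), child.lower())
        for ts, host, parent, child in events
    )
    if not parsed:
        return []
    first_seen = parsed[0][0]
    baseline = []     # (timestamp, child) observations of srvany.exe children
    last_alert = {}   # (host, child) -> time of the last alert, for deduplication
    alerts = []
    for ts, host, parent, child in parsed:
        if parent != "srvany.exe":
            continue
        known = any(c == child and ts - training <= t for t, c in baseline)
        if known or ts - first_seen < activation:
            baseline.append((ts, child))   # still learning, or already normal
            continue
        key = (host, child)
        if key in last_alert and ts - last_alert[key] < dedup:
            continue                       # same alert within the dedup period
        last_alert[key] = ts
        alerts.append((ts.isoformat(), host, child))
    return alerts
```

Each alert is a starting point for the investigative actions below: confirm what the spawned binary is and where both it and the srvany.exe copy came from.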

Attacker's Goals

Execute malware on the host in a manner that doesn't leave event logs within the system.

Investigative actions

  • Validate whether the binary that srvany.exe executed is malicious.
  • Track down the source of the srvany.exe binary and of the executed process.
  • Validate whether this is legitimate software installed by IT.