Rare signature signed executable executed in the network

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

30 Days

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Subvert Trust Controls: Code Signing (T1553.002)

Severity

Informational

Description

Attackers may use executables signed by lesser-known vendors to bypass security controls that trust signed code.

Attacker's Goals

Adversaries may use signed binaries to bypass security controls that trust code signatures.

Investigative actions

Check whether this is legitimate software that a legitimate user installed intentionally.
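The block below is an added illustration of the detection model this entry's Synopsis describes (a 30-day training window, a 14-day activation period before the first alert, and a 30-day deduplication period); it is not Cortex XDR's own code, schema or thresholds. The event field names, the rule that a signer counts as "rare" when it has been seen on fewer than two other hosts in the training window, the deduplication key of (host, signer), the signer name "Contoso Ltd" and the sample events are all assumptions made for the example. The same logic, applied to a tool of a particular class or to a remotely launched process, is what the variations listed further down this page differ on.

```python
"""Rare-signer detection modelled over constructed process-start events.

Added illustration of the detector logic described on this page (30-day
training period, 14-day activation period, 30-day deduplication). It is not
Cortex XDR's own code or schema: field names, the rarity threshold and the
sample telemetry are assumptions made for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

TRAINING_PERIOD = timedelta(days=30)    # look-back used to build the signer baseline
ACTIVATION_PERIOD = timedelta(days=14)  # no alerts until this much telemetry exists
DEDUP_PERIOD = timedelta(days=30)       # suppress repeat alerts for the same (host, signer)
RARE_HOST_THRESHOLD = 2                 # assumed: "rare" = seen on fewer *other* hosts than this


@dataclass(frozen=True)
class ProcessEvent:
    ts: datetime
    host: str
    image: str
    signer: Optional[str]   # None when the executable is unsigned
    sig_valid: bool         # False when the Authenticode signature does not verify


def rare_signer_alerts(events: List[ProcessEvent]) -> List[dict]:
    """Return one alert per first sighting of a rarely seen signer on a host.

    Only validly signed executables are in scope: unsigned or invalidly signed
    binaries are skipped because this detector keys on the signer itself. The
    baseline is recomputed per event from the preceding TRAINING_PERIOD, which
    is slow but keeps the model easy to follow.
    """
    ordered = sorted(events, key=lambda e: e.ts)
    if not ordered:
        return []
    active_from = ordered[0].ts + ACTIVATION_PERIOD
    history: List[Tuple[datetime, str, str]] = []     # (ts, host, signer) of signed executions
    last_alert: Dict[Tuple[str, str], datetime] = {}  # (host, signer) -> time of last alert
    alerts: List[dict] = []
    for ev in ordered:
        if ev.signer is None or not ev.sig_valid:
            continue
        if ev.ts >= active_from:
            window_start = ev.ts - TRAINING_PERIOD
            other_hosts = {h for ts, h, s in history
                           if s == ev.signer and h != ev.host
                           and window_start <= ts < ev.ts}
            if len(other_hosts) < RARE_HOST_THRESHOLD:
                key = (ev.host, ev.signer)
                prev = last_alert.get(key)
                if prev is None or ev.ts - prev >= DEDUP_PERIOD:
                    last_alert[key] = ev.ts
                    alerts.append({
                        "ts": ev.ts, "host": ev.host, "image": ev.image,
                        "signer": ev.signer, "other_hosts": sorted(other_hosts),
                    })
        history.append((ev.ts, ev.host, ev.signer))
    return alerts


T0 = datetime(2024, 11, 1)


def sample_events() -> List[ProcessEvent]:
    """Constructed telemetry for the example; not real data."""
    evs = []
    # A widely used signer running daily on three hosts for 40 days.
    for day in range(40):
        for host in ("ws01", "ws02", "ws03"):
            evs.append(ProcessEvent(T0 + timedelta(days=day), host,
                                    "svchost.exe", "Microsoft Windows", True))
    contoso = "Contoso Ltd"   # assumed lesser-known signer name
    evs += [
        ProcessEvent(T0 + timedelta(days=5), "ws01", "disktool.exe", contoso, True),    # inside activation period: no alert
        ProcessEvent(T0 + timedelta(days=20), "ws02", "disktool.exe", contoso, True),   # one other host so far: alert
        ProcessEvent(T0 + timedelta(days=25), "ws02", "disktool.exe", contoso, True),   # same host+signer within 30 days: deduplicated
        ProcessEvent(T0 + timedelta(days=25), "ws03", "disktool.exe", contoso, True),   # two other hosts by now: not rare
        ProcessEvent(T0 + timedelta(days=30), "ws01", "dropper.exe", None, False),      # unsigned: out of scope
        ProcessEvent(T0 + timedelta(days=31), "ws01", "patched.exe", contoso, False),   # signature invalid: out of scope
    ]
    return evs


def run_example() -> List[dict]:
    """Run the detector over the constructed sample; yields exactly one alert."""
    return rare_signer_alerts(sample_events())


if __name__ == "__main__":
    for a in run_example():
        print(f"{a['ts']:%Y-%m-%d} {a['host']} ran {a['image']} signed by "
              f"'{a['signer']}', previously seen only on {a['other_hosts'] or 'no other host'}")
```

Running the sample produces a single alert, for the second host that executed the "Contoso Ltd"-signed tool: the first execution falls inside the activation period, the repeat on the same host is deduplicated, the third host sees a signer that is by then no longer rare, and the unsigned and invalidly signed binaries are ignored because a different detector would cover them. The "other hosts" list in the alert is the piece of context the Investigative action above asks for: which machines already run software from this signer, and therefore whether the installation looks like a legitimate rollout.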

Variations

Rare signature signed forensic tool remotely executed in the network

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Subvert Trust Controls: Code Signing (T1553.002)

Severity

Medium

Description

Attackers may use executables signed by lesser-known vendors to bypass security controls that trust signed code.

Attacker's Goals

Adversaries may use signed binaries to bypass security controls that trust code signatures.

Investigative actions

  • Check the capabilities of the forensic tool, for example whether it can read data directly from the disk.
  • Check what other activity has been seen from the same remote IP address.


Rare signature signed forensic tool executed in the network

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Subvert Trust Controls: Code Signing (T1553.002)

Severity

Low

Description

Attackers may use executables signed by lesser-known vendors to bypass security controls that trust signed code.

Attacker's Goals

Adversaries may use signed binaries to bypass security controls that trust code signatures.

Investigative actions

  • Check the capabilities of the forensic tool, for example whether it can read data directly from the disk.