Execution of an uncommon process at an early startup stage

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2026-01-04
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

Generic Persistence Analytics

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Boot or Logon Autostart Execution (T1547)

Severity

Informational

Response playbooks

Variations of this detector that create incidents have an OOTB response playbook included in the Cortex Response and Remediation Pack

Description

Uncommon execution of an executable found in an early startup stage.

Attacker's Goals

  • Adversaries continuously find and develop new undetectable, novel methods of launching malware during startup.
  • Attackers aim to get persistence to continue operating even after a reboot.

Investigative actions

  • Check whether the CGO (causality group owner) is familiar and whether any of its configuration settings, parameters, or registry keys have been modified.

Variations

Execution of an uncommon process at an early startup stage with suspicious characteristics

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Boot or Logon Autostart Execution (T1547)

Severity

Medium

Response playbooks

Execution of an uncommon process at an early startup stage

Description

Uncommon execution of an executable found in an early startup stage.

Attacker's Goals

  • Adversaries continuously find and develop new undetectable, novel methods of launching malware during startup.
  • Attackers aim to get persistence to continue operating even after a reboot.

Investigative actions

  • Check whether the CGO (causality group owner) is familiar and whether any of its configuration settings, parameters, or registry keys have been modified.
Execution of an uncommon process at an early startup stage with uncommon characteristics

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Boot or Logon Autostart Execution (T1547)

Severity

Low

Description

Uncommon execution of an executable found in an early startup stage.

Attacker's Goals

  • Adversaries continuously find and develop new undetectable, novel methods of launching malware during startup.
  • Attackers aim to get persistence to continue operating even after a reboot.

Investigative actions

  • Check whether the CGO (causality group owner) is familiar and whether any of its configuration settings, parameters, or registry keys have been modified.