Globally uncommon high entropy process was executed

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2025-06-24

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: XDR Agent
Detection Modules
Detector Tags
ATT&CK Tactic	Defense Evasion (TA0005)
ATT&CK Technique	Obfuscated Files or Information (T1027)
Severity	Informational

Description

A process with high entropy and a globally uncommon hash was executed.

Attacker's Goals

Adversaries may attempt to make an executable difficult to discover or analyze by compressing, encrypting, encoding, or otherwise obfuscating its contents.

Investigative actions

Check if the process' file is either compressed, encrypted, obfuscated or packed.

Variations

Globally uncommon high entropy process was executed by a web server process or CGO

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A process with high entropy and a globally uncommon hash was executed by a web server process or CGO.

Attacker's Goals

Adversaries may attempt to make an executable difficult to discover or analyze by compressing, encrypting, encoding, or otherwise obfuscating its contents.

Investigative actions

Check if the process' file is either compressed, encrypted, obfuscated or packed.

Globally uncommon high entropy process was downloaded from an uncommon source and executed

Synopsis

ATT&CK Tactic	Defense Evasion (TA0005)
ATT&CK Technique	Obfuscated Files or Information (T1027)
Severity	Low

Description

A process with high entropy and a globally uncommon hash was downloaded from an uncommon source and executed.

Attacker's Goals

Adversaries may attempt to make an executable difficult to discover or analyze by compressing, encrypting, encoding, or otherwise obfuscating its contents.

Investigative actions

Check if the process' file is either compressed, encrypted, obfuscated or packed.