Modified Logic - Content Update Release Notes - Cortex

Analytics Content Version: 2025.12.03

Product: Cortex
Creation date: 2026-01-04
Last date published: 2026-01-04
Category: Content Update Release Notes

[Medium] RDP Connection to localhost

[Informational] Unsigned DLL Hijack into a Microsoft process

  • [Medium] Unsigned DLL Hijack into a recently created Microsoft process which commonly loads the module as signed - Added

[Informational] Unusual cloud Instance Metadata Service (IMDS) access

  • [Low -> Medium] Unusual cloud Instance Metadata Service (IMDS) access from an unusual known shell process - Modified Logic

  • [Low -> Medium] Unusual cloud Instance Metadata Service (IMDS) access from an unusual known web service - Modified Logic

  • [Low] Cloud Unusual Instance Metadata Service (IMDS) access from an unusual known shell or scripting process in a Kubernetes pod - Removed

  • [Low] Cloud Unusual Instance Metadata Service (IMDS) access from an unusual known web service in a Kubernetes pod - Removed

  • [Low] Cloud Unusual internet-facing Instance Metadata Service (IMDS) access - Removed

  • [Low] Unusual cloud Instance Metadata Service (IMDS) access from an unusual known scripting process - Added

  • [Informational] Cloud Unusual Instance Metadata Service (IMDS) access in a Kubernetes pod - Removed

[Low] WmiPrvSe.exe Rare Child Command Line

  • [Medium] 551a388d-0221-44b0-af36-de4c36bbef81 - Modified Logic

[Informational] A process connected to a rare external host

  • [Low] VSCode extension process connected to a rare external host - Modified Logic

[Informational] Common third-party software name masquerading

  • [Low] Common third-party software name masquerading which was downloaded from an unexpected source - Modified Logic

[Low] Possible network sniffing attempt via tcpdump or tshark

[Low] Risk indicators detected in email

[Low] Suspicious PowerShell Enumeration of Running Processes

[Informational] Suspicious Unicode character detected in email

  • [Low] Phishing terms obfuscation using Unicode characters detected in email - Modified Logic

  • [Informational] Multiple suspicious Unicode characters detected in email - Modified Logic

[Informational] Suspicious secrets dump activity

  • [Low] An identity extracted multiple secrets within the organization across multiple regions - Modified Logic

[Low] Uncommon ARP cache listing via arp.exe

[Informational] Uncommon net localgroup command execution

  • [Low] Uncommon net localgroup execution - Modified Logic

[Informational] Email has a short body or subject and was sent from an external source

[Informational] Email mimics replies or forwards without an actual ongoing conversation

[Informational] Executable moved to Windows system folder

[Informational] External email display name impersonation of internal personnel

[Informational] First-seen email from mailbox owner to external recipient's address in the last 30 days

[Informational] IAM Enumeration sequence

[Informational] Potential spoofing of internal domain spotted

[Informational] Unusual IAM enumeration activity by a non-user Identity

[Informational] Unusual Identity and Access Management (IAM) activity

[Informational] Usage of homograph characters detected in an email