Remote Command Execution

The Cortex XDR – Analytics Remote Command Execution alert indicates that an account is performing remote command execution from an endpoint that historically does not perform that activity.

Synopsis

10 minutes.
14 days.
14 days.
30 days.
Traffic logs.
Lateral movement.

Description

An account is performing remote command execution from an endpoint that historically does not perform that activity.
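The following is an added illustration of the baselining logic this alert describes; it is not Cortex XDR code and does not reproduce the product's detector. It assumes traffic log records with an account, source endpoint, destination endpoint and an application label, and it treats a small constructed set of application labels (winrm, psexec, wmi, ssh) as "remote command execution". The detector learns which (account, source endpoint) pairs executed commands remotely during a training window, then raises an alert for any pair seen doing so in the test window that is absent from the baseline, suppressing repeat alerts for the same pair within a deduplication window. All log lines and window sizes below are constructed for the example.

```python
from datetime import datetime, timedelta

# Assumption for this example: these application labels mark a session as
# remote command execution. Real sensors label traffic differently.
REMOTE_EXEC_APPS = {"winrm", "psexec", "wmi", "ssh"}

# Constructed sample traffic log records (not real Cortex XDR data).
# Fields: account, source endpoint, destination endpoint, app, ISO 8601 timestamp.
SAMPLE_LOGS = [
    # training period: admin01 routinely runs commands from the jump host
    ("corp\\admin01", "JUMP-01", "SRV-DB-01", "winrm", "2024-03-01T09:10:00"),
    ("corp\\admin01", "JUMP-01", "SRV-WEB-02", "psexec", "2024-03-05T14:22:00"),
    ("corp\\admin01", "JUMP-01", "SRV-DB-01", "winrm", "2024-03-12T08:05:00"),
    # training period: a plain file-share session, not remote execution
    ("corp\\jdoe", "WS-0421", "SRV-FILE-01", "smb", "2024-03-10T10:00:00"),
    # test period: admin01 continues from the usual jump host -> expected, no alert
    ("corp\\admin01", "JUMP-01", "SRV-APP-03", "winrm", "2024-03-20T11:00:00"),
    # test period: jdoe starts remote execution from a workstation -> alert
    ("corp\\jdoe", "WS-0421", "SRV-DB-01", "wmi", "2024-03-21T02:13:00"),
    # test period: admin01 from an endpoint never seen doing this -> alert
    ("corp\\admin01", "WS-0099", "SRV-DB-01", "psexec", "2024-03-22T23:40:00"),
    # test period: same pair as the jdoe alert, inside the dedup window -> suppressed
    ("corp\\jdoe", "WS-0421", "SRV-WEB-02", "wmi", "2024-03-25T03:00:00"),
]


def parse(rec):
    """Unpack one log tuple and convert its timestamp to a datetime."""
    account, src, dst, app, ts = rec
    return account, src, dst, app, datetime.fromisoformat(ts)


def build_baseline(logs, train_start, train_end):
    """Return the set of (account, source endpoint) pairs that performed
    remote command execution during the training window [train_start, train_end)."""
    baseline = set()
    for rec in logs:
        account, src, _dst, app, ts = parse(rec)
        if app in REMOTE_EXEC_APPS and train_start <= ts < train_end:
            baseline.add((account, src))
    return baseline


def detect_new_remote_exec(logs, baseline, test_start, test_end, dedup_window):
    """Flag remote command execution in the test window by an (account, source)
    pair that is absent from the baseline. At most one alert is raised per pair
    within dedup_window; later hits for the same pair are suppressed."""
    last_alert = {}
    alerts = []
    for rec in sorted(logs, key=lambda r: r[4]):  # process in time order
        account, src, dst, app, ts = parse(rec)
        if app not in REMOTE_EXEC_APPS or not (test_start <= ts < test_end):
            continue
        key = (account, src)
        if key in baseline:
            continue  # this endpoint historically performs the activity
        prev = last_alert.get(key)
        if prev is not None and ts - prev < dedup_window:
            continue  # already alerted on this pair recently
        last_alert[key] = ts
        alerts.append({"account": account, "source": src, "destination": dst,
                       "app": app, "time": ts.isoformat()})
    return alerts


def run_sample():
    """Apply a 14-day training window, a 14-day test window and a 30-day
    deduplication window (constructed values) to the sample logs."""
    train_end = datetime(2024, 3, 15)
    train_start = train_end - timedelta(days=14)
    test_end = train_end + timedelta(days=14)
    baseline = build_baseline(SAMPLE_LOGS, train_start, train_end)
    return detect_new_remote_exec(SAMPLE_LOGS, baseline, train_end, test_end,
                                  timedelta(days=30))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Running the block prints two alerts: jdoe executing remotely from WS-0421, and admin01 executing remotely from WS-0099, which is the "account from an endpoint that historically does not perform that activity" pattern; admin01's continued activity from JUMP-01 is in the baseline and stays silent, and the second jdoe hit is suppressed by deduplication. The fields in each alert (account, source, destination, app) are the same items the investigative actions below tell you to read from the alert overview.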

Attacker's Goals

The attacker is expanding their reach into your network by executing commands on a remote endpoint.

Investigative Actions

  • Examine Alert Details > Overview to identify the source endpoint, the process running the command execution, the process owner, and the execution destination.

Related Documentation