Analytics Alerts
Browse the Cortex analytics alert reference.
1273 alerts match the current filters.
Show ATT&CK heatmapSuspicious LDAP search query executed Low 2 variations
A suspicious and unpopular LDAP search query was executed. This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.Variations
Suspicious LDAP search query executed
High overridden
A suspicious and unpopular LDAP search query was executed. This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization. overridden
Suspicious LDAP search query executed
Low overridden
A suspicious and unpopular LDAP search query was executed. This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization. overridden
Suspicious MFA request reported by user in Entra ID Informational Identity Threat Module 1 variation
A user has flagged an MFA request as suspicious in Microsoft Entra ID. This could indicate a potential compromised user account or unauthorized access attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: An attacker may attempt to gain unauthorized access to the account.Investigative actions: Check if the authentication attempt was legitimate. Investigate any recent unusual login behavior or IP addresses associated with the account. Verify whether the user has recently changed their authentication methods or account settings. Follow the account for possible suspicious or unusual logins.Variations
Suspicious MFA request reported by a sensitive user in Entra ID
Low overridden
A user has flagged an MFA request as suspicious in Microsoft Entra ID. This could indicate a potential compromised user account or unauthorized access attempt. overridden
Suspicious ML Model Download Informational Cloud 1 variation
A model artifact was accessed from cloud storage by an identity that typically doesn't interact with model files.MITRE ATLAS Technique: AML.T0035 - ML Artifact Collection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Cloud Storage (T1530)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Adversaries may collect ML artifacts for exfiltration or for use in ML Attack Staging.Investigative actions: Examine the bucket to determine which model was accessed. Verify that this command was executed by a trusted source.Variations
Suspicious First-Time AI Model Download by Identity
Medium overridden
A model artifact was accessed from cloud storage by an identity that did not interact with model files recently. overridden
Suspicious NTLM authentication with machine account Informational Identity Analytics 1 variation
A suspicious NTLM authentication attempt was made by a machine account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Forced Authentication (T1187)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: An attacker aims to exploit authentication protocols to steal credentials and enable lateral movement within the network.Investigative actions: Identify the source and target users and hosts involved in the NTLM authentication attempt. Monitor the users associated with the authentication for any further suspicious activities or unauthorized actions. Look for earlier connections to the source which may cause it to initiate the session. Investigate the root cause of the behavior and determine if it can be mitigated or blocked in the future.Variations
Rare and sensitive NTLM authentication with machine account
Low overridden
A rare and sensitive NTLM authentication attempt was made by a machine account. overridden
Suspicious PowerShell Command Line Low
Attackers often leverage PowerShell one-liners, in which PowerShell is executed with suspicious options on the command line.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)Required data: XDR AgentAttacker's goals: Gain code execution on the host.Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. For example, the command line may be an administrative script.Suspicious PowerShell Enumeration of Running Processes Low
Attackers often enumerate running processes to find and disable security tools.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Process Discovery (T1057)Required data: XDR AgentAttacker's goals: Understand the type of host according to the processes running on it; find and disable security tools.Investigative actions: Verify whether the command that was executed is benign or normal for the host and/or user performing it (for example, it may be an IT script).Suspicious PowerSploit's recon module (PowerView) net function was executed Medium
An attacker may use PowerSploit to reconnaissance the network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.Investigative actions: Verify that the relevant function was indeed run by PowerSploit (https://powersploit.readthedocs.io/#recon). Understand what information the attacker had gathered from the command and investigate relevant assets.Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts Medium
An attacker may use PowerSploit to reconnaissance the network for exposed hosts to move laterally to.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.Investigative actions: Verify that the relevant function was indeed run by PowerSploit (https://powersploit.readthedocs.io/#recon). Understand what information the attacker had gathered from the command and investigate relevant assets.Suspicious Print System Remote Protocol usage by a process Low Identity Analytics
A host which is trusted for unconstrained delegation initiated an SMB connection to a DC using the Print System Remote Protocol. An attacker can abuse such sessions for relay attacks.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Forced Authentication (T1187)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Check if the suspected account is compromised. Check if the source machine is trusted for unconstrained delegation and verify that the machine's configuration should stay that way. Follow actions by the account and if it performed a DCSync.Suspicious Process Spawned by Adobe Reader Low
Unusual process spawned by Adobe Reader with an uncommon command line.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing: Spearphishing Attachment (T1566.001)Required data: XDR AgentAttacker's goals: An attacker attempts to gain code execution via a phishing document.Investigative actions: Check the source of the document (received by mail or loaded locally). Investigate the child processes for malicious activity and network connections to an external host.Suspicious Process Spawned by wininit.exe Medium
An unusual process was spawned by wininit.exe, possibly indicating malicious local or remote code execution.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036)Required data: XDR AgentAttacker's goals: Gain code execution on the host.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Suspicious RunOnce Parent Process Low
Runonce.exe executes commands under the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, typically on computer boot and user login events.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)Required data: XDR AgentAttacker's goals: An attacker is trying to perform an action on the system at a later point, achieving persistence.Investigative actions: Investigate the endpoint to determine if it's a legitimate process that is supposed to use RunOnce in its operation.Suspicious SMB connection from domain controller Low
A domain controller has initiated an SMB connection to another host. The domain controllers usually communicate over SMB only with other domain controllers. An attacker can abuse such sessions for relay attacks.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Use Alternate Authentication Material: Pass the Hash (T1550.002)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: An attacker is attempting to steal credentials and move laterally within a network.Investigative actions: Check if the destination is domain controller, if it is, exclude it. Look for earlier connections to the DC, which may cause it to initiate the session.Suspicious SPF Result Informational Email 3 variations
The email has a suspicious SPF result of fail, soft fail, or policy, which may indicate a potential domain misconfiguration or spoofing.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: SpoofingAttacker's goals: Trick users into clicking on malicious links or attachments.Investigative actions: Check the email address for any unusual spellings. Check the email address for any missing letters. Verify the sender's domain to confirm its legitimacy. Examine the sender's IP address and reputation. Verify the domain's connection to the IP address and investigate the reason SPF didn't pass. Verify whether the sender's IP address has appeared in different log sources before. Verify if the sender's IP address is identifiable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Internal domain SPF deviation
Informational overridden
An email was sent from an internal root domain that has historically passed SPF checks, but returned a suspicious SPF result of fail, soft fail, or policy for the first time in the past 30 days. This deviation may indicate an attempt to spoof or impersonate a trusted internal sender, a tactic commonly associated with BEC and internal phishing. Such a sudden SPF outcome from a typically trusted domain warrants further investigation. overridden
Known domain SPF deviation
Informational overridden
An email was sent from a commonly seen domain that has historically passed SPF checks, but returned a suspicious SPF result of fail, soft fail, or policy for the first time in the past 30 days. This deviation may indicate an attempt to spoof or impersonate a legitimate external sender. Such a sudden SPF outcome from a previously trusted external domain warrants further investigation. overridden
Known domain unusual SPF result
Informational overridden
A commonly seen root domain has returned a suspicious SPF result of fail, soft fail, or policy for the first time in the past 30 days. While other suspicious SPF outcomes may have occurred previously for this domain, this is the first instance of this particular SPF result. Such a shift in SPF behavior may signal evolving abuse tactics, domain misconfiguration, or an attempted spoof using unauthorized infrastructure. overridden
Suspicious SSH Downgrade Low 2 variations
The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Defense Evasion (TA0005)ATT&CK techniques: Remote Services (T1021) Impair Defenses: Downgrade Attack (T1562.010)Required data: Palo Alto Networks Firewall EAL LogsDetector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may attempt to move laterally over the network by exploiting problems in a lower version of SSH.Investigative actions: Audit the authentication attempts in the SSH server from the alerted host.If the source host authenticated to the SSH server, it may indicate that the attacker managed to connect to the remote host maliciously.Variations
A Host Performed an SSH Downgrade For The First Time In The Last 30 Days
Low overridden
The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more. With a lower version than the source host used in the past. overridden
A Target Server Performed an SSH Downgrade For The First Time In The Last 30 Days
Low overridden
The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more. With a lower version than the remote host used in the past. overridden
Suspicious SSO access from ASN Informational Identity Analytics 1 variation
A suspicious SSO authentication was made by a user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: AzureAD Azure SignIn Log Idira Duo Google Workspace Authentication Okta OneLogin PingOneAttacker's goals: Use an account that was possibly compromised to gain access to the network.Investigative actions: Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the ASN is an approved ASN to authenticate from. Follow further actions done by the user.Variations
Google Workspace - Suspicious SSO access from ASN
Informational overridden
A suspicious SSO authentication was made by a user. overridden
Suspicious SSO authentication Informational Identity Analytics 2 variations
A suspicious SSO authentication was made by a user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: OktaAttacker's goals: Achieve initial access to a company's resources.Investigative actions: See whether this was a legitimate action. Review the external IP/domain involved in the alert. Contact the user whose account is being accessed and verify that they are actually attempting to log in. Check if the login attempt is coming from an unfamiliar location or device. Look for unusual login patterns, such as login attempts at odd hours. Monitor the user's account for further unusual activity.Variations
Successful SSO authentication with suspicious characteristics
Medium overridden
A user successfully accessed SSO with some suspicious characteristics that flagged this login attempt as a suspicious login. overridden
SSO authentication attempt with suspicious characteristics
Low overridden
A user accessed SSO with some suspicious characteristics that flagged this login attempt as a suspicious login. overridden
Suspicious SaaS API call from a Tor exit node High Identity Threat Module 2 variations
A SaaS API was called from a Tor exit node.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003)Required data: Box Audit Log DropBox Google Workspace Audit Logs Office 365 AuditAttacker's goals: Conceal information about malicious activities, such as location and network usage.Investigative actions: Block all web traffic to and from public Tor entry and exit nodes.Variations
A Failed API call from a Tor exit node
Informational overridden
A SaaS API was called from a Tor exit node. overridden
Suspicious SaaS API call from a Tor exit node via Mobile Device
Medium overridden
A SaaS API was called from a Tor exit node. overridden
Suspicious SearchProtocolHost.exe parent process Medium
SearchProtocolHost.exe has been launched from a process that is different from SearchIndexer.exeThis may indicate malicious activity (such as malware later being injected to it, or it being used for phantom DLL hijacking).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)ATT&CK techniques: User Execution (T1204) System Binary Proxy Execution (T1218)Required data: XDR AgentAttacker's goals: Gain code execution on the host and evade security controls.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Suspicious Udev driver rule execution manipulation Low 1 variation
Udev driver rule was modified with unusual pattern, might be used by adversaries to backdoor existing drivers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Boot or Logon Autostart Execution: Kernel Modules and Extensions (T1547.006)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversaries can use this technique to execute arbitrary commands once the machine boots.Investigative actions: Check if the action was done using an automation service. Check the rule modification content and look for any suspicious payloads. Check if there are any other suspicious activities originated from the same machine/executing user.Variations
Unusual Udev driver rule execution manipulation
Low overridden
Udev driver rule was modified with unusual pattern, might be used by adversaries to backdoor existing drivers. overridden
Suspicious Unicode character detected in email Informational Email 3 variations
Unicode characters can be used for obfuscation, allowing malicious actors to disguise harmful intent, URLs or attachments By embedding non-printing Unicode characters, attackers can bypass security filters and evade detection mechanisms Such characters may also be used for phishing attempts that appear legitimate to both users and security systems.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036) Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: Evasion, PhishingAttacker's goals: Embedding suspicious Unicode characters in the email to appear legitimate, evade security filters and bypass detection mechanisms.Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Phishing terms obfuscation using Unicode characters detected in email
Low overridden
Unicode characters can be used for obfuscation, allowing malicious actors to disguise harmful intent, URLs or attachments By embedding non-printing Unicode characters, attackers can bypass security filters and evade detection mechanisms Such characters may also be used for phishing attempts that appear legitimate to both users and security systems. overridden
Words obfuscation using Unicode characters detected in email
Informational overridden
Unicode characters can be used for obfuscation, allowing malicious actors to disguise harmful intent, URLs or attachments By embedding non-printing Unicode characters, attackers can bypass security filters and evade detection mechanisms Such characters may also be used for phishing attempts that appear legitimate to both users and security systems. overridden
Multiple suspicious Unicode characters detected in email
Informational overridden
Unicode characters can be used for obfuscation, allowing malicious actors to disguise harmful intent, URLs or attachments By embedding non-printing Unicode characters, attackers can bypass security filters and evade detection mechanisms Such characters may also be used for phishing attempts that appear legitimate to both users and security systems. overridden
Suspicious access of the System Management Container Low Identity Analytics
A user accessed the System Management container, which may be an indication of a reconnaissance for site servers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043)ATT&CK techniques: Gather Victim Network Information (T1590)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft SCCM AnalyticsAttacker's goals: An attacker is attempting to enumerate Microsoft Configuration Manager and identify accessible site servers.Investigative actions: Look for the suspicious LDAP query that may trigger this event. Check if the process executes LDAP search queries as part of its normal behavior. Investigate any other potentially suspicious behavior from the compromised user. Looking for suspicious activity or logins to the Microsoft Configuration Manager site server.Suspicious access to Kubernetes API with kubelet credentials Low Cloud 1 variation
A combination of signals has been detected indicating that kubelet credentials were used inside a pod to access the Kubernetes API. This activity suggests an attempt to escalate privileges or move laterally within the cluster.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Usage of the Kubernetes API server to perform operations inside the cluster.Investigative actions: Check if there is an active attack against the Kubernetes cluster.Variations
Suspicious access to Kubernetes API with kubelet credentials from unusual pod
Medium overridden
A combination of signals has been detected indicating that kubelet credentials were used inside a pod to access the Kubernetes API. This activity suggests an attempt to escalate privileges or move laterally within the cluster. overridden
Suspicious access to cloud credential files Informational Cloud 6 variations
A process accessed multiple cloud credential files, which may indicate a credential theft activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Cloud Lateral Movement AnalyticsAttacker's goals: Gain initial access to the cloud environment.Investigative actions: Verify if the executing process is doing more suspicious activities. Verify if the exposed credential files were used to access to the cloud environment. Verify which operations were used against the cloud environment with the exposed credentials.Variations
Suspicious access to cloud credential files of various cloud providers within a cloud instance
Low overridden
A process accessed multiple cloud credential files, which may indicate a credential theft activity. overridden
Suspicious access to cloud credential files within a cloud instance
Informational overridden
A process accessed multiple cloud credential files, which may indicate a credential theft activity. overridden
Suspicious access to Windows cloud credential files of various cloud providers
Medium overridden
A process accessed multiple cloud credential files, which may indicate a credential theft activity. overridden
Suspicious access to Windows cloud credential files by an unusual process
Low overridden
A process accessed multiple cloud credential files, which may indicate a credential theft activity. overridden
Suspicious access to cloud credential files of various cloud providers
Medium overridden
A process accessed multiple cloud credential files, which may indicate a credential theft activity. overridden
Suspicious access to cloud credential files by an unusual process
Low overridden
A process accessed multiple cloud credential files, which may indicate a credential theft activity. overridden
Suspicious access to shadow file Informational 4 variations
An unpopular process accessed the shadow file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may attempt to dump the contents of these sensitive files to perform offline password cracking.Investigative actions: Check the process for more suspicious activity. Check whether this was a legitimate action.Variations
Suspicious access to shadow file in a Kubernetes Pod using a known text editor
Medium overridden
An unpopular process accessed the shadow file in a Kubernetes Pod. overridden
Suspicious access to shadow file using a known text editor
Medium overridden
An unpopular process accessed the shadow file. overridden
Suspicious access to shadow file in a Kubernetes Pod
Low overridden
An unpopular process accessed the shadow file. overridden
Suspicious access to shadow file
Low overridden
An unpopular process accessed the shadow file. overridden
Suspicious account attribute modification that matches that of another account Low Identity Analytics 1 variation
Suspicious account attribute modification that matches that of another account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts: Domain Accounts (T1078.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker might modify account attributes to elevate privileges and get access to strong accounts in the domain.Investigative actions: Check if any associated certificates were granted. Check if any login attempts were made by the impersonated accounts using certificates. Check if any Kerberos TGT tickets were generated by the impersonated accounts using certificates.Variations
Suspicious account attribute modification that matches that of a sensitive machine account
Medium overridden
Suspicious account attribute modification that matches that of another account. overridden
Suspicious active setup registered Informational
The endpoint registered a new active setup, which may be used to gain persistence on the host by loading libraries into the time management service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution: Active Setup (T1547.014)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain persistence using the legitimate windows active setup mechanism, which executes binary on system startup.Investigative actions: Verify if the registered binary is malicious. Check if the installing software is a malicious binary.Suspicious activity indicating a potential abuse of a cloud-native email service Low Cloud 2 variations
A cloud identity performed a sequence of activities which might indicate an intent to abuse the email service to send phishing or spam.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204)Required data: AWS Audit Log Azure Audit LogAttacker's goals: Adversaries may use cloud-based email services to send phishing or spread malware, abusing legitimate email domains.Investigative actions: Check if the identity intended to preform these actions or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).Variations
Suspicious activity indicating a potential abuse of a cloud-native email service involving discovery, weaponization, and impact
High overridden
A cloud identity performed a sequence of activities which might indicate an intent to abuse the email service to send phishing or spam.The behavior that was observed included discovery operations, attack preparation and actual email sending.These activities might indicate an intent to abuse the email service to send phishing or spam. overridden
Suspicious activity indicating a potential abuse of a cloud-native email service involving discovery and weaponization
Medium overridden
A cloud identity performed a sequence of activities which might indicate an intent to abuse the email service to send phishing or spam.The behavior that was observed included discovery operations and attack weaponization.These activities might indicate an intent to abuse the email service to send phishing or spam. overridden
Suspicious activity on logging bucket Informational Cloud 1 variation
An identity performed a suspicious activity on bucket used to store logs.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogAttacker's goals: Evade detection by tampering the logs.Investigative actions: Verify whether the identity attempted to access the bucket. Verify no logs were modified in the bucket.Variations
Suspicious deletion on CloudTrail logging bucket
Medium overridden
An identity performed a suspicious activity on bucket used to store CloudTrail logs. overridden
Suspicious authentication package registered Medium
The endpoint registered a suspicious authentication package, which may be used to gain persistence on the host by loading libraries into the time management service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 14 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution: Authentication Package (T1547.002)Required data: XDR AgentAttacker's goals: Gain persistence using the legitimate Windows authentication package mechanism, which loads libraries into Windows services.Investigative actions: Verify if the registered library is malicious. Check if the installing software is a malicious binary. Check for any suspicious network activity from "lsass.exe".Suspicious authentication with Azure Password Hash Sync user Medium Identity Analytics
Authentication to an unusual authentication target was performed by the Azure AD Password Hash Sync user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts (T1078) Modify Authentication Process: Hybrid Identity (T1556.007)Required data: AzureADAttacker's goals: The attacker may be attempting to exploit a PHS user, the attacker wants to escalate and abuse this user, to get access to all the user's hashes.Investigative actions: Follow further actions done by the account.Suspicious certificate template modification Informational Identity Analytics 2 variations
A certificate template was updated with a possible misconfiguration. This may indicate the exploitation of misconfigured certificate template access control (ESC4).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Authentication Certificates (T1649)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker is attempting to exploit AD CS misconfigurations to obtain certificates that can be used for credential theft and privilege escalation.Investigative actions: Review the AD CS configuration for vulnerable templates and EKU settings. Review AD CS logs to identify any unauthorized certificate issuances, modifications, or template changes.Variations
Certificate template was updated to be vulnerable to AD CS ESC attack
Medium overridden
A certificate template was updated, making it vulnerable to an AD CS ESC attack. This may indicate the potential abuse of AD CS ESC4. overridden
Certificate template was updated with a misconfiguration configuration
Low overridden
A certificate template was updated with new misconfiguration. This may indicate a potential AD CS ESC4 attack. overridden
Suspicious certutil command line Medium
An attacker may use certutil to download malware.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution (T1218) Ingress Tool Transfer (T1105)Required data: XDR AgentAttacker's goals: An attacker may use certutil to download malware.Investigative actions: Check whether the URL is benign and if this was a desired behavior as part of its normal execution flow. Check whether the downloaded file is malicious.Suspicious cloud compute instance SSH keys modification attempt Informational Cloud 7 variations
An identity attempted to modify the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Lateral Movement (TA0008)ATT&CK techniques: Account Manipulation: SSH Authorized Keys (T1098.004) Remote Services: Cloud Services (T1021.007) Remote Services: Direct Cloud VM Connections (T1021.008)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Lateral Movement AnalyticsAttacker's goals: Maintain persistence on a compromised compute instance. Escalate local privileges to gain root on compute instance.Investigative actions: Investigate if SSH keys were modified or added at the instance or project level. Investigate which permissions were obtained as a result of the SSH keys modification.Variations
Suspicious cloud compute instance SSH keys modification attempt by an identity with high administrative activity
Informational overridden
An identity attempted to modify the SSH keys of a single compute instance.The identity has high administrative activityThis may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden
Instance SSH keys were modified for the first time in the cloud provider
High overridden
An identity has modified the SSH keys of an instance for the first time in the cloud provider.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden
Suspicious cloud compute instance SSH keys modification by a service account
Medium overridden
A service account has modified the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden
Suspicious cloud compute instance SSH keys modification
Informational overridden
An identity has modified the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden
Suspicious GCP project level metadata modification by a service account
Low overridden
A service account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden
Suspicious GCP project level metadata modification
Informational overridden
An identity account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden
Suspicious GCP project level metadata modification attempt
Informational overridden
An identity account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden
Suspicious cloud user data modification attempt followed by VM restart Low Cloud
Suspicious user data modification followed by VM restart, possibly an attempt to run altered startup scripts at boot.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Cloud Administration Command (T1651)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Execute arbitrary code, establish persistence, or alter instance startup behavior through modified user data.Investigative actions: Review the identity who modified the instance user data. Inspect the user data script for malicious content.Suspicious container orchestration job Low
A suspicious orchestration job ran with a rare command line.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 10 Minutes
ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Scheduled Task/Job: Container Orchestration Job (T1053.007)Required data: XDR AgentAttacker's goals: Adversaries may abuse task scheduling functionality provided by container orchestration tools The adversaries do that to schedule deployment of containers configured to execute malicious code.Investigative actions: Investigate The process activities and impact on the relevant container.Suspicious container reconnaissance activity in a Kubernetes pod Informational 2 variations
A process performed multiple consecutive container discovery commands from within a Kubernetes Pod.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007) Container and Resource Discovery (T1613)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.Variations
Suspicious container reconnaissance activity in a Kubernetes pod
Medium overridden
A process performed multiple consecutive container discovery commands from within a Kubernetes Pod. overridden
Suspicious container reconnaissance activity in a Kubernetes pod
Low overridden
A process performed multiple consecutive container discovery commands from within a Kubernetes Pod. overridden
Suspicious container runtime connection from within a Kubernetes Pod Informational 2 variations
A process from within a Kubernetes Pod communicated with the container runtime daemon using the runtime socket.This may indicate an adversary attempting to escape from the Kubernetes Pod to the host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Container Administration Command (T1609) Deploy Container (T1610)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Escape from a container to the host machine and expand the foothold in the network.Investigative actions: Change the container socket configuration. Check if the default Docker daemon binding to TCP changed. If so, non-root users may gain access to the container.Variations
Suspicious container runtime connection from within a Kubernetes Pod using the curl client
Low overridden
A process from within a Kubernetes Pod communicated with the container runtime daemon using the runtime socket.This may indicate an adversary attempting to escape from the Kubernetes Pod to the host. overridden
Suspicious container runtime connection from within a Kubernetes Pod using the docker client
Medium overridden
A process from within a Kubernetes Pod communicated with the container runtime daemon using the runtime socket.This may indicate an adversary attempting to escape from the Kubernetes Pod to the host. overridden
Suspicious curl user agent Informational 1 variation
Suspicious user agent provided to curl command.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Impairing host defenses.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Suspicious curl user agent from within a Kubernetes Pod
Low overridden
Suspicious user agent provided to curl command. overridden
Suspicious dNSHostName attribute change to DC name Medium Identity Analytics
The dNSHostName attribute of a machine account was changed to a Domain Controller server name.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts: Domain Accounts (T1078.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Check if any associated TGTs or service tickets were granted. Follow actions by the account and if it performed a DCSync.Suspicious data encryption Low
Known applications were used to encrypt data within a machine's local file system.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)ATT&CK techniques: Data Encrypted for Impact (T1486) Obfuscated Files or Information: Encrypted/Encoded File (T1027.013)Required data: XDR AgentAttacker's goals: Damage or hide data on the local file system.Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.Suspicious disablement of the Windows Firewall Low
The Windows Firewall has been disabled. Malware may turn it off to exfiltrate data and communicate with C2 servers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)Required data: XDR AgentAttacker's goals: An attacker may turn the firewall off to exfiltrate data and communicate with C2 servers.Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Investigate the endpoint to determine if the process is legitimately disabling the firewall.Suspicious disablement of the Windows Firewall using PowerShell commands Medium
The Windows Firewall has been disabled using PowerShell. Malware may turn it off to exfiltrate data and communicate with C2 servers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may turn the firewall off to exfiltrate data and communicate with C2 servers.Investigative actions: Check Windows event logs to see the PowerShell command or script that was executed. Check whether the PowerShell command is benign or normal for the host and/or user performing it. Investigate the endpoint to determine if it's a legitimate process that disabled the firewall.Suspicious docker image download from an unusual repository Informational 2 variations
The agent has pulled a docker image from a repository for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution: Malicious Image (T1204.003)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Adversaries may rely on a user running a malicious image to facilitate execution.Investigative actions: Scan the docker image that was pulled. Check the repository designation. Check on which other agents the docker image is being used.Variations
Suspicious docker image download from an unrecognized registry
Low overridden
The agent has pulled a docker image from a registry that has never been used in the organization. overridden
Suspicious docker image download from an unrecognized repository
Low overridden
The agent has pulled a docker image from a repository that has never been used in the organization. overridden
Suspicious domain user account creation Informational Identity Analytics
A user was observed creating a rare domain account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Create Account: Domain Account (T1136.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Persistence using a valid account.Investigative actions: Check the user who created the account and verify its activity.Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin High
Attackers may attempt to dump the ntds.dit file, which stores all Active Directory account information, to later extract passwords and hashes from it.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping: NTDS (T1003.003)Required data: XDR AgentAttacker's goals: Retrieve Active Directory data, to perform malicious activities such as lateral movement.Investigative actions: Check the initiator process for additional suspicious activity.Suspicious failed HTTP request - potential Spring4Shell exploit Low 1 variation
A potentially malicious failed HTTP request was received, possibly as part of a Spring4Shell exploitation attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Exploit Public-Facing Application (T1190)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Gain the ability to execute code remotely or drop malware.Investigative actions: Check if suspicious process executions occurred after the request. Consider limiting access to the vulnerable server.Variations
Suspicious HTTP request - potential Spring4Shell exploit
Medium overridden
A potentially malicious HTTP request was received, possibly as part of a Spring4Shell exploitation attempt. overridden
Suspicious heavy allocation of compute resources - possible mining activity Medium Cloud 3 variations
An identity allocated an unusual heavy compute resource, suspected as mining activity.Heavy machines normally have a high amount of CPU cores or attached with GPU, which are targeted by adversaries to mine Cryptocurrency.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040) Initial Access (TA0001)ATT&CK techniques: Resource Hijacking (T1496) Valid Accounts (T1078)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Leverage cloud compute resources to earn virtual currency.Investigative actions: Check the identity created resources and its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised, e.g. access key, service account, etc.Variations
Suspicious heavy allocation of compute resources - possible mining activity
Low overridden
An identity allocated an unusual heavy compute resource, suspected as mining activity.Heavy machines normally have a high amount of CPU cores or attached with GPU, which are targeted by adversaries to mine Cryptocurrency. overridden
Suspicious heavy allocation of compute resources - possible mining activity
High overridden
An identity allocated an unusual heavy compute resource, suspected as mining activity.Heavy machines normally have a high amount of CPU cores or attached with GPU, which are targeted by adversaries to mine Cryptocurrency. overridden
Suspicious heavy allocation of compute resources - possible mining activity
Medium overridden
An identity allocated an unusual heavy compute resource, suspected as mining activity.Heavy machines normally have a high amount of CPU cores or attached with GPU, which are targeted by adversaries to mine Cryptocurrency. overridden
Suspicious hidden user created Medium Identity Analytics
A user account was created with a name that mimics a machine account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005)ATT&CK techniques: Create Account (T1136) Hide Artifacts: Hidden Users (T1564.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Evasion using a valid account.Investigative actions: Check the user account created and verify its activity.Suspicious identity downloaded multiple objects from a bucket Low Cloud 3 variations
An identity downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data from the cloud environment.Investigative actions: Check the accessed bucket and objects designation. Verify that the identity did not download any sensitive information that it shouldn't.Variations
Suspicious identity with DevOps behavior downloaded multiple objects from a bucket
Informational overridden
An identity with DevOps behavior downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. overridden
Suspicious identity downloaded multiple objects from a bucket that contains sensitive files
Medium overridden
An identity downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. The bucket contains sensitive files. overridden
Suspicious identity downloaded multiple objects from a backup storage bucket
Medium overridden
An identity downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. overridden
Suspicious modification of the AdminSDHolder's ACL Low Identity Analytics
A user modified the AdminSDHolder ACL, which may be an indication of a privilege escalation attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers attempt to obtain full control privileges and then move laterally.Investigative actions: Check if a new user was added to the AdminSDHolder object. Check if a suspicious user account was recently created. Check if a user was added to a privileged group (e.g. Domain Admins). Investigate any other potentially suspicious behavior from the compromised user. Search for actions that may trigger SDProp, such as modifying the registry or executing an LDAP query.Suspicious module load using direct syscall Low 1 variation
A module was loaded to a process using a direct syscall.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Native API (T1106)Required data: XDR AgentDetector tags: Direct Syscall AnalyticsAttacker's goals: An attacker might try to use direct syscalls to evade detection and load a malicious module to a legitimate program.Investigative actions: Investigate the direct syscall mapped image to verify if it is malicious. Investigate the loaded module to verify if it is malicious.Variations
A module was loaded to an unsigned process by using a direct syscall
Medium overridden
A module was loaded to an unsigned process using a direct syscall. overridden
Suspicious objects encryption in an AWS bucket High Cloud
An AWS KMS key from a non-organization account was used to encrypt multiple objects in a bucket for the first time.This may indicate an attacker attempting to perform a ransomware attack against the organization's cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Encrypted for Impact (T1486)Required data: AWS Audit LogDetector tags: Cloud Data Asset Protection Tampering, Data Detection & ResponseAttacker's goals: Gain monetary compensation in exchange for decryption or the decryption key. Permanently deny access to important storage objects.Investigative actions: Check if the external KMS service is a legit encryption service. Check if the identity performed enumeration activity to detect insecure S3 buckets, which are configured without the versioning and MFA Delete mechanisms. Detect additional buckets that were encrypted using the same external KMS service. Disable the identity from which the external service was configured. Enable versioning on every critical bucket. Enable MFA Delete on every critical bucket.Suspicious print processor registered Medium
The endpoint registered a new print processor, which may be used to gain persistence on the host by loading libraries into the time management service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution: Print Processors (T1547.012)Required data: XDR AgentAttacker's goals: Gain persistence using the legitimate windows print processor mechanism, which loads libraries into Windows services.Investigative actions: Verify if the registered library is malicious. Check if the installing software is a malicious binary. Check for any suspicious network activity from svchost.exe or spoolsv.exe.Suspicious process accessed a site masquerading as Google Informational 1 variation
A suspicious process accessed a site masquerading as Google.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Defense Evasion (TA0005)ATT&CK techniques: Web Service: Bidirectional Communication (T1102.002) Masquerading (T1036)Required data: XDR AgentAttacker's goals: Masquerade legitimate looking Google services for defense evasion and C&C.Investigative actions: See whether this site has a malicious reputation. Follow process activities. Monitor traffic to the site.Variations
Suspicious process resolved the DNS name of a site masquerading as Google
Informational overridden
A suspicious process resolved the DNS name of a site masquerading as Google. overridden
Suspicious process accessed certificate files Low
A suspicious process accessed certificate files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials (T1552) Steal or Forge Authentication Certificates (T1649)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers may search for local certificate files for authentication, persistence or NTLM extraction.Investigative actions: See whether this was a legitimate action. Follow process/user activities.Suspicious process executed with a high integrity level Informational 1 variation
A suspicious process was spawned with a High or System integrity level, which is higher than its parent process. This may indicate malicious privilege escalation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: XDR AgentAttacker's goals: An attacker may attempt to gain higher privileges.Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Investigate the endpoint to determine if it's a legitimate process that is supposed to run with privileges.Variations
Suspicious process executed with a high integrity level
Low overridden
A suspicious process was spawned with a High or System integrity level, which is higher than its parent process. This may indicate malicious privilege escalation. overridden
Suspicious process execution from tmp folder Informational 4 variations
An unpopular process was executed from the tmp folder.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may try to run the executable application from a folder that is writable to all users and use it to avoid detection.Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.Variations
A web server process executed an unpopular application from the tmp folder
Medium overridden
An executable application ran from the tmp folder by a web server process. overridden
Suspicious cron job task execution of a binary from the tmp folder
Medium overridden
An unpopular process was executed from the tmp folder. overridden
Suspicious interactive execution of a binary from the tmp folder
Medium overridden
An unpopular process was executed from the tmp folder. overridden
Suspicious process execution from tmp folder in a Kubernetes pod
Informational overridden
An unpopular process was executed from the tmp folder. overridden
Suspicious process execution in a privileged container Informational 1 variation
A process was executed in a privileged Kubernetes Pod for the first time in the past 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)ATT&CK techniques: Container Administration Command (T1609) Escape to Host (T1611)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network and gain higher privileges.Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the command run from the host and understand which software initiated it.Variations
Suspicious process execution in a new privileged container
Informational overridden
A process was executed in a privileged Kubernetes Pod for the first time in the past 30 days. overridden
Suspicious process loads a known PowerShell module Informational 2 variations
A non-PowerShell process loaded a known PowerShell module. This image load may be an indication of PowerShell execution without directly invoking the PowerShell.exe binary.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 8 Hours
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)Required data: XDR AgentAttacker's goals: An attacker is attempting to run PowerShell without PowerShell.exe to evade detection.Investigative actions: Investigate the process and command line executed and whether it's benign or normal for this host.Variations
Suspicious unsigned process loads a known PowerShell module
Low overridden
A non-PowerShell process loaded a known PowerShell module. This image load may be an indication of PowerShell execution without directly invoking the PowerShell.exe binary. overridden
Office process loads a known PowerShell DLL
High overridden
A Microsoft Office process loaded a known PowerShell module. This image load may be a sign of PowerShell execution without directly invoking the PowerShell.exe binary. overridden
Suspicious process modified RC script file Low 1 variation
A suspicious process modified an RC script file. These files allow system administrators to map and start custom services at startup for different run levels. This may be done to establish persistence.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Boot or Logon Initialization Scripts: RC Scripts (T1037.004)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, ContainersAttacker's goals: Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system's startup.Investigative actions: Check the modified RC script file and try to understand the impact of the file modification.Variations
Suspicious process modified RC script file in a Kubernetes pod
Low overridden
A suspicious process modified an RC script file. These files allow system administrators to map and start custom services at startup for different run levels. This may be done to establish persistence. overridden
Suspicious proxy environment variable setting Informational
Suspicious proxy environment variable change or definition with a rare command line.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Proxy: Internal Proxy (T1090.001)Required data: XDR AgentAttacker's goals: Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment.Investigative actions: Investigate the process activities and try to understand the network impact os the new proxy setting.Suspicious reconnaissance using LDAP Informational 1 variation
A process executed multiple suspicious LDAP search queries. This may be indicative of LDAP enumeration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 7 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Generic search queries (often using wildcards) tend to be more suspicious.Variations
Suspicious reconnaissance using LDAP from untrusted process
Low overridden
A process executed multiple suspicious LDAP search queries. This may be indicative of LDAP enumeration. overridden
Suspicious runonce.exe parent process Low
Runonce.exe executes commands under the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, typically on computer boot and user logon events.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)Required data: XDR AgentAttacker's goals: Command execution and persistence on the host.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Suspicious sAMAccountName change Low Identity Analytics 1 variation
The name of a machine account was changed to a sAMAccountName with a missing trailing dollar sign.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Check if any associated TGTs or service tickets were granted. Follow actions by the account and if it performed a DCSync.Variations
Suspicious sAMAccountName change to DC hostname
Medium overridden
The name of a machine account was changed to a sAMAccountName with a missing trailing dollar sign. overridden
Suspicious secrets dump activity Informational Cloud 2 variations
An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)ATT&CK techniques: Unsecured Credentials (T1552) Data from Cloud Storage (T1530) Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Collect secrets from the cloud environment.Investigative actions: Check the accessed secrets' designation. Verify that the identity did not dump any sensitive information that it shouldn't.Variations
An identity extracted every secret within the organization across multiple regions
Medium overridden
An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden
An identity extracted multiple secrets within the organization across multiple regions
Low overridden
An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden
Suspicious sender exhibiting automated sending patterns Informational Email 1 variation
Multiple messages from a single sender were observed over a short period, all having the same subject and differing body content.This repetitive pattern may indicate automated or scripted behavior.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Microsoft 365 EmailsDetector tags: PhishingAttacker's goals: Trick the user into clicking a link, while avoiding detection.Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Suspicious sender with high-volume automated sending patterns
Informational overridden
A high volume of messages was observed from a single sender address within a short time period, all sharing the same subject line but containing different body content.This elevated and repetitive pattern may indicate automated or scripted behavior at scale. overridden
Suspicious sending domain with sender address randomization Informational Email 1 variation
Multiple messages from a single sender domain were observed over a short period, each using a unique sender address.This per-message sender randomization is uncommon for legitimate senders and suggests automated behavior.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Microsoft 365 EmailsDetector tags: PhishingAttacker's goals: Trick the user into clicking a link, while avoiding detection.Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
High-volume sender domain with per-message sender randomization
Informational overridden
A high volume of emails was observed from a single sending domain over a short time period, each using a unique sender address.This high volume per-message sender randomization is uncommon for legitimate senders and suggests automated behavior. overridden
Suspicious setspn.exe execution Low
A Service Principal Name (SPN) is a unique identifier for a service, mapped to a specific account. Setspn.exe can be used to retrieve SPN information, which may indicate an attacker's attempt to "Kerberoast".
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Kerberos Tickets (T1558)Required data: XDR AgentAttacker's goals: Retrieving SPN information to perform related attacks like 'Kerberoast'.Investigative actions: Investigate the user who executed setspn.exe and find out if the act was malicious.Suspicious sshpass command execution Low 1 variation
The sshpass command was executed, This could be an attempt to check for credential stuffing.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Credential Stuffing (T1110.004)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may try to check and reuse credentials on the host.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Suspicious sshpass command execution in a Kubernetes pod
Low overridden
The sshpass command was executed, This could be an attempt to check for credential stuffing. overridden
Suspicious successful RDP connection to localhost Informational Identity Analytics 2 variations
An unusual process created a successful RDP connection to localhost. This may indicate the use of a tunnel to bypass a firewall.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: External Remote Services (T1133)Required data: XDR AgentDetector tags: Enhanced RDP AnalyticsAttacker's goals: The attacker attempts to gain access to the accounts through RDP from an external source.Investigative actions: Investigate the actor process to determine if it was used for legitimate purposes or malicious activity. Identify the user performing RDP and check that it is authorized. Follow further actions done by the user.Variations
Suspicious successful RDP connection to localhost via reverse SSH tunnel
Low overridden
An unusual process created a successful RDP connection to localhost.The command line indicates the usage of SSH tunnel to bypass the firewall. overridden
Suspicious successful RDP connection to localhost on DC server
Low overridden
An unusual process created a successful RDP connection to localhost on a DC server. This may indicate the use of a tunnel to bypass a firewall. overridden
Suspicious systemd timer activity Low
Suspicious systemd timer activity, which may indicate an attempt to establish persistence.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Scheduled Task/Job: Systemd Timers (T1053.006)Required data: XDR AgentAttacker's goals: An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.Investigative actions: Check the systemd timer file change and try to understand the impact of the systemd timers change.Suspicious theme and sentiment in email Informational Email
The email's body has a theme and sentiment that may indicate a malicious attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Financial Theft (T1657)Required data: Box Audit Log DropBox Google Workspace Audit Logs Microsoft 365 Emails Office 365 Audit Okta Audit Log Salesforce Slack Audit LogDetector tags: PhishingAttacker's goals: Trick recipients into revealing sensitive information, hijack the organization, or obtain money through deception.Investigative actions: Review the email headers and metadata of to identify potential spoofing techniques or unusual routing patterns. Analyze any URLs or attachments in a secure sandbox environment to detect possible malware or phishing attempts. Correlate findings with recent alerts in the SIEM to assess whether similar accumulation patterns are forming. Engage potentially affected users to understand if any actions were taken in response to this email, which could increase the overall risk. Document and escalate findings if the accumulation of warnings suggests a broader phishing campaign.Suspicious time provider registered Medium 2 variations
The endpoint time provider has been tampered, this change may be used to gain persistence on the host by loading libraries into the time management service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution: Time Providers (T1547.003)Required data: XDR AgentAttacker's goals: Gain persistence using the legitimate Windows time provider mechanism, which loads libraries into Windows services.Investigative actions: Verify if the registered library is malicious. Check if the software performing the installation is a malicious binary. Check for any network activity from a "svchost.exe -k LocalService" process that seems suspicious.Variations
Suspicious time provider registered manually by reg.exe
High overridden
The endpoint time provider has been tampered, this change may be used to gain persistence on the host by loading libraries into the time management service. overridden
Suspicious time provider registered using an uncommon provider name
High overridden
The endpoint time provider has been tampered, this change may be used to gain persistence on the host by loading libraries into the time management service. overridden
Suspicious usage of EC2 token Low Cloud 1 variation
An AWS EC2 STS token was used externally from an EC2 instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogAttacker's goals: Exfiltrate token and abuse it remotely.Investigative actions: Check if the access key was generated by the attached instance. Check what actions were executed by the access key. Check if the relevant instance is compromised.Variations
Suspicious usage of EC2 token
Medium overridden
An AWS EC2 STS token was used externally from an EC2 instance. overridden
Suspicious usage of File Server Remote VSS Protocol (FSRVP) High
A suspicious usage of File Server Remote VSS Protocol (FSRVP) was done.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Use Alternate Authentication Material: Pass the Hash (T1550.002)Required data: XDR AgentAttacker's goals: An attacker is attempting to steal credentials and move laterally within a network.Investigative actions: Check for suspicious processes on the source host. Check if the source host is a vulnerability scanner. Look for additional suspicious activities by users.Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet Informational
An attacker may use one of Microsoft's Active Directory PowerShell module remote discovery cmdlet to reconnaissance the network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Understand what information the attacker had gathered from the command and investigate relevant assets.Svchost.exe loads a rare unsigned module Low
Svchost.exe loads a rare unsigned module, which can indicate an attacker's malicious service execution.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Masquerading: Masquerade Task or Service (T1036.004) Create or Modify System Process: Windows Service (T1543.003)Required data: XDR AgentDetector tags: Malicious Service AnalyticsAttacker's goals: Evading detections by running code from a signed Microsoft executable.Investigative actions: Check whether the loaded module with the corresponding hash is benign and if this was a desired behavior as part of its normal execution flow. Go to the 'Services' registry key and investigate its sub keys to find the service associated with the loaded dll.System information discovery via psinfo.exe Low
Using psinfo.exe, the attacker can gather information about the network, and gain an in-depth understanding of which devices are relevant to attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: System Information Discovery (T1082)Required data: XDR AgentAttacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.System profiling WMI query execution Informational
Attackers or malware may use WMI queries to identify the system and evade execution in sandbox environments.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Discovery (TA0007)ATT&CK techniques: Windows Management Instrumentation (T1047) System Information Discovery (T1082)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attacker or malware can use WMI queries to identify system components and prevent execution in sandbox \ virtualized environments to evade detection.Investigative actions: Examine the process that executed the WMI query and verify that the process is from a trusted source. Inspect the system for suspicious activity that is related to that process.System shutdown or reboot Informational
System shutdown or reboot using shutdown, reboot, halt or poweroff.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: System Shutdown/Reboot (T1529)Required data: XDR AgentAttacker's goals: Attackers may shut down or reboot hosts to disturb access to those hosts.Investigative actions: Verify that this isn't IT activity.TGT request with a spoofed sAMAccountName - Event log Medium Identity Analytics
A Kerberos authentication ticket (TGT) was requested for an account with a spoofed sAMAccountName.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Check if any associated service tickets were granted. Follow actions by the account and if it performed a DCSync.TGT request with a spoofed sAMAccountName - Network Medium Identity Analytics
A Kerberos authentication ticket (TGT) was requested for an account with a spoofed sAMAccountName.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: XDR AgentAttacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Check if any associated service tickets were granted. Follow actions by the account and if it performed a DCSync.Tampering with Internet Explorer Protected Mode configuration Informational 2 variations
When an add-on is running inside Protected Mode attempts to launch a broker process (or any other program), the ElevationPolicy Registry key is checked to determine how the process should be launched. Internet Explorer will run a broker process with higher rights that can use the current user's permissions to take actions that would otherwise be prohibited when rendering content inside the Protected Mode sandbox. https://blogs.msdn.microsoft.com/ieinternals/2009/11/30/understanding-the-protected-mode-elevation-dialog/.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)Required data: XDR AgentAttacker's goals: When an add-on is running inside Protected Mode attempts to launch a broker process, this key is checked to determine how the process should be launched. Attackers may change this value to make the process launch with higher privileges.Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Tampering with Internet Explorer Protected Mode default configuration
Medium overridden
When an add-on is running inside Protected Mode attempts to launch a broker process (or any other program), the ElevationPolicy Registry key is checked to determine how the process should be launched. Internet Explorer will run a broker process with higher rights that can use the current user's permissions to take actions that would otherwise be prohibited when rendering content inside the Protected Mode sandbox. https://blogs.msdn.microsoft.com/ieinternals/2009/11/30/understanding-the-protected-mode-elevation-dialog/. overridden
Tampering with Internet Explorer Protected Mode specific app configuration
Informational overridden
When an add-on is running inside Protected Mode attempts to launch a broker process (or any other program), the ElevationPolicy Registry key is checked to determine how the process should be launched. Internet Explorer will run a broker process with higher rights that can use the current user's permissions to take actions that would otherwise be prohibited when rendering content inside the Protected Mode sandbox. https://blogs.msdn.microsoft.com/ieinternals/2009/11/30/understanding-the-protected-mode-elevation-dialog/. overridden
Tampering with the Windows User Account Controls (UAC) configuration Informational 3 variations
EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain higher privileges by bypassing the User Account Control (UAC).Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Tampering with the Windows User Account Controls (UAC) configuration by a remote host
Medium overridden
EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA). overridden
Tampering with the Windows User Account Controls (UAC) configuration
Low overridden
EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA). overridden
Tampering with the Windows User Account Controls (UAC) configuration
Low overridden
EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA). overridden
The CA policy EditFlags was queried Medium
The CA policy EditFlags was queried.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078)Required data: XDR AgentDetector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Querying this registry value can indicate an attacker is looking for an enabled EDITF_ATTRIBUTESUBJECTALTNAME2 flag. When this flag is enabled, it allows users to request certificates with a Subject Alternate Name(SAN). This can allow an attacker to obtain a certificate with higher privileges.Investigative actions: Check if the action was allowed by the user. Monitor certificate enrollments with Subject Alternate Names. Check for unusual high privilege users certificate authentications.The Linux system firewall was disabled Low
The system firewall was disabled.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 10 Minutes
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)Required data: XDR AgentAttacker's goals: Exfiltrate data or move laterally in the organization.Investigative actions: Examine the command to understand which ip or port were affected. Check the communication allowed by the created firewall rule.Training simulation email detected Medium Email
This email was flagged as part of a training simulation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Microsoft 365 EmailsDetector tags: PhishingAttacker's goals: Impersonate internal users or familiar individuals and trick them into clicking on malicious links or attachments.Investigative actions: Check the email address for any unusual spellings. Examine the sender's IP address and reputation. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Uncommon ARP cache listing via arp.exe Low
The arp.exe command is used to display and modify entries in the Address Resolution Protocol (ARP) cache. Adversaries may attempt to use the command to discover remote systems they could compromise.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: System Network Configuration Discovery (T1016)Required data: XDR AgentAttacker's goals: Adversaries may attempt to use the command to discover remote systems they could compromise.Investigative actions: Check whether the initiating process is allowed in your organization. (If the parent process is cmd.exe, check the process that spawned it).Uncommon AT task-job creation by user Low 2 variations
An unpopular AT task-job was created by a user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Scheduled Task/Job: At (T1053.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers may use at task-jobs for persistence or executing malicious files.Investigative actions: Check the AT job task for suspicious activity.Variations
Uncommon AT task-job creation by user from a web server process
Medium overridden
A web process used the AT command to create a new AT task-job. overridden
Uncommon AT task-job creation by user from unpopular process
Low overridden
An unpopular process created an AT task-job on the host, which is not popular in the organization. overridden
Uncommon DLL-sideloading from a logical CD-ROM (ISO) device Medium
A DLL was loaded by an executable from the same folder on a logical CD-ROM device (ISO).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001) User Execution: Malicious File (T1204.002)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load untrusted code into trusted contexts to avoid detection or escalate privileges.Investigative actions: Investigate the loaded module and verify if it is malicious. Check if the disk is a mounted CD-ROM (for example from an ISO file), and if it contains hidden files and folders. Check the content of an 'autorun.inf' or '.lnk' files if they exist.Uncommon DotNet module load relationship Informational
A signed process that usually doesn't use DotNet loaded a common DotNet module.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Reflective Code Loading (T1620)Required data: XDR AgentAttacker's goals: Adversaries may reflectively load DotNet code into a process to conceal execution of malicious payloads.Investigative actions: Investigate the actor process for potential malicious activity. Check for recently installed services that may load DotNet modules.Uncommon GetClipboardData API function invocation of a possible information stealer Informational
An unpopular process accessed clipboard content by calling the GetClipboardData API function. This behavior may indicate potential threats such as a keylogger or a RAT.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Clipboard Data (T1115)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers can monitor the clipboard as another way for credential gathering or to collect more user data over time for espionage purposes.Investigative actions: Check if the process has a user interface (a visible window). Check if the process is a known user application that was updated recently.Uncommon IP Configuration Listing via ipconfig.exe Low
The 'ipconfig' command is used to display TCP/IP network configuration information and refresh the Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings. Adversaries may use the command to discover network configuration details.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: System Network Configuration Discovery (T1016)Required data: XDR AgentAttacker's goals: Attackers can use the ipconfig command to discover network configuration details.Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check whether additional discovery commands were executed from the same process.Uncommon Launch Agent persistency was registered or modified Informational 9 variations
An uncommon Launch Agent persistence mechanism was registered/modified on the system.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Create or Modify System Process (T1543) Create or Modify System Process: Launch Agent (T1543.001)Required data: XDR AgentDetector tags: Generic Persistence AnalyticsAttacker's goals: Establish persistent access to the compromised host by registering malicious code.Investigative actions: Analyze the persistency item and determine whether it performs any malicious or suspicious actions. Analyze the registered process and determine whether it performs any malicious or suspicious actions. Check the events generated by the process for potential malicious behavior.Variations
Uncommon Launch Agent persistency was registered or modified by a security testing tool
High overridden
An uncommon Launch Agent persistence mechanism was registered/modified on the system by a security testing tool. overridden
Uncommon Launch Agent persistency was registered or modified by a tool with possible web access
Low overridden
An uncommon Launch Agent persistence mechanism was registered/modified on the system by a tool with possible web access. overridden
Uncommon Launch Agent persistency was registered or modified while using a data communication tool
Low overridden
An uncommon Launch Agent persistence mechanism was registered/modified on the system while using a data communication tool for persistency registration or as a persistency-triggered execution. overridden
Uncommon Launch Agent persistency was registered or modified while using osascript
Low overridden
An uncommon Launch Agent persistence mechanism was registered/modified on the system while using osascript for persistency registration or as a persistency-triggered execution. overridden
Uncommon Launch Agent persistency was registered or modified using Plist Buddy with Run-At-Load key
Low overridden
An uncommon Launch Agent persistence mechanism was registered/modified on the system using Plist Buddy with Run-At-Load key set to True. overridden
Uncommon Launch Agent persistency was registered or modified with an uncommon path containing a known vendor name
Low overridden
An uncommon Launch Agent persistence mechanism was registered/modified on the system with an uncommon path containing a known vendor name. overridden
Uncommon Launch Agent persistency was registered or modified with an unusual persistency executable path
Low overridden
An uncommon Launch Agent persistence mechanism was registered/modified on the system with an unusual persistency executable path. overridden
Uncommon Launch Agent persistency was registered or modified by a non validly signed process
Low overridden
An uncommon Launch Agent persistence mechanism was registered/modified on the system by a non validly signed process. overridden
Uncommon Launch Agent persistency was registered or modified by an unsigned process
Low overridden
An uncommon Launch Agent persistence mechanism was registered/modified on the system by an unsigned process. overridden
Uncommon Launch Daemon persistency was registered or modified Informational 9 variations
An uncommon Launch Daemon persistence mechanism was registered/modified on the system.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Create or Modify System Process (T1543) Create or Modify System Process: Launch Daemon (T1543.004)Required data: XDR AgentDetector tags: Generic Persistence AnalyticsAttacker's goals: Establish persistent access to the compromised host by registering malicious code.Investigative actions: Analyze the persistency item and determine whether it performs any malicious or suspicious actions. Analyze the registered process and determine whether it performs any malicious or suspicious actions. Check the events generated by the process for potential malicious behavior.Variations
Uncommon Launch Daemon persistency was registered or modified by a security testing tool
High overridden
An uncommon Launch Daemon persistence mechanism was registered/modified on the system by a security testing tool. overridden
Uncommon Launch Daemon persistency was registered or modified by a tool with possible web access
Low overridden
An uncommon Launch Daemon persistence mechanism was registered/modified on the system by a tool with possible web access. overridden
Uncommon Launch Daemon persistency was registered or modified while using a data communication tool
Low overridden
An uncommon Launch Daemon persistence mechanism was registered/modified on the system while using a data communication tool for persistency registration or as a persistency triggered execution. overridden
Uncommon Launch Daemon persistency was registered or modified while using osascript
Low overridden
An uncommon Launch Daemon persistence mechanism was registered/modified on the system while using osascript for persistency registration or as a persistency triggered execution. overridden
Uncommon Launch Daemon persistency was registered or modified using Plist Buddy with Run-At-Load key
Low overridden
An uncommon Launch Daemon persistence mechanism was registered/modified on the system using Plist Buddy with Run-At-Load key set to True. overridden
Uncommon Launch Daemon persistency was registered or modified with an uncommon path containing a known vendor name
Low overridden
An uncommon Launch Daemon persistence mechanism was registered/modified on the system with an uncommon path containing a known vendor name. overridden
Uncommon Launch Daemon persistency was registered or modified with an unusual persistency executable path
Low overridden
An uncommon Launch Daemon persistence mechanism was registered/modified on the system with an unusual persistency executable path. overridden
Uncommon Launch Daemon persistency was registered or modified by a non validly signed process
Low overridden
An uncommon Launch Daemon persistence mechanism was registered/modified on the system by a non validly signed process. overridden
Uncommon Launch Daemon persistency was registered or modified by an unsigned process
Low overridden
An uncommon Launch Daemon persistence mechanism was registered/modified on the system by an unsigned process. overridden
Uncommon Linux process communication to a rare external host Informational 6 variations
An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Abnormal Communication AnalyticsAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.Investigative actions: Identify the process contacting the remote domain and determine whether the traffic is malicious. Look for other endpoints on your network that are alsocontacting the suspicious domain. Inspect the domain or URL for suspicious indicators or its presence in malicious reputation lists.Variations
Uncommon Linux process communication to a rare external host by an automated penetration testing tool
Medium overridden
An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden
Uncommon Linux process communication to a rare external host involving a code sharing website
Low overridden
An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden
Uncommon Linux process communication to a rare external host involving a low-prevalence process connecting to a rare Top-Level Domain
Low overridden
An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden
Uncommon Linux process communication to a rare external host with an external IP in the command line
Low overridden
An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden
Uncommon Linux process communication to a rare external host using a data transfer tool
Low overridden
An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden
Uncommon Linux process communication to a rare external host identified as global anomaly
Low overridden
An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden
Uncommon Linux remote shell command execution Informational 15 variations
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Lateral Movement (TA0008)ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004) Command and Scripting Interpreter (T1059) Remote Services (T1021)Required data: XDR AgentDetector tags: Shell AnalyticsAttacker's goals: An attacker may attempt to execute a malicious shell command on the system.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the executed shell command (and possible child processes) for malicious actions.Variations
Uncommon Linux remote shell command execution, possibly running LinPEAS
High overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution using an exploitation tool
High overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution executing a reverse interactive shell
Medium overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution downloading a shell script
Medium overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution disabling firewall
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution taking a screenshot
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution possibly running from an XZ backdoor
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution running as root
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution setting a scheduled task
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution running a process kill command
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution loading a kernel module
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution via non-SSH or SSH on a non-standard port
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution running a network tool
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution trying to gather information about the system
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution, possibly granting file execution permissions
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution Informational 15 variations
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004) Command and Scripting Interpreter (T1059)Required data: XDR AgentDetector tags: Shell AnalyticsAttacker's goals: An attacker may attempt to execute a malicious shell command on the system.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the executed shell command (and possible child processes) for malicious actions.Variations
Uncommon Linux shell command execution by a BAS solution
High overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution disabling firewall
High overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution, possibly running LinPEAS
High overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution using exploitation tool
High overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution taking a screenshot
Low overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution trying to gather information about the system
Low overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution loading a kernel module
Low overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution, possibly granting file execution permissions
Low overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution running a network tool
Low overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution setting a scheduled task
Low overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution running a process kill command
Low overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution with su/sudo elevation
Informational overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution accessing history (e.g. bash history or login records)
Informational overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution from a scripting language interpreter
Informational overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux shell command execution executed from within a web server
Informational overridden
An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Managed Object Format (MOF) compiler usage Informational
The mofcomp.exe WMI MOF compiled is used to compile code into the WMI repository that in turn may enable attackers to run scheduled or triggered code from the context of a Microsoft-signed binary.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)Required data: XDR AgentAttacker's goals: Run code via triggers from the context of the WMI executor.Investigative actions: Verify if the executing process is suspicious. Check if the MOF file being compiled has any malicious indicators within it.