Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1273 alerts match the current filters.

Show ATT&CK heatmap
  • Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer Low 4 variations

    A process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Process Injection: Portable Executable Injection (T1055.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Injection Analytics
    Attacker's goals: Gain code execution on the host in the context of another process.
    Investigative actions: Investigate the acting process for other malicious activities. Check if the target process was injected and for anomalies in its behavior after this event.

    Variations

    Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an office process

    High overridden

    An office process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden

    Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an injected thread

    Medium overridden

    An injected thread wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden

    Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from a LOLBIN process

    Medium overridden

    A LOLBIN process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden

    Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an unsigned process

    Medium overridden

    An unsigned process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden

  • Uncommon PowerShell commands used to create or alter scheduled task parameters Low

    Attackers may create or alter scheduled task parameters to gain higher privileges or persistence on the system.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job: Scheduled Task (T1053.005)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Create a new scheduled task or alter an existing one to gain persistence in the system or to gain higher privileges.
    Investigative actions: Examine the PowerShell command to identify suspicious scheduled task creation or modification. Inspect the system for suspicious activity that is triggered by a scheduled task.
  • Uncommon RDP connection Informational

    RDP is used by attackers to laterally move to new hosts. Standard processes do not usually implement RDP on their own, and attackers might inject or tunnel using a non-standard process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)
    Required data: XDR Agent
    Detector tags: Enhanced RDP Analytics
    Attacker's goals: Use an account that was possibly compromised to gain access to the network.
    Investigative actions: Validate if the process is a legitimate IT software. Verify if the process is known to be malicious. Look into actions done on the remote host.
  • Uncommon SQL like command line Informational 3 variations

    Uncommon SQL query in command line of an executed process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent
    Attacker's goals: An attacker may use SQL queries to steal information stored at the target databases.
    Investigative actions: Check if the CGO (Causality Group Owner) is known for running SQL queries in the organization.

    Variations

    Uncommon SQL like command line executed by a remote actor

    Medium overridden

    Uncommon SQL query in command line of a process which executed remotely. overridden

    Uncommon SQL like command line executed by an RMM tool

    Medium overridden

    Uncommon SQL query in command line of a process executed by a Remote Monitoring & Management tool. overridden

    Uncommon SQL like command line executed by an uncommon CGO

    Low overridden

    Uncommon SQL query in command line of an executed process. overridden

  • Uncommon SSH session was established Low 14 variations

    An uncommon SSH session was established.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.
    Investigative actions: Review the external IP/domain using known intelligence tools. Investigate the causality of the process and its user ID to find uncommon behaviors. Search for processes or files that were created by this SSH instance.

    Variations

    An Uncommon SSH session was established using a rare server HASSH for the ssh server

    Low overridden

    An Uncommon SSH session was established using a rare server HASSH for the ssh server. overridden

    An Uncommon SSH session was established using a rare client HASSH for the agent

    Low overridden

    An uncommon SSH session was established using a rare client HASSH for the agent. overridden

    An Uncommon SSH session was established using a rare request banner for the agent

    Low overridden

    An Uncommon SSH session was established using a rare request banner for the agent. overridden

    An Uncommon SSH session was established using a rare Response banner for the ssh server

    Low overridden

    An Uncommon SSH session was established using a rare Response banner for the ssh server. overridden

    An Uncommon SSH session was established using a rare Response banner

    Low overridden

    An Uncommon SSH session was established using a rare Response banner. overridden

    An Uncommon SSH session was established using a rare request banner

    Low overridden

    An Uncommon SSH session was established using a rare request banner. overridden

    An Uncommon SSH session was established using a rare Client HASSH

    Low overridden

    An uncommon SSH session was established using a rare client HASSH. overridden

    An Uncommon SSH session was established using a rare Server HASSH

    Low overridden

    An Uncommon SSH session was established using a rare Server HASSH. overridden

    A suspicious SSH session was established

    Low overridden

    A suspicious SSH session was established to a globally rare external IP using a nonstandard SSH port. overridden

    An Uncommon SSH session was established to a rare IP address

    Low overridden

    An uncommon SSH session was established to a rare remote IP address. overridden

    An Uncommon SSH session was established using a nonstandard SSH port

    Low overridden

    An uncommon SSH session was established with a destination port using a nonstandard SSH port. overridden

    Uncommon SSH session was established to a rare internal IP

    Low overridden

    An uncommon SSH session was established to a rare internal IP. overridden

    Uncommon SSH session was established that involved a higher than usual volume

    Low overridden

    Uncommon SSH session was established that involved a higher than usual volume. overridden

    Uncommon SSH session was established to an internal IP

    Informational overridden

    An uncommon SSH session was established to an internal IP. overridden

  • Uncommon Security Support Provider (SSP) registered via a registry key Low

    Security Support Provider (SSP) exposes a number of callbacks to be invoked during certain authentication and authorization events.An attacker may register SSP to try and gain access to clear text passwords.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Boot or Logon Autostart Execution: Security Support Provider (T1547.005)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain clear text passwords and persistency in the network.
    Investigative actions: Audit the specific key values to verify that the additional values are trusted.
  • Uncommon Service Create/Config Medium

    The Service Control command (sc.exe) is used to create, start, stop, query, or delete Windows services. Adversaries may attempt to use the command to execute and persist a binary, command, or script.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Detector tags: Malicious Service Analytics
    Attacker's goals: Evading security controls and possibly persisting malware.
    Investigative actions: Check whether the service created, or the configuration change to an existing service, is benign or normal for the host and/or user performing it.
  • Uncommon SetWindowsHookEx API invocation of a possible keylogger Medium

    A process installed a Windows desktop hook by calling the SetWindowsHookEx API function with an unpopular module. This behavior is commonly seen in keyloggers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)
    ATT&CK techniques: Input Capture: Keylogging (T1056.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers can monitor keyboard events as another way for credential gathering or to collect more user data over time for espionage purposes.
    Investigative actions: Check if the process has a user interface (a visible window). Check if the process has an option to set or modify keyboard hot-keys. Check if the process is part of a remote control tool. Check if the process is a known user application that was updated recently. Check if the process is built with AutoHotkey and is known to the user. If the process is a scripting engine or a hosting executable, check the actor process command line. Investigate the endpoint if the process writes files to disk.
  • Uncommon URL domain(s) in your organization detected in email Informational Email 3 variations

    We have identified unpopular domain(s) in URL(s) within this email.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Trick the user into engaging with a URL(s), aiming to extract information or establish access to the network.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    External email with a first-seen URL domain(s) in your organization in the last 30 days

    Informational overridden

    We have identified unpopular domain(s) in URL(s) within this email. overridden

    Internal email with a first-seen URL domain(s) in your organization in the last 30 days

    Informational overridden

    We have identified unpopular domain(s) in URL(s) within this email. overridden

    Outbound email with a first-seen URL domain(s) in your organization in the last 30 days

    Informational overridden

    We have identified unpopular domain(s) in URL(s) within this email. overridden

  • Uncommon VNC server communication Low 4 variations

    Uncommon VNC server network traffic was observed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Lateral Movement (TA0008)
    ATT&CK techniques: Remote Access Tools (T1219) Remote Services: VNC (T1021.005)
    Required data: XDR Agent
    Attacker's goals: Accessing a remote machine with full interactive graphic interface capabilities.
    Investigative actions: Check if the product usage is approved. Check if it was executed remotely or locally.

    Variations

    Uncommon VNC scanning activity detected from a scanning tool

    Medium overridden

    An uncommon VNC scanning network traffic was observed from a scanning tool. overridden

    Uncommon VNC server communication from an unmanaged previously unseen external host

    Low overridden

    Uncommon VNC server network traffic was observed from an unmanaged, previously unseen external host. overridden

    Partially uncommon VNC server communication

    Informational overridden

    Uncommon VNC server network traffic was observed. overridden

    Uncommon VNC server connection

    Informational overridden

    An uncommon VNC Server network connection was observed. overridden

  • Uncommon WPAD queries Informational 3 variations

    There were multiple attempts to access WPAD resources by a single host in your network. This may indicate a malicious activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Adversary-in-the-Middle (T1557)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Attackers may attempt to move laterally over the network by exploiting problems in WPAD.
    Investigative actions: Verify that the source host is legitimate. Examine the legitimacy of the application that produced this uncommon WPAD. Examine the parent process of this application.

    Variations

    Uncommon WPAD queries to a external domain

    Informational overridden

    There were multiple attempts to access WPAD resources by a single host in your network. This may indicate a malicious activity. overridden

    Suspicious WPAD queries

    Low overridden

    There were multiple attempts to access WPAD resources by a single host in your network. This may indicate a malicious activity. overridden

    Uncommon WPAD queries using an uncommon port

    Informational overridden

    There were multiple attempts to access WPAD resources by a single host in your network. This may indicate a malicious activity. overridden

  • Uncommon access to /etc/passwd Informational 11 variations

    A process made an uncommon attempt to access /etc/passwd.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: File and Directory Discovery (T1083) System Service Discovery (T1007) System Owner/User Discovery (T1033) System Information Discovery (T1082) Account Discovery (T1087) Account Discovery: Local Account (T1087.001) OS Credential Dumping (T1003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: EDR Discovery Analytics, Credentials Grabbing Analytics
    Attacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.
    Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.

    Variations

    Uncommon access to /etc/passwd by a security testing tool

    Medium overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd by a potentially known credential dumper or enumeration script

    Medium overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd by a potential Webshell

    Medium overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon link creation to /etc/passwd

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd with both /etc/passwd and /etc/shadow in the command line

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd, involving a network utility

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd from temporary or world writable directories

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd with additional sensitive files in the command line

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd via a new inline bash script

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd using an interactive binary

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

    Uncommon access to /etc/passwd using an interactive shell

    Low overridden

    A process made an uncommon attempt to access /etc/passwd. overridden

  • Uncommon access to Microsoft Teams cookies files Informational Identity Analytics 1 variation

    Sensitive Microsoft Teams cookies files were accessed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores (T1555) Steal Application Access Token (T1528)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft Teams
    Attacker's goals: Attacker may access credentials files and steal application access tokens to gain remote access.
    Investigative actions: Investigate the actor process to determine if it was used for legitimate purposes or malicious activity. Review the host for any additional unusual activity. Investigate the Graph API calls followed by the user that might be related.

    Variations

    Suspicious uncommon access to Microsoft Teams cookies files

    Low overridden

    Sensitive Microsoft Teams cookies files were accessed by a suspicious process. overridden

  • Uncommon access to Microsoft Teams credential files Low 1 variation

    Sensitive Microsoft Teams credential files were accessed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials (T1552)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Accessing these files is done by attackers to collect user credentials.
    Investigative actions: Investigate the actor process to determine if it was used for legitimate purposes or malicious activity.

    Variations

    Uncommon access to Microsoft Teams credential files by an unsigned and unpopular process

    Low overridden

    Sensitive Microsoft Teams credential files were accessed. by an unsigned and unpopular process. overridden

  • Uncommon access to cloud platforms' sensitive files by a scripting engine Informational 1 variation

    A scripting engine has accessed sensitive cloud platforms' files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores (T1555)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain access/control over internal cloud platforms or repositories.
    Investigative actions: Investigate if the behavior is known to the user or part of known product's procedure. Investigate if the actor processes command line contains malicious indicators or a script file.

    Variations

    Uncommon access to cloud platforms' sensitive files by an uncommon script or utility

    Low overridden

    A scripting engine has accessed sensitive cloud platforms' files. overridden

  • Uncommon attempt at discovering a sensitive file Informational 8 variations

    A process made an uncommon attempt to access a file that may contain sensitive information.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: File and Directory Discovery (T1083) Process Discovery (T1057) System Service Discovery (T1007) System Network Configuration Discovery (T1016) System Owner/User Discovery (T1033) System Network Connections Discovery (T1049) System Information Discovery (T1082)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: EDR Discovery Analytics
    Attacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.
    Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.

    Variations

    Uncommon attempt at discovering /etc/hosts

    Informational overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a security testing tool

    Medium overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a potentially known credential dumper or enumeration script

    Medium overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a potential Webshell

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a script that was executed by a rare causality

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file from temporary or world writable directories

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a rare process that was executed by cron

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a non-GTFOBIN process

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

  • Uncommon attempt at grabbing credentials from a sensitive file Informational 8 variations

    A process made an uncommon attempt to access a file that may contain sensitive information.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: OS Credential Dumping (T1003) Unsecured Credentials: Credentials In Files (T1552.001) Unsecured Credentials (T1552) Credentials from Password Stores (T1555) Account Discovery (T1087)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Credentials Grabbing Analytics
    Attacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.
    Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.

    Variations

    Uncommon attempt at grabbing credentials from a sensitive file by a security testing tool

    High overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from a sensitive file by a potentially known credential dumper or enumeration script

    Medium overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from an SSH private key

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from a sensitive file by a potential Webshell

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from a sensitive file by a script that was executed by a rare causality

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from a sensitive file from temporary or world writable directories

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from a sensitive file by a rare process that was executed by cron

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at grabbing credentials from a sensitive file by a non-GTFOBIN process

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

  • Uncommon attempt to clear shell history Low 1 variation

    An attempt to clear or manipulate shell history files was detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Indicator Removal (T1070)
    Required data: XDR Agent
    Attacker's goals: Attackers may clear or modify shell history files to remove traces of their activities.
    Investigative actions: Investigate the user and process that executed the command. Examine other related activities on the host to understand the context of this action.

    Variations

    Globally uncommon attempt to clear shell history

    Medium overridden

    An attempt to clear or manipulate shell history files was detected. overridden

  • Uncommon browser extension loaded Informational

    An uncommon browser extension was loaded by a Chromium-based browser.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Software Extensions: Browser Extensions (T1176.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Chromium Extensions Analytics
    Attacker's goals: Gain persistency on a machine and steal sensitive browsing data.
    Investigative actions: Investigate the extension and how it was loaded. Check if this extension is currently present at the relevant extensions web store by looking up for its extension ID.
  • Uncommon cloud CLI tool usage Informational Cloud 4 variations

    An uncommon execution of a cloud CLI tool.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)
    Required data: XDR Agent
    Attacker's goals: Abuse cloud APIs to execute malicious commands.
    Investigative actions: Check what cloud CLI commands were executed. Verify which cloud resources may have been affected.

    Variations

    Uncommon cloud CLI tool usage within a web server pod

    Low overridden

    An uncommon execution of a cloud CLI tool. overridden

    Uncommon cloud CLI tool usage within a web server

    Low overridden

    An uncommon execution of a cloud CLI tool. overridden

    Uncommon cloud CLI tool usage within a cloud instance

    Low overridden

    An uncommon execution of a cloud CLI tool. overridden

    Uncommon cloud CLI tool usage within a Kubernetes pod

    Informational overridden

    An uncommon execution of a cloud CLI tool. overridden

  • Uncommon communication to an instant messaging server Informational 2 variations

    A rare communication between a process to a known instant messaging server.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Web Service (T1102)
    Required data: XDR Agent
    Attacker's goals: Data exfiltration or attack tool staging through a trusted service.
    Investigative actions: Examine the legitimacy of the application that made the communication with the provider's server. Examine the parent process of this application. Check for anomalies regarding the time frame where the communication occurred.

    Variations

    Uncommon communication to an instant messaging server by a suspicious process

    Low overridden

    A rare communication by a suspicious process to a known instant messaging server. overridden

    Uncommon communication to an instant messaging server by an uncommon scripting engine execution

    Low overridden

    A rare communication by an uncommon execution of a scripting engine to a known instant messaging server. overridden

  • Uncommon creation or access operation of sensitive shadow copy Low 2 variations

    An uncommon creation or access of a sensitive Shadow Copy volume path.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers may try to copy sensitive data or dump OS credentials from the host file system by using Shadow Copy volume utilities.
    Investigative actions: Verify if the shadow copy operation is part of an IT activity. Look for other hosts performing the same shadow copy event with similar causality process behavior. Inspect the causality process and its characteristics as they appear on other hosts.

    Variations

    Uncommon creation or access operation of sensitive shadow copy by a remote actor

    Low overridden

    An uncommon creation or access of a sensitive Shadow Copy volume path. overridden

    Uncommon creation or access operation of sensitive shadow copy by a high-risk process

    High overridden

    An uncommon creation or access of a sensitive Shadow Copy volume path by a high-risk process. overridden

  • Uncommon driver loaded Low 3 variations

    An uncommon driver loaded which may be an attempt to kill the EDR or install rootkit.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Rootkit (T1014)
    Required data: XDR Agent
    Attacker's goals: Install rootkit to gain kernel-level to gain full control over the machine or disable security products.
    Investigative actions: Investigate which process created the driver or how it has been loaded.

    Variations

    Uncommon driver loaded by a Web server process

    High overridden

    An uncommon driver loaded which may be an attempt to kill the EDR or install rootkit by a Web server process. overridden

    Globally rare and unsigned driver loaded

    Medium overridden

    Globally rare and unsigned driver loaded. overridden

    Uncommon driver with a globally rare vendor loaded as a service

    Medium overridden

    An uncommon driver loaded which may be an attempt to kill the EDR or install rootkit. overridden

  • Uncommon execution of ODBCConf Low 1 variation

    Attackers may abuse the Odbcconf.exe Windows utility to proxy the execution of malicious DLL files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Odbcconf (T1218.008)
    Required data: XDR Agent
    Attacker's goals: Execute arbitrary code or load malicious DLL modules undetected within Microsoft signed program from Microsoft signed process.
    Investigative actions: Check the execution command-line, in case of 'REGSVR' points to a DLL, then check it. If the command-line contains '/f' argument (for script file) check the content of the script.

    Variations

    Uncommon execution of ODBCConf to load dll directly

    High overridden

    Attackers may abuse the Odbcconf.exe Windows utility to proxy the execution of malicious DLL files. overridden

  • Uncommon file access over WebDAV Low 1 variation

    Uncommon file access over WebDAV.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Threat actors may use the WebDAV to blend in existing network traffic.
    Investigative actions: Investigate the process {actor_process_image_name} which tried to access the remote file. Investigate the remote host {webdav_dst_from_file_event}.

    Variations

    High-risk file read over WebDAV by a LOLBIN process

    High overridden

    High-risk file read over WebDAV by a LOLBIN process. overridden

  • Uncommon increase in Azure Microsoft Graph API request sizes Informational Cloud 3 variations

    An identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Exfiltrate data over Microsoft Graph API.
    Investigative actions: Check the identity's role designation in the organization.Check if there are additional calls executed by the identity.

    Variations

    Unusual Azure high-volume data transfer

    Medium overridden

    An identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes. overridden

    Suspicious Azure data transfer by identity

    Medium overridden

    An identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes. overridden

    Unusual data transfer from multiple Azure tenants

    Low overridden

    An identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes. overridden

  • Uncommon jsp file write by a Java process Medium

    An uncommon jsp file was written by a Java process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Server Software Component: Web Shell (T1505.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Persistence on the host.
    Investigative actions: Check if the file was added during regular java process actions. Check if the jsp file contains malicious content.
  • Uncommon kernel module load Informational 1 variation

    Loading of a kernel module using the modprobe command.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Rootkit (T1014)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Gain persistence using the kernel module.
    Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.

    Variations

    Uncommon kernel module load in a Kubernetes pod

    Informational overridden

    Loading of a kernel module using the modprobe command. overridden

  • Uncommon local scheduled task creation via schtasks.exe Informational 4 variations

    The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to gain persistence on this host using scheduled tasks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: Attackers may attempt to use the command to gain persistence on the endpoint using scheduled tasks.
    Investigative actions: Review the process that creates the schedule task. Investigate the specific scheduled task execution chain.

    Variations

    Uncommon local scheduled task creation via schtasks.exe by a remote actor

    Informational overridden

    The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to gain persistence on this host using scheduled tasks. overridden

    Uncommon scheduled task created by an unsigned and rare actor via schtasks.exe

    Low overridden

    The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to gain persistence on this host using scheduled tasks. overridden

    Uncommon scheduled task created by an unsigned actor via schtasks.exe

    Low overridden

    The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to gain persistence on this host using scheduled tasks. overridden

    Uncommon scheduled task created by a signed actor from a rare vendor via schtasks.exe

    Low overridden

    The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to gain persistence on this host using scheduled tasks. overridden

  • Uncommon login item persistency was registered or modified Informational 4 variations

    An uncommon login item persistence mechanism was registered/modified on the system.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution (T1547) Boot or Logon Autostart Execution: Login Items (T1547.015)
    Required data: XDR Agent
    Detector tags: Generic Persistence Analytics
    Attacker's goals: Establish persistent access to the compromised host by registering malicious code.
    Investigative actions: Analyze the persistency item and determine whether it performs any malicious or suspicious actions. Analyze the registered process and determine whether it performs any malicious or suspicious actions. Check the events generated by the process for potential malicious behavior.

    Variations

    Uncommon login item persistency was registered or modified by a security testing tool

    High overridden

    An uncommon login item persistence mechanism was registered/modified on the system by a security testing tool. overridden

    Uncommon login item persistency was registered or modified while using osascript

    Low overridden

    An uncommon login item persistence mechanism was registered/modified on the system while using osascript for persistency registration or as a persistency triggered execution. overridden

    Uncommon login item persistency was registered or modified by an invalidly signed actor process

    Low overridden

    An uncommon login item persistence mechanism was registered/modified on the system by an invalidly signed actor process. overridden

    Uncommon login item persistency was registered or modified by an invalidly signed causality process

    Low overridden

    An uncommon login item persistence mechanism was registered/modified on the system by an invalidly signed causality process. overridden

  • Uncommon macOS process communication to a rare external host Informational 11 variations

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Abnormal Communication Analytics
    Attacker's goals: Establish a remote backdoor to issue instructions, deploy additional payloads, and maintain long-term persistence across the infected fleet.
    Investigative actions: Identify the process contacting the remote host and determine whether the traffic is malicious. Look for other endpoints on your network that are also contacting the suspicious host. Inspect the host or URL for suspicious indicators or its presence in malicious reputation lists.

    Variations

    Uncommon macOS process communication to a rare external host by security testing tool

    High overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host with a frequently abused TLD

    Medium overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host while using a CLI utility to establish a connection with a messaging service API

    Medium overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host related to LOTTunnels

    Low overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host with a rare TLD

    Low overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host while using a CLI utility and piping to script

    Low overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host while using a CLI utility to download and change permission

    Low overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host while using a CLI utility running by an unsigned process

    Low overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host while using a CLI utility and saving data to a temporary folder

    Low overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host while using a CLI utility and downloading a script

    Low overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host while using a CLI utility

    Low overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

  • Uncommon macOS shell command execution Informational 10 variations

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004) Command and Scripting Interpreter (T1059)
    Required data: XDR Agent
    Detector tags: Shell Analytics
    Attacker's goals: An attacker may attempt to execute a malicious shell command on the system.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the executed shell command (and possible child processes) for malicious actions.

    Variations

    Uncommon macOS shell command execution by a BAS solution

    High overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution running a curl / wget in an uncommon way

    High overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution taking a screenshot

    Low overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution trying to gather information about the system

    Low overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution loading a kernel extension

    Low overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution, possibly granting file execution permissions

    Low overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution running a process kill command

    Low overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution executed an AppleScript

    Low overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution from an unsigned process

    Low overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution of an exceedingly rare process

    Low overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

  • Uncommon msiexec execution of an arbitrary file from a remote location Low 1 variation

    Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Msiexec (T1218.007)
    Required data: XDR Agent
    Attacker's goals: Evading security controls and executing arbitrary files from the web.
    Investigative actions: Check if the the URL that is encoded in the command line is trusted. Determine if the executed DLL or MSI file is known as legitimate. Confirm whether the initiating process is legitimate and if the user running it knows of its use.Note - the MSI executable can run from other LAN locations, the alert will raise on the WAN connection.

    Variations

    Suspicious msiexec execution on an internet-facing endpoint

    Low overridden

    Suspicious msiexec execution of an arbitrary file from the web on an internet-facing server. overridden

  • Uncommon net group command execution Informational 7 variations

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)
    ATT&CK techniques: Permission Groups Discovery (T1069) Create Account (T1136)
    Required data: XDR Agent
    Attacker's goals: Attackers may attempt to use the command to find domain-level group permissions settings or modify domain-level memberships.
    Investigative actions: Check if the queried group is a sensitive one (e.g. administrators). Check whether the initiating process has executed additional discovery commands.

    Variations

    Uncommon unsigned net group administrators command execution

    High overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon unsigned net group administrators command execution - fixed localization issues

    High overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon remote net group administrators command execution

    Low overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon net group administrators command execution

    Medium overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon net group execution

    Low overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon remote net group execution

    Low overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon administrator net group execution by scripting engine or command prompt

    Medium overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

  • Uncommon net localgroup command execution Informational 7 variations

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)
    ATT&CK techniques: Permission Groups Discovery (T1069) Create Account (T1136)
    Required data: XDR Agent
    Attacker's goals: Attackers may attempt to use the command to find local groups permissions settings or modify local memberships.
    Investigative actions: Check if the queried group is a sensitive one (e.g. administrators). Check whether the initiating process has executed additional discovery commands.

    Variations

    Uncommon net localgroup administrators command execution by a web server process or CGO

    Medium overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. When executed from a web server, it might be executed from an installed Webshell. overridden

    Uncommon unsigned net localgroup administrators command execution

    Medium overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

    Uncommon unsigned net localgroup administrators command execution - fixed localization issues

    Medium overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

    Uncommon net localgroup administrators command execution

    Low overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

    Uncommon net localgroup execution

    Low overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

    Uncommon remote net localgroup execution

    Medium overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

    Uncommon administrator net localgroup execution by scripting engine or command prompt

    Low overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

  • Uncommon net localgroup execution Informational 1 variation

    The 'net localgroup' command is used to add, display, or modify groups local to the host. Adversaries may attempt to use the command to find host groups and permissions settings or modify local group memberships.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Permission Groups Discovery (T1069)
    Required data: XDR Agent
    Attacker's goals: Attackers can attempt to use the command to find endpoint groups and permissions settings or modify local group memberships.
    Investigative actions: Check if the queried group is a sensitive one (e.g. administrators). Check whether the initiating process has executed additional discovery commands.

    Variations

    Uncommon net localgroup execution by an untrusted CGO

    Low overridden

    The 'net localgroup' command is used to add, display, or modify groups local to the host by an untrusted CGO. Adversaries may attempt to use the command to find host groups and permissions settings or modify local group memberships. overridden

  • Uncommon network tunnel creation Informational 3 variations

    An uncommon network tunnel was established.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    12 Hours
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Protocol Tunneling (T1572)
    Required data: Palo Alto Networks Url Logs
    Attacker's goals: Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.
    Investigative actions: Review the external IP/domain using known intelligence tools. Investigate the causality of the process and its user ID to find uncommon behaviors. Search for processes or files that were created by this SSH instance.

    Variations

    Uncommon network tunnel creation

    Informational overridden

    An uncommon network tunnel was established using ACS_ssh.exe. overridden

    Uncommon SSH tunnel to unpopular IP address

    Low overridden

    An uncommon SSH tunnel was established to an unpopular remote IP address at the organization. overridden

    An uncommon network tunnel was established over the default SSH port

    Low overridden

    An unpopular process and command line created a network tunnel over the default SSH port. overridden

  • Uncommon recurring rare external host access Informational 6 variations

    A process has established recurring connections to an uncommon external host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    14 Days
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over C2 Channel (T1041) Remote Access Tools (T1219)
    Required data: XDR Agent
    Detector tags: Abnormal Communication Analytics
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines. Additionally, establish command and control channels for remote malware control, conduct discovery activities to gather information about the target environment, or exfiltrate sensitive data from compromised systems.
    Investigative actions: Identify the process contacting the remote host and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the same external host. Inspect the domain or URL for malicious indicators or its presence in threat intelligence feeds and reputation lists.

    Variations

    Uncommon recurring rare external host access by an automated penetration testing tool

    High overridden

    A process has established recurring connections to an uncommon external host. overridden

    Uncommon recurring rare external host access to a dynamic DNS domain

    Low overridden

    A process has established recurring connections to an uncommon external host. overridden

    Uncommon recurring rare external host access initiated by a cron job

    Low overridden

    A process has established recurring connections to an uncommon external host. overridden

    Uncommon recurring rare external host access with a rare top-level domain

    Low overridden

    A process has established recurring connections to an uncommon external host. overridden

    Uncommon recurring rare external host access using an exfiltration tool

    Low overridden

    A process has established recurring connections to an uncommon external host. overridden

    Uncommon recurring rare external host access with a sensitive file in actor or causality command line

    Low overridden

    A process has established recurring connections to an uncommon external host. overridden

  • Uncommon remote monitoring and management tool Low 4 variations

    An uncommon Remote Monitoring and Management (RMM) product was observed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Remote Access Tools (T1219)
    Required data: XDR Agent
    Attacker's goals: Accessing a remote machine with full interactive graphic interface capabilities.
    Investigative actions: Check if the product usage is approved. Ask the owners of the machine if they knowingly used this software. Investigate why the software was being used. Check if it was executed remotely or locally.

    Variations

    Uncommon renamed remote monitoring and management tool

    Medium overridden

    An uncommon renamed Remote Monitoring and Management (RMM) product was observed. overridden

    Uncommon remote monitoring and management tool (browser origin)

    Informational overridden

    An uncommon Remote Monitoring and Management (RMM) product was observed. (browser origin). overridden

    Uncommon remote monitoring and management tool extracted from an internet-downloaded archive and executed

    Low overridden

    An uncommon Remote Monitoring and Management (RMM) product extracted from an internet-downloaded archive and executed. overridden

    Uncommon remote monitoring and management tool downloaded from an uncommon source and executed

    Medium overridden

    An uncommon Remote Monitoring and Management (RMM) product downloaded from an uncommon source and executed. overridden

  • Uncommon remote scheduled task creation Low 1 variation

    The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to execute programs or persist malware on remote machines.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: Attackers can attempt to use the command to execute programs or persist malware on remote endpoints.
    Investigative actions: Investigate the initiator process and whether it should create remote tasks. Investigate the scheduled task execution on the remote machine.

    Variations

    Uncommon remote scheduled task creation by a remote actor via RDP

    High overridden

    The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to execute programs or persist malware on remote machines. overridden

  • Uncommon remote service start via sc.exe Low

    The Service Control command (sc.exe) is used to create, start, stop, query, or delete Windows services. Adversaries may attempt to use the command to execute and persist a binary, command, or script.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Detector tags: Malicious Service Analytics
    Attacker's goals: The Service Control command is used to create, start, stop, query, or delete Windows services. Attackers can use the command to attempt to execute and persist a binary, command, or script.
    Investigative actions: Check whether the executed process is benign and if this was desired behavior as part of its normal execution flow. Check the remote host for any evidence of the executed service and investigate it.
  • Uncommon reverse SSH tunnel to external domain/ip Low 1 variation

    An uncommon reverse SSH tunnel might have been created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Protocol Tunneling (T1572)
    Required data: XDR Agent
    Detector tags: Abnormal Communication Analytics
    Attacker's goals: Attackers may use SSH to create an encrypted tunnel to allow an attacker to covertly connect to an internal host.
    Investigative actions: Review the external ip/domain. Investigate the causality of the process.

    Variations

    Uncommon reverse SSH tunnel to external domain/ip using a sensitive port

    Low overridden

    An uncommon reverse SSH tunnel might have been created. overridden

  • Uncommon routing table listing via route.exe Low

    The route.exe command is used to display and modify entries in the local IP routing table. Adversaries may attempt to use the command to discover remote systems they could compromise.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: System Network Configuration Discovery (T1016)
    Required data: XDR Agent
    Attacker's goals: Attackers can attempt to use the command to discover remote systems they could compromise.
    Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it (e.g. an IT script).
  • Uncommon sensitive filesystem registry hive access Informational 4 variations

    A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003) OS Credential Dumping: Security Account Manager (T1003.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversary may attempt to extract credentials from the Windows Registry Credentials can then be used to perform lateral movement and access restricted information.
    Investigative actions: Investigate the process that tried to access the registry hive file. Investigate the actions of the user, for which his credentials were stored in the registry hive file.

    Variations

    Uncommon filesystem registry SAM hive access by a lolbin actor in a shadow copy folder

    High overridden

    A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping. overridden

    Uncommon sensitive filesystem registry hive access by a lolbin actor in a shadow copy folder

    Medium overridden

    A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping. overridden

    Uncommon sensitive filesystem registry hive access by a rare unsigned actor in a shadow copy folder

    Medium overridden

    A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping. overridden

    Uncommon sensitive filesystem registry hive access by a rare unsigned actor

    Low overridden

    A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping. overridden

  • Uncommon sensitive registry hive dump Low 4 variations

    A sensitive registry hive was extracted, which is used for accessing credentials.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversary may attempt to extract credentials from the Windows Registry Credentials can then be used to perform lateral movement and access restricted information.
    Investigative actions: Investigate the process that tried to access the registry hive. Investigate the actions of the user for which his credentials were stored in the registry hive.

    Variations

    Uncommon sensitive registry hive dump by unsigned and rare process

    High overridden

    A sensitive registry hive was extracted, which is used for accessing credentials. overridden

    Uncommon sensitive registry hive dump by injected process

    High overridden

    A sensitive registry hive was extracted, which is used for accessing credentials. overridden

    Uncommon sensitive registry hive dump by reg.exe lolbin process which was executed by rare causality process

    High overridden

    A sensitive registry hive was extracted, which is used for accessing credentials. overridden

    Uncommon sensitive registry hive dump by reg.exe lolbin process

    Medium overridden

    A sensitive registry hive was extracted, which is used for accessing credentials. overridden

  • Uncommon service stop operation Informational

    An attempt to stop a service was made using an unusual shell command.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Service Stop (T1489)
    Required data: XDR Agent
    Attacker's goals: Attackers may disable services to disrupt system functionality and weaken security defenses.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Uncommon signed process execution by scheduled task Informational 3 variations

    An uncommon process was executed by a scheduled task.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: Attackers may attempt to gain persistence, privilege escalation or proxy execution on the endpoint using scheduled tasks.
    Investigative actions: Review the process executed by the schedule task. Investigate the specific scheduled task execution chain. Check if the vendor is known in the organization for creating scheduled tasks to execute his product.

    Variations

    Uncommon Microsoft signed process execution by scheduled task

    Informational overridden

    An uncommon process was executed by a scheduled task. overridden

    Uncommon signed process execution by scheduled task on a sensitive server

    Low overridden

    An uncommon process was executed by a scheduled task. overridden

    Rare signed process execution by scheduled task

    Low overridden

    A rare process was executed by a scheduled task. overridden

  • Uncommon user management via net.exe Informational 1 variation

    The net.exe command is used to add, delete, and otherwise manage the users on a computer. Adversaries may attempt to use the command to discover or add local and domain user accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)
    ATT&CK techniques: Account Discovery (T1087) Create Account (T1136)
    Required data: XDR Agent
    Attacker's goals: Attackers may attempt to use the command to discover or add local and domain user accounts. The created accounts are to gain additional access to endpoints within your network.
    Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Check whether the user from the command line is an administrator or other sensitive account.

    Variations

    Uncommon user management via net.exe by an untrusted CGO

    Low overridden

    The net by an untrusted CGO.exe command is used to add, delete, and otherwise manage the users on a computer. Adversaries may attempt to use the command to discover or add local and domain user accounts. overridden

  • Unicode RTL Override Character High

    An attacker may use a special right-to-left (RTL) override character to trick users into executing malicious files that look like benign file types.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Obfuscated Files or Information (T1027)
    Required data: XDR Agent
    Attacker's goals: Trick users into executing malicious files by making their file types seem benign.
    Investigative actions: Investigate the executed process. There is no reason for benign files to contain the Unicode right-to-left override character in their name.
  • Unique client computer model was detected via MS-Update protocol Informational

    A unique client computer model was detected via MS-Update protocol.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Hardware Additions (T1200)
    Required data: Palo Alto Networks Firewall EAL Logs
    Attacker's goals: The Windows Server Update Services enable machines to discover and download software updates from a dedicated update server while providing the necessary client characteristics to install the suitable client version and build. Characteristics may consist of computer model, BIOS version and architecture. A unique computer model in the network may indicate an unauthorized and unmanaged connection to the internal network.
    Investigative actions: Inspect the legitimacy of the host and its hardware components. Verify that this host is not a newly deployed end-point or virtual machine as part of a legitimate IT activity.
  • Unknown DLL was added to the AD FS Global Assembly Cache path Informational Identity Analytics 1 variation

    A new and unknown DLL was created within the Active Directory Federation Services (AD FS) Global Assembly Cache (GAC). Attackers may manipulate IdentityServer adapters to achieve persistence or execute malicious code within the AD FS environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Hijack Execution Flow (T1574)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Federation Services Analytics
    Attacker's goals: Attackers may inject malicious code into the AD FS server and manipulate the IdentityServer adapters to gain persistence.
    Investigative actions: Check if the AD FS service was stopped or restarted around the time of modification. Identify the user or process responsible for the file creation. Verify if the DLL is digitally signed by Microsoft. Compare the modification timestamp of this DLL against others in the same directory.

    Variations

    Suspicious DLL was added to the AD FS Global Assembly Cache path

    Low overridden

    A new and unknown DLL was created within the Active Directory Federation Services (AD FS) Global Assembly Cache (GAC). Attackers may manipulate IdentityServer adapters to achieve persistence or execute malicious code within the AD FS environment. overridden

  • Unpopular domains detected in email URLs for a recipient Informational Email 1 variation

    We have identified unpopular domain(s) within these email URLs.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Trick the user into clicking a link, while avoiding detection.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    Highly unpopular URL domain(s) for mailbox detected in email

    Informational overridden

    We have identified unpopular domain(s) within these email URLs. overridden

  • Unpopular rsync process execution Informational 1 variation

    An unpopular rsync process was executed on the host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may attempt to transfer tools or other files to a compromised host.
    Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.

    Variations

    Unpopular rsync process execution in a Kubernetes Pod

    Informational overridden

    An unpopular rsync process was executed on the host. overridden

  • Unprivileged process opened a registry hive Low

    An unprivileged process opened a registry hive directly.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent
    Attacker's goals: An attacker may attempt to gain higher privileges.
    Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Investigate the endpoint to determine if it's a legitimate process that is supposed to run with privileges.
  • Unrecognized internal address (AAD mismatch) Informational Email

    An email was received from an address using an internal domain, but the sender is not found in Active Directory. This may indicate an impersonation attempt or domain spoofing.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566)
    Required data: Microsoft 365 Emails
    Detector tags: Employee Impersonation, Spear Phishing
    Attacker's goals: The attacker aims to impersonate an internal user to gain trust, bypass security controls, and potentially extract sensitive information or distribute malicious content through internal-looking emails.
    Investigative actions: Verify if the sender address exists in Active Directory. Check historical email activity from the spoofed address. Review email headers for spoofing indicators (SPF, DKIM, DMARC failures). Identify if recipients engaged with the email (clicked links, downloaded attachments). Correlate with other alerts involving the same sender or domain.
  • Unsigned DLL Hijack into a Microsoft process Informational 7 variations

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.
    Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.

    Variations

    Unsigned DLL Hijack into a recently created Microsoft process which commonly loads the module as signed

    Medium overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.In addition, The Microsoft process which commonly loads the module as signed,had loaded the module as unsigned, which might indicate an attacker targeting a popular module name. overridden

    Rare and unsigned DLL into an injected Microsoft process

    Medium overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

    Unsigned DLL Hijack of a low entropy DLL into a Microsoft process

    Low overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

    Unsigned DLL Hijack of a high entropy DLL into a Microsoft process

    Low overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

    Unsigned DLL Hijack into a Microsoft process - the DLL downloaded from an uncommon source

    Low overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

    Unsigned DLL Hijack into a recently created Microsoft process

    Low overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

    Unsigned DLL Hijack into a Microsoft process which was executed by a scheduled task

    Low overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

  • Unsigned DLL Side-Loading Informational 6 variations

    A signed process loaded an unsigned and rare module from the same folder.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.
    Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.

    Variations

    DLL Side-Loading of module bearing an invalid Microsoft signature

    High overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

    Unsigned DLL Side-Loading to a signed microsoft process by a rare causality actor

    Medium overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

    Unsigned DLL Side-Loading to a signed microsoft process

    Low overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

    Unsigned DLL Side-Loading - DLL downloaded from an uncommon source

    Low overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

    Unsigned high entropy DLL Side-Loading by untrusted causality actor

    Low overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

    Unsigned DLL Side-Loading which was executed by a scheduled task

    Low overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

  • Unsigned and unpopular process performed a DLL injection Low 5 variations

    An unsigned process with low popularity injected a dll into another process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: Attackers may inject DLLs into processes to evade process-based defenses, as well as possibly elevate privileges.
    Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Unsigned and unpopular process performed process hollowing DLL injection

    High overridden

    An unsigned process with low popularity injected a dll into another process. overridden

    Unsigned and unpopular process performed queue APC DLL injection

    High overridden

    An unsigned process with low popularity injected a dll into another process. overridden

    Unsigned and unpopular process performed a DLL injection to a sensitive process

    Medium overridden

    An unsigned process with low popularity injected a dll into another process. overridden

    Unsigned and unpopular process performed a DLL injection to a commonly abused process

    High overridden

    An unsigned process with low popularity injected a dll into another process. overridden

    Unsigned and unpopular process performed a DLL injection to a security vendor signed process

    Medium overridden

    An unsigned process with low popularity injected a dll into another process. overridden

  • Unsigned and unpopular process performed an injection Low 7 variations

    An unsigned process with low popularity injected code to another process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
    Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Unsigned and unpopular process performed process hollowing injection

    High overridden

    An unsigned process with low popularity injected code to another process. overridden

    Unsigned and unpopular process performed queue APC injection

    High overridden

    An unsigned process with low popularity injected code to another process. overridden

    Unsigned and unpopular process performed injection into a sensitive process

    Medium overridden

    An unsigned process with low popularity injected code to another process. overridden

    Unsigned and unpopular process performed injection into svchost.exe

    High overridden

    An unsigned process with low popularity injected code to another process. This process attempted to obtain System user permissions. overridden

    Unsigned and unpopular process performed injection into a commonly abused process

    High overridden

    An unsigned process with low popularity injected code to another process. overridden

    Unsigned and unpopular process performed injection into a process signed by a security vendor

    Medium overridden

    An unsigned process with low popularity injected code to another process. overridden

    Unsigned and unpopular process executed by a scheduled task performed an injection

    Low overridden

    An unsigned process with low popularity injected code to another process. overridden

  • Unsigned process creates a scheduled task via file access Low 1 variation

    A scheduled task was created via file access from an unsigned process. This is uncommon and may indicate malicious activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: Attackers may attempt to gain persistence on the endpoint using scheduled tasks.
    Investigative actions: Review the process executed by the schedule task. Investigate the specific scheduled task execution chain.

    Variations

    Unsigned process creates a scheduled task via file access on a sensitive server

    Medium overridden

    A scheduled task was created via file access from an unsigned process. This is uncommon and may indicate malicious activity. overridden

  • Unsigned process injecting into a Windows system binary with no command line Medium

    An attacker may be trying to avoid detection by injecting their malicious code into a legitimate Windows system binary.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
    Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.
  • Untrusted process contacted LLM API Informational 1 variation

    An untrusted process contacted an LLM API.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Resource Development (TA0042)
    ATT&CK techniques: Obtain Capabilities: Artificial Intelligence (T1588.007)
    Required data: XDR Agent
    Attacker's goals: Adversaries may use LLM APIs to create malicious payload dynamically. Each payload will be slightly different making detection more complex.
    Investigative actions: Investigate the process that contacted the LLM API. Check if this LLM API access is legitimate and expected. Analyze the data potentially sent to the LLM service.

    Variations

    Untrusted process contacted a rare LLM API

    Low overridden

    An untrusted process contacted a rare LLM API. overridden

  • Unusual ADConnect database file access Informational 2 variations

    An unusual process accessed the ADConnect database files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials (T1552)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers can abuse the Azure AD Connect database files to get access to the AD Sync account. The AD Sync account is a highly privileged account that can perform a DCSync and get access to on-premise password hashes.
    Investigative actions: See whether this was a legitimate action. Follow process/user/host activities. Follow unusual actions of the AD Sync user. Check for unusual Azure AD authentications. Check for a possible DCSync.

    Variations

    Suspicious access to ADConnect database file

    Medium overridden

    An unusual process accessed the ADConnect database files with some suspicious characteristics that flagged this access attempt as a suspicious. overridden

    Access to ADConnect database file by an unsigned or unusual process

    Low overridden

    An unusual process accessed the ADConnect database files with some suspicious characteristics that flagged this access attempt as a suspicious access. overridden

  • Unusual ADFS Remote Synchronization network connections from non-ADFS server Low

    Detected an unauthorized configuration sync request to the ADFS Policy Store from a non-ADFS server, step for forging SAML tokens in a Golden SAML attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Forge Web Credentials: SAML Tokens (T1606.002) Exploitation of Remote Services (T1210)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Detector tags: Active Directory Federation Services Analytics
    Attacker's goals: The attack goal is to forge a valid SAML token to impersonate any user and gain persistent, unauthorized access to cloud resources, effectively bypassing MFA and standard security controls.
    Investigative actions: Correlate this network event with AD FS service account activity. The attacker must use the service account's credentials to authenticate this request. Check for a possible DCSync alerts. Check alerts that related to ADFS server. Check for other correlated alerts on on-premises systems that may be related to the Golden SAML attack. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Inspect the source machine for the presence of tools like AADInternals or custom SOAP-based scripts.
  • Unusual AI Knowledge Base Modification Low Cloud 1 variation

    An AI knowledge base was modified by an identity that typically doesn't interact with knowledge bases.MITRE ATLAS Technique: AML.T0070 - RAG Poisoning.OWASP Top 10 LLM Technique: LLM04 - Data and Model Poisoning.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)
    Required data: AWS Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Contaminating knowledge base, so that contextual information will be incorrect, biased or harmful.
    Investigative actions: Check the identity that modified the knowledge base. Check recent additions to the knowledge base.

    Variations

    Suspicious AI Knowledge Base Modification

    Medium overridden

    An AI knowledge base was modified by an identity that typically doesn't interact with knowledge bases, adding a new data source type. overridden

  • Unusual AI RAG Knowledge Base Modification Low Cloud

    AI knowledge base was modified by an identity that typically doesn't interact with knowledge bases.MITRE ATLAS Technique: AML.T0070 - RAG Poisoning.OWASP Top 10 LLM Technique: LLM04 - Data and Model Poisoning.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)
    Required data: AWS Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Contaminating knowledge base, so that contextual information will be incorrect, biased or harmful.
    Investigative actions: Check the identity that modified the knowledge base. Check recent additions to the knowledge base.
  • Unusual AI dataset modification Low Cloud 1 variation

    A cloud identity modified an AI dataset.MITRE ATLAS Techniques: AML.T0059 - Erode Dataset Integrity, AML.T0018.000 - Backdoor ML Model: Poison ML Model.OWASP Top 10 LLM Technique: LLM04 - Data and Model Poisoning.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Poison datasets used by ML models.
    Investigative actions: Examine changed datasets and determine which ML models were affected. Investigate any unusual activity originating from the suspected identity.

    Variations

    Unusual AI dataset modification from an internal IP address

    Informational overridden

    A cloud identity modified an AI dataset.MITRE ATLAS Techniques: AML.T0059 - Erode Dataset Integrity, AML.T0018.000 - Backdoor ML Model: Poison ML Model.OWASP Top 10 LLM Technique: LLM04 - Data and Model Poisoning. overridden

  • Unusual AI model invocation Informational Cloud

    A cloud identity invoked an AI model for the first time.MITRE ATLAS Technique: AML.T0050 - Command and Scripting Interpreter.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)
    Required data: AWS Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Gain access to AI models.
    Investigative actions: Examine which AI models were invoked. Investigate any unusual activity originating from the suspected identity.
  • Unusual AWS Bedrock model access request Informational Cloud

    A cloud identity requested access to an AWS Bedrock model.MITRE ATLAS Technique: AML.T0012 - Valid Accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Gain access to cloud AI/ML resources and services.
    Investigative actions: Examine which AWS Bedrock models were affected. Investigate any unusual activity originating from the suspected identity.
  • Unusual AWS CLI/SDK activity Informational Cloud

    A cloud identity invoked an API using AWS CLI/SDK for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)
    Required data: AWS Audit Log
    Attacker's goals: Abuse cloud APIs to execute malicious commands.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • Unusual AWS S3 objects deletion Informational Cloud 2 variations

    An identity deleted multiple S3 bucket objects from the project, considerably more than usual.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490) Data Destruction (T1485)
    Required data: AWS Audit Log
    Attacker's goals: Adversaries may delete data to prevent the recovery of a corrupted system. They may also aim to interrupt availability to resources.
    Investigative actions: Identify the deleted objects and their containing bucket. Investigate the identity that performed the deletion and review recent related activity.

    Variations

    A non administrative identity deleted multiple S3 objects from a project

    Low overridden

    An identity deleted multiple S3 bucket objects from the project, considerably more than usual. overridden

    An identity permanently deleted multiple S3 objects from a project

    Medium overridden

    An identity deleted multiple S3 bucket objects from the project, considerably more than usual. overridden

  • Unusual AWS SageMaker notebook access Informational Cloud

    A cloud identity accessed an AWS SageMaker notebook for the first time.MITRE ATLAS Technique: AML.T0008 - Acquire Infrastructure: AI Development Workspaces.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)
    Required data: AWS Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Gain access to AI/ML resources and services.
    Investigative actions: Examine which AWS SageMaker notebooks were accessed. Investigate any unusual activity originating from the suspected identity.
  • Unusual AWS credentials creation Low

    AWS utility was used to create an access key and a secret key.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: XDR Agent
    Attacker's goals: Maintain access to an AWS provider.
    Investigative actions: Check the machine timeline and look for abnormal activity. Investigate what other calls were made to the AWS account.
  • Unusual AWS systems manager activity Informational Cloud

    A cloud identity performed an SSM operation for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Lateral Movement (TA0008)
    ATT&CK techniques: Cloud Service Discovery (T1526) Remote Services: Cloud Services (T1021.007)
    Required data: AWS Audit Log
    Attacker's goals: Manipulate SSM operations to take control over EC2 instances and strengthen the foothold in the cloud environment of the organization, by running critical operating system commands, manipulating the parameters store, and patch management configuration.
    Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive SSM operation that it shouldn't.
  • Unusual AWS user added to group Low 1 variation

    AWS user added to AWS group, possibly to elevate privileges and gain more access to resources.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Gain persistence and elevate privileges.
    Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.

    Variations

    Unusual AWS user added to group from a Kubernetes Pod

    Low overridden

    AWS user added to AWS group, possibly to elevate privileges and gain more access to resources. overridden

  • Unusual Azure AD sync module load Low Identity Threat Module 1 variation

    A process that does not usually load the Azure AD Sync mcrypt.dll loaded the module.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003)
    Required data: XDR Agent
    Attacker's goals: Attackers can abuse the Azure AD Connect database files to get access to the AD Sync account. The AD Sync account is a highly privileged account that can perform a DCSync and get access to on-premise password hashes.
    Investigative actions: See whether this was a legitimate action. Follow process/user/host activities. Follow unusual actions of the AD Sync user. Check for unusual Azure AD authentications. Check for a possible DCSync.

    Variations

    Unusual Azure AD sync module load by suspicious process

    Medium overridden

    A suspicious process that does not usually load the Azure AD Sync mcrypt.dll loaded the module. overridden

  • Unusual CIM repository file access Low 1 variation

    An uncommon process accessed the CIM repository file, potentially to retrieve stored NNA credentials for unauthorized use.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials (T1552) OS Credential Dumping (T1003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: Attackers can retrieve plaintext domain credentials, which may be used for proxying tools into the environment over command and control (C2). If the credentials are overprivileged, this technique may enable lateral movement to other clients or sensitive systems. Determine whether this was a legitimate action.
    Investigative actions: Follow process, user, and host activities. Investigate if the retrieved credentials match any known accounts or if there is any abnormal access to distribution points or other critical resources. Verify the presence of unauthorized tools or processes like SharpDPAPI or SharpSCCM that could have been used for credential extraction or decryption. Review relevant system logs (event logs, SCCM logs, etc.) for any signs of unusual activity or access patterns related to the NAA or other credentials.

    Variations

    Suspicious CIM repository file access

    Medium overridden

    An unusual process with suspicious characteristics accessed the CIM repository file, causing this attempt to be flagged as suspicious. overridden

  • Unusual CertLog Remote File Write Low Identity Analytics 1 variation

    A remote host wrote to a certificate log file via RPC over SMB, which may indicate the use of an AD CS attack tool like Certipy. This behavior is commonly associated with certificate-based authentication attacks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker may be attempting to exploit AD CS misconfigurations and obtain forged authentication certificates for privilege escalation or persistence.
    Investigative actions: Determine whether this was a legitimate certificate request or an unauthorized write operation. Review logs for preceding and subsequent authentication attempts. Investigate the remote host for any suspicious activity. Identify any subsequent Kerberos ticket usage, such as forging or relaying attacks.

    Variations

    Suspicious CertLog Remote File Write

    Medium overridden

    A remote host wrote to a certificate log file via RPC over SMB, which may indicate the use of an AD CS attack tool like Certipy. This behavior is commonly associated with certificate-based authentication attacks. overridden

  • Unusual Conditional Access operation for an identity Informational Identity Threat Module 1 variation

    An identity attempted to add or update an Azure AD Conditional Access policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion. With a modified Conditional Access policy, an attacker might be able to access the tenant without possible blockage for later access.
    Investigative actions: Check implications of the updated policy. Check whether the user changing the configuration is permitted to perform such actions.

    Variations

    Suspicious Conditional Access operation for an identity

    Low overridden

    An identity that doesn't usually modify Azure AD Conditional Access policies successfully modified a policy. overridden

  • Unusual DB process spawning a shell Informational 3 variations

    A DB related process abnormally spawned a shell. This might indicate an exploitation attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Lateral Movement (TA0008)
    ATT&CK techniques: Exploit Public-Facing Application (T1190) Exploitation of Remote Services (T1210)
    Required data: XDR Agent
    Detector tags: Shell Analytics
    Attacker's goals: Obtain access to either the database or its hosting machine for various purposes like privilege escalation, lateral movement, and data theft.
    Investigative actions: Review the commands/processes executed by the shell for malicious actions. Check if and what else the DB process has executed. Check for any additional alerts raised in the context of the DB process. Audit the query/access logs of the DB for suspicious actions (Such as SQL injection or similar).

    Variations

    Unusual DB process spawning a shell with a possible reconnaissance command

    Low overridden

    A DB related process abnormally spawned a shell. This might indicate an exploitation attempt. overridden

    Unusual DB process spawning a shell with a possible web download/access command

    Low overridden

    A DB related process abnormally spawned a shell. This might indicate an exploitation attempt. overridden

    Unusual DB process spawning a shell with an unusual command line

    Low overridden

    A DB related process abnormally spawned a shell. This might indicate an exploitation attempt. overridden

  • Unusual Encrypting File System Remote call (EFSRPC) to domain controller Low Identity Analytics 3 variations

    An unusual Encrypting File System Remote call (EFSRPC) was made to a domain controller.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Forced Authentication (T1187) Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker can abuse the Encrypting File System Remote Protocol to coerce authentication from a DC. This authentication can later be used for obtaining a DC certificate for DCSync.
    Investigative actions: Check for a suspicious process on the initiator. Check if the source host is a vulnerability scanner. Check for unusual connections from the server of the requested file location (it may be a relay server). Look for unusual AD CS certificate requests. Look for following suspicious connections using the DC machine account. Check for possible DCSync alerts.

    Variations

    A suspicious Encrypting File System Remote call (EFSRPC) was made to a domain controller

    Medium overridden

    An unusual Encrypting File System Remote call (EFSRPC) was made to a domain controller. overridden

    Abnormal Encrypting File System Remote call (EFSRPC) to domain controller using EfsRpcFileKeyInfo for the first time

    Low overridden

    An abnormal EfsRpcFileKeyInfo Encrypting File System Remote call (EFSRPC) was made to a domain controller for the first time. overridden

    Abnormal Encrypting File System Remote call (EFSRPC) to domain controller using EfsRpcFileKeyInfo

    Informational overridden

    An abnormal EfsRpcFileKeyInfo Encrypting File System Remote call (EFSRPC) was made to a domain controller. overridden

  • Unusual IAM enumeration activity by a non-user Identity Informational Cloud

    An unusual command which may be related to an IAM recon enumeration was executed by a non-user identity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069) Cloud Service Discovery (T1526)
    Required data: Gcp Audit Log
    Attacker's goals: Collect information on the cloud environment, including IAM users, groups, roles, and policies.
    Investigative actions: Check if the API call was made by the identity.Check if there are additional unusual API calls from the identity.
  • Unusual Identity and Access Management (IAM) activity Informational Cloud 2 variations

    A cloud identity performed an unusual IAM operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Manipulate IAM configuration to strengthen the foothold in the cloud environment of the organization, by creating new accounts, modifying credentials, and permissions.Using the modified accounts, the attacker may perform additional activities in an evasive manner.
    Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive IAM operation that it shouldn't.

    Variations

    Unusual Identity and Access Management (IAM) activity executed from a cloud Internet facing instance

    Medium overridden

    A cloud Internet facing instance performed an unusual IAM operation. overridden

    Unusual Identity and Access Management (IAM) activity

    Low overridden

    A cloud non-user identity performed an unusual IAM operation. overridden

  • Unusual Kubernetes dashboard communication from a pod Low 1 variation

    The Kubernetes dashboard was accessed by an unusual pod within the environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Container and Resource Discovery (T1613)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Usage of the Kubernetes dashboard to perform operations inside the cluster.
    Investigative actions: Check if there is an active attack against the Kubernetes cluster.

    Variations

    Unusual Kubernetes dashboard communication from a new pod

    Informational overridden

    The Kubernetes dashboard was accessed by an unusual pod within the environment. overridden

  • Unusual Kubernetes secret access Informational Cloud

    Suspicious Kubernetes secret access.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Container API (T1552.007)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes Credentials Theft Analytics
    Attacker's goals: Access sensitive data on Kubernetes cluster.
    Investigative actions: Check if {identity_name} should access any Kubernetes secrets and restrict permissions if needed. The event was originated from {caller_ip} using {user_agent}.
  • Unusual Kubernetes service account file read Informational 7 variations

    An unusual process opened a Kubernetes service account file for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft Analytics
    Attacker's goals: Utilize the Kubernetes service account files to perform additional actions on the cluster.
    Investigative actions: Check the exposed Kubernetes service account usage in the cluster. Check if any other suspicious activity was performed inside the pod.

    Variations

    Unusual Kubernetes service account file read within a new pod

    Informational overridden

    An unusual process opened a Kubernetes service account file for the first time. overridden

    Kubernetes service account file read

    Informational overridden

    An unusual process opened a Kubernetes service account file for the first time. overridden

    Suspicious Kubernetes service account file read from the projected volume path

    Medium overridden

    An unusual process opened a Kubernetes service account file for the first time. overridden

    Suspicious Kubernetes service account token read via an interactive shell

    Medium overridden

    An unusual process opened a Kubernetes service account file for the first time. overridden

    Suspicious Kubernetes service account token read by an unusual process

    Low overridden

    An unusual process opened the Kubernetes service account token file for the first time. overridden

    Suspicious Kubernetes service account file read by an unusual process

    Low overridden

    An unusual process opened a Kubernetes service account file for the first time. overridden

    Suspicious Kubernetes service account token read

    Low overridden

    An unusual process opened the Kubernetes service account token file for the first time. overridden

  • Unusual Lolbins Process Spawned by InstallUtil.exe Low

    An unusual process was spawned by InstallUtil.exe, possibly indicating malicious local or remote code execution.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: InstallUtil (T1218.004)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Unusual Netsh PortProxy rule Low 2 variations

    Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)
    ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004) Proxy: Internal Proxy (T1090.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adding or deleting netsh forwarding rules as a proxy and to avoid possible detection.
    Investigative actions: Check the connect address and if it's a known IP/domain. Check whether the causality group owner (CGO) process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Unusual Netsh PortProxy rule by non-netsh process

    Medium overridden

    Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling). overridden

    Unusual Netsh PortProxy rule by an unsigned causality actor

    Medium overridden

    Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling). overridden

  • Unusual Process Spawned by Nginx in Ingress-Nginx pod Low 1 variation

    Unusual Process Spawned by Nginx in Ingress-Nginx pod.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)
    ATT&CK techniques: Command and Scripting Interpreter (T1059) Exploit Public-Facing Application (T1190)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: An attacker attempts to use nginx for lateral movement or privilege escalation.
    Investigative actions: Investigate the child processes for malicious activity and network connections to an external host.

    Variations

    Unusual process spawned by ingress-nginx with a critical-severity vulnerability found the workload

    High overridden

    Unusual Process Spawned by Nginx in Ingress-Nginx pod. overridden

  • Unusual SSH Activity Informational 2 variations

    Unusual SSH activity was detected that involved a higher than usual volume of data transfer and an abnormally long session.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Protocol Tunneling (T1572)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.
    Investigative actions: Review the client IP/Agent for using known intelligence tools. Investigate the user accounts involved in the SSH connections to determine if credentials were compromised, Additionally examine logs for any unexpected data transfers or commands that may indicate malicious intent.

    Variations

    Unusual, long SSH activity with tunnel characteristics

    Low overridden

    Unusual SSH activity was detected that involved a high volume of data transfer and abnormal session duration. overridden

    Unusual SSH activity with tunnel characteristics to external destination

    Low overridden

    Unusual SSH activity was detected that involved a higher than usual volume of data transfer and an abnormally long session. overridden

  • Unusual SSH activity that resembles SSH proxy Informational 3 variations

    A host initiated and received an unusual SSH connection, which is consistent with being an SSH proxy.This behavior may indicate an attempt to establish covert command and control communication or to exfiltrate data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Proxy: Internal Proxy (T1090.001)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Attackers aim to establish a covert command and control channel or relay communications through a compromised SSH connection.
    Investigative actions: Review the SSH connections to identify any unusual proxy activity or traffic patterns. Investigate the user accounts involved in the SSH connections to determine if credentials were compromised. Additionally, examine logs for any unexpected data transfers or commands that may indicate malicious intent.

    Variations

    High Volume Unusual SSH activity that resembles SSH proxy

    Low overridden

    A host initiated and received an unusual SSH connection, which is consistent with being an SSH proxy.This behavior may indicate an attempt to establish covert command and control communication or to exfiltrate data. overridden

    Suspicious SSH activity that resembles SSH proxy

    Low overridden

    A host initiated and received an unusual SSH connection, which is consistent with being an SSH proxy.This behavior may indicate an attempt to establish covert command and control communication or to exfiltrate data. overridden

    Unusual SSH activity that resembles SSH proxy detected

    Low overridden

    A host initiated and received an unusual SSH connection, which is consistent with being an SSH proxy.This behavior may indicate an attempt to establish covert command and control communication or to exfiltrate data. overridden

  • Unusual access to Microsoft 365 storage services Informational Cloud 1 variation

    Unusual access was detected to a Microsoft 365 storage service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Extract sensitive information stored in Microsoft 365 storage services.
    Investigative actions: Determine which items were accessed. Identify whether they contained any sensitive information. Check for signs of a compromised identity, such as abnormal login activity or unusual behavior. Verify if the identity is authorized to access these drives. Monitor the identity for any further suspicious actions.

    Variations

    Unusual access to Microsoft 365 storage services from an uncommon IP

    Low overridden

    Unusual access was detected to a Microsoft 365 storage service. overridden

  • Unusual access to the AD Sync credential files Informational Cloud 2 variations

    The AD Sync credential files were accessed in an unusual way.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores (T1555)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Extracting and decrypting stored Azure AD and Active Directory credentials from Azure AD Connect servers.
    Investigative actions: See whether this was a legitimate action. Follow the causality chain/user/host activities. Follow unusual actions of the AD Sync user. Check for remote SMB connections to the agent. Check for unusual Azure AD authentications. Check if this happened on other endpoints. Check for unusual logins.

    Variations

    Suspicious process access to the AD Sync credential files

    Medium overridden

    The AD Sync credential files were accessed in an unusual way. overridden

    An abnormal process accessed the AD Sync credential files

    Low overridden

    The AD Sync credential files were accessed in an unusual way. overridden

  • Unusual access to the Windows Internal Database on an ADFS server Informational 1 variation

    The Windows Internal Database (WID) was queried in an unusual way on an ADFS server.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores (T1555)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers can attempt to extract and decrypt the ADFS certificate that is used to sign SAML tokens, and fabricate a new SAML token.
    Investigative actions: See whether this was a legitimate action. Follow the causality chain/user/host activities. Monitor suspicious LDAP queries to the ADFS container in Active Directory. Check the possibility of a compromised ADFS server. Check for unusual Azure AD authentications. Check for unusual logins.

    Variations

    Suspicious access to the Windows Internal Database on an ADFS server

    Low overridden

    The Windows Internal Database (WID) was queried in an unusual way on an ADFS server. overridden

  • Unusual attachment volume in outbound emails Informational Email 2 variations

    Numerous emails with substantial attachments sent by an internal sender to one or more external recipients within a short timeframe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Hour
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: Microsoft 365 Emails
    Detector tags: Exfiltration
    Attacker's goals: Extracting valuable information outside the company. Bypass Data Loss Prevention (DLP) by splitting data across multiple emails.
    Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.

    Variations

    Unusual attachment volume in outbound emails to a single external recipient

    Informational overridden

    Numerous emails with substantial attachments sent by internal sender to one external recipient within a short timeframe. overridden

    Unusual attachment amount and size in outbound emails

    Informational overridden

    Numerous emails with substantial attachments sent by an internal sender to one or more external recipients within a short timeframe. overridden

  • Unusual certificate management activity Informational Cloud

    A cloud identity performed a certificate management operation for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Private Keys (T1552.004)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Abuse certificate management functionalities to generate valid signed certificates, which enable to launch man-in-the-middle attacks against different services.
    Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive certificate management operation that it shouldn't.
  • Unusual cloud Instance Metadata Service (IMDS) access Informational Cloud 6 variations

    A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Cloud Instance Metadata API (T1552.005)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft Analytics
    Attacker's goals: Extract sensitive cloud compute tokens to access restricted cloud resources.
    Investigative actions: Determine whether a web service was involved and if it was exploited to execute this technique. Identify any additional commands that were executed. Review the permissions assigned to the target machine to identify which resources may be affected. Examine related compute activity in the cloud audit logs.

    Variations

    Unusual cloud Instance Metadata Service (IMDS) access from an unusual known Windows web service

    Medium overridden

    A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden

    Unusual cloud Instance Metadata Service (IMDS) access from an unusual known web service

    Medium overridden

    A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden

    Unusual cloud Instance Metadata Service (IMDS) access from an unusual known Windows shell process

    Medium overridden

    A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden

    Unusual cloud Instance Metadata Service (IMDS) access from an unusual known shell process

    Medium overridden

    A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden

    Unusual cloud Instance Metadata Service (IMDS) access from an unusual known Windows scripting process

    Medium overridden

    A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden

    Unusual cloud Instance Metadata Service (IMDS) access from an unusual known scripting process

    Low overridden

    A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden

  • Unusual cloud identity impersonation Informational Cloud 3 variations

    A cloud identity attempted to impersonate another identity for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Escalate privileges and bypass access controls Avoid detection throughout their compromise.
    Investigative actions: Check the identity's designation. Verify that the identity did not perform any sensitive operation on behalf of the impersonated identity.

    Variations

    Unusual cloud identity impersonation of a management role

    Informational overridden

    A cloud identity attempted to impersonate a management role for the first time. overridden

    Suspicious cloud identity impersonation was succeeded

    Medium overridden

    A cloud identity has impersonated another identity for the first time. overridden

    Suspicious cloud identity impersonation was failed

    Informational overridden

    A cloud identity has failed to impersonate another identity. overridden

  • Unusual compressed file password protection Low 1 variation

    An adversary might compress sensitive files with password protection to bypass security mitigations when attempting to exfiltrate them.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Exfiltrate or hide sensitive data.
    Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.

    Variations

    Unusual compressed file password protection in a Kubernetes pod

    Low overridden

    An adversary might compress sensitive files with password protection to bypass security mitigations when attempting to exfiltrate them. overridden

  • Unusual cross projects activity Low Cloud 1 variation

    A suspicious activity between different cloud projects.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Trusted Relationship (T1199)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Abuse an existing connection and pivot through multiple projects to find their target.
    Investigative actions: Check if the identity intended to perform actions on the project. Check the operations that were performed on the project {caller_project}. Check if the identity performed additional operations in the cloud environment that might be malicious.

    Variations

    Suspicious cross projects activity

    Medium overridden

    A suspicious activity between different cloud projects. overridden