Analytics Alerts
Browse the Cortex analytics alert reference.
1273 alerts match the current filters.
Show ATT&CK heatmapUncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer Low 4 variations
A process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Process Injection: Portable Executable Injection (T1055.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Injection AnalyticsAttacker's goals: Gain code execution on the host in the context of another process.Investigative actions: Investigate the acting process for other malicious activities. Check if the target process was injected and for anomalies in its behavior after this event.Variations
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an office process
High overridden
An office process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an injected thread
Medium overridden
An injected thread wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from a LOLBIN process
Medium overridden
A LOLBIN process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an unsigned process
Medium overridden
An unsigned process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden
Uncommon PowerShell commands used to create or alter scheduled task parameters Low
Attackers may create or alter scheduled task parameters to gain higher privileges or persistence on the system.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Scheduled Task/Job: Scheduled Task (T1053.005)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Create a new scheduled task or alter an existing one to gain persistence in the system or to gain higher privileges.Investigative actions: Examine the PowerShell command to identify suspicious scheduled task creation or modification. Inspect the system for suspicious activity that is triggered by a scheduled task.Uncommon RDP connection Informational
RDP is used by attackers to laterally move to new hosts. Standard processes do not usually implement RDP on their own, and attackers might inject or tunnel using a non-standard process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: XDR AgentDetector tags: Enhanced RDP AnalyticsAttacker's goals: Use an account that was possibly compromised to gain access to the network.Investigative actions: Validate if the process is a legitimate IT software. Verify if the process is known to be malicious. Look into actions done on the remote host.Uncommon SQL like command line Informational 3 variations
Uncommon SQL query in command line of an executed process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR AgentAttacker's goals: An attacker may use SQL queries to steal information stored at the target databases.Investigative actions: Check if the CGO (Causality Group Owner) is known for running SQL queries in the organization.Variations
Uncommon SQL like command line executed by a remote actor
Medium overridden
Uncommon SQL query in command line of a process which executed remotely. overridden
Uncommon SQL like command line executed by an RMM tool
Medium overridden
Uncommon SQL query in command line of a process executed by a Remote Monitoring & Management tool. overridden
Uncommon SQL like command line executed by an uncommon CGO
Low overridden
Uncommon SQL query in command line of an executed process. overridden
Uncommon SSH session was established Low 14 variations
An uncommon SSH session was established.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.Investigative actions: Review the external IP/domain using known intelligence tools. Investigate the causality of the process and its user ID to find uncommon behaviors. Search for processes or files that were created by this SSH instance.Variations
An Uncommon SSH session was established using a rare server HASSH for the ssh server
Low overridden
An Uncommon SSH session was established using a rare server HASSH for the ssh server. overridden
An Uncommon SSH session was established using a rare client HASSH for the agent
Low overridden
An uncommon SSH session was established using a rare client HASSH for the agent. overridden
An Uncommon SSH session was established using a rare request banner for the agent
Low overridden
An Uncommon SSH session was established using a rare request banner for the agent. overridden
An Uncommon SSH session was established using a rare Response banner for the ssh server
Low overridden
An Uncommon SSH session was established using a rare Response banner for the ssh server. overridden
An Uncommon SSH session was established using a rare Response banner
Low overridden
An Uncommon SSH session was established using a rare Response banner. overridden
An Uncommon SSH session was established using a rare request banner
Low overridden
An Uncommon SSH session was established using a rare request banner. overridden
An Uncommon SSH session was established using a rare Client HASSH
Low overridden
An uncommon SSH session was established using a rare client HASSH. overridden
An Uncommon SSH session was established using a rare Server HASSH
Low overridden
An Uncommon SSH session was established using a rare Server HASSH. overridden
A suspicious SSH session was established
Low overridden
A suspicious SSH session was established to a globally rare external IP using a nonstandard SSH port. overridden
An Uncommon SSH session was established to a rare IP address
Low overridden
An uncommon SSH session was established to a rare remote IP address. overridden
An Uncommon SSH session was established using a nonstandard SSH port
Low overridden
An uncommon SSH session was established with a destination port using a nonstandard SSH port. overridden
Uncommon SSH session was established to a rare internal IP
Low overridden
An uncommon SSH session was established to a rare internal IP. overridden
Uncommon SSH session was established that involved a higher than usual volume
Low overridden
Uncommon SSH session was established that involved a higher than usual volume. overridden
Uncommon SSH session was established to an internal IP
Informational overridden
An uncommon SSH session was established to an internal IP. overridden
Uncommon Security Support Provider (SSP) registered via a registry key Low
Security Support Provider (SSP) exposes a number of callbacks to be invoked during certain authentication and authorization events.An attacker may register SSP to try and gain access to clear text passwords.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Boot or Logon Autostart Execution: Security Support Provider (T1547.005)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain clear text passwords and persistency in the network.Investigative actions: Audit the specific key values to verify that the additional values are trusted.Uncommon Service Create/Config Medium
The Service Control command (sc.exe) is used to create, start, stop, query, or delete Windows services. Adversaries may attempt to use the command to execute and persist a binary, command, or script.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: System Services: Service Execution (T1569.002)Required data: XDR AgentDetector tags: Malicious Service AnalyticsAttacker's goals: Evading security controls and possibly persisting malware.Investigative actions: Check whether the service created, or the configuration change to an existing service, is benign or normal for the host and/or user performing it.Uncommon SetWindowsHookEx API invocation of a possible keylogger Medium
A process installed a Windows desktop hook by calling the SetWindowsHookEx API function with an unpopular module. This behavior is commonly seen in keyloggers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)ATT&CK techniques: Input Capture: Keylogging (T1056.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers can monitor keyboard events as another way for credential gathering or to collect more user data over time for espionage purposes.Investigative actions: Check if the process has a user interface (a visible window). Check if the process has an option to set or modify keyboard hot-keys. Check if the process is part of a remote control tool. Check if the process is a known user application that was updated recently. Check if the process is built with AutoHotkey and is known to the user. If the process is a scripting engine or a hosting executable, check the actor process command line. Investigate the endpoint if the process writes files to disk.Uncommon URL domain(s) in your organization detected in email Informational Email 3 variations
We have identified unpopular domain(s) in URL(s) within this email.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)ATT&CK techniques: Phishing (T1566) User Execution (T1204)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: Trick the user into engaging with a URL(s), aiming to extract information or establish access to the network.Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
External email with a first-seen URL domain(s) in your organization in the last 30 days
Informational overridden
We have identified unpopular domain(s) in URL(s) within this email. overridden
Internal email with a first-seen URL domain(s) in your organization in the last 30 days
Informational overridden
We have identified unpopular domain(s) in URL(s) within this email. overridden
Outbound email with a first-seen URL domain(s) in your organization in the last 30 days
Informational overridden
We have identified unpopular domain(s) in URL(s) within this email. overridden
Uncommon VNC server communication Low 4 variations
Uncommon VNC server network traffic was observed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Lateral Movement (TA0008)ATT&CK techniques: Remote Access Tools (T1219) Remote Services: VNC (T1021.005)Required data: XDR AgentAttacker's goals: Accessing a remote machine with full interactive graphic interface capabilities.Investigative actions: Check if the product usage is approved. Check if it was executed remotely or locally.Variations
Uncommon VNC scanning activity detected from a scanning tool
Medium overridden
An uncommon VNC scanning network traffic was observed from a scanning tool. overridden
Uncommon VNC server communication from an unmanaged previously unseen external host
Low overridden
Uncommon VNC server network traffic was observed from an unmanaged, previously unseen external host. overridden
Partially uncommon VNC server communication
Informational overridden
Uncommon VNC server network traffic was observed. overridden
Uncommon VNC server connection
Informational overridden
An uncommon VNC Server network connection was observed. overridden
Uncommon WPAD queries Informational 3 variations
There were multiple attempts to access WPAD resources by a single host in your network. This may indicate a malicious activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Adversary-in-the-Middle (T1557)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Attackers may attempt to move laterally over the network by exploiting problems in WPAD.Investigative actions: Verify that the source host is legitimate. Examine the legitimacy of the application that produced this uncommon WPAD. Examine the parent process of this application.Variations
Uncommon WPAD queries to a external domain
Informational overridden
There were multiple attempts to access WPAD resources by a single host in your network. This may indicate a malicious activity. overridden
Suspicious WPAD queries
Low overridden
There were multiple attempts to access WPAD resources by a single host in your network. This may indicate a malicious activity. overridden
Uncommon WPAD queries using an uncommon port
Informational overridden
There were multiple attempts to access WPAD resources by a single host in your network. This may indicate a malicious activity. overridden
Uncommon access to /etc/passwd Informational 11 variations
A process made an uncommon attempt to access /etc/passwd.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: File and Directory Discovery (T1083) System Service Discovery (T1007) System Owner/User Discovery (T1033) System Information Discovery (T1082) Account Discovery (T1087) Account Discovery: Local Account (T1087.001) OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: EDR Discovery Analytics, Credentials Grabbing AnalyticsAttacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.Variations
Uncommon access to /etc/passwd by a security testing tool
Medium overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd by a potentially known credential dumper or enumeration script
Medium overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd by a potential Webshell
Medium overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon link creation to /etc/passwd
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd with both /etc/passwd and /etc/shadow in the command line
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd, involving a network utility
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd from temporary or world writable directories
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd with additional sensitive files in the command line
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd via a new inline bash script
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd using an interactive binary
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd using an interactive shell
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to Microsoft Teams cookies files Informational Identity Analytics 1 variation
Sensitive Microsoft Teams cookies files were accessed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores (T1555) Steal Application Access Token (T1528)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft TeamsAttacker's goals: Attacker may access credentials files and steal application access tokens to gain remote access.Investigative actions: Investigate the actor process to determine if it was used for legitimate purposes or malicious activity. Review the host for any additional unusual activity. Investigate the Graph API calls followed by the user that might be related.Variations
Suspicious uncommon access to Microsoft Teams cookies files
Low overridden
Sensitive Microsoft Teams cookies files were accessed by a suspicious process. overridden
Uncommon access to Microsoft Teams credential files Low 1 variation
Sensitive Microsoft Teams credential files were accessed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials (T1552)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Accessing these files is done by attackers to collect user credentials.Investigative actions: Investigate the actor process to determine if it was used for legitimate purposes or malicious activity.Variations
Uncommon access to Microsoft Teams credential files by an unsigned and unpopular process
Low overridden
Sensitive Microsoft Teams credential files were accessed. by an unsigned and unpopular process. overridden
Uncommon access to cloud platforms' sensitive files by a scripting engine Informational 1 variation
A scripting engine has accessed sensitive cloud platforms' files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores (T1555)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain access/control over internal cloud platforms or repositories.Investigative actions: Investigate if the behavior is known to the user or part of known product's procedure. Investigate if the actor processes command line contains malicious indicators or a script file.Variations
Uncommon access to cloud platforms' sensitive files by an uncommon script or utility
Low overridden
A scripting engine has accessed sensitive cloud platforms' files. overridden
Uncommon attempt at discovering a sensitive file Informational 8 variations
A process made an uncommon attempt to access a file that may contain sensitive information.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: File and Directory Discovery (T1083) Process Discovery (T1057) System Service Discovery (T1007) System Network Configuration Discovery (T1016) System Owner/User Discovery (T1033) System Network Connections Discovery (T1049) System Information Discovery (T1082)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: EDR Discovery AnalyticsAttacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.Variations
Uncommon attempt at discovering /etc/hosts
Informational overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at discovering a sensitive file by a security testing tool
Medium overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at discovering a sensitive file by a potentially known credential dumper or enumeration script
Medium overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at discovering a sensitive file by a potential Webshell
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at discovering a sensitive file by a script that was executed by a rare causality
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at discovering a sensitive file from temporary or world writable directories
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at discovering a sensitive file by a rare process that was executed by cron
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at discovering a sensitive file by a non-GTFOBIN process
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file Informational 8 variations
A process made an uncommon attempt to access a file that may contain sensitive information.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: OS Credential Dumping (T1003) Unsecured Credentials: Credentials In Files (T1552.001) Unsecured Credentials (T1552) Credentials from Password Stores (T1555) Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Credentials Grabbing AnalyticsAttacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.Variations
Uncommon attempt at grabbing credentials from a sensitive file by a security testing tool
High overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a potentially known credential dumper or enumeration script
Medium overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from an SSH private key
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a potential Webshell
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a script that was executed by a rare causality
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file from temporary or world writable directories
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a rare process that was executed by cron
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt at grabbing credentials from a sensitive file by a non-GTFOBIN process
Low overridden
A process made an uncommon attempt to access a file that may contain sensitive information. overridden
Uncommon attempt to clear shell history Low 1 variation
An attempt to clear or manipulate shell history files was detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Indicator Removal (T1070)Required data: XDR AgentAttacker's goals: Attackers may clear or modify shell history files to remove traces of their activities.Investigative actions: Investigate the user and process that executed the command. Examine other related activities on the host to understand the context of this action.Variations
Globally uncommon attempt to clear shell history
Medium overridden
An attempt to clear or manipulate shell history files was detected. overridden
Uncommon browser extension loaded Informational
An uncommon browser extension was loaded by a Chromium-based browser.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Software Extensions: Browser Extensions (T1176.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Chromium Extensions AnalyticsAttacker's goals: Gain persistency on a machine and steal sensitive browsing data.Investigative actions: Investigate the extension and how it was loaded. Check if this extension is currently present at the relevant extensions web store by looking up for its extension ID.Uncommon cloud CLI tool usage Informational Cloud 4 variations
An uncommon execution of a cloud CLI tool.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)Required data: XDR AgentAttacker's goals: Abuse cloud APIs to execute malicious commands.Investigative actions: Check what cloud CLI commands were executed. Verify which cloud resources may have been affected.Variations
Uncommon cloud CLI tool usage within a web server pod
Low overridden
An uncommon execution of a cloud CLI tool. overridden
Uncommon cloud CLI tool usage within a web server
Low overridden
An uncommon execution of a cloud CLI tool. overridden
Uncommon cloud CLI tool usage within a cloud instance
Low overridden
An uncommon execution of a cloud CLI tool. overridden
Uncommon cloud CLI tool usage within a Kubernetes pod
Informational overridden
An uncommon execution of a cloud CLI tool. overridden
Uncommon communication to an instant messaging server Informational 2 variations
A rare communication between a process to a known instant messaging server.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Web Service (T1102)Required data: XDR AgentAttacker's goals: Data exfiltration or attack tool staging through a trusted service.Investigative actions: Examine the legitimacy of the application that made the communication with the provider's server. Examine the parent process of this application. Check for anomalies regarding the time frame where the communication occurred.Variations
Uncommon communication to an instant messaging server by a suspicious process
Low overridden
A rare communication by a suspicious process to a known instant messaging server. overridden
Uncommon communication to an instant messaging server by an uncommon scripting engine execution
Low overridden
A rare communication by an uncommon execution of a scripting engine to a known instant messaging server. overridden
Uncommon creation or access operation of sensitive shadow copy Low 2 variations
An uncommon creation or access of a sensitive Shadow Copy volume path.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers may try to copy sensitive data or dump OS credentials from the host file system by using Shadow Copy volume utilities.Investigative actions: Verify if the shadow copy operation is part of an IT activity. Look for other hosts performing the same shadow copy event with similar causality process behavior. Inspect the causality process and its characteristics as they appear on other hosts.Variations
Uncommon creation or access operation of sensitive shadow copy by a remote actor
Low overridden
An uncommon creation or access of a sensitive Shadow Copy volume path. overridden
Uncommon creation or access operation of sensitive shadow copy by a high-risk process
High overridden
An uncommon creation or access of a sensitive Shadow Copy volume path by a high-risk process. overridden
Uncommon driver loaded Low 3 variations
An uncommon driver loaded which may be an attempt to kill the EDR or install rootkit.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Rootkit (T1014)Required data: XDR AgentAttacker's goals: Install rootkit to gain kernel-level to gain full control over the machine or disable security products.Investigative actions: Investigate which process created the driver or how it has been loaded.Variations
Uncommon driver loaded by a Web server process
High overridden
An uncommon driver loaded which may be an attempt to kill the EDR or install rootkit by a Web server process. overridden
Globally rare and unsigned driver loaded
Medium overridden
Globally rare and unsigned driver loaded. overridden
Uncommon driver with a globally rare vendor loaded as a service
Medium overridden
An uncommon driver loaded which may be an attempt to kill the EDR or install rootkit. overridden
Uncommon execution of ODBCConf Low 1 variation
Attackers may abuse the Odbcconf.exe Windows utility to proxy the execution of malicious DLL files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Odbcconf (T1218.008)Required data: XDR AgentAttacker's goals: Execute arbitrary code or load malicious DLL modules undetected within Microsoft signed program from Microsoft signed process.Investigative actions: Check the execution command-line, in case of 'REGSVR' points to a DLL, then check it. If the command-line contains '/f' argument (for script file) check the content of the script.Variations
Uncommon execution of ODBCConf to load dll directly
High overridden
Attackers may abuse the Odbcconf.exe Windows utility to proxy the execution of malicious DLL files. overridden
Uncommon file access over WebDAV Low 1 variation
Uncommon file access over WebDAV.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Threat actors may use the WebDAV to blend in existing network traffic.Investigative actions: Investigate the process {actor_process_image_name} which tried to access the remote file. Investigate the remote host {webdav_dst_from_file_event}.Variations
High-risk file read over WebDAV by a LOLBIN process
High overridden
High-risk file read over WebDAV by a LOLBIN process. overridden
Uncommon increase in Azure Microsoft Graph API request sizes Informational Cloud 3 variations
An identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Exfiltrate data over Microsoft Graph API.Investigative actions: Check the identity's role designation in the organization.Check if there are additional calls executed by the identity.Variations
Unusual Azure high-volume data transfer
Medium overridden
An identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes. overridden
Suspicious Azure data transfer by identity
Medium overridden
An identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes. overridden
Unusual data transfer from multiple Azure tenants
Low overridden
An identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes. overridden
Uncommon jsp file write by a Java process Medium
An uncommon jsp file was written by a Java process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Server Software Component: Web Shell (T1505.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Persistence on the host.Investigative actions: Check if the file was added during regular java process actions. Check if the jsp file contains malicious content.Uncommon kernel module load Informational 1 variation
Loading of a kernel module using the modprobe command.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Rootkit (T1014)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Gain persistence using the kernel module.Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.Variations
Uncommon kernel module load in a Kubernetes pod
Informational overridden
Loading of a kernel module using the modprobe command. overridden
Uncommon local scheduled task creation via schtasks.exe Informational 4 variations
The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to gain persistence on this host using scheduled tasks.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Scheduled Task/Job (T1053)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: Attackers may attempt to use the command to gain persistence on the endpoint using scheduled tasks.Investigative actions: Review the process that creates the schedule task. Investigate the specific scheduled task execution chain.Variations
Uncommon local scheduled task creation via schtasks.exe by a remote actor
Informational overridden
The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to gain persistence on this host using scheduled tasks. overridden
Uncommon scheduled task created by an unsigned and rare actor via schtasks.exe
Low overridden
The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to gain persistence on this host using scheduled tasks. overridden
Uncommon scheduled task created by an unsigned actor via schtasks.exe
Low overridden
The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to gain persistence on this host using scheduled tasks. overridden
Uncommon scheduled task created by a signed actor from a rare vendor via schtasks.exe
Low overridden
The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to gain persistence on this host using scheduled tasks. overridden
Uncommon login item persistency was registered or modified Informational 4 variations
An uncommon login item persistence mechanism was registered/modified on the system.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution (T1547) Boot or Logon Autostart Execution: Login Items (T1547.015)Required data: XDR AgentDetector tags: Generic Persistence AnalyticsAttacker's goals: Establish persistent access to the compromised host by registering malicious code.Investigative actions: Analyze the persistency item and determine whether it performs any malicious or suspicious actions. Analyze the registered process and determine whether it performs any malicious or suspicious actions. Check the events generated by the process for potential malicious behavior.Variations
Uncommon login item persistency was registered or modified by a security testing tool
High overridden
An uncommon login item persistence mechanism was registered/modified on the system by a security testing tool. overridden
Uncommon login item persistency was registered or modified while using osascript
Low overridden
An uncommon login item persistence mechanism was registered/modified on the system while using osascript for persistency registration or as a persistency triggered execution. overridden
Uncommon login item persistency was registered or modified by an invalidly signed actor process
Low overridden
An uncommon login item persistence mechanism was registered/modified on the system by an invalidly signed actor process. overridden
Uncommon login item persistency was registered or modified by an invalidly signed causality process
Low overridden
An uncommon login item persistence mechanism was registered/modified on the system by an invalidly signed causality process. overridden
Uncommon macOS process communication to a rare external host Informational 11 variations
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Abnormal Communication AnalyticsAttacker's goals: Establish a remote backdoor to issue instructions, deploy additional payloads, and maintain long-term persistence across the infected fleet.Investigative actions: Identify the process contacting the remote host and determine whether the traffic is malicious. Look for other endpoints on your network that are also contacting the suspicious host. Inspect the host or URL for suspicious indicators or its presence in malicious reputation lists.Variations
Uncommon macOS process communication to a rare external host by security testing tool
High overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host with a frequently abused TLD
Medium overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host while using a CLI utility to establish a connection with a messaging service API
Medium overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host related to LOTTunnels
Low overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host with a rare TLD
Low overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host while using a CLI utility and piping to script
Low overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host while using a CLI utility to download and change permission
Low overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host while using a CLI utility running by an unsigned process
Low overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host while using a CLI utility and saving data to a temporary folder
Low overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host while using a CLI utility and downloading a script
Low overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host while using a CLI utility
Low overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS shell command execution Informational 10 variations
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004) Command and Scripting Interpreter (T1059)Required data: XDR AgentDetector tags: Shell AnalyticsAttacker's goals: An attacker may attempt to execute a malicious shell command on the system.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the executed shell command (and possible child processes) for malicious actions.Variations
Uncommon macOS shell command execution by a BAS solution
High overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution running a curl / wget in an uncommon way
High overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution taking a screenshot
Low overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution trying to gather information about the system
Low overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution loading a kernel extension
Low overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution, possibly granting file execution permissions
Low overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution running a process kill command
Low overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution executed an AppleScript
Low overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution from an unsigned process
Low overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon macOS shell command execution of an exceedingly rare process
Low overridden
An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon msiexec execution of an arbitrary file from a remote location Low 1 variation
Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Msiexec (T1218.007)Required data: XDR AgentAttacker's goals: Evading security controls and executing arbitrary files from the web.Investigative actions: Check if the the URL that is encoded in the command line is trusted. Determine if the executed DLL or MSI file is known as legitimate. Confirm whether the initiating process is legitimate and if the user running it knows of its use.Note - the MSI executable can run from other LAN locations, the alert will raise on the WAN connection.Variations
Suspicious msiexec execution on an internet-facing endpoint
Low overridden
Suspicious msiexec execution of an arbitrary file from the web on an internet-facing server. overridden
Uncommon net group command execution Informational 7 variations
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)ATT&CK techniques: Permission Groups Discovery (T1069) Create Account (T1136)Required data: XDR AgentAttacker's goals: Attackers may attempt to use the command to find domain-level group permissions settings or modify domain-level memberships.Investigative actions: Check if the queried group is a sensitive one (e.g. administrators). Check whether the initiating process has executed additional discovery commands.Variations
Uncommon unsigned net group administrators command execution
High overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon unsigned net group administrators command execution - fixed localization issues
High overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon remote net group administrators command execution
Low overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon net group administrators command execution
Medium overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon net group execution
Low overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon remote net group execution
Low overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon administrator net group execution by scripting engine or command prompt
Medium overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon net localgroup command execution Informational 7 variations
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)ATT&CK techniques: Permission Groups Discovery (T1069) Create Account (T1136)Required data: XDR AgentAttacker's goals: Attackers may attempt to use the command to find local groups permissions settings or modify local memberships.Investigative actions: Check if the queried group is a sensitive one (e.g. administrators). Check whether the initiating process has executed additional discovery commands.Variations
Uncommon net localgroup administrators command execution by a web server process or CGO
Medium overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. When executed from a web server, it might be executed from an installed Webshell. overridden
Uncommon unsigned net localgroup administrators command execution
Medium overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon unsigned net localgroup administrators command execution - fixed localization issues
Medium overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon net localgroup administrators command execution
Low overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon net localgroup execution
Low overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon remote net localgroup execution
Medium overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon administrator net localgroup execution by scripting engine or command prompt
Low overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon net localgroup execution Informational 1 variation
The 'net localgroup' command is used to add, display, or modify groups local to the host. Adversaries may attempt to use the command to find host groups and permissions settings or modify local group memberships.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Permission Groups Discovery (T1069)Required data: XDR AgentAttacker's goals: Attackers can attempt to use the command to find endpoint groups and permissions settings or modify local group memberships.Investigative actions: Check if the queried group is a sensitive one (e.g. administrators). Check whether the initiating process has executed additional discovery commands.Variations
Uncommon net localgroup execution by an untrusted CGO
Low overridden
The 'net localgroup' command is used to add, display, or modify groups local to the host by an untrusted CGO. Adversaries may attempt to use the command to find host groups and permissions settings or modify local group memberships. overridden
Uncommon network tunnel creation Informational 3 variations
An uncommon network tunnel was established.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 12 Hours
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Protocol Tunneling (T1572)Required data: Palo Alto Networks Url LogsAttacker's goals: Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.Investigative actions: Review the external IP/domain using known intelligence tools. Investigate the causality of the process and its user ID to find uncommon behaviors. Search for processes or files that were created by this SSH instance.Variations
Uncommon network tunnel creation
Informational overridden
An uncommon network tunnel was established using ACS_ssh.exe. overridden
Uncommon SSH tunnel to unpopular IP address
Low overridden
An uncommon SSH tunnel was established to an unpopular remote IP address at the organization. overridden
An uncommon network tunnel was established over the default SSH port
Low overridden
An unpopular process and command line created a network tunnel over the default SSH port. overridden
Uncommon recurring rare external host access Informational 6 variations
A process has established recurring connections to an uncommon external host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 14 Days
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over C2 Channel (T1041) Remote Access Tools (T1219)Required data: XDR AgentDetector tags: Abnormal Communication AnalyticsAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines. Additionally, establish command and control channels for remote malware control, conduct discovery activities to gather information about the target environment, or exfiltrate sensitive data from compromised systems.Investigative actions: Identify the process contacting the remote host and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the same external host. Inspect the domain or URL for malicious indicators or its presence in threat intelligence feeds and reputation lists.Variations
Uncommon recurring rare external host access by an automated penetration testing tool
High overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon recurring rare external host access to a dynamic DNS domain
Low overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon recurring rare external host access initiated by a cron job
Low overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon recurring rare external host access with a rare top-level domain
Low overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon recurring rare external host access using an exfiltration tool
Low overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon recurring rare external host access with a sensitive file in actor or causality command line
Low overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon remote monitoring and management tool Low 4 variations
An uncommon Remote Monitoring and Management (RMM) product was observed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Remote Access Tools (T1219)Required data: XDR AgentAttacker's goals: Accessing a remote machine with full interactive graphic interface capabilities.Investigative actions: Check if the product usage is approved. Ask the owners of the machine if they knowingly used this software. Investigate why the software was being used. Check if it was executed remotely or locally.Variations
Uncommon renamed remote monitoring and management tool
Medium overridden
An uncommon renamed Remote Monitoring and Management (RMM) product was observed. overridden
Uncommon remote monitoring and management tool (browser origin)
Informational overridden
An uncommon Remote Monitoring and Management (RMM) product was observed. (browser origin). overridden
Uncommon remote monitoring and management tool extracted from an internet-downloaded archive and executed
Low overridden
An uncommon Remote Monitoring and Management (RMM) product extracted from an internet-downloaded archive and executed. overridden
Uncommon remote monitoring and management tool downloaded from an uncommon source and executed
Medium overridden
An uncommon Remote Monitoring and Management (RMM) product downloaded from an uncommon source and executed. overridden
Uncommon remote scheduled task creation Low 1 variation
The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to execute programs or persist malware on remote machines.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Scheduled Task/Job (T1053)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: Attackers can attempt to use the command to execute programs or persist malware on remote endpoints.Investigative actions: Investigate the initiator process and whether it should create remote tasks. Investigate the scheduled task execution on the remote machine.Variations
Uncommon remote scheduled task creation by a remote actor via RDP
High overridden
The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to execute programs or persist malware on remote machines. overridden
Uncommon remote service start via sc.exe Low
The Service Control command (sc.exe) is used to create, start, stop, query, or delete Windows services. Adversaries may attempt to use the command to execute and persist a binary, command, or script.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: System Services: Service Execution (T1569.002)Required data: XDR AgentDetector tags: Malicious Service AnalyticsAttacker's goals: The Service Control command is used to create, start, stop, query, or delete Windows services. Attackers can use the command to attempt to execute and persist a binary, command, or script.Investigative actions: Check whether the executed process is benign and if this was desired behavior as part of its normal execution flow. Check the remote host for any evidence of the executed service and investigate it.Uncommon reverse SSH tunnel to external domain/ip Low 1 variation
An uncommon reverse SSH tunnel might have been created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Protocol Tunneling (T1572)Required data: XDR AgentDetector tags: Abnormal Communication AnalyticsAttacker's goals: Attackers may use SSH to create an encrypted tunnel to allow an attacker to covertly connect to an internal host.Investigative actions: Review the external ip/domain. Investigate the causality of the process.Variations
Uncommon reverse SSH tunnel to external domain/ip using a sensitive port
Low overridden
An uncommon reverse SSH tunnel might have been created. overridden
Uncommon routing table listing via route.exe Low
The route.exe command is used to display and modify entries in the local IP routing table. Adversaries may attempt to use the command to discover remote systems they could compromise.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: System Network Configuration Discovery (T1016)Required data: XDR AgentAttacker's goals: Attackers can attempt to use the command to discover remote systems they could compromise.Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it (e.g. an IT script).Uncommon sensitive filesystem registry hive access Informational 4 variations
A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003) OS Credential Dumping: Security Account Manager (T1003.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversary may attempt to extract credentials from the Windows Registry Credentials can then be used to perform lateral movement and access restricted information.Investigative actions: Investigate the process that tried to access the registry hive file. Investigate the actions of the user, for which his credentials were stored in the registry hive file.Variations
Uncommon filesystem registry SAM hive access by a lolbin actor in a shadow copy folder
High overridden
A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping. overridden
Uncommon sensitive filesystem registry hive access by a lolbin actor in a shadow copy folder
Medium overridden
A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping. overridden
Uncommon sensitive filesystem registry hive access by a rare unsigned actor in a shadow copy folder
Medium overridden
A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping. overridden
Uncommon sensitive filesystem registry hive access by a rare unsigned actor
Low overridden
A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping. overridden
Uncommon sensitive registry hive dump Low 4 variations
A sensitive registry hive was extracted, which is used for accessing credentials.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversary may attempt to extract credentials from the Windows Registry Credentials can then be used to perform lateral movement and access restricted information.Investigative actions: Investigate the process that tried to access the registry hive. Investigate the actions of the user for which his credentials were stored in the registry hive.Variations
Uncommon sensitive registry hive dump by unsigned and rare process
High overridden
A sensitive registry hive was extracted, which is used for accessing credentials. overridden
Uncommon sensitive registry hive dump by injected process
High overridden
A sensitive registry hive was extracted, which is used for accessing credentials. overridden
Uncommon sensitive registry hive dump by reg.exe lolbin process which was executed by rare causality process
High overridden
A sensitive registry hive was extracted, which is used for accessing credentials. overridden
Uncommon sensitive registry hive dump by reg.exe lolbin process
Medium overridden
A sensitive registry hive was extracted, which is used for accessing credentials. overridden
Uncommon service stop operation Informational
An attempt to stop a service was made using an unusual shell command.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Service Stop (T1489)Required data: XDR AgentAttacker's goals: Attackers may disable services to disrupt system functionality and weaken security defenses.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Uncommon signed process execution by scheduled task Informational 3 variations
An uncommon process was executed by a scheduled task.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Scheduled Task/Job (T1053)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: Attackers may attempt to gain persistence, privilege escalation or proxy execution on the endpoint using scheduled tasks.Investigative actions: Review the process executed by the schedule task. Investigate the specific scheduled task execution chain. Check if the vendor is known in the organization for creating scheduled tasks to execute his product.Variations
Uncommon Microsoft signed process execution by scheduled task
Informational overridden
An uncommon process was executed by a scheduled task. overridden
Uncommon signed process execution by scheduled task on a sensitive server
Low overridden
An uncommon process was executed by a scheduled task. overridden
Rare signed process execution by scheduled task
Low overridden
A rare process was executed by a scheduled task. overridden
Uncommon user management via net.exe Informational 1 variation
The net.exe command is used to add, delete, and otherwise manage the users on a computer. Adversaries may attempt to use the command to discover or add local and domain user accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)ATT&CK techniques: Account Discovery (T1087) Create Account (T1136)Required data: XDR AgentAttacker's goals: Attackers may attempt to use the command to discover or add local and domain user accounts. The created accounts are to gain additional access to endpoints within your network.Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Check whether the user from the command line is an administrator or other sensitive account.Variations
Uncommon user management via net.exe by an untrusted CGO
Low overridden
The net by an untrusted CGO.exe command is used to add, delete, and otherwise manage the users on a computer. Adversaries may attempt to use the command to discover or add local and domain user accounts. overridden
Unicode RTL Override Character High
An attacker may use a special right-to-left (RTL) override character to trick users into executing malicious files that look like benign file types.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Obfuscated Files or Information (T1027)Required data: XDR AgentAttacker's goals: Trick users into executing malicious files by making their file types seem benign.Investigative actions: Investigate the executed process. There is no reason for benign files to contain the Unicode right-to-left override character in their name.Unique client computer model was detected via MS-Update protocol Informational
A unique client computer model was detected via MS-Update protocol.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Hardware Additions (T1200)Required data: Palo Alto Networks Firewall EAL LogsAttacker's goals: The Windows Server Update Services enable machines to discover and download software updates from a dedicated update server while providing the necessary client characteristics to install the suitable client version and build. Characteristics may consist of computer model, BIOS version and architecture. A unique computer model in the network may indicate an unauthorized and unmanaged connection to the internal network.Investigative actions: Inspect the legitimacy of the host and its hardware components. Verify that this host is not a newly deployed end-point or virtual machine as part of a legitimate IT activity.Unknown DLL was added to the AD FS Global Assembly Cache path Informational Identity Analytics 1 variation
A new and unknown DLL was created within the Active Directory Federation Services (AD FS) Global Assembly Cache (GAC). Attackers may manipulate IdentityServer adapters to achieve persistence or execute malicious code within the AD FS environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Hijack Execution Flow (T1574)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Federation Services AnalyticsAttacker's goals: Attackers may inject malicious code into the AD FS server and manipulate the IdentityServer adapters to gain persistence.Investigative actions: Check if the AD FS service was stopped or restarted around the time of modification. Identify the user or process responsible for the file creation. Verify if the DLL is digitally signed by Microsoft. Compare the modification timestamp of this DLL against others in the same directory.Variations
Suspicious DLL was added to the AD FS Global Assembly Cache path
Low overridden
A new and unknown DLL was created within the Active Directory Federation Services (AD FS) Global Assembly Cache (GAC). Attackers may manipulate IdentityServer adapters to achieve persistence or execute malicious code within the AD FS environment. overridden
Unpopular domains detected in email URLs for a recipient Informational Email 1 variation
We have identified unpopular domain(s) within these email URLs.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)ATT&CK techniques: Phishing (T1566) User Execution (T1204)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: Trick the user into clicking a link, while avoiding detection.Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Highly unpopular URL domain(s) for mailbox detected in email
Informational overridden
We have identified unpopular domain(s) within these email URLs. overridden
Unpopular rsync process execution Informational 1 variation
An unpopular rsync process was executed on the host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may attempt to transfer tools or other files to a compromised host.Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.Variations
Unpopular rsync process execution in a Kubernetes Pod
Informational overridden
An unpopular rsync process was executed on the host. overridden
Unprivileged process opened a registry hive Low
An unprivileged process opened a registry hive directly.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR AgentAttacker's goals: An attacker may attempt to gain higher privileges.Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Investigate the endpoint to determine if it's a legitimate process that is supposed to run with privileges.Unrecognized internal address (AAD mismatch) Informational Email
An email was received from an address using an internal domain, but the sender is not found in Active Directory. This may indicate an impersonation attempt or domain spoofing.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Microsoft 365 EmailsDetector tags: Employee Impersonation, Spear PhishingAttacker's goals: The attacker aims to impersonate an internal user to gain trust, bypass security controls, and potentially extract sensitive information or distribute malicious content through internal-looking emails.Investigative actions: Verify if the sender address exists in Active Directory. Check historical email activity from the spoofed address. Review email headers for spoofing indicators (SPF, DKIM, DMARC failures). Identify if recipients engaged with the email (clicked links, downloaded attachments). Correlate with other alerts involving the same sender or domain.Unsigned DLL Hijack into a Microsoft process Informational 7 variations
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.Variations
Unsigned DLL Hijack into a recently created Microsoft process which commonly loads the module as signed
Medium overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.In addition, The Microsoft process which commonly loads the module as signed,had loaded the module as unsigned, which might indicate an attacker targeting a popular module name. overridden
Rare and unsigned DLL into an injected Microsoft process
Medium overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Hijack of a low entropy DLL into a Microsoft process
Low overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Hijack of a high entropy DLL into a Microsoft process
Low overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Hijack into a Microsoft process - the DLL downloaded from an uncommon source
Low overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Hijack into a recently created Microsoft process
Low overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Hijack into a Microsoft process which was executed by a scheduled task
Low overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Side-Loading Informational 6 variations
A signed process loaded an unsigned and rare module from the same folder.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.Variations
DLL Side-Loading of module bearing an invalid Microsoft signature
High overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned DLL Side-Loading to a signed microsoft process by a rare causality actor
Medium overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned DLL Side-Loading to a signed microsoft process
Low overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned DLL Side-Loading - DLL downloaded from an uncommon source
Low overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned high entropy DLL Side-Loading by untrusted causality actor
Low overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned DLL Side-Loading which was executed by a scheduled task
Low overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned and unpopular process performed a DLL injection Low 5 variations
An unsigned process with low popularity injected a dll into another process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: Attackers may inject DLLs into processes to evade process-based defenses, as well as possibly elevate privileges.Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Unsigned and unpopular process performed process hollowing DLL injection
High overridden
An unsigned process with low popularity injected a dll into another process. overridden
Unsigned and unpopular process performed queue APC DLL injection
High overridden
An unsigned process with low popularity injected a dll into another process. overridden
Unsigned and unpopular process performed a DLL injection to a sensitive process
Medium overridden
An unsigned process with low popularity injected a dll into another process. overridden
Unsigned and unpopular process performed a DLL injection to a commonly abused process
High overridden
An unsigned process with low popularity injected a dll into another process. overridden
Unsigned and unpopular process performed a DLL injection to a security vendor signed process
Medium overridden
An unsigned process with low popularity injected a dll into another process. overridden
Unsigned and unpopular process performed an injection Low 7 variations
An unsigned process with low popularity injected code to another process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Unsigned and unpopular process performed process hollowing injection
High overridden
An unsigned process with low popularity injected code to another process. overridden
Unsigned and unpopular process performed queue APC injection
High overridden
An unsigned process with low popularity injected code to another process. overridden
Unsigned and unpopular process performed injection into a sensitive process
Medium overridden
An unsigned process with low popularity injected code to another process. overridden
Unsigned and unpopular process performed injection into svchost.exe
High overridden
An unsigned process with low popularity injected code to another process. This process attempted to obtain System user permissions. overridden
Unsigned and unpopular process performed injection into a commonly abused process
High overridden
An unsigned process with low popularity injected code to another process. overridden
Unsigned and unpopular process performed injection into a process signed by a security vendor
Medium overridden
An unsigned process with low popularity injected code to another process. overridden
Unsigned and unpopular process executed by a scheduled task performed an injection
Low overridden
An unsigned process with low popularity injected code to another process. overridden
Unsigned process creates a scheduled task via file access Low 1 variation
A scheduled task was created via file access from an unsigned process. This is uncommon and may indicate malicious activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Persistence (TA0003)ATT&CK techniques: Scheduled Task/Job (T1053)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: Attackers may attempt to gain persistence on the endpoint using scheduled tasks.Investigative actions: Review the process executed by the schedule task. Investigate the specific scheduled task execution chain.Variations
Unsigned process creates a scheduled task via file access on a sensitive server
Medium overridden
A scheduled task was created via file access from an unsigned process. This is uncommon and may indicate malicious activity. overridden
Unsigned process injecting into a Windows system binary with no command line Medium
An attacker may be trying to avoid detection by injecting their malicious code into a legitimate Windows system binary.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.Untrusted process contacted LLM API Informational 1 variation
An untrusted process contacted an LLM API.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Resource Development (TA0042)ATT&CK techniques: Obtain Capabilities: Artificial Intelligence (T1588.007)Required data: XDR AgentAttacker's goals: Adversaries may use LLM APIs to create malicious payload dynamically. Each payload will be slightly different making detection more complex.Investigative actions: Investigate the process that contacted the LLM API. Check if this LLM API access is legitimate and expected. Analyze the data potentially sent to the LLM service.Variations
Untrusted process contacted a rare LLM API
Low overridden
An untrusted process contacted a rare LLM API. overridden
Unusual ADConnect database file access Informational 2 variations
An unusual process accessed the ADConnect database files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials (T1552)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers can abuse the Azure AD Connect database files to get access to the AD Sync account. The AD Sync account is a highly privileged account that can perform a DCSync and get access to on-premise password hashes.Investigative actions: See whether this was a legitimate action. Follow process/user/host activities. Follow unusual actions of the AD Sync user. Check for unusual Azure AD authentications. Check for a possible DCSync.Variations
Suspicious access to ADConnect database file
Medium overridden
An unusual process accessed the ADConnect database files with some suspicious characteristics that flagged this access attempt as a suspicious. overridden
Access to ADConnect database file by an unsigned or unusual process
Low overridden
An unusual process accessed the ADConnect database files with some suspicious characteristics that flagged this access attempt as a suspicious access. overridden
Unusual ADFS Remote Synchronization network connections from non-ADFS server Low
Detected an unauthorized configuration sync request to the ADFS Policy Store from a non-ADFS server, step for forging SAML tokens in a Golden SAML attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)ATT&CK techniques: Forge Web Credentials: SAML Tokens (T1606.002) Exploitation of Remote Services (T1210)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentDetector tags: Active Directory Federation Services AnalyticsAttacker's goals: The attack goal is to forge a valid SAML token to impersonate any user and gain persistent, unauthorized access to cloud resources, effectively bypassing MFA and standard security controls.Investigative actions: Correlate this network event with AD FS service account activity. The attacker must use the service account's credentials to authenticate this request. Check for a possible DCSync alerts. Check alerts that related to ADFS server. Check for other correlated alerts on on-premises systems that may be related to the Golden SAML attack. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Inspect the source machine for the presence of tools like AADInternals or custom SOAP-based scripts.Unusual AI Knowledge Base Modification Low Cloud 1 variation
An AI knowledge base was modified by an identity that typically doesn't interact with knowledge bases.MITRE ATLAS Technique: AML.T0070 - RAG Poisoning.OWASP Top 10 LLM Technique: LLM04 - Data and Model Poisoning.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)Required data: AWS Audit Log Gcp Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Contaminating knowledge base, so that contextual information will be incorrect, biased or harmful.Investigative actions: Check the identity that modified the knowledge base. Check recent additions to the knowledge base.Variations
Suspicious AI Knowledge Base Modification
Medium overridden
An AI knowledge base was modified by an identity that typically doesn't interact with knowledge bases, adding a new data source type. overridden
Unusual AI RAG Knowledge Base Modification Low Cloud
AI knowledge base was modified by an identity that typically doesn't interact with knowledge bases.MITRE ATLAS Technique: AML.T0070 - RAG Poisoning.OWASP Top 10 LLM Technique: LLM04 - Data and Model Poisoning.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)Required data: AWS Audit Log Gcp Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Contaminating knowledge base, so that contextual information will be incorrect, biased or harmful.Investigative actions: Check the identity that modified the knowledge base. Check recent additions to the knowledge base.Unusual AI dataset modification Low Cloud 1 variation
A cloud identity modified an AI dataset.MITRE ATLAS Techniques: AML.T0059 - Erode Dataset Integrity, AML.T0018.000 - Backdoor ML Model: Poison ML Model.OWASP Top 10 LLM Technique: LLM04 - Data and Model Poisoning.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Poison datasets used by ML models.Investigative actions: Examine changed datasets and determine which ML models were affected. Investigate any unusual activity originating from the suspected identity.Variations
Unusual AI dataset modification from an internal IP address
Informational overridden
A cloud identity modified an AI dataset.MITRE ATLAS Techniques: AML.T0059 - Erode Dataset Integrity, AML.T0018.000 - Backdoor ML Model: Poison ML Model.OWASP Top 10 LLM Technique: LLM04 - Data and Model Poisoning. overridden
Unusual AI model invocation Informational Cloud
A cloud identity invoked an AI model for the first time.MITRE ATLAS Technique: AML.T0050 - Command and Scripting Interpreter.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)Required data: AWS Audit Log Gcp Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Gain access to AI models.Investigative actions: Examine which AI models were invoked. Investigate any unusual activity originating from the suspected identity.Unusual AWS Bedrock model access request Informational Cloud
A cloud identity requested access to an AWS Bedrock model.MITRE ATLAS Technique: AML.T0012 - Valid Accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Gain access to cloud AI/ML resources and services.Investigative actions: Examine which AWS Bedrock models were affected. Investigate any unusual activity originating from the suspected identity.Unusual AWS CLI/SDK activity Informational Cloud
A cloud identity invoked an API using AWS CLI/SDK for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)Required data: AWS Audit LogAttacker's goals: Abuse cloud APIs to execute malicious commands.Investigative actions: Investigate any unusual activity originating from the suspected identity.Unusual AWS S3 objects deletion Informational Cloud 2 variations
An identity deleted multiple S3 bucket objects from the project, considerably more than usual.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Inhibit System Recovery (T1490) Data Destruction (T1485)Required data: AWS Audit LogAttacker's goals: Adversaries may delete data to prevent the recovery of a corrupted system. They may also aim to interrupt availability to resources.Investigative actions: Identify the deleted objects and their containing bucket. Investigate the identity that performed the deletion and review recent related activity.Variations
A non administrative identity deleted multiple S3 objects from a project
Low overridden
An identity deleted multiple S3 bucket objects from the project, considerably more than usual. overridden
An identity permanently deleted multiple S3 objects from a project
Medium overridden
An identity deleted multiple S3 bucket objects from the project, considerably more than usual. overridden
Unusual AWS SageMaker notebook access Informational Cloud
A cloud identity accessed an AWS SageMaker notebook for the first time.MITRE ATLAS Technique: AML.T0008 - Acquire Infrastructure: AI Development Workspaces.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)Required data: AWS Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Gain access to AI/ML resources and services.Investigative actions: Examine which AWS SageMaker notebooks were accessed. Investigate any unusual activity originating from the suspected identity.Unusual AWS credentials creation Low
AWS utility was used to create an access key and a secret key.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: XDR AgentAttacker's goals: Maintain access to an AWS provider.Investigative actions: Check the machine timeline and look for abnormal activity. Investigate what other calls were made to the AWS account.Unusual AWS systems manager activity Informational Cloud
A cloud identity performed an SSM operation for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Lateral Movement (TA0008)ATT&CK techniques: Cloud Service Discovery (T1526) Remote Services: Cloud Services (T1021.007)Required data: AWS Audit LogAttacker's goals: Manipulate SSM operations to take control over EC2 instances and strengthen the foothold in the cloud environment of the organization, by running critical operating system commands, manipulating the parameters store, and patch management configuration.Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive SSM operation that it shouldn't.Unusual AWS user added to group Low 1 variation
AWS user added to AWS group, possibly to elevate privileges and gain more access to resources.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Gain persistence and elevate privileges.Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.Variations
Unusual AWS user added to group from a Kubernetes Pod
Low overridden
AWS user added to AWS group, possibly to elevate privileges and gain more access to resources. overridden
Unusual Azure AD sync module load Low Identity Threat Module 1 variation
A process that does not usually load the Azure AD Sync mcrypt.dll loaded the module.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003)Required data: XDR AgentAttacker's goals: Attackers can abuse the Azure AD Connect database files to get access to the AD Sync account. The AD Sync account is a highly privileged account that can perform a DCSync and get access to on-premise password hashes.Investigative actions: See whether this was a legitimate action. Follow process/user/host activities. Follow unusual actions of the AD Sync user. Check for unusual Azure AD authentications. Check for a possible DCSync.Variations
Unusual Azure AD sync module load by suspicious process
Medium overridden
A suspicious process that does not usually load the Azure AD Sync mcrypt.dll loaded the module. overridden
Unusual CIM repository file access Low 1 variation
An uncommon process accessed the CIM repository file, potentially to retrieve stored NNA credentials for unauthorized use.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials (T1552) OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft SCCM AnalyticsAttacker's goals: Attackers can retrieve plaintext domain credentials, which may be used for proxying tools into the environment over command and control (C2). If the credentials are overprivileged, this technique may enable lateral movement to other clients or sensitive systems. Determine whether this was a legitimate action.Investigative actions: Follow process, user, and host activities. Investigate if the retrieved credentials match any known accounts or if there is any abnormal access to distribution points or other critical resources. Verify the presence of unauthorized tools or processes like SharpDPAPI or SharpSCCM that could have been used for credential extraction or decryption. Review relevant system logs (event logs, SCCM logs, etc.) for any signs of unusual activity or access patterns related to the NAA or other credentials.Variations
Suspicious CIM repository file access
Medium overridden
An unusual process with suspicious characteristics accessed the CIM repository file, causing this attempt to be flagged as suspicious. overridden
Unusual CertLog Remote File Write Low Identity Analytics 1 variation
A remote host wrote to a certificate log file via RPC over SMB, which may indicate the use of an AD CS attack tool like Certipy. This behavior is commonly associated with certificate-based authentication attacks.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Authentication Certificates (T1649)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker may be attempting to exploit AD CS misconfigurations and obtain forged authentication certificates for privilege escalation or persistence.Investigative actions: Determine whether this was a legitimate certificate request or an unauthorized write operation. Review logs for preceding and subsequent authentication attempts. Investigate the remote host for any suspicious activity. Identify any subsequent Kerberos ticket usage, such as forging or relaying attacks.Variations
Suspicious CertLog Remote File Write
Medium overridden
A remote host wrote to a certificate log file via RPC over SMB, which may indicate the use of an AD CS attack tool like Certipy. This behavior is commonly associated with certificate-based authentication attacks. overridden
Unusual Conditional Access operation for an identity Informational Identity Threat Module 1 variation
An identity attempted to add or update an Azure AD Conditional Access policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: AzureAD Audit LogAttacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion. With a modified Conditional Access policy, an attacker might be able to access the tenant without possible blockage for later access.Investigative actions: Check implications of the updated policy. Check whether the user changing the configuration is permitted to perform such actions.Variations
Suspicious Conditional Access operation for an identity
Low overridden
An identity that doesn't usually modify Azure AD Conditional Access policies successfully modified a policy. overridden
Unusual DB process spawning a shell Informational 3 variations
A DB related process abnormally spawned a shell. This might indicate an exploitation attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Lateral Movement (TA0008)ATT&CK techniques: Exploit Public-Facing Application (T1190) Exploitation of Remote Services (T1210)Required data: XDR AgentDetector tags: Shell AnalyticsAttacker's goals: Obtain access to either the database or its hosting machine for various purposes like privilege escalation, lateral movement, and data theft.Investigative actions: Review the commands/processes executed by the shell for malicious actions. Check if and what else the DB process has executed. Check for any additional alerts raised in the context of the DB process. Audit the query/access logs of the DB for suspicious actions (Such as SQL injection or similar).Variations
Unusual DB process spawning a shell with a possible reconnaissance command
Low overridden
A DB related process abnormally spawned a shell. This might indicate an exploitation attempt. overridden
Unusual DB process spawning a shell with a possible web download/access command
Low overridden
A DB related process abnormally spawned a shell. This might indicate an exploitation attempt. overridden
Unusual DB process spawning a shell with an unusual command line
Low overridden
A DB related process abnormally spawned a shell. This might indicate an exploitation attempt. overridden
Unusual Encrypting File System Remote call (EFSRPC) to domain controller Low Identity Analytics 3 variations
An unusual Encrypting File System Remote call (EFSRPC) was made to a domain controller.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Forced Authentication (T1187) Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker can abuse the Encrypting File System Remote Protocol to coerce authentication from a DC. This authentication can later be used for obtaining a DC certificate for DCSync.Investigative actions: Check for a suspicious process on the initiator. Check if the source host is a vulnerability scanner. Check for unusual connections from the server of the requested file location (it may be a relay server). Look for unusual AD CS certificate requests. Look for following suspicious connections using the DC machine account. Check for possible DCSync alerts.Variations
A suspicious Encrypting File System Remote call (EFSRPC) was made to a domain controller
Medium overridden
An unusual Encrypting File System Remote call (EFSRPC) was made to a domain controller. overridden
Abnormal Encrypting File System Remote call (EFSRPC) to domain controller using EfsRpcFileKeyInfo for the first time
Low overridden
An abnormal EfsRpcFileKeyInfo Encrypting File System Remote call (EFSRPC) was made to a domain controller for the first time. overridden
Abnormal Encrypting File System Remote call (EFSRPC) to domain controller using EfsRpcFileKeyInfo
Informational overridden
An abnormal EfsRpcFileKeyInfo Encrypting File System Remote call (EFSRPC) was made to a domain controller. overridden
Unusual IAM enumeration activity by a non-user Identity Informational Cloud
An unusual command which may be related to an IAM recon enumeration was executed by a non-user identity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069) Cloud Service Discovery (T1526)Required data: Gcp Audit LogAttacker's goals: Collect information on the cloud environment, including IAM users, groups, roles, and policies.Investigative actions: Check if the API call was made by the identity.Check if there are additional unusual API calls from the identity.Unusual Identity and Access Management (IAM) activity Informational Cloud 2 variations
A cloud identity performed an unusual IAM operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Manipulate IAM configuration to strengthen the foothold in the cloud environment of the organization, by creating new accounts, modifying credentials, and permissions.Using the modified accounts, the attacker may perform additional activities in an evasive manner.Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive IAM operation that it shouldn't.Variations
Unusual Identity and Access Management (IAM) activity executed from a cloud Internet facing instance
Medium overridden
A cloud Internet facing instance performed an unusual IAM operation. overridden
Unusual Identity and Access Management (IAM) activity
Low overridden
A cloud non-user identity performed an unusual IAM operation. overridden
Unusual Kubernetes dashboard communication from a pod Low 1 variation
The Kubernetes dashboard was accessed by an unusual pod within the environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Container and Resource Discovery (T1613)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Usage of the Kubernetes dashboard to perform operations inside the cluster.Investigative actions: Check if there is an active attack against the Kubernetes cluster.Variations
Unusual Kubernetes dashboard communication from a new pod
Informational overridden
The Kubernetes dashboard was accessed by an unusual pod within the environment. overridden
Unusual Kubernetes secret access Informational Cloud
Suspicious Kubernetes secret access.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Container API (T1552.007)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes Credentials Theft AnalyticsAttacker's goals: Access sensitive data on Kubernetes cluster.Investigative actions: Check if {identity_name} should access any Kubernetes secrets and restrict permissions if needed. The event was originated from {caller_ip} using {user_agent}.Unusual Kubernetes service account file read Informational 7 variations
An unusual process opened a Kubernetes service account file for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Utilize the Kubernetes service account files to perform additional actions on the cluster.Investigative actions: Check the exposed Kubernetes service account usage in the cluster. Check if any other suspicious activity was performed inside the pod.Variations
Unusual Kubernetes service account file read within a new pod
Informational overridden
An unusual process opened a Kubernetes service account file for the first time. overridden
Kubernetes service account file read
Informational overridden
An unusual process opened a Kubernetes service account file for the first time. overridden
Suspicious Kubernetes service account file read from the projected volume path
Medium overridden
An unusual process opened a Kubernetes service account file for the first time. overridden
Suspicious Kubernetes service account token read via an interactive shell
Medium overridden
An unusual process opened a Kubernetes service account file for the first time. overridden
Suspicious Kubernetes service account token read by an unusual process
Low overridden
An unusual process opened the Kubernetes service account token file for the first time. overridden
Suspicious Kubernetes service account file read by an unusual process
Low overridden
An unusual process opened a Kubernetes service account file for the first time. overridden
Suspicious Kubernetes service account token read
Low overridden
An unusual process opened the Kubernetes service account token file for the first time. overridden
Unusual Lolbins Process Spawned by InstallUtil.exe Low
An unusual process was spawned by InstallUtil.exe, possibly indicating malicious local or remote code execution.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: InstallUtil (T1218.004)Required data: XDR AgentAttacker's goals: Gain code execution on the host.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Unusual Netsh PortProxy rule Low 2 variations
Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004) Proxy: Internal Proxy (T1090.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adding or deleting netsh forwarding rules as a proxy and to avoid possible detection.Investigative actions: Check the connect address and if it's a known IP/domain. Check whether the causality group owner (CGO) process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Unusual Netsh PortProxy rule by non-netsh process
Medium overridden
Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling). overridden
Unusual Netsh PortProxy rule by an unsigned causality actor
Medium overridden
Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling). overridden
Unusual Process Spawned by Nginx in Ingress-Nginx pod Low 1 variation
Unusual Process Spawned by Nginx in Ingress-Nginx pod.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)ATT&CK techniques: Command and Scripting Interpreter (T1059) Exploit Public-Facing Application (T1190)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: An attacker attempts to use nginx for lateral movement or privilege escalation.Investigative actions: Investigate the child processes for malicious activity and network connections to an external host.Variations
Unusual process spawned by ingress-nginx with a critical-severity vulnerability found the workload
High overridden
Unusual Process Spawned by Nginx in Ingress-Nginx pod. overridden
Unusual SSH Activity Informational 2 variations
Unusual SSH activity was detected that involved a higher than usual volume of data transfer and an abnormally long session.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Protocol Tunneling (T1572)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.Investigative actions: Review the client IP/Agent for using known intelligence tools. Investigate the user accounts involved in the SSH connections to determine if credentials were compromised, Additionally examine logs for any unexpected data transfers or commands that may indicate malicious intent.Variations
Unusual, long SSH activity with tunnel characteristics
Low overridden
Unusual SSH activity was detected that involved a high volume of data transfer and abnormal session duration. overridden
Unusual SSH activity with tunnel characteristics to external destination
Low overridden
Unusual SSH activity was detected that involved a higher than usual volume of data transfer and an abnormally long session. overridden
Unusual SSH activity that resembles SSH proxy Informational 3 variations
A host initiated and received an unusual SSH connection, which is consistent with being an SSH proxy.This behavior may indicate an attempt to establish covert command and control communication or to exfiltrate data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Proxy: Internal Proxy (T1090.001)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: Attackers aim to establish a covert command and control channel or relay communications through a compromised SSH connection.Investigative actions: Review the SSH connections to identify any unusual proxy activity or traffic patterns. Investigate the user accounts involved in the SSH connections to determine if credentials were compromised. Additionally, examine logs for any unexpected data transfers or commands that may indicate malicious intent.Variations
High Volume Unusual SSH activity that resembles SSH proxy
Low overridden
A host initiated and received an unusual SSH connection, which is consistent with being an SSH proxy.This behavior may indicate an attempt to establish covert command and control communication or to exfiltrate data. overridden
Suspicious SSH activity that resembles SSH proxy
Low overridden
A host initiated and received an unusual SSH connection, which is consistent with being an SSH proxy.This behavior may indicate an attempt to establish covert command and control communication or to exfiltrate data. overridden
Unusual SSH activity that resembles SSH proxy detected
Low overridden
A host initiated and received an unusual SSH connection, which is consistent with being an SSH proxy.This behavior may indicate an attempt to establish covert command and control communication or to exfiltrate data. overridden
Unusual access to Microsoft 365 storage services Informational Cloud 1 variation
Unusual access was detected to a Microsoft 365 storage service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Service Discovery (T1526)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Extract sensitive information stored in Microsoft 365 storage services.Investigative actions: Determine which items were accessed. Identify whether they contained any sensitive information. Check for signs of a compromised identity, such as abnormal login activity or unusual behavior. Verify if the identity is authorized to access these drives. Monitor the identity for any further suspicious actions.Variations
Unusual access to Microsoft 365 storage services from an uncommon IP
Low overridden
Unusual access was detected to a Microsoft 365 storage service. overridden
Unusual access to the AD Sync credential files Informational Cloud 2 variations
The AD Sync credential files were accessed in an unusual way.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores (T1555)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Extracting and decrypting stored Azure AD and Active Directory credentials from Azure AD Connect servers.Investigative actions: See whether this was a legitimate action. Follow the causality chain/user/host activities. Follow unusual actions of the AD Sync user. Check for remote SMB connections to the agent. Check for unusual Azure AD authentications. Check if this happened on other endpoints. Check for unusual logins.Variations
Suspicious process access to the AD Sync credential files
Medium overridden
The AD Sync credential files were accessed in an unusual way. overridden
An abnormal process accessed the AD Sync credential files
Low overridden
The AD Sync credential files were accessed in an unusual way. overridden
Unusual access to the Windows Internal Database on an ADFS server Informational 1 variation
The Windows Internal Database (WID) was queried in an unusual way on an ADFS server.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores (T1555)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers can attempt to extract and decrypt the ADFS certificate that is used to sign SAML tokens, and fabricate a new SAML token.Investigative actions: See whether this was a legitimate action. Follow the causality chain/user/host activities. Monitor suspicious LDAP queries to the ADFS container in Active Directory. Check the possibility of a compromised ADFS server. Check for unusual Azure AD authentications. Check for unusual logins.Variations
Suspicious access to the Windows Internal Database on an ADFS server
Low overridden
The Windows Internal Database (WID) was queried in an unusual way on an ADFS server. overridden
Unusual attachment volume in outbound emails Informational Email 2 variations
Numerous emails with substantial attachments sent by an internal sender to one or more external recipients within a short timeframe.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Hour
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: Microsoft 365 EmailsDetector tags: ExfiltrationAttacker's goals: Extracting valuable information outside the company. Bypass Data Loss Prevention (DLP) by splitting data across multiple emails.Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.Variations
Unusual attachment volume in outbound emails to a single external recipient
Informational overridden
Numerous emails with substantial attachments sent by internal sender to one external recipient within a short timeframe. overridden
Unusual attachment amount and size in outbound emails
Informational overridden
Numerous emails with substantial attachments sent by an internal sender to one or more external recipients within a short timeframe. overridden
Unusual certificate management activity Informational Cloud
A cloud identity performed a certificate management operation for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Private Keys (T1552.004)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Abuse certificate management functionalities to generate valid signed certificates, which enable to launch man-in-the-middle attacks against different services.Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive certificate management operation that it shouldn't.Unusual cloud Instance Metadata Service (IMDS) access Informational Cloud 6 variations
A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Cloud Instance Metadata API (T1552.005)Required data: XDR AgentDetector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Extract sensitive cloud compute tokens to access restricted cloud resources.Investigative actions: Determine whether a web service was involved and if it was exploited to execute this technique. Identify any additional commands that were executed. Review the permissions assigned to the target machine to identify which resources may be affected. Examine related compute activity in the cloud audit logs.Variations
Unusual cloud Instance Metadata Service (IMDS) access from an unusual known Windows web service
Medium overridden
A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden
Unusual cloud Instance Metadata Service (IMDS) access from an unusual known web service
Medium overridden
A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden
Unusual cloud Instance Metadata Service (IMDS) access from an unusual known Windows shell process
Medium overridden
A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden
Unusual cloud Instance Metadata Service (IMDS) access from an unusual known shell process
Medium overridden
A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden
Unusual cloud Instance Metadata Service (IMDS) access from an unusual known Windows scripting process
Medium overridden
A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden
Unusual cloud Instance Metadata Service (IMDS) access from an unusual known scripting process
Low overridden
A request to cloud Instance Metadata Service (IMDS) was made by an unusual process.This process does not usually access the Instance Metadata Service.An attacker may extract cloud compute tokens to gain access to a cloud environment. overridden
Unusual cloud identity impersonation Informational Cloud 3 variations
A cloud identity attempted to impersonate another identity for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Escalate privileges and bypass access controls Avoid detection throughout their compromise.Investigative actions: Check the identity's designation. Verify that the identity did not perform any sensitive operation on behalf of the impersonated identity.Variations
Unusual cloud identity impersonation of a management role
Informational overridden
A cloud identity attempted to impersonate a management role for the first time. overridden
Suspicious cloud identity impersonation was succeeded
Medium overridden
A cloud identity has impersonated another identity for the first time. overridden
Suspicious cloud identity impersonation was failed
Informational overridden
A cloud identity has failed to impersonate another identity. overridden
Unusual compressed file password protection Low 1 variation
An adversary might compress sensitive files with password protection to bypass security mitigations when attempting to exfiltrate them.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Exfiltrate or hide sensitive data.Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.Variations
Unusual compressed file password protection in a Kubernetes pod
Low overridden
An adversary might compress sensitive files with password protection to bypass security mitigations when attempting to exfiltrate them. overridden
Unusual cross projects activity Low Cloud 1 variation
A suspicious activity between different cloud projects.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Trusted Relationship (T1199)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Abuse an existing connection and pivot through multiple projects to find their target.Investigative actions: Check if the identity intended to perform actions on the project. Check the operations that were performed on the project {caller_project}. Check if the identity performed additional operations in the cloud environment that might be malicious.Variations
Suspicious cross projects activity
Medium overridden
A suspicious activity between different cloud projects. overridden