Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

145 alerts match the current filters. tactic: TA0002 ✕

Show ATT&CK heatmap
  • Remote command execution via wmic.exe Low 1 variation

    Remote command execution using the Windows Management Instrumentation command-line tool.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Windows Management Instrumentation (T1047)
    Required data: XDR Agent
    Attacker's goals: The attacker is expanding his reach into your network by executing commands on a remote endpoint.
    Investigative actions: Examine Alert Details > Overview to identify the source endpoint, process running the command execution, process owner, and execution destination.

    Variations

    Remote command execution via wmic.exe

    Medium overridden

    Remote command execution using the Windows Management Instrumentation command-line tool. overridden

  • Remote service command execution from an uncommon source High

    A remotely triggered service initiated a command execution by a host that rarely triggers services to other remote hosts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Detector tags: Impacket Analytics
    Attacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.
    Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.
  • Remote service start from an uncommon source Low

    A remotely triggered service initiated by a host that rarely triggers services to other remote hosts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Detector tags: Impacket Analytics
    Attacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.
    Investigative actions: Investigate the service being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.
  • Run downloaded script using pipe Informational 1 variation

    Downloading a script using wget or curl and executing it using a pipe to a shell.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may try to download a script using wget or curl.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Run downloaded script using pipe in a Kubernetes pod

    Informational overridden

    Downloading a script using wget or curl and executing it using a pipe to a shell. overridden

  • Scrcons.exe Rare Child Process Informational 1 variation

    The Windows Management Instrumentation (WMI) standard event consumer scrcons.exe executed a rare VBScript or PowerShell script. Executing a rare script can be an indication of local or remote code execution abuse by an attacker.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Windows Management Instrumentation (T1047) Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)
    Required data: XDR Agent
    Attacker's goals: The attacker is trying to gain Persistence via WMI script registration.
    Investigative actions: Search for any executions of the Managed Object Format (MOF) compiler mofcomp.exe and review the process that ran it. Review registered WMI ActiveScriptEventConsumer by running "WMIC /namespace:\\root\default path ActiveScriptEventConsumer get ".

    Variations

    Scrcons.exe Rare Child Process

    Medium overridden

    The Windows Management Instrumentation (WMI) standard event consumer scrcons.exe executed a rare VBScript or PowerShell script. Executing a rare script can be an indication of local or remote code execution abuse by an attacker. overridden

  • Scripting engine connected to a rare external host Low 3 variations

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Execution (TA0002)
    ATT&CK techniques: Application Layer Protocol (T1071) Command and Scripting Interpreter (T1059)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Connect to the attacker's Command and Control server.
    Investigative actions: Check the external address the process connects to. Fetch and investigate the executed script.

    Variations

    Scripting engine failed to connect to a rare external host

    Informational overridden

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden

    Scripting engine with a modified image name connected to a rare external host

    Low overridden

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden

    Windows LOLBIN scripting engine connected to a rare external host

    Medium overridden

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden

  • Service execution via sc.exe Informational

    Sc.exe has the ability to start services on local and remote hosts. An attacker may abuse it to execute malicious services on a host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Detector tags: Malicious Service Analytics
    Attacker's goals: Execute commands and run code on local or remote hosts.
    Investigative actions: Check whether the service that was created via sc.exe is benign and if this was a desired behavior as part of its normal execution flow.
  • Signed process creates a scheduled task via file access Informational 1 variation

    A signed process created a scheduled task via file access. Attackers may create scheduled tasks for execution and to establish persistence.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: An attacker may gain persistence and execute malicious tools via scheduled tasks.
    Investigative actions: Check the created task file and look for the action triggered by the task.

    Variations

    Signed process running from an untrusted directory creates a scheduled task via file access

    Low overridden

    A signed process created a scheduled task via file access. Attackers may create scheduled tasks for execution and to establish persistence. overridden

  • Sudden spike in outbound email volume Informational Email 2 variations

    Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    2 Hours
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Attacker's goals: Extracting valuable information outside the company. Bypass Data Loss Prevention (DLP) by splitting data across multiple emails.
    Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.

    Variations

    Sudden spike in outbound emails sent to external recipients

    Informational overridden

    Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe. overridden

    Sudden spike in outbound emails sent to internal recipients

    Informational overridden

    Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe. overridden

  • Suspicious PowerShell Command Line Low

    Attackers often leverage PowerShell one-liners, in which PowerShell is executed with suspicious options on the command line.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host.
    Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. For example, the command line may be an administrative script.
  • Suspicious SearchProtocolHost.exe parent process Medium

    SearchProtocolHost.exe has been launched from a process that is different from SearchIndexer.exeThis may indicate malicious activity (such as malware later being injected to it, or it being used for phantom DLL hijacking).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)
    ATT&CK techniques: User Execution (T1204) System Binary Proxy Execution (T1218)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host and evade security controls.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Suspicious activity indicating a potential abuse of a cloud-native email service Low Cloud 2 variations

    A cloud identity performed a sequence of activities which might indicate an intent to abuse the email service to send phishing or spam.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: AWS Audit Log Azure Audit Log
    Attacker's goals: Adversaries may use cloud-based email services to send phishing or spread malware, abusing legitimate email domains.
    Investigative actions: Check if the identity intended to preform these actions or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).

    Variations

    Suspicious activity indicating a potential abuse of a cloud-native email service involving discovery, weaponization, and impact

    High overridden

    A cloud identity performed a sequence of activities which might indicate an intent to abuse the email service to send phishing or spam.The behavior that was observed included discovery operations, attack preparation and actual email sending.These activities might indicate an intent to abuse the email service to send phishing or spam. overridden

    Suspicious activity indicating a potential abuse of a cloud-native email service involving discovery and weaponization

    Medium overridden

    A cloud identity performed a sequence of activities which might indicate an intent to abuse the email service to send phishing or spam.The behavior that was observed included discovery operations and attack weaponization.These activities might indicate an intent to abuse the email service to send phishing or spam. overridden

  • Suspicious cloud user data modification attempt followed by VM restart Low Cloud

    Suspicious user data modification followed by VM restart, possibly an attempt to run altered startup scripts at boot.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Cloud Administration Command (T1651)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Execute arbitrary code, establish persistence, or alter instance startup behavior through modified user data.
    Investigative actions: Review the identity who modified the instance user data. Inspect the user data script for malicious content.
  • Suspicious container orchestration job Low

    A suspicious orchestration job ran with a rare command line.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    10 Minutes
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Scheduled Task/Job: Container Orchestration Job (T1053.007)
    Required data: XDR Agent
    Attacker's goals: Adversaries may abuse task scheduling functionality provided by container orchestration tools The adversaries do that to schedule deployment of containers configured to execute malicious code.
    Investigative actions: Investigate The process activities and impact on the relevant container.
  • Suspicious container runtime connection from within a Kubernetes Pod Informational 2 variations

    A process from within a Kubernetes Pod communicated with the container runtime daemon using the runtime socket.This may indicate an adversary attempting to escape from the Kubernetes Pod to the host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Container Administration Command (T1609) Deploy Container (T1610)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Escape from a container to the host machine and expand the foothold in the network.
    Investigative actions: Change the container socket configuration. Check if the default Docker daemon binding to TCP changed. If so, non-root users may gain access to the container.

    Variations

    Suspicious container runtime connection from within a Kubernetes Pod using the curl client

    Low overridden

    A process from within a Kubernetes Pod communicated with the container runtime daemon using the runtime socket.This may indicate an adversary attempting to escape from the Kubernetes Pod to the host. overridden

    Suspicious container runtime connection from within a Kubernetes Pod using the docker client

    Medium overridden

    A process from within a Kubernetes Pod communicated with the container runtime daemon using the runtime socket.This may indicate an adversary attempting to escape from the Kubernetes Pod to the host. overridden

  • Suspicious docker image download from an unusual repository Informational 2 variations

    The agent has pulled a docker image from a repository for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution: Malicious Image (T1204.003)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Adversaries may rely on a user running a malicious image to facilitate execution.
    Investigative actions: Scan the docker image that was pulled. Check the repository designation. Check on which other agents the docker image is being used.

    Variations

    Suspicious docker image download from an unrecognized registry

    Low overridden

    The agent has pulled a docker image from a registry that has never been used in the organization. overridden

    Suspicious docker image download from an unrecognized repository

    Low overridden

    The agent has pulled a docker image from a repository that has never been used in the organization. overridden

  • Suspicious module load using direct syscall Low 1 variation

    A module was loaded to a process using a direct syscall.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Native API (T1106)
    Required data: XDR Agent
    Detector tags: Direct Syscall Analytics
    Attacker's goals: An attacker might try to use direct syscalls to evade detection and load a malicious module to a legitimate program.
    Investigative actions: Investigate the direct syscall mapped image to verify if it is malicious. Investigate the loaded module to verify if it is malicious.

    Variations

    A module was loaded to an unsigned process by using a direct syscall

    Medium overridden

    A module was loaded to an unsigned process using a direct syscall. overridden

  • Suspicious process execution in a privileged container Informational 1 variation

    A process was executed in a privileged Kubernetes Pod for the first time in the past 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)
    ATT&CK techniques: Container Administration Command (T1609) Escape to Host (T1611)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Perform lateral movement to new hosts to expand the foothold within a network and gain higher privileges.
    Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the command run from the host and understand which software initiated it.

    Variations

    Suspicious process execution in a new privileged container

    Informational overridden

    A process was executed in a privileged Kubernetes Pod for the first time in the past 30 days. overridden

  • Suspicious process loads a known PowerShell module Informational 2 variations

    A non-PowerShell process loaded a known PowerShell module. This image load may be an indication of PowerShell execution without directly invoking the PowerShell.exe binary.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    8 Hours
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: XDR Agent
    Attacker's goals: An attacker is attempting to run PowerShell without PowerShell.exe to evade detection.
    Investigative actions: Investigate the process and command line executed and whether it's benign or normal for this host.

    Variations

    Suspicious unsigned process loads a known PowerShell module

    Low overridden

    A non-PowerShell process loaded a known PowerShell module. This image load may be an indication of PowerShell execution without directly invoking the PowerShell.exe binary. overridden

    Office process loads a known PowerShell DLL

    High overridden

    A Microsoft Office process loaded a known PowerShell module. This image load may be a sign of PowerShell execution without directly invoking the PowerShell.exe binary. overridden

  • Suspicious systemd timer activity Low

    Suspicious systemd timer activity, which may indicate an attempt to establish persistence.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Scheduled Task/Job: Systemd Timers (T1053.006)
    Required data: XDR Agent
    Attacker's goals: An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.
    Investigative actions: Check the systemd timer file change and try to understand the impact of the systemd timers change.
  • System profiling WMI query execution Informational

    Attackers or malware may use WMI queries to identify the system and evade execution in sandbox environments.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Discovery (TA0007)
    ATT&CK techniques: Windows Management Instrumentation (T1047) System Information Discovery (T1082)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attacker or malware can use WMI queries to identify system components and prevent execution in sandbox \ virtualized environments to evade detection.
    Investigative actions: Examine the process that executed the WMI query and verify that the process is from a trusted source. Inspect the system for suspicious activity that is related to that process.
  • Uncommon DLL-sideloading from a logical CD-ROM (ISO) device Medium

    A DLL was loaded by an executable from the same folder on a logical CD-ROM device (ISO).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001) User Execution: Malicious File (T1204.002)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load untrusted code into trusted contexts to avoid detection or escalate privileges.
    Investigative actions: Investigate the loaded module and verify if it is malicious. Check if the disk is a mounted CD-ROM (for example from an ISO file), and if it contains hidden files and folders. Check the content of an 'autorun.inf' or '.lnk' files if they exist.
  • Uncommon Linux remote shell command execution Informational 15 variations

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Lateral Movement (TA0008)
    ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004) Command and Scripting Interpreter (T1059) Remote Services (T1021)
    Required data: XDR Agent
    Detector tags: Shell Analytics
    Attacker's goals: An attacker may attempt to execute a malicious shell command on the system.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the executed shell command (and possible child processes) for malicious actions.

    Variations

    Uncommon Linux remote shell command execution, possibly running LinPEAS

    High overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution using an exploitation tool

    High overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution executing a reverse interactive shell

    Medium overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution downloading a shell script

    Medium overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution disabling firewall

    Low overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution taking a screenshot

    Low overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution possibly running from an XZ backdoor

    Low overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution running as root

    Low overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution setting a scheduled task

    Low overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution running a process kill command

    Low overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution loading a kernel module

    Informational overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution via non-SSH or SSH on a non-standard port

    Informational overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution running a network tool

    Informational overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution trying to gather information about the system

    Informational overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution, possibly granting file execution permissions

    Informational overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

  • Uncommon Linux shell command execution Informational 15 variations

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004) Command and Scripting Interpreter (T1059)
    Required data: XDR Agent
    Detector tags: Shell Analytics
    Attacker's goals: An attacker may attempt to execute a malicious shell command on the system.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the executed shell command (and possible child processes) for malicious actions.

    Variations

    Uncommon Linux shell command execution by a BAS solution

    High overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution disabling firewall

    High overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution, possibly running LinPEAS

    High overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution using exploitation tool

    High overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution taking a screenshot

    Low overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution trying to gather information about the system

    Low overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution loading a kernel module

    Low overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution, possibly granting file execution permissions

    Low overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution running a network tool

    Low overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution setting a scheduled task

    Low overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution running a process kill command

    Low overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution with su/sudo elevation

    Informational overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution accessing history (e.g. bash history or login records)

    Informational overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution from a scripting language interpreter

    Informational overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux shell command execution executed from within a web server

    Informational overridden

    An unusual process execution of a shell command on Linux. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

  • Uncommon Service Create/Config Medium

    The Service Control command (sc.exe) is used to create, start, stop, query, or delete Windows services. Adversaries may attempt to use the command to execute and persist a binary, command, or script.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Detector tags: Malicious Service Analytics
    Attacker's goals: Evading security controls and possibly persisting malware.
    Investigative actions: Check whether the service created, or the configuration change to an existing service, is benign or normal for the host and/or user performing it.
  • Uncommon URL domain(s) in your organization detected in email Informational Email 3 variations

    We have identified unpopular domain(s) in URL(s) within this email.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Trick the user into engaging with a URL(s), aiming to extract information or establish access to the network.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    External email with a first-seen URL domain(s) in your organization in the last 30 days

    Informational overridden

    We have identified unpopular domain(s) in URL(s) within this email. overridden

    Internal email with a first-seen URL domain(s) in your organization in the last 30 days

    Informational overridden

    We have identified unpopular domain(s) in URL(s) within this email. overridden

    Outbound email with a first-seen URL domain(s) in your organization in the last 30 days

    Informational overridden

    We have identified unpopular domain(s) in URL(s) within this email. overridden

  • Uncommon cloud CLI tool usage Informational Cloud 4 variations

    An uncommon execution of a cloud CLI tool.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)
    Required data: XDR Agent
    Attacker's goals: Abuse cloud APIs to execute malicious commands.
    Investigative actions: Check what cloud CLI commands were executed. Verify which cloud resources may have been affected.

    Variations

    Uncommon cloud CLI tool usage within a web server pod

    Low overridden

    An uncommon execution of a cloud CLI tool. overridden

    Uncommon cloud CLI tool usage within a web server

    Low overridden

    An uncommon execution of a cloud CLI tool. overridden

    Uncommon cloud CLI tool usage within a cloud instance

    Low overridden

    An uncommon execution of a cloud CLI tool. overridden

    Uncommon cloud CLI tool usage within a Kubernetes pod

    Informational overridden

    An uncommon execution of a cloud CLI tool. overridden

  • Uncommon macOS shell command execution Informational 10 variations

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004) Command and Scripting Interpreter (T1059)
    Required data: XDR Agent
    Detector tags: Shell Analytics
    Attacker's goals: An attacker may attempt to execute a malicious shell command on the system.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the executed shell command (and possible child processes) for malicious actions.

    Variations

    Uncommon macOS shell command execution by a BAS solution

    High overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution running a curl / wget in an uncommon way

    High overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution taking a screenshot

    Low overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution trying to gather information about the system

    Low overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution loading a kernel extension

    Low overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution, possibly granting file execution permissions

    Low overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution running a process kill command

    Low overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution executed an AppleScript

    Low overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution from an unsigned process

    Low overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon macOS shell command execution of an exceedingly rare process

    Low overridden

    An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

  • Uncommon remote scheduled task creation Low 1 variation

    The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to execute programs or persist malware on remote machines.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: Attackers can attempt to use the command to execute programs or persist malware on remote endpoints.
    Investigative actions: Investigate the initiator process and whether it should create remote tasks. Investigate the scheduled task execution on the remote machine.

    Variations

    Uncommon remote scheduled task creation by a remote actor via RDP

    High overridden

    The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote computer. Adversaries may attempt to use the command to execute programs or persist malware on remote machines. overridden

  • Uncommon remote service start via sc.exe Low

    The Service Control command (sc.exe) is used to create, start, stop, query, or delete Windows services. Adversaries may attempt to use the command to execute and persist a binary, command, or script.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Detector tags: Malicious Service Analytics
    Attacker's goals: The Service Control command is used to create, start, stop, query, or delete Windows services. Attackers can use the command to attempt to execute and persist a binary, command, or script.
    Investigative actions: Check whether the executed process is benign and if this was desired behavior as part of its normal execution flow. Check the remote host for any evidence of the executed service and investigate it.
  • Unpopular domains detected in email URLs for a recipient Informational Email 1 variation

    We have identified unpopular domain(s) within these email URLs.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Trick the user into clicking a link, while avoiding detection.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    Highly unpopular URL domain(s) for mailbox detected in email

    Informational overridden

    We have identified unpopular domain(s) within these email URLs. overridden

  • Unsigned process creates a scheduled task via file access Low 1 variation

    A scheduled task was created via file access from an unsigned process. This is uncommon and may indicate malicious activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: Attackers may attempt to gain persistence on the endpoint using scheduled tasks.
    Investigative actions: Review the process executed by the schedule task. Investigate the specific scheduled task execution chain.

    Variations

    Unsigned process creates a scheduled task via file access on a sensitive server

    Medium overridden

    A scheduled task was created via file access from an unsigned process. This is uncommon and may indicate malicious activity. overridden

  • Unusual AI model invocation Informational Cloud

    A cloud identity invoked an AI model for the first time.MITRE ATLAS Technique: AML.T0050 - Command and Scripting Interpreter.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)
    Required data: AWS Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Gain access to AI models.
    Investigative actions: Examine which AI models were invoked. Investigate any unusual activity originating from the suspected identity.
  • Unusual AWS CLI/SDK activity Informational Cloud

    A cloud identity invoked an API using AWS CLI/SDK for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)
    Required data: AWS Audit Log
    Attacker's goals: Abuse cloud APIs to execute malicious commands.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • Unusual AWS SageMaker notebook access Informational Cloud

    A cloud identity accessed an AWS SageMaker notebook for the first time.MITRE ATLAS Technique: AML.T0008 - Acquire Infrastructure: AI Development Workspaces.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)
    Required data: AWS Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Gain access to AI/ML resources and services.
    Investigative actions: Examine which AWS SageMaker notebooks were accessed. Investigate any unusual activity originating from the suspected identity.
  • Unusual Process Spawned by Nginx in Ingress-Nginx pod Low 1 variation

    Unusual Process Spawned by Nginx in Ingress-Nginx pod.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)
    ATT&CK techniques: Command and Scripting Interpreter (T1059) Exploit Public-Facing Application (T1190)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: An attacker attempts to use nginx for lateral movement or privilege escalation.
    Investigative actions: Investigate the child processes for malicious activity and network connections to an external host.

    Variations

    Unusual process spawned by ingress-nginx with a critical-severity vulnerability found the workload

    High overridden

    Unusual Process Spawned by Nginx in Ingress-Nginx pod. overridden

  • Unusual exec into a Kubernetes Pod Informational Cloud 5 variations

    An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Container Administration Command (T1609)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Execute commands within the Kubernetes Pod. Access any resource the Kubernetes Pod has access to.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.

    Variations

    Failed exec attempt into a Kubernetes Pod

    Informational overridden

    An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden

    First time execution into Kubernetes Pod at the cluster-level

    Medium overridden

    An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden

    Identity executed into Kubernetes Pod for the first time

    Low overridden

    An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden

    Identity executed into a Kubernetes namespace for the first time

    Low overridden

    An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden

    Identity executed into a Kubernetes Pod for the first time

    Low overridden

    An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden

  • Unusual process accessed the PowerShell history file Informational

    An abnormal process accessed the PowerShell console history file.This may be a sign of malicious PowerShell execution without directly invoking the powershell.exe binary.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: XDR Agent
    Attacker's goals: An attacker is attempting to run PowerShell without powershell.exe to evade detection.
    Investigative actions: Investigate the process and command line executed and whether it's benign or normal for this host.
  • Usage of homograph characters detected in an email attachment(s) name Informational Email 1 variation

    Detected characters resembling Latin letters within an email attachment(s) name.This method could be used as a method to evade text or file scanners and analyzers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Evasion, Phishing
    Attacker's goals: Evade file scanner defenses, tricking recipients into running malicious attachments.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. Check the domain the email came from, and if this domain is recognized within the organization. Scrutinize the attachments related to the email message. Monitor file-related actions taken related to the attachment.

    Variations

    Usage of homograph characters detected in an email attachment(s) extension

    Low overridden

    Detected non-latin characters within an email attachment's extension(s).Detected characters resembling Latin letters within an email attachment(s) name.This method could be used as a method to evade text or file scanners and analyzers. overridden

  • User discovery via WMI query execution Informational 3 variations

    Attackers or malware may use WMI queries to list the users of a host, and potentially its owner.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Discovery (TA0007)
    ATT&CK techniques: Windows Management Instrumentation (T1047) System Owner/User Discovery (T1033) Account Discovery (T1087)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attacker or malware can use WMI queries to discover host users and enumerate a huge amount of information.
    Investigative actions: Examine the process that executed the WMI query and verify that the process is from a trusted source. Inspect the system for suspicious activity that is related to that process.

    Variations

    User discovery via WMI query execution by an unsigned process

    Low overridden

    Attackers or malware may use WMI queries to list the users of a host, and potentially its owner. overridden

    User modification via WMIC query execution

    Low overridden

    Attackers or malware may use WMI queries to modify the users of a host, and potentially its owner. overridden

    User discovery via WMIC query execution

    Informational overridden

    Attackers or malware may use WMI queries to list the users of a host, and potentially its owner. overridden

  • Windows CGO, actor and action processes with anomalous characteristics Informational 2 variations

    Windows CGO, actor and action processes with anomalous characteristics.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Detector tags: Process Anomaly Analytics
    Attacker's goals: Processes anomalous characteristics which commonly appear in malicious activities.
    Investigative actions: Investigate the executed process image and check if it is malicious. Investigate the CGO and actor processes that executed the process and check if they are malicious.

    Variations

    Windows CGO, actor and action processes with anomalous characteristics by an untrusted CGO

    Low overridden

    Windows CGO, actor and action processes with anomalous characteristics by an untrusted CGO. overridden

    Windows CGO, actor and action processes with highly anomalous characteristics

    Low overridden

    Windows CGO, actor and action processes with anomalous characteristics. overridden

  • Windows CGO, actor process and action module with anomalous characteristics Informational 1 variation

    Windows CGO, actor process and action module with anomalous characteristics.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Attacker's goals: Loading modules with anomalous characteristics that commonly appear in malicious activities.
    Investigative actions: Investigate the loaded image and check if it is malicious. Investigate the CGO process and actor process that loaded the module and check if they are malicious.

    Variations

    Windows CGO, actor process and action module with very anomalous characteristics

    Low overridden

    Windows CGO, actor process and action module with anomalous characteristics. overridden

  • WmiPrvSe.exe Rare Child Command Line Low 1 variation

    A remote WMI command executed a binary proxy, the Windows Management Instrumentation (WMI) Provider Host wmiprvse.exe, which executed a rare child command line. Executing a rare child process can be an indication of remote code execution abuse by an attacker.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services (T1021) Remote Services: Windows Remote Management (T1021.006) Windows Management Instrumentation (T1047)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on a remote host.
    Investigative actions: Investigate the processes being spawned from WmiPrvse.exe on the host for malicious indicators. Correlate the RPC call from the source host and understand what initiated it.

    Variations

    WmiPrvSe.exe Rare Child Command Line

    Medium overridden

    A remote WMI command executed a binary proxy, the Windows Management Instrumentation (WMI) Provider Host wmiprvse.exe, which executed a rare child command line. Executing a rare child process can be an indication of remote code execution abuse by an attacker. overridden

  • Wsmprovhost.exe Rare Child Process Low

    The PowerShell host wsmprovhost.exe is a proxy process executed remotely through PowerShell when using Windows Remote Management (WinRM). It has executed a rare child process, which may indicate remote code execution abuse by an attacker.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services: Windows Remote Management (T1021.006) Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on a remote host.
    Investigative actions: Investigate the processes being spawned from Wsmprovhost.exe on the host for malicious indicators. Correlate the initiator process (most likely PowerShell) to the source host and investigate it.
  • X-Forefront-Antispam-Report has flagged this email as a potential threat Informational Email 15 variations

    This email has been categorized by X-Forefront-Antispam-Report as a threat, suggesting it is likely malicious in nature (e.g., spam, phishing, impersonation, etc.).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) Impersonation (T1656) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Attacker's goals: Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.
    Investigative actions: Examine email headers to trace origins and check for signs of spoofing. Analyze the email content for spam indicators like suspicious links and aggressive marketing language. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    X-Forefront-Antispam-Report has categorized this email as containing malware (AMP)

    Informational overridden

    This email has been classified by X-Forefront-Antispam-Report as containing malware, indicating a high likelihood that it includes malicious content. overridden

    X-Forefront-Antispam-Report has categorized this email as containing malware (MALW)

    Informational overridden

    This email has been classified by X-Forefront-Antispam-Report as containing malware, indicating a high likelihood that it includes malicious content. overridden

    Email contains an attachment flagged by X-Forefront-Antispam-Report as malware due to its file type

    Informational overridden

    X-Forefront-Antispam-Report has automatically flagged certain attachment types as malware based on file type (without deeper content analysis). This email includes such attachments. overridden

    Email identified by X-Forefront-Antispam-Report as a phishing attempt

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as a phishing attempt in its anti-spam headers, indicating a high likelihood that it is designed to deceive the recipient into disclosing sensitive information. overridden

    Email flagged by X-Forefront-Antispam-Report as a highly confident phishing attempt

    Informational overridden

    X-Forefront-Antispam-Report has identified this email as a phishing attempt with high confidence in its anti-spam headers, suggesting a significant risk of deceptive intent aimed at stealing sensitive information. overridden

    Email flagged by X-Forefront-Antispam-Report as impersonating internal communication

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as an attempt to mimic or impersonate internal organizational communication, suggesting a potential internal compromise or impersonation attempt. overridden

    X-Forefront-Antispam-Report has strongly flagged this email as spam

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as spam with high confidence in its anti-spam headers, indicating it is likely unsolicited and potentially harmful. overridden

    X-Forefront-Antispam-Report flagged this email as spam

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as spam in its anti-spam headers, indicating it is likely unsolicited and potentially harmful. overridden

    X-Forefront-Antispam-Report has flagged this email as a bulk email

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as a bulk message in its anti-spam headers, indicating it is part of mass communication that may be unsolicited or irrelevant to the recipient. overridden

    X-Forefront-Antispam-Report has flagged an internal email as spam

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as spam originating from within the organization in its anti-spam headers, indicating a potential internal security issue, such as a compromised account or misconfigured system sending unsolicited messages. overridden

    X-Forefront-Antispam-Report has flagged this email as attempting to forge the sender's identity

    Informational overridden

    This email has been classified by X-Forefront-Antispam-Report as spoofing the sender's identity in its anti-spam headers, indicating a high likelihood that the sender's identity has been forged to appear as a trusted source. overridden

    X-Forefront-Antispam-Report has flagged this email as impersonating a specific user within the organization

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as impersonating a specific user within the organization in its anti-spam headers, suggesting a targeted attempt to deceive recipients by mimicking a trusted internal user. overridden

    X-Forefront-Antispam-Report has flagged this email as impersonating the organization's domain

    Informational overridden

    This email has been identified by X-Forefront-Antispam-Report as an attempt to impersonate the organization's domain in its anti-spam headers, indicating a deceptive effort to make the email appear as if it originates from the organization's legitimate domain. overridden

    X-Forefront-Antispam-Report has flagged this email as using advanced impersonation techniques

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as using advanced impersonation techniques in its anti-spam headers, indicating the use of sophisticated methods where the sender mimics typical communication patterns to appear credible. overridden

    X-Forefront-Antispam-Report has flagged this email as impersonating a well-known brand

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as impersonating a well-known brand in its anti-spam headers, indicating the use of sophisticated methods where the sender mimics typical communication made by legitimate brands to appear credible. overridden