Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

249 alerts match the current filters. tactic: TA0005 ✕

Show ATT&CK heatmap
  • Encoded information using Windows certificate management tool Medium

    Encoding/decoding to/from using certutil.exe could be used to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Obfuscated Files or Information: Encrypted/Encoded File (T1027.013) Deobfuscate/Decode Files or Information (T1140)
    Required data: XDR Agent
    Attacker's goals: Evade detection by executing processes with obfuscated arguments.
    Investigative actions: Check encoded/decoded command content and see whether it is benign or malicious.
  • Exchange DKIM signing configuration disabled Low Identity Threat Module Email 1 variation

    A user disabled an Exchange DomainKeys Identified Mail (DKIM) signing configuration. DKIM helps ensure that emails are authorized and not spoofed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing (T1566)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.

    Variations

    A recently configured Exchange DKIM signing configuration was disabled

    Informational overridden

    A user disabled an Exchange DomainKeys Identified Mail (DKIM) signing configuration. DKIM helps ensure that emails are authorized and not spoofed. overridden

  • Exchange Safe Attachment policy disabled or removed Low Identity Threat Module Email

    A user disabled an Exchange Safe Attachment policy, which provides phishing protection to email attachments.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing: Spearphishing Attachment (T1566.001)
    Required data: Office 365 Audit
    Attacker's goals: An attacker may attempt to disable the Safe Attachment policy to evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.
  • Exchange Safe Link policy disabled or removed Low Identity Threat Module Email

    A user disabled an Exchange Safe Link policy, which provides phishing protection to emails that contain hyperlinks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing: Spearphishing Link (T1566.002)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to bypass security measures associated with hyperlinks in email messages.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for email messages received with hyperlinks. Check for a possible phishing campaign on the organization.
  • Exchange anti-phish policy disabled or removed Low Identity Threat Module Email 1 variation

    A user disabled or removed an Exchange anti-phish policy, which may indicate evasion of a possible phishing campaign.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing (T1566)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.

    Variations

    Recently configured Exchange anti-phish policy disabled or removed

    Informational overridden

    A user disabled or removed an Exchange anti-phish policy, which may indicate evasion of a possible phishing campaign. overridden

  • Exchange audit log disabled Low Identity Threat Module Email

    A user disabled the Exchange audit log. This may indicate an attempt to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
  • Exchange email-hiding inbox rule Informational Identity Threat Module Email 3 variations

    A user configured an Exchange inbox rule that may be used to hide emails.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Hide Artifacts: Email Hiding Rules (T1564.008)
    Required data: Office 365 Audit
    Attacker's goals: Prevent an organization from warning users that they've been compromised (e.g. an internal spear-phishing campaign).
    Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the rule keywords look suspicious. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for multiple instances of email hiding, which may be an indication of a larger campaign. Check if the user regularly configures inbox rules.

    Variations

    Possible BEC Exchange email-hiding inbox rule

    Medium overridden

    A user configured an Exchange inbox rule that may be used to hide emails. The rule contains characteristics that resemble a business email compromise (BEC) attack. overridden

    Suspicious Exchange email-hiding inbox rule

    Medium overridden

    A user configured an Exchange inbox rule that may be used to hide emails. The rule hides emails that contain suspicious keywords, which may be a sign of a compromised account. overridden

    Abnormal Exchange email-hiding inbox rule

    Low overridden

    A user configured an Exchange inbox rule that may be used to hide emails. overridden

  • Exchange email-hiding transport rule Informational Identity Threat Module Email 2 variations

    A user configured an Exchange transport rule that may be used to hide emails in the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Hide Artifacts: Email Hiding Rules (T1564.008)
    Required data: Office 365 Audit
    Attacker's goals: Prevent an organization from warning users that they've been compromised (e.g. an internal spear-phishing campaign).
    Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the rule contains keywords and if they look suspicious. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for multiple instances of email hiding, which may be an indication of a larger campaign. Check if the user regularly configures transport rules.

    Variations

    Suspicious Exchange email-hiding transport rule

    Medium overridden

    A user configured an Exchange transport rule that may be used to hide emails in the organization. The rule hides emails that contain suspicious keywords, which may be a sign of a compromised account. overridden

    Exchange email-hiding transport rule based on message keywords

    Low overridden

    A user configured an Exchange transport rule that may be used to hide emails in the organization. The rule hides emails that contain certain keywords, which may be a sign of a compromised account. overridden

  • Exchange mailbox audit bypass Low Identity Threat Module Email

    A user added mailbox audit bypass for an account. This will allow the account to perform actions without being logged, and may indicate an attempt to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: Office 365 Audit
    Attacker's goals: An attacker may abuse the audit bypass mechanism to conceal actions and evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected.
  • Exchange malware filter policy removed Low Identity Threat Module Email

    A user removed an Exchange malware filter policy, which may prevent the detection of malware.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate if any other security policies have been changed or removed. Monitor for signs of malware in future messages.
  • Executable created to disk by lsass.exe Medium

    Lsass.exe does not normally create executables to disk. This activity was seen as part of several exploits, like EternalBlue and DoublePulsar, used during the WannaCry attacks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: This activity was an important stage for several exploits.
    Investigative actions: Check the file that was written to the disk for malicious activities.
  • Executable moved to Windows system folder Informational 4 variations

    An attacker may be trying to avoid detection by moving an executable to a Windows system folder.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading (T1036)
    Required data: XDR Agent
    Detector tags: EDR Windows Disguised Processes
    Attacker's goals: An attacker may be trying to avoid detection by moving an executable to a Windows system folder.
    Investigative actions: Check if the file is known in organization or malicious. Check if the digital signature of the file is valid and belongs to a known good software vendor. Investigate the process that has moved the file to the system folder.

    Variations

    Rare executable moved to Windows system folder by rare causality actor

    Medium overridden

    An attacker may be trying to avoid detection by moving an executable to a Windows system folder. overridden

    Executable moved to Windows system folder by remote causality and a rare actor

    Medium overridden

    An attacker may be trying to avoid detection by moving an executable to a Windows system folder. overridden

    Rare executable moved to Windows system folder by rare actor

    Low overridden

    An attacker may be trying to avoid detection by moving an executable to a Windows system folder. overridden

    Executable moved to Windows system folder by rare and unsigned actor

    Low overridden

    An attacker may be trying to avoid detection by moving an executable to a Windows system folder. overridden

  • Execution of dllhost.exe with an empty command line Low 2 variations

    The process dllhost.exe was executed with an empty command line. This behavior is suspicious, and may be caused by a malicious actor using 'Image File Execution Options' in the registry to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution (T1218)
    Required data: XDR Agent
    Attacker's goals: Evade detection when running suspicious commands.
    Investigative actions: Check if an entry for dllhost.exe was added in the registry, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.

    Variations

    Execution of unsigned dllhost from a non-typical path with empty command line

    High overridden

    An unsigned process was executed with the name dllhost.exe from a non-typical path, this behavior is suspicious and maybe performed by a malicious actor in an attempt to hide their actions. overridden

    Globally uncommon execution of dllhost.exe with an empty command line

    Low overridden

    The process dllhost.exe was executed with an empty command line. This behavior is suspicious, and may be caused by a malicious actor using 'Image File Execution Options' in the registry to evade detection. overridden

  • Execution of masqueraded third-party utility Informational 2 variations

    An attacker may be trying to avoid detection of third-party utility execution by renaming it.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading (T1036) Masquerading: Rename Legitimate Utilities (T1036.003)
    Required data: XDR Agent
    Detector tags: EDR Windows Disguised Processes
    Attacker's goals: Detection avoidance via file masquerading.
    Investigative actions: Check the process origin or whether it comes with any packages the user has used.

    Variations

    Execution of masqueraded third-party automation utility

    Medium overridden

    An attacker may be trying to avoid detection of third-party utility execution by renaming it. overridden

    Execution of significantly masqueraded third-party utility

    Low overridden

    An attacker may be trying to avoid detection of third-party utility execution by renaming it. overridden

  • Execution of renamed lolbin Informational 1 variation

    An attacker may be trying to avoid detection of lolbin's execution using a renamed lolbin.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading (T1036) Masquerading: Rename Legitimate Utilities (T1036.003)
    Required data: XDR Agent
    Detector tags: EDR Windows Disguised Processes
    Attacker's goals: Detection avoidance via file rename.
    Investigative actions: Check the lolbin's origin or whether it comes with any packages the user has used.

    Variations

    Execution of significantly renamed lolbin

    Medium overridden

    An attacker may be trying to avoid detection of lolbin's execution using a renamed lolbin. overridden

  • External email display name impersonation of internal personnel Informational Email 1 variation

    The sender's email address appears unusual in relation to the provided display name, suggesting a possible impersonation attempt targeting an internal user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impersonation (T1656)
    Required data: Microsoft 365 Emails
    Detector tags: Employee Impersonation, Spear Phishing
    Attacker's goals: Impersonate internal users or familiar individuals and trick them into clicking on malicious links or attachments.
    Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    External email display name impersonation of internal personnel, using a public provider

    Informational overridden

    The sender's email address appears unusual in relation to the provided display name, suggesting a possible impersonation attempt targeting an internal user. overridden

  • Failed Login For Locked-Out Account Informational

    A locked-out user account (event ID 4725 or 4740) was used in a Kerberos TGT pre-authentication attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Authenticate using the principal in the TGT, not knowing that it has been revoked.
    Investigative actions: Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory. Check whether the attempt to use the principals (user accounts) specified in the alert are legitimate. For example, a user or a script that was not updated that the account has been revoked. The lockout can be temporary, for example, in the case of too many login attempts, and may not be visible after the account was released. Search for Windows Event Log 4740 to ascertain whether the account was locked out during the time of the alert.
  • GCP Firewall Rule Modification Informational Cloud

    A GCP firewall rule was modified. An attacker might use this technique to access restricted resources.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)
    Required data: Gcp Audit Log
    Attacker's goals: Access restricted resources.
    Investigative actions: Check if there were any network attempts that fit the deleted rule. Check The cloud identity activity prior/after to the rule deletion.
  • GCP Firewall Rule creation Informational Cloud

    A GCP VPN firewall rule was created. An attacker might use this technique to block or open access to/from restricted areas.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)
    Required data: Gcp Audit Log
    Attacker's goals: Access restricted resources.
    Investigative actions: Check if there were any network attempts that fit the created rule. Check the cloud identity activity before and after the rule creation.
  • GCP Logging Bucket Deletion Informational Cloud

    A GCP logging bucket was deleted. An attacker might delete the bucket to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Gcp Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & Response
    Attacker's goals: Evade detection.
    Investigative actions: Check which logs were affected by the bucket deletion. Check The cloud identity activity prior/after to the bucket deletion.
  • GCP Storage Bucket Permissions Modification Informational Cloud

    A GCP storage bucket's IAM permissions were modified. An attacker might use this technique to expose sensitive data or cause data loss.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: File and Directory Permissions Modification (T1222)
    Required data: Gcp Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Exfiltrate information.
    Investigative actions: Check which data exists in the modified bucket and its classification. Look for events that involve actions for the bucket data.
  • GCP VPC Firewall Rule Deletion Informational Cloud

    A GCP VPC firewall rule was deleted. An attacker might use this technique to access restricted resources.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)
    Required data: Gcp Audit Log
    Attacker's goals: Access restricted resources.
    Investigative actions: Check if there were any network attempts that fit the deleted rule. Check The cloud identity activity prior/after to the rule deletion.
  • GCP data asset shared public Low Cloud

    The GCP data asset was publicly shared.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: Gcp Audit Log
    Detector tags: Cloud Data Asset Public Exposure, Data Detection & Response
    Attacker's goals: The attacker wants to maintain indirect control over the resource. The attacker intends to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.
    Investigative actions: Check if the identity intended to change the state of the data asset to public. Change the access policy for the affected asset. Restrict permissions for the identity if needed.
  • GCP logging sink deletion Informational Cloud 1 variation

    A GCP logging sink entity was deleted. Logs that match the logging sink rule will not arrive at their destination.An attacker might use this technique to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Gcp Audit Log
    Attacker's goals: Evade detection by limiting collected data.
    Investigative actions: Identify the logs impacted by the deletion. Review cloud identity activity before and after the deletion.

    Variations

    GCP logging sink deletion

    Low overridden

    A GCP logging sink entity was deleted. Logs that match the logging sink rule will not arrive at their destination.An attacker might use this technique to evade detection. overridden

  • GCP logging sink modification Informational Cloud 2 variations

    A GCP logging sink entity was modified. Logs that match the logging sink rule will not arrive at their destination. An attacker might use this technique to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Gcp Audit Log
    Attacker's goals: Evade detection by limiting collected data.
    Investigative actions: Identify the relevant logs impacted by the modification. Review The cloud identity activity before and after the logging sink modification.

    Variations

    GCP logging sink modification

    Medium overridden

    A GCP logging sink entity was modified. Logs that match the logging sink rule will not arrive at their destination. An attacker might use this technique to evade detection. overridden

    GCP logging sink modification

    Low overridden

    A GCP logging sink entity was modified. Logs that match the logging sink rule will not arrive at their destination. An attacker might use this technique to evade detection. overridden

  • Globally uncommon IP address connection from a signed process Informational 3 variations

    A signed process connected to an external IP address that, on a global level, it usually doesn't connect to.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.
    Investigative actions: Verify the destination IP address reputation. Check whether the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Verify whether the process execution and connections are legitimate.

    Variations

    Globally uncommon IP address connection from an injected thread in a signed process

    Medium overridden

    An injected thread in a signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon IP address connection from a signed process from a known vendor

    Medium overridden

    A signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon and very rare IP address connection from a signed process

    Low overridden

    A signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

  • Globally uncommon high entropy module was loaded Informational 1 variation

    A module with high entropy and a globally uncommon hash was loaded.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Obfuscated Files or Information (T1027)
    Required data: XDR Agent
    Attacker's goals: Adversaries may attempt to make an executable difficult to discover or analyze by compressing, encrypting, encoding, or otherwise obfuscating its contents.
    Investigative actions: Check if the module is either compressed, encrypted, obfuscated or packed.

    Variations

    Globally uncommon high entropy module was loaded by process which was executed by a scheduled task

    Low overridden

    A module with high entropy and a globally uncommon hash was loaded. overridden

  • Globally uncommon high entropy process was executed Informational 4 variations

    A process with high entropy and a globally uncommon hash was executed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Obfuscated Files or Information (T1027)
    Required data: XDR Agent
    Attacker's goals: Adversaries may attempt to make an executable difficult to discover or analyze by compressing, encrypting, encoding, or otherwise obfuscating its contents.
    Investigative actions: Check if the process' file is either compressed, encrypted, obfuscated or packed.

    Variations

    Globally uncommon high entropy process was executed by an untrusted CGO

    Low overridden

    A process with high entropy and a globally uncommon hash was executed by an untrusted CGO. overridden

    Globally uncommon high entropy process was executed by a web server process or CGO

    Low overridden

    A process with high entropy and a globally uncommon hash was executed by a web server process or CGO. overridden

    Globally uncommon high entropy process was extracted from an internet-downloaded archive and executed

    Low overridden

    A process with high entropy and a globally uncommon hash was extracted from an internet-downloaded archive and executed. overridden

    Globally uncommon high entropy process was downloaded from an uncommon source and executed

    Low overridden

    A process with high entropy and a globally uncommon hash was downloaded from an uncommon source and executed. overridden

  • Globally uncommon image load from a signed process Informational 5 variations

    A signed process loaded a DLL that, on a global level, it usually doesn't load.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Hijack Execution Flow: DLL (T1574.001)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics, DLL Hijacking Analytics
    Attacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.
    Investigative actions: Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon image load from a signed process from a known vendor

    Medium overridden

    A signed process loaded a DLL that, on a global level, it usually doesn't load. overridden

    Globally uncommon unsigned image side loaded to a signed process

    Medium overridden

    A signed process side loaded an unsigned DLL that, on a global level, it usually doesn't load. overridden

    Globally uncommon and very rare image load from a signed process

    Medium overridden

    A signed process loaded a DLL that, on a global level, it usually doesn't load. overridden

    Globally uncommon image load from an injected thread in a signed process

    Low overridden

    An injected thread in a signed process loaded a DLL that, on a global level, it usually doesn't load. overridden

    Globally uncommon DLL was downloaded from an uncommon source and loaded by a signed process

    Low overridden

    A signed process loaded a DLL that, on a global level, it usually doesn't load. overridden

  • Globally uncommon injection from a signed process Informational 3 variations

    A signed process injected into another process that it does not normally target at a global level.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Process Injection (T1055) Compromise Host Software Binary (T1554)
    Required data: XDR Agent
    Detector tags: Injection Analytics, Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.
    Investigative actions: Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon suspicious injection from a signed process

    Medium overridden

    A non-injected thread in a signed process with a suspicious injection type injected into another process that it does not normally target at a global level. overridden

    Globally uncommon injection from a signed process which was executed by a scheduled task

    Low overridden

    A signed process injected into another process that it does not normally target at a global level. overridden

    Globally uncommon injection from a signed process

    Low overridden

    A signed process injected into another process that it does not normally target at a global level. overridden

  • Globally uncommon root domain from a signed process Low 4 variations

    A signed process connected to an external domain that, on a global level, it usually doesn't connect to.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.
    Investigative actions: Check the destination domain reputation. Check if the actor process loaded a suspicious dll before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon root domain from an injected thread in a signed process

    High overridden

    An injected thread in a signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root domain from a signed process

    High overridden

    A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root domain from a signed process

    High overridden

    A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root domain from a signed process

    Medium overridden

    A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden

  • Globally uncommon root-domain port combination from a signed process Low 4 variations

    A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.
    Investigative actions: Check the destination domain reputation. Check if the actor process loaded a suspicious dll before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon root-domain port combination from an injected thread in a signed process

    High overridden

    An injected thread in a signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root-domain port combination from a signed process

    High overridden

    A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root-domain port combination from a signed process

    High overridden

    A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root-domain port combination from a signed process

    Medium overridden

    A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden

  • Hidden Attribute was added to a file using attrib.exe Informational

    Hidden attribute was added to a file using attrib.exe, adversaries may set files to be hidden to evade detection mechanisms.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001)
    Required data: XDR Agent
    Attacker's goals: Hide malware or staged files from standard file explorers.
    Investigative actions: Check if the hidden file is malicious. Verify if the process executing the command is malicious. Check for more suspicious actions done by the user and process.
  • Indicator blocking Informational 1 variation

    Auditing or logging configuration changes on Linux host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Indicator Blocking (T1562.006)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Impairing host defenses.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Indicator blocking in a Kubernetes pod

    Low overridden

    Auditing or logging configuration changes on Linux host. overridden

  • Indirect command execution using the Program Compatibility Assistant Medium

    Pcalua.exe (Program Compatibility Assistant) is used for running old programs that have compatibility issues. Attackers can use pcalua.exe to indirectly execute their malicious programs.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Indirect Command Execution (T1202)
    Required data: XDR Agent
    Attacker's goals: Evading detection by indirectly executing their malicious programs.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Injection into rundll32.exe Informational 1 variation

    A process injected into an instance of rundll32.exe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
    Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Injection into rundll32.exe which was executed by a scheduled task

    Low overridden

    A process injected into an instance of rundll32.exe. overridden

  • Iptables configuration command was executed Informational 7 variations

    The iptables process was executed with a command to add or delete rules on the host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)
    Required data: XDR Agent
    Attacker's goals: Adding or deleting system firewalls rules to avoid possible detection.
    Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.

    Variations

    Rare iptables port forward command was executed

    Low overridden

    An iptables command was executed to perform port forward, This command is unpopular. overridden

    Uncommon iptables port forward command was executed on the host

    Informational overridden

    An iptables command was executed to perform port forward, This command is uncommon for the host. overridden

    Rare iptables delete command was executed

    Low overridden

    An iptables command was executed to delete rule, This command is unpopular. overridden

    A rare iptables delete command was executed on the host

    Informational overridden

    An iptables command was executed to delete rule, This command is uncommon for the host. overridden

    A rare iptables flush all command was executed

    Low overridden

    An iptables command was executed to flush all rules, This command is unpopular. overridden

    A rare iptables flush command was executed

    Low overridden

    An iptables command was executed to flush all rules, This command is unpopular. overridden

    A rare iptables flush command was executed on the host

    Informational overridden

    An iptables command was executed to flush rules, This command is uncommon for the host. overridden

  • Kubernetes cluster events deletion Informational Cloud

    Kubernetes cluster events deletion.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Adversaries may delete Kubernetes events to avoid possible detection.
    Investigative actions: Check whether these changes are expected.
  • LOLBAS executable injects into another process Informational 1 variation

    A signed binary, which can be abused to run code, injected code to another process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: Gain code execution on the host and evade security controls.
    Investigative actions: Check whether the injecting process is benign, and if this was a desired behavior as part of its normal execution flow.

    Variations

    LOLBAS executable injects into another process under an uncommon CGO

    Low overridden

    A signed binary, which can be abused to run code, injected code to another process. overridden

  • Linux system firewall was modified Low

    The system firewall was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Exfiltrate data or move laterally in the organization.
    Investigative actions: Examine the command to understand which IPs or ports were affected. Check the communication allowed by the modified firewall rule.
  • Logging was impaired via external encryption key Medium Cloud

    The resource was configured with an external key This might be an attempt to disrupt log inspection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Manipulation (T1565) Impair Defenses (T1562)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Modifying the key used to encrypt the logs to remain undetected.
    Investigative actions: Check the identity that updated the resource configuration. Check the key used to encrypt the logs.
  • Login by a dormant user Informational Identity Analytics 1 variation

    A dormant user logged on after having been unused for a month or longer.This may indicate the account is misused by an attacker.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: XDR Agent
    Attacker's goals: Use a compromised user account that has not been used for a long time and is therefore less likely to be noticed.
    Investigative actions: Confirm that the activity is benign (e.g. the user returned from a long leave of absence). See whether there are other abnormal actions done by the user (e.g. files\commands\other logins). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.

    Variations

    Cached interactive login by a dormant user

    Informational overridden

    A dormant user logged on after having been unused for a month or longer.This may indicate the account is misused by an attacker. overridden

  • MFA device was removed/deactivated from an IAM user Informational Cloud

    Deactivate an MFA device and disassociate it from an IAM user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Attacker's goals: This may allow an attacker to gain access to the IAM user.
    Investigative actions: Check if IAM requires MFA to be enabled.
  • MFA was disabled for a Google Workspace user Informational Identity Threat Module 2 variations

    Multi-Factor Authentication (MFA) has been disabled for a Google Workspace user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Authentication Process: Multi-Factor Authentication (T1556.006)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may impair defenses by disabling Multi-Factor Authentication (MFA) to maintain persistence and evade detection.
    Investigative actions: Verify if the MFA disablement was authorized. Investigate the source IP and User Agent for previous malicious activity or anomalies. Follow further actions done by the user and IP address.

    Variations

    MFA was disabled for a Google Workspace administrative user

    Medium overridden

    Multi-Factor Authentication (MFA) has been disabled for a Google Workspace user. overridden

    MFA was disabled for a Google Workspace user by a different account for the first time

    Low overridden

    Multi-Factor Authentication (MFA) has been disabled for a Google Workspace user. overridden

  • MFA was disabled for an Azure identity Low Identity Threat Module 2 variations

    MFA was disabled for the user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Modify Authentication Process (T1556)
    Required data: AzureAD Audit Log
    Attacker's goals: This allows the attacker to connect using this account without the need for the additional layer of authentication.
    Investigative actions: Follow further actions by the initiator. Check the login activity from this account. Follow further actions done by this account.

    Variations

    Suspicious MFA was disabled for an Azure identity

    Medium overridden

    MFA was disabled for the user. overridden

    MFA was disabled for an Azure identity regularly by the user

    Informational overridden

    MFA was disabled for the user. overridden

  • MSI accessed a web page running a server-side script Informational 1 variation

    The Microsoft installer command line included a URL to a web page running a server-side script, which is suspicious.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution (T1218)
    Required data: XDR Agent
    Attacker's goals: An attacker may use this technique to install a malicious tool from a remote server.
    Investigative actions: Check whether the URL is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    MSI accessed a web page running a server-side script

    High overridden

    MSI on an internet-facing server accessed a web page running a server-side script. overridden

  • Masquerading as a default local account Low Identity Analytics 3 variations

    A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Hide Artifacts: Hidden Users (T1564.002) Valid Accounts: Default Accounts (T1078.001) Masquerading (T1036)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Check what rights and permissions were granted to the new user. Verify the action with the user who created the new account. Follow actions and activities of the newly created default account. Monitor the addition of the user to different groups.

    Variations

    Masquerading as a default local account for the first time

    Medium overridden

    A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection. overridden

    Potential masquerading as a power user account

    Low overridden

    A user created a new local account with the name of a privileged local account.This user does not regularly create accounts.An attacker may create a user with these known names to evade detection. overridden

    Masquerading as a default Administrator account

    Informational overridden

    A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection. overridden

  • Masquerading as the Linux crond process Low 1 variation

    Copies a file and renames it as crond.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading: Masquerade Task or Service (T1036.004)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may masquerade as the crond executable.
    Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.

    Variations

    Masquerading as the Linux crond process from a Kubernetes pod

    Low overridden

    Copies a file and renames it as crond. overridden

  • Microsoft 365 DLP policy disabled or removed Informational Identity Threat Module Email 1 variation

    A user disabled or removed a Microsoft 365 data loss prevention (DLP) policy, which may indicate DLP monitoring evasion.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to bypass Microsoft 365 Data Loss Prevention (DLP) policies.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Monitor the user's activity for any access to sensitive data or data exfiltration. Investigate if any other security policies have been changed or removed.

    Variations

    Rare Microsoft 365 DLP policy removal

    Low overridden

    A user disabled or removed a Microsoft 365 data loss prevention (DLP) policy, which may indicate DLP monitoring evasion. overridden

  • Microsoft Office injects code into a process Low 5 variations

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)
    ATT&CK techniques: Phishing: Spearphishing Attachment (T1566.001) Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: An attacker attempts to gain code execution via a phishing document. Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
    Investigative actions: Check the source of the document (received by mail or loaded locally). Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Unsigned Microsoft Office injects code into a process

    High overridden

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden

    Microsoft Office injects code into a process to a non-standard PE section

    High overridden

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden

    Microsoft Office injects code into a process to an undeclared memory page

    Medium overridden

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden

    Microsoft Office injects code into a process from an unsigned process

    Medium overridden

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden

    Microsoft Office macro-enabled spreadsheet (XLSM) injects code into a process

    Medium overridden

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden

  • Microsoft Teams application setup policy was modified Informational Identity Threat Module 1 variation

    Microsoft Teams the application setup policy, which is responsible for application management, was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Impair Defenses (T1562) Cloud Application Integration (T1671)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may modify the application setup policy to maintain persistent access to compromised Teams accounts and conversations.
    Investigative actions: Determine if it is within the user's role to modify the policy. Verify whether the modification of the policy is both legitimate and necessary. If the policy change causes an application installed for the whole organization, confirm that the application was created by a certified and trusted entity. Correlate the event with its sign-in event to get additional information on the identity performing the action using the session ID or the unique token identifier.

    Variations

    A user changed the Microsoft Teams application setup policy for the first time

    Low overridden

    Microsoft Teams the application setup policy, which is responsible for application management, was modified. overridden

  • Microsoft Teams external communication policy was modified Informational Identity Threat Module 1 variation

    Microsoft Teams external communication policy was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Exfiltration (TA0010)
    ATT&CK techniques: Impair Defenses (T1562) Exfiltration Over Alternative Protocol (T1048)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may modify the external communication policy to enable data exfiltration or to hide their activities.
    Investigative actions: Determine if it is within the user's role to modify the policy. Verify whether the modification of the policy is both legitimate and necessary. Follow further communication with the external tenant or allowed tenants. Correlate the event with its sign-in event to get additional information on the identity performing the action using the session ID.

    Variations

    Microsoft Teams external communication policy was modified by an unusual user

    Low overridden

    Microsoft Teams external communication policy was modified. overridden

  • Modification of PAM Informational 1 variation

    Modification of PAM configuration files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005) Credential Access (TA0006)
    ATT&CK techniques: Modify Authentication Process: Pluggable Authentication Modules (T1556.003)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Credential access, defense evasion or persistence.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Modification of PAM from a Kubernetes pod

    Informational overridden

    Modification of PAM configuration files. overridden

  • Modification of the AD FS IdentityServer configuration file Informational Identity Analytics 1 variation

    The AD FS service configuration file was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow (T1574)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Federation Services Analytics
    Attacker's goals: The attacker's goal is to establish a persistent, high-privilege backdoor by forcing the service to load a malicious configuration that enables remote code execution and the bypass of security controls like MFA.
    Investigative actions: Check if the AD FS service was stopped or restarted around the time of modification. Investigate the process and user that performed the write operation for signs of compromise.

    Variations

    Suspicious Modification of the AD FS IdentityServer configuration file

    Low overridden

    The AD FS service configuration file was modified. overridden

  • Mshta.exe launched with suspicious arguments Low

    Microsoft HTML application host process has been launched with suspicious arguments, which may indicate malicious intent.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Mshta (T1218.005)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host and evade security controls.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Mshta.exe spawns from a browser process Low 1 variation

    Mshta is the Microsoft HTML Application Host. It executes HTML applications on Windows. Detected when a browser process has spawned mshta, which can be a potential attack vector.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Mshta (T1218.005)
    Required data: XDR Agent
    Attacker's goals: Execute malicious code through system binary proxy execution to bypass application controls and security monitoring.
    Investigative actions: Examine the command line arguments passed to mshta for suspicious URLs or file paths. Check the browser process that spawned mshta for signs of compromise. Review network connections around the time of execution. Analyze any HTML applications (.hta files) that may have been executed.

    Variations

    Mshta.exe spawns from a browser process that executes a script from a URL

    Medium overridden

    Mshta is the Microsoft HTML Application Host. It executes HTML applications on Windows. Detected when a browser process has spawned mshta, which can be a potential attack vector. overridden

  • Msiexec execution of an executable from an uncommon remote location Informational 2 variations

    Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Msiexec (T1218.007)
    Required data: XDR Agent
    Attacker's goals: Evading security controls and executing arbitrary files from the web.
    Investigative actions: Check execution of msiexec and the IP/Domain that used. Is the URL that is encoded in the command line trusted. Is executed DLL or MSI file known as legitimate. Is the initiating process legitimate and the user running it knows of its use.

    Variations

    Msiexec execution of an executable from an uncommon remote location with a specific port

    High overridden

    Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations. overridden

    Msiexec execution of an executable from an uncommon remote location without properties

    Medium overridden

    Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations. Execution without properties is more common in malware. overridden

  • Multi region enumeration activity Informational Cloud

    An internal identity performed an operation on multiple regions, considerably more than usual.This may indicate an attacker's attempt to identify all available resources in the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007) Defense Evasion (TA0005)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Unused/Unsupported Cloud Regions (T1535) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Discover cloud resources that are available within the environment and leverage them to perform additional attacks against the organization. Detect unused geographic regions and leverage them to evade detection of malicious operations.
    Investigative actions: Check the identity designation. Verify that the identity did not perform any operation in a region that it shouldn't.
  • New addition to Windows Defender exclusion list Low 1 variation

    Windows Defender keeps the exclusion list in the registry, and any addition to it will cause it to ignore a process, path or file extension.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Hide Artifacts: File/Path Exclusions (T1564.012) Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host and evade security controls.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the excluded object type (process, path or extension) and nature. Check if the excluded object is malicious.

    Variations

    New addition to Windows Defender exclusion list from an unsigned process

    Medium overridden

    Windows Defender keeps the exclusion list in the registry, and any addition to it will cause it to ignore a process, path or file extension. overridden

  • Office process spawned with suspicious command-line arguments Low 2 variations

    An Office process was executed with LOLBIN-like command-line arguments. This behavior is exhibited in the VBA-RunPE tool that executes executables from the memory of Word/Excel/PowerPoint.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection: Process Hollowing (T1055.012)
    Required data: XDR Agent
    Attacker's goals: Execute arbitrary code or run malicious applications undetected.
    Investigative actions: Check the file that spawns the office application and search for macros, formulas, or scripts.

    Variations

    Masqueraded office process spawned with suspicious command-line arguments

    Medium overridden

    An executable masquerading an office process was executed with LOLBIN-like command-line arguments. overridden

    PowerPoint process accesses a suspicious PPAM file

    Low overridden

    A PowerPoint process opened a PPAM file which might be used to execute malicious code. overridden

  • Ping to localhost from an uncommon, unsigned parent process Informational

    Ping is often used by malware and attackers to delay the execution of suspicious commands in sandbox environments.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Virtualization/Sandbox Evasion (T1497)
    Required data: XDR Agent
    Attacker's goals: Use ping as an easy way to wait to try and evade detection between executions.
    Investigative actions: Validate if the executing process is malicious.
  • Possible DCSync from a non domain controller Low 5 variations

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005)
    ATT&CK techniques: OS Credential Dumping: DCSync (T1003.006) Rogue Domain Controller (T1207)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Impacket Analytics
    Attacker's goals: An attacker is trying to retrieve Active Directory data, including password hashes.
    Investigative actions: Check whether one of the machines is a new domain controller.

    Variations

    DCSync from a non domain controller from a non-standard process

    High overridden

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden

    Large DCSync from a non domain controller by AppID

    Medium overridden

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden

    Large DCSync from a non domain controller

    Medium overridden

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden

    Possible DCSync from an internet-facing server

    Medium overridden

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden

    DCSync from a non domain controller

    Low overridden

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden

  • Possible DLL Hijack into a Microsoft process Informational 6 variations

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.
    Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.

    Variations

    Possible DLL Hijack of a low entropy DLL into a Microsoft process

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

    Possible DLL Side-Loading into a Microsoft process from a suspicious folder

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

    DLL Hijack into a Microsoft process

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

    Possible DLL Hijack into a Microsoft development or framework related process

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

    Possible DLL Hijack into a Microsoft process - the DLL was extracted from an internet-downloaded archive

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

    Possible DLL Hijack into a Microsoft process - the DLL downloaded from an uncommon source

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

  • Possible DLL Search Order Hijacking Low 3 variations

    An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001) Hijack Execution Flow: Path Interception by PATH Environment Variable (T1574.007) Hijack Execution Flow: Path Interception by Unquoted Path (T1574.009) Hijack Execution Flow: Path Interception by Search Order Hijacking (T1574.008)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.
    Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.

    Variations

    Possible DLL Search Order Hijacking by DLL Substitution

    Low overridden

    An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden

    Possible DLL Search Order Hijacking - DLL extracted from an internet-downloaded archive

    Low overridden

    An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden

    Possible DLL Search Order Hijacking - DLL downloaded from an uncommon source

    Low overridden

    An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden

  • Possible binary padding using dd Informational

    A suspicious dd command ran and added data to a binary. This may indicate binary padding to change the hash of a file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Obfuscated Files or Information: Binary Padding (T1027.001)
    Required data: XDR Agent
    Attacker's goals: An adversary may use binary padding to avoid hash-based blacklists and static antivirus signatures.
    Investigative actions: Check the padded file and try to understand the impact of padding this specific binary.
  • Possible code downloading from a remote host by Regsvr32 Medium

    Regsvr32 may be used to fetch arbitrary code from a remote host and execute it without dropping the payload onto the disk. Known to be used for malicious purposes.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Regsvr32 (T1218.010)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host and evade security controls.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Possible data obfuscation Informational 1 variation

    A command that can be used for file obfuscation was executed with an uncommon command line.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Deobfuscate/Decode Files or Information (T1140)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may use obfuscated files to cover their tracks.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Possible data obfuscation in a Kubernetes pod

    Low overridden

    A command that can be used for file obfuscation was executed with an uncommon command line. overridden

  • Possible malicious .NET compilation started by a commonly abused process Medium

    Attackers may use csc.exe to compile payloads on a compromised machine.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Obfuscated Files or Information: Compile After Delivery (T1027.004)
    Required data: XDR Agent
    Attacker's goals: Compile payloads on the host to evade detection.
    Investigative actions: Investigate the payload being compiled. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Potential DCSync by an unusual user Informational Identity Analytics 1 variation

    Attackers may leverage the domain replication process to extract sensitive information (DCSync).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping: DCSync (T1003.006) Rogue Domain Controller (T1207)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker is trying to retrieve Active Directory data, including password hashes.
    Investigative actions: Check the role of the account, and see if it should initiate a DC synchronization. Check if the account performing the DCSync is related to a new DC. Find the source host of the DCSync (correlate between event 4662 and 4624 based on the field 'Logon ID'). Check if the account was recently added to an administrative groups/had new sensitive privileges assigned to it. Monitor suspicious traffic to/from the host to identify lateral movement or access to sensitive resources.

    Variations

    Possible DCSync by an unusual user

    Low overridden

    Attackers may leverage the domain replication process to extract sensitive information (DCSync). overridden

  • Potential extraction of NAA Account Credentials in Microsoft Configuration Manager Low Identity Analytics 1 variation

    Possible user attempt to deobfuscate Network Access Account (NAA) credentials in Microsoft Configuration Manager. This may indicate a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005)
    ATT&CK techniques: Unsecured Credentials (T1552) Deobfuscate/Decode Files or Information (T1140) Credentials from Password Stores (T1555)
    Required data: Azure Audit Log AzureAD AzureAD Audit Log Microsoft Graph Logs Office 365 Audit Okta Okta Audit Log Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Global Protect Third-Party VPNs Slack Audit Log XDR Agent XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: An attacker may extract plaintext credentials of the Network Access Account (NAA) from an SCCM environment to access resources and lateral movement within the network.
    Investigative actions: Verify the activity with the performing user. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Look for unusual logins using the Network Access Account (NAA), on systems or at times that deviate from normal patterns. Looking for signs of credential extraction, such as tools or scripts.

    Variations

    Suspicious extraction of NAA Account Credentials in Microsoft Configuration Manager

    Medium overridden

    Possible user attempt to deobfuscate Network Access Account (NAA) credentials in Microsoft Configuration Manager. This may indicate a compromised account. overridden

  • Potential spoofing of internal domain spotted Informational Email

    An external sender is possibly impersonating an employee by spoofing the company's internal address.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)
    ATT&CK techniques: Phishing (T1566) Impersonation (T1656)
    Required data: Microsoft 365 Emails
    Detector tags: Employee Impersonation, Spear Phishing
    Attacker's goals: Get credentials for internal systems. Executing financial transfers from the company to the attacker's account. Extracting information outside the company. Encrypting critical information and demanding a ransom.
    Investigative actions: Check the received header path, especially the sender host. Check DMARC, SPF AND DKIM authentication results. Verify whether the sender's IP address has appeared in different log sources before and its reputation. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Procdump executed from an atypical directory Medium

    Procdump.exe is a SysInternals tool used to dump process memory; it can be used to dump lsass.exe memory to extract credentials.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Credential Access (TA0006)
    ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001) OS Credential Dumping: LSASS Memory (T1003.001)
    Required data: XDR Agent
    Attacker's goals: Attackers may attempt to dump the memory of sensitive processes.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Punycode characters detected in URL(s) Informational Email

    Punycode character(s) detected within URL(s) in email content.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Masquerading (T1036) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Cause a different URL to be presented to the user as a legitimate URL, prompting user engagement.
    Investigative actions: Examine the sender's IP address and reputation. Check the email address and content for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Rare security product signed executable executed in the network Low

    Attackers may attempt to install a security product with a known vulnerability to bypass security features.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Exploitation for Defense Evasion (T1211)
    Required data: XDR Agent
    Attacker's goals: Adversaries may exploit the application vulnerability to bypass security features.
    Investigative actions: Check if the security product was installed by a legitimate user and intentionally.
  • Rare service DLL was added to the registry Low 2 variations

    A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Masquerading: Masquerade Task or Service (T1036.004) Create or Modify System Process: Windows Service (T1543.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Malicious Service Analytics
    Attacker's goals: Masquerade execution on the host using a benign Windows process and achieve persistence.
    Investigative actions: Investigate the suspicious DLL and check for malicious content. Go to the service registry key and investigate it to find the associated executable that runs the service. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Rare service DLL was added to the registry from an injected thread

    Medium overridden

    A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware. overridden

    Rare service DLL was added to the registry from a rare unsigned actor process

    High overridden

    A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware. overridden

  • Rare signature signed executable executed in the network Informational 4 variations

    Attackers may use signed executables by less known vendors to bypass security features.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Subvert Trust Controls: Code Signing (T1553.002)
    Required data: XDR Agent
    Attacker's goals: Adversaries may use signed binaries to bypass security features.
    Investigative actions: Check if this is legitimate software installed by a legitimate user and intentionally.

    Variations

    Rare signature signed forensic tool remotely executed in the network

    Medium overridden

    Attackers may use signed executables by less known vendors to bypass security features. overridden

    Rare signature signed forensic tool executed in the network

    Low overridden

    Attackers may use signed executables by less known vendors to bypass security features. overridden

    Rare signature signed executable extracted from an internet-downloaded archive and executed in the network

    Low overridden

    Attackers may use signed executables by less known vendors to bypass security features. overridden

    Rare signature signed executable downloaded from an uncommon source and executed in the network

    Low overridden

    Attackers may use signed executables by less known vendors to bypass security features. overridden

  • Registration of Uncommon .NET Services and/or Assemblies Informational

    Regasm.exe and regsvcs.exe are used to register .NET COM assemblies, which are typically located in specific paths, attackers might leverage that to execute code within a Microsoft signed binary.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Regsvcs/Regasm (T1218.009)
    Required data: XDR Agent
    Attacker's goals: Load untrusted code into a trusted Microsoft context to evade detection.
    Investigative actions: Verify if the loaded dll is known to be malicious. Track down which process dropped the library being loaded. Validate if the actions being done by the regasm.exe process are malicious.
  • Removal of an Azure Owner from an Application or Service Principal Informational Cloud 1 variation

    An Azure Owner was removed from an application or service principal. This may indicate malicious activity or unauthorized access to the application or service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Indicator Removal (T1070)
    Required data: Azure Audit Log
    Attacker's goals: Remove owners from applications for full control of the application or service principal. Manipulate or delete data stored in the Azure environment.
    Investigative actions: Check the Azure Activity Log to identify which user removed the Azure Owner. Check the Azure Role Assignments to identify the current Azure Owners. Check the Application or Service Principal to identify if any changes have been made.

    Variations

    Removal of an Azure AD privileged user from an Application or Service Principal

    Low overridden

    An Azure Owner was removed from an application or service principal. This may indicate malicious activity or unauthorized access to the application or service. overridden

  • Rundll32.exe executes a rare unsigned module Low 2 variations

    Rundll32.exe executes a rare unsigned module, which can indicate an attacker's malicious execution.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Rundll32 (T1218.011)
    Required data: XDR Agent
    Attacker's goals: Evading detections by running code from a signed Microsoft executable.
    Investigative actions: Check whether the loaded module with the corresponding hash is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Rundll32.exe executes a rare unsigned module with very high entropy

    Medium overridden

    Rundll32.exe executes a rare unsigned module, which can indicate an attacker's malicious execution. The module executed by Rundll32 has very high entropy. overridden

    Rundll32.exe executes a rare unsigned module with suspicious characteristics

    Medium overridden

    Rundll32.exe executes a rare unsigned module, which can indicate an attacker's malicious execution. overridden

  • Rundll32.exe running with no command-line arguments Medium

    Rundll32.exe is meant to run with parameters, so the absence of them is extremely suspicious; this behavior is used in the default configuration of Cobalt Strike.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Rundll32 (T1218.011)
    Required data: XDR Agent
    Attacker's goals: Run as a signed Microsoft executables to avoid detection. Rundll32 is the default process used by Cobalt Strike for running post-exploitation tools.
    Investigative actions: Check for any injection event to the Rundll32 process. Check the causality of execution for any injections.
  • Rundll32.exe spawns conhost.exe Medium

    This unusual parent-child process relationship may indicate that an attacker has abused rundll32.exe to run a console-based application such as PowerShell.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Rundll32 (T1218.011)
    Required data: XDR Agent
    Attacker's goals: Evading detections by running code from a signed Microsoft executable.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Scheduled Task hidden by registry modification Low

    Attackers may try to hide a Scheduled Task by deleting the Scheduled Task's software descriptor (SD) value in the registry.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Registry (T1112) Hide Artifacts (T1564)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversaries may hide their malicious Scheduled Task to evade detection.
    Investigative actions: Check the appropriate Scheduled Task to verify its legitimacy. You can also check the executing executable to verify its purpose.
  • Security object deletion in Google Workspace Admin Console Informational Identity Threat Module 1 variation

    A security object was deleted in Google Workspace Admin Console.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may modify or disable security rules to avoid detection of their activities.
    Investigative actions: Investigate the security object name deleted and whether it was intended. Check if the user was recently granted new elevated permissions that allowed them to delete security rules. Follow other administrative or suspicious actions performed by this user around the same time.

    Variations

    Security object deletion in Google Workspace Admin Console for the first time

    Low overridden

    A security object was deleted in Google Workspace Admin Console. overridden

  • Security tools detection attempt Informational

    A script has executed commands that can be used to detect security tools.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Discovery (TA0007)
    ATT&CK techniques: Virtualization/Sandbox Evasion (T1497) Virtualization/Sandbox Evasion: System Checks (T1497.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Avoid detection by identifying execution alongside security tools that may alert on a malicious script.
    Investigative actions: Review the script for additional malicious actions. Check for any additional alerts raised within the same context of the script.
  • Setuid and Setgid file bit manipulation Low 1 variation

    The setuid or setgid bits were set on a file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Abuse Elevation Control Mechanism: Setuid and Setgid (T1548.001)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may try to run the executable application as a different user.
    Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.

    Variations

    Setuid and Setgid file bit manipulation in a Kubernetes pod

    Low overridden

    The setuid or setgid bits were set on a file. overridden

  • Short-lived Azure AD user account Informational Identity Threat Module 1 variation

    An Azure AD user was created and deleted within a short period of time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: Evasion using a valid account.
    Investigative actions: Check the user who created the account and verify the activity. Confirm that the account creation was not accidental.

    Variations

    Abnormal Short-lived Azure AD user account

    Low overridden

    An Azure AD user was created and deleted within a short period of time. overridden

  • Short-lived user account Low Identity Analytics 2 variations

    A user was created and deleted within a short period of time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Evasion using a valid account.
    Investigative actions: Check the user who created the account and verify the activity. Confirm that the account creation was not accidental.

    Variations

    Abnormal short-lived user account

    Low overridden

    A user was observed creating and deleting an account a short time later. This user does not regularly create and delete accounts. overridden

    Short-lived hidden user account

    Medium overridden

    A user was created with a name that mimics a machine account and later deleted within a short period of time. This may be an attacker's attempt to evade detection. overridden

  • Signed process performed an unpopular DLL injection Informational 4 variations

    A signed process performed an unpopular DLL injection into another process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
    Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Signed process that got injected performed an unpopular and suspicious dll injection

    High overridden

    A signed process performed an unpopular DLL injection into another process. overridden

    Signed process that got injected performed an unpopular and suspicious dll injection

    Medium overridden

    A signed process performed an unpopular DLL injection into another process. overridden

    Signed process that got injected performed an unpopular dll injection

    Medium overridden

    A signed process performed an unpopular DLL injection into another process. overridden

    Signed process performed an unpopular DLL injection

    Low overridden

    A signed process performed an unpopular DLL injection into another process. overridden

  • Signed process performed an unpopular injection Informational 6 variations

    A signed process performed an unpopular injection to another process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
    Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Signed process that got injected performed an unpopular and suspicious injection

    Medium overridden

    A signed process performed an unpopular injection to another process. overridden

    Signed process that got injected performed an unpopular and suspicious injection

    Medium overridden

    A signed process performed an unpopular injection to another process. overridden

    Signed process that got injected performed an unpopular injection

    Medium overridden

    A signed process performed an unpopular injection to another process. overridden

    Commonly abused signed process performed a globally unpopular injection to a Microsoft signed process

    Medium overridden

    A signed process performed an unpopular injection to another process. overridden

    Signed process performed an unpopular injection

    Low overridden

    A signed process performed an unpopular injection to another process. overridden

    Signed process executed by a scheduled task performed an unpopular injection

    Low overridden

    A signed process performed an unpopular injection to another process. overridden

  • Space after filename Informational

    A file was created or renamed to have a space at the end of its name.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading: Space after Filename (T1036.006)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers may try to change the extension of the file to evade detection.
    Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.
  • Suspicious .NET process loads an MSBuild DLL Medium

    A suspicious process in the Microsoft .NET directory loaded the Microsoft Build Framework DLL. This may occur if an attacker masquerades a process like MSBuild (PowerLessShell).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Trusted Developer Utilities Proxy Execution: MSBuild (T1127.001)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host and evade security controls.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Suspicious AMSI decode attempt Informational

    A script has executed commands that can be used to decode commands or files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Minute
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Deobfuscate/Decode Files or Information (T1140)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Avoid security mitigations and detections.
    Investigative actions: Check the payload for malicious activity.
  • Suspicious DKIM Result Informational Email 4 variations

    The email contains a suspicious DKIM entry, showing either an unexpected verification result (none, fail, or policy) or a mismatched signing domain, which may indicate potential tampering or spoofing activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impersonation (T1656)
    Required data: Microsoft 365 Emails
    Detector tags: Spoofing
    Attacker's goals: Impersonate internal users or familiar individuals and trick them into clicking on malicious links or attachments.
    Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. Examine the sender's IP address and reputation, and check why DKIM didn't pass. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    Known domain DKIM deviation

    Informational overridden

    An email was sent from a commonly seen domain in the organization, that has historically passed DKIM checks, but returned a suspicious DKIM result of fail This deviation may indicate an attempt to spoof or impersonate a legitimate external sender. Such sudden DKIM outcome from a previously trusted external domain warrants further investigation. overridden

    Lack DKIM signature from typically signing domains

    Informational overridden

    An email was sent from a domain that has historically passed DKIM checks, but returned a suspicious DKIM result of none A none DKIM result implies on an unsigned email, which is atypical for domains with previous signed messages. This deviation may indicate an attempt to spoof or impersonate a legitimate external sender. Such sudden DKIM outcome from a previously trusted external domain warrants further investigation. overridden

    DKIM results lacking sender correlation

    Informational overridden

    The email's authentication results have no indication of proper signing from the email's sender This deviation may indicate an attempt to spoof or impersonate a legitimate external sender. overridden

    Known domain suspicious DKIM result

    Informational overridden

    An email was sent from a commonly seen domain that had no other suspicious DKIM outcomes for the past 30 days. This may indicate an attempt to spoof or impersonate a legitimate external sender. overridden

  • Suspicious DMARC result Informational Email 3 variations

    The email has a suspicious DMARC result of either fail or none, which may indicate a potential domain misconfiguration or spoofing.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impersonation (T1656)
    Required data: Microsoft 365 Emails
    Detector tags: Spoofing
    Attacker's goals: Trick users into clicking on malicious links or attachments.
    Investigative actions: Check the email address for any unusual spellings. Check the email address for any missing letters. Check the reason DMARC didn't pass and the action. Check if the email was delivered to the recipients based on the action taken, even though DMARC did not pass. Verify whether the sender's IP address has appeared in different log sources before and its reputation. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    DMARC deviation from historically compliant domain

    Informational overridden

    This deviation may indicate an attempt to spoof or impersonate a legitimate external sender. Such sudden DMARC outcome from a previously trusted external domain warrants further investigation. overridden

    DMARC failure bypassed domain policy

    Informational overridden

    This indicates the message should have been rejected according to the domain owner policy, but was instead accepted and delivered, potentially exposing the user to email spoofing or phishing. This suggests a potential policy bypass or misconfiguration in mail filtering. overridden

    DMARC failed with non-enforcing policy

    Informational overridden

    This may indicate an overly permissive DMARC configuration on the sender side and could allow unauthenticated messages to reach users' inboxes. Such configurations are often exploited in phishing or spoofing campaigns, and should be treated with caution. overridden

  • Suspicious DotNet log file created Low 3 variations

    Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Reflective Code Loading (T1620) Process Injection (T1055)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Run/Inject DotNet code in the context of a signed process.
    Investigative actions: Verify if the actor process is using DotNet in a valid way. Check if a new application was recently installed on the host at the time of the alert.

    Variations

    DotNet log file created by svchost from 'Absolute software Corp' causality

    Informational overridden

    Causality 'Absolute software Corp' loads/injects into svchost and creates DotNet log files. overridden

    Suspicious DotNet log file created from an injected thread

    Low overridden

    Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files. overridden

    Suspicious DotNet log file created

    Low overridden

    Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files. overridden

  • Suspicious Process Spawned by wininit.exe Medium

    An unusual process was spawned by wininit.exe, possibly indicating malicious local or remote code execution.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading (T1036)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Suspicious SPF Result Informational Email 3 variations

    The email has a suspicious SPF result of fail, soft fail, or policy, which may indicate a potential domain misconfiguration or spoofing.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impersonation (T1656)
    Required data: Microsoft 365 Emails
    Detector tags: Spoofing
    Attacker's goals: Trick users into clicking on malicious links or attachments.
    Investigative actions: Check the email address for any unusual spellings. Check the email address for any missing letters. Verify the sender's domain to confirm its legitimacy. Examine the sender's IP address and reputation. Verify the domain's connection to the IP address and investigate the reason SPF didn't pass. Verify whether the sender's IP address has appeared in different log sources before. Verify if the sender's IP address is identifiable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    Internal domain SPF deviation

    Informational overridden

    An email was sent from an internal root domain that has historically passed SPF checks, but returned a suspicious SPF result of fail, soft fail, or policy for the first time in the past 30 days. This deviation may indicate an attempt to spoof or impersonate a trusted internal sender, a tactic commonly associated with BEC and internal phishing. Such a sudden SPF outcome from a typically trusted domain warrants further investigation. overridden

    Known domain SPF deviation

    Informational overridden

    An email was sent from a commonly seen domain that has historically passed SPF checks, but returned a suspicious SPF result of fail, soft fail, or policy for the first time in the past 30 days. This deviation may indicate an attempt to spoof or impersonate a legitimate external sender. Such a sudden SPF outcome from a previously trusted external domain warrants further investigation. overridden

    Known domain unusual SPF result

    Informational overridden

    A commonly seen root domain has returned a suspicious SPF result of fail, soft fail, or policy for the first time in the past 30 days. While other suspicious SPF outcomes may have occurred previously for this domain, this is the first instance of this particular SPF result. Such a shift in SPF behavior may signal evolving abuse tactics, domain misconfiguration, or an attempted spoof using unauthorized infrastructure. overridden

  • Suspicious SSH Downgrade Low 2 variations

    The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Defense Evasion (TA0005)
    ATT&CK techniques: Remote Services (T1021) Impair Defenses: Downgrade Attack (T1562.010)
    Required data: Palo Alto Networks Firewall EAL Logs
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: Attackers may attempt to move laterally over the network by exploiting problems in a lower version of SSH.
    Investigative actions: Audit the authentication attempts in the SSH server from the alerted host.If the source host authenticated to the SSH server, it may indicate that the attacker managed to connect to the remote host maliciously.

    Variations

    A Host Performed an SSH Downgrade For The First Time In The Last 30 Days

    Low overridden

    The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more. With a lower version than the source host used in the past. overridden

    A Target Server Performed an SSH Downgrade For The First Time In The Last 30 Days

    Low overridden

    The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more. With a lower version than the remote host used in the past. overridden

  • Suspicious SearchProtocolHost.exe parent process Medium

    SearchProtocolHost.exe has been launched from a process that is different from SearchIndexer.exeThis may indicate malicious activity (such as malware later being injected to it, or it being used for phantom DLL hijacking).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)
    ATT&CK techniques: User Execution (T1204) System Binary Proxy Execution (T1218)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host and evade security controls.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Suspicious Unicode character detected in email Informational Email 3 variations

    Unicode characters can be used for obfuscation, allowing malicious actors to disguise harmful intent, URLs or attachments By embedding non-printing Unicode characters, attackers can bypass security filters and evade detection mechanisms Such characters may also be used for phishing attempts that appear legitimate to both users and security systems.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading (T1036) Impersonation (T1656)
    Required data: Microsoft 365 Emails
    Detector tags: Evasion, Phishing
    Attacker's goals: Embedding suspicious Unicode characters in the email to appear legitimate, evade security filters and bypass detection mechanisms.
    Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    Phishing terms obfuscation using Unicode characters detected in email

    Low overridden

    Unicode characters can be used for obfuscation, allowing malicious actors to disguise harmful intent, URLs or attachments By embedding non-printing Unicode characters, attackers can bypass security filters and evade detection mechanisms Such characters may also be used for phishing attempts that appear legitimate to both users and security systems. overridden

    Words obfuscation using Unicode characters detected in email

    Informational overridden

    Unicode characters can be used for obfuscation, allowing malicious actors to disguise harmful intent, URLs or attachments By embedding non-printing Unicode characters, attackers can bypass security filters and evade detection mechanisms Such characters may also be used for phishing attempts that appear legitimate to both users and security systems. overridden

    Multiple suspicious Unicode characters detected in email

    Informational overridden

    Unicode characters can be used for obfuscation, allowing malicious actors to disguise harmful intent, URLs or attachments By embedding non-printing Unicode characters, attackers can bypass security filters and evade detection mechanisms Such characters may also be used for phishing attempts that appear legitimate to both users and security systems. overridden