Analytics Alerts
Browse the Cortex analytics alert reference.
249 alerts match the current filters. tactic: TA0005 ✕
Show ATT&CK heatmapEncoded information using Windows certificate management tool Medium
Encoding/decoding to/from using certutil.exe could be used to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Obfuscated Files or Information: Encrypted/Encoded File (T1027.013) Deobfuscate/Decode Files or Information (T1140)Required data: XDR AgentAttacker's goals: Evade detection by executing processes with obfuscated arguments.Investigative actions: Check encoded/decoded command content and see whether it is benign or malicious.Exchange DKIM signing configuration disabled Low Identity Threat Module Email 1 variation
A user disabled an Exchange DomainKeys Identified Mail (DKIM) signing configuration. DKIM helps ensure that emails are authorized and not spoofed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing (T1566)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to evade detection.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.Variations
A recently configured Exchange DKIM signing configuration was disabled
Informational overridden
A user disabled an Exchange DomainKeys Identified Mail (DKIM) signing configuration. DKIM helps ensure that emails are authorized and not spoofed. overridden
Exchange Safe Attachment policy disabled or removed Low Identity Threat Module Email
A user disabled an Exchange Safe Attachment policy, which provides phishing protection to email attachments.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing: Spearphishing Attachment (T1566.001)Required data: Office 365 AuditAttacker's goals: An attacker may attempt to disable the Safe Attachment policy to evade detection.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.Exchange Safe Link policy disabled or removed Low Identity Threat Module Email
A user disabled an Exchange Safe Link policy, which provides phishing protection to emails that contain hyperlinks.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing: Spearphishing Link (T1566.002)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to bypass security measures associated with hyperlinks in email messages.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for email messages received with hyperlinks. Check for a possible phishing campaign on the organization.Exchange anti-phish policy disabled or removed Low Identity Threat Module Email 1 variation
A user disabled or removed an Exchange anti-phish policy, which may indicate evasion of a possible phishing campaign.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing (T1566)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to evade detection.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.Variations
Recently configured Exchange anti-phish policy disabled or removed
Informational overridden
A user disabled or removed an Exchange anti-phish policy, which may indicate evasion of a possible phishing campaign. overridden
Exchange audit log disabled Low Identity Threat Module Email
A user disabled the Exchange audit log. This may indicate an attempt to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to evade detection.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).Exchange email-hiding inbox rule Informational Identity Threat Module Email 3 variations
A user configured an Exchange inbox rule that may be used to hide emails.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Hide Artifacts: Email Hiding Rules (T1564.008)Required data: Office 365 AuditAttacker's goals: Prevent an organization from warning users that they've been compromised (e.g. an internal spear-phishing campaign).Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the rule keywords look suspicious. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for multiple instances of email hiding, which may be an indication of a larger campaign. Check if the user regularly configures inbox rules.Variations
Possible BEC Exchange email-hiding inbox rule
Medium overridden
A user configured an Exchange inbox rule that may be used to hide emails. The rule contains characteristics that resemble a business email compromise (BEC) attack. overridden
Suspicious Exchange email-hiding inbox rule
Medium overridden
A user configured an Exchange inbox rule that may be used to hide emails. The rule hides emails that contain suspicious keywords, which may be a sign of a compromised account. overridden
Abnormal Exchange email-hiding inbox rule
Low overridden
A user configured an Exchange inbox rule that may be used to hide emails. overridden
Exchange email-hiding transport rule Informational Identity Threat Module Email 2 variations
A user configured an Exchange transport rule that may be used to hide emails in the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Hide Artifacts: Email Hiding Rules (T1564.008)Required data: Office 365 AuditAttacker's goals: Prevent an organization from warning users that they've been compromised (e.g. an internal spear-phishing campaign).Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the rule contains keywords and if they look suspicious. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for multiple instances of email hiding, which may be an indication of a larger campaign. Check if the user regularly configures transport rules.Variations
Suspicious Exchange email-hiding transport rule
Medium overridden
A user configured an Exchange transport rule that may be used to hide emails in the organization. The rule hides emails that contain suspicious keywords, which may be a sign of a compromised account. overridden
Exchange email-hiding transport rule based on message keywords
Low overridden
A user configured an Exchange transport rule that may be used to hide emails in the organization. The rule hides emails that contain certain keywords, which may be a sign of a compromised account. overridden
Exchange mailbox audit bypass Low Identity Threat Module Email
A user added mailbox audit bypass for an account. This will allow the account to perform actions without being logged, and may indicate an attempt to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Tools (T1562.001)Required data: Office 365 AuditAttacker's goals: An attacker may abuse the audit bypass mechanism to conceal actions and evade detection.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected.Exchange malware filter policy removed Low Identity Threat Module Email
A user removed an Exchange malware filter policy, which may prevent the detection of malware.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Tools (T1562.001)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to evade detection.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate if any other security policies have been changed or removed. Monitor for signs of malware in future messages.Executable created to disk by lsass.exe Medium
Lsass.exe does not normally create executables to disk. This activity was seen as part of several exploits, like EternalBlue and DoublePulsar, used during the WannaCry attacks.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection (T1055)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: This activity was an important stage for several exploits.Investigative actions: Check the file that was written to the disk for malicious activities.Executable moved to Windows system folder Informational 4 variations
An attacker may be trying to avoid detection by moving an executable to a Windows system folder.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036)Required data: XDR AgentDetector tags: EDR Windows Disguised ProcessesAttacker's goals: An attacker may be trying to avoid detection by moving an executable to a Windows system folder.Investigative actions: Check if the file is known in organization or malicious. Check if the digital signature of the file is valid and belongs to a known good software vendor. Investigate the process that has moved the file to the system folder.Variations
Rare executable moved to Windows system folder by rare causality actor
Medium overridden
An attacker may be trying to avoid detection by moving an executable to a Windows system folder. overridden
Executable moved to Windows system folder by remote causality and a rare actor
Medium overridden
An attacker may be trying to avoid detection by moving an executable to a Windows system folder. overridden
Rare executable moved to Windows system folder by rare actor
Low overridden
An attacker may be trying to avoid detection by moving an executable to a Windows system folder. overridden
Executable moved to Windows system folder by rare and unsigned actor
Low overridden
An attacker may be trying to avoid detection by moving an executable to a Windows system folder. overridden
Execution of dllhost.exe with an empty command line Low 2 variations
The process dllhost.exe was executed with an empty command line. This behavior is suspicious, and may be caused by a malicious actor using 'Image File Execution Options' in the registry to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution (T1218)Required data: XDR AgentAttacker's goals: Evade detection when running suspicious commands.Investigative actions: Check if an entry for dllhost.exe was added in the registry, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.Variations
Execution of unsigned dllhost from a non-typical path with empty command line
High overridden
An unsigned process was executed with the name dllhost.exe from a non-typical path, this behavior is suspicious and maybe performed by a malicious actor in an attempt to hide their actions. overridden
Globally uncommon execution of dllhost.exe with an empty command line
Low overridden
The process dllhost.exe was executed with an empty command line. This behavior is suspicious, and may be caused by a malicious actor using 'Image File Execution Options' in the registry to evade detection. overridden
Execution of masqueraded third-party utility Informational 2 variations
An attacker may be trying to avoid detection of third-party utility execution by renaming it.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036) Masquerading: Rename Legitimate Utilities (T1036.003)Required data: XDR AgentDetector tags: EDR Windows Disguised ProcessesAttacker's goals: Detection avoidance via file masquerading.Investigative actions: Check the process origin or whether it comes with any packages the user has used.Variations
Execution of masqueraded third-party automation utility
Medium overridden
An attacker may be trying to avoid detection of third-party utility execution by renaming it. overridden
Execution of significantly masqueraded third-party utility
Low overridden
An attacker may be trying to avoid detection of third-party utility execution by renaming it. overridden
Execution of renamed lolbin Informational 1 variation
An attacker may be trying to avoid detection of lolbin's execution using a renamed lolbin.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036) Masquerading: Rename Legitimate Utilities (T1036.003)Required data: XDR AgentDetector tags: EDR Windows Disguised ProcessesAttacker's goals: Detection avoidance via file rename.Investigative actions: Check the lolbin's origin or whether it comes with any packages the user has used.Variations
Execution of significantly renamed lolbin
Medium overridden
An attacker may be trying to avoid detection of lolbin's execution using a renamed lolbin. overridden
External email display name impersonation of internal personnel Informational Email 1 variation
The sender's email address appears unusual in relation to the provided display name, suggesting a possible impersonation attempt targeting an internal user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: Employee Impersonation, Spear PhishingAttacker's goals: Impersonate internal users or familiar individuals and trick them into clicking on malicious links or attachments.Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
External email display name impersonation of internal personnel, using a public provider
Informational overridden
The sender's email address appears unusual in relation to the provided display name, suggesting a possible impersonation attempt targeting an internal user. overridden
Failed Login For Locked-Out Account Informational
A locked-out user account (event ID 4725 or 4740) was used in a Kerberos TGT pre-authentication attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts (T1078)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: Authenticate using the principal in the TGT, not knowing that it has been revoked.Investigative actions: Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory. Check whether the attempt to use the principals (user accounts) specified in the alert are legitimate. For example, a user or a script that was not updated that the account has been revoked. The lockout can be temporary, for example, in the case of too many login attempts, and may not be visible after the account was released. Search for Windows Event Log 4740 to ascertain whether the account was locked out during the time of the alert.GCP Firewall Rule Modification Informational Cloud
A GCP firewall rule was modified. An attacker might use this technique to access restricted resources.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)Required data: Gcp Audit LogAttacker's goals: Access restricted resources.Investigative actions: Check if there were any network attempts that fit the deleted rule. Check The cloud identity activity prior/after to the rule deletion.GCP Firewall Rule creation Informational Cloud
A GCP VPN firewall rule was created. An attacker might use this technique to block or open access to/from restricted areas.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)Required data: Gcp Audit LogAttacker's goals: Access restricted resources.Investigative actions: Check if there were any network attempts that fit the created rule. Check the cloud identity activity before and after the rule creation.GCP Logging Bucket Deletion Informational Cloud
A GCP logging bucket was deleted. An attacker might delete the bucket to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Gcp Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & ResponseAttacker's goals: Evade detection.Investigative actions: Check which logs were affected by the bucket deletion. Check The cloud identity activity prior/after to the bucket deletion.GCP Storage Bucket Permissions Modification Informational Cloud
A GCP storage bucket's IAM permissions were modified. An attacker might use this technique to expose sensitive data or cause data loss.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: File and Directory Permissions Modification (T1222)Required data: Gcp Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Exfiltrate information.Investigative actions: Check which data exists in the modified bucket and its classification. Look for events that involve actions for the bucket data.GCP VPC Firewall Rule Deletion Informational Cloud
A GCP VPC firewall rule was deleted. An attacker might use this technique to access restricted resources.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)Required data: Gcp Audit LogAttacker's goals: Access restricted resources.Investigative actions: Check if there were any network attempts that fit the deleted rule. Check The cloud identity activity prior/after to the rule deletion.GCP data asset shared public Low Cloud
The GCP data asset was publicly shared.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: Gcp Audit LogDetector tags: Cloud Data Asset Public Exposure, Data Detection & ResponseAttacker's goals: The attacker wants to maintain indirect control over the resource. The attacker intends to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.Investigative actions: Check if the identity intended to change the state of the data asset to public. Change the access policy for the affected asset. Restrict permissions for the identity if needed.GCP logging sink deletion Informational Cloud 1 variation
A GCP logging sink entity was deleted. Logs that match the logging sink rule will not arrive at their destination.An attacker might use this technique to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Gcp Audit LogAttacker's goals: Evade detection by limiting collected data.Investigative actions: Identify the logs impacted by the deletion. Review cloud identity activity before and after the deletion.Variations
GCP logging sink deletion
Low overridden
A GCP logging sink entity was deleted. Logs that match the logging sink rule will not arrive at their destination.An attacker might use this technique to evade detection. overridden
GCP logging sink modification Informational Cloud 2 variations
A GCP logging sink entity was modified. Logs that match the logging sink rule will not arrive at their destination. An attacker might use this technique to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Gcp Audit LogAttacker's goals: Evade detection by limiting collected data.Investigative actions: Identify the relevant logs impacted by the modification. Review The cloud identity activity before and after the logging sink modification.Variations
GCP logging sink modification
Medium overridden
A GCP logging sink entity was modified. Logs that match the logging sink rule will not arrive at their destination. An attacker might use this technique to evade detection. overridden
GCP logging sink modification
Low overridden
A GCP logging sink entity was modified. Logs that match the logging sink rule will not arrive at their destination. An attacker might use this technique to evade detection. overridden
Globally uncommon IP address connection from a signed process Informational 3 variations
A signed process connected to an external IP address that, on a global level, it usually doesn't connect to.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Verify the destination IP address reputation. Check whether the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Verify whether the process execution and connections are legitimate.Variations
Globally uncommon IP address connection from an injected thread in a signed process
Medium overridden
An injected thread in a signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon IP address connection from a signed process from a known vendor
Medium overridden
A signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon and very rare IP address connection from a signed process
Low overridden
A signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon high entropy module was loaded Informational 1 variation
A module with high entropy and a globally uncommon hash was loaded.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Obfuscated Files or Information (T1027)Required data: XDR AgentAttacker's goals: Adversaries may attempt to make an executable difficult to discover or analyze by compressing, encrypting, encoding, or otherwise obfuscating its contents.Investigative actions: Check if the module is either compressed, encrypted, obfuscated or packed.Variations
Globally uncommon high entropy module was loaded by process which was executed by a scheduled task
Low overridden
A module with high entropy and a globally uncommon hash was loaded. overridden
Globally uncommon high entropy process was executed Informational 4 variations
A process with high entropy and a globally uncommon hash was executed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Obfuscated Files or Information (T1027)Required data: XDR AgentAttacker's goals: Adversaries may attempt to make an executable difficult to discover or analyze by compressing, encrypting, encoding, or otherwise obfuscating its contents.Investigative actions: Check if the process' file is either compressed, encrypted, obfuscated or packed.Variations
Globally uncommon high entropy process was executed by an untrusted CGO
Low overridden
A process with high entropy and a globally uncommon hash was executed by an untrusted CGO. overridden
Globally uncommon high entropy process was executed by a web server process or CGO
Low overridden
A process with high entropy and a globally uncommon hash was executed by a web server process or CGO. overridden
Globally uncommon high entropy process was extracted from an internet-downloaded archive and executed
Low overridden
A process with high entropy and a globally uncommon hash was extracted from an internet-downloaded archive and executed. overridden
Globally uncommon high entropy process was downloaded from an uncommon source and executed
Low overridden
A process with high entropy and a globally uncommon hash was downloaded from an uncommon source and executed. overridden
Globally uncommon image load from a signed process Informational 5 variations
A signed process loaded a DLL that, on a global level, it usually doesn't load.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution (T1218) Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: Global Anomaly Analytics, DLL Hijacking AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon image load from a signed process from a known vendor
Medium overridden
A signed process loaded a DLL that, on a global level, it usually doesn't load. overridden
Globally uncommon unsigned image side loaded to a signed process
Medium overridden
A signed process side loaded an unsigned DLL that, on a global level, it usually doesn't load. overridden
Globally uncommon and very rare image load from a signed process
Medium overridden
A signed process loaded a DLL that, on a global level, it usually doesn't load. overridden
Globally uncommon image load from an injected thread in a signed process
Low overridden
An injected thread in a signed process loaded a DLL that, on a global level, it usually doesn't load. overridden
Globally uncommon DLL was downloaded from an uncommon source and loaded by a signed process
Low overridden
A signed process loaded a DLL that, on a global level, it usually doesn't load. overridden
Globally uncommon injection from a signed process Informational 3 variations
A signed process injected into another process that it does not normally target at a global level.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: System Binary Proxy Execution (T1218) Process Injection (T1055) Compromise Host Software Binary (T1554)Required data: XDR AgentDetector tags: Injection Analytics, Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon suspicious injection from a signed process
Medium overridden
A non-injected thread in a signed process with a suspicious injection type injected into another process that it does not normally target at a global level. overridden
Globally uncommon injection from a signed process which was executed by a scheduled task
Low overridden
A signed process injected into another process that it does not normally target at a global level. overridden
Globally uncommon injection from a signed process
Low overridden
A signed process injected into another process that it does not normally target at a global level. overridden
Globally uncommon root domain from a signed process Low 4 variations
A signed process connected to an external domain that, on a global level, it usually doesn't connect to.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Check the destination domain reputation. Check if the actor process loaded a suspicious dll before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon root domain from an injected thread in a signed process
High overridden
An injected thread in a signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root domain from a signed process
High overridden
A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root domain from a signed process
High overridden
A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root domain from a signed process
Medium overridden
A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination from a signed process Low 4 variations
A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Check the destination domain reputation. Check if the actor process loaded a suspicious dll before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon root-domain port combination from an injected thread in a signed process
High overridden
An injected thread in a signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination from a signed process
High overridden
A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination from a signed process
High overridden
A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination from a signed process
Medium overridden
A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden
Hidden Attribute was added to a file using attrib.exe Informational
Hidden attribute was added to a file using attrib.exe, adversaries may set files to be hidden to evade detection mechanisms.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001)Required data: XDR AgentAttacker's goals: Hide malware or staged files from standard file explorers.Investigative actions: Check if the hidden file is malicious. Verify if the process executing the command is malicious. Check for more suspicious actions done by the user and process.Indicator blocking Informational 1 variation
Auditing or logging configuration changes on Linux host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Indicator Blocking (T1562.006)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Impairing host defenses.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Indicator blocking in a Kubernetes pod
Low overridden
Auditing or logging configuration changes on Linux host. overridden
Indirect command execution using the Program Compatibility Assistant Medium
Pcalua.exe (Program Compatibility Assistant) is used for running old programs that have compatibility issues. Attackers can use pcalua.exe to indirectly execute their malicious programs.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Indirect Command Execution (T1202)Required data: XDR AgentAttacker's goals: Evading detection by indirectly executing their malicious programs.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Injection into rundll32.exe Informational 1 variation
A process injected into an instance of rundll32.exe.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Injection into rundll32.exe which was executed by a scheduled task
Low overridden
A process injected into an instance of rundll32.exe. overridden
Iptables configuration command was executed Informational 7 variations
The iptables process was executed with a command to add or delete rules on the host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)Required data: XDR AgentAttacker's goals: Adding or deleting system firewalls rules to avoid possible detection.Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.Variations
Rare iptables port forward command was executed
Low overridden
An iptables command was executed to perform port forward, This command is unpopular. overridden
Uncommon iptables port forward command was executed on the host
Informational overridden
An iptables command was executed to perform port forward, This command is uncommon for the host. overridden
Rare iptables delete command was executed
Low overridden
An iptables command was executed to delete rule, This command is unpopular. overridden
A rare iptables delete command was executed on the host
Informational overridden
An iptables command was executed to delete rule, This command is uncommon for the host. overridden
A rare iptables flush all command was executed
Low overridden
An iptables command was executed to flush all rules, This command is unpopular. overridden
A rare iptables flush command was executed
Low overridden
An iptables command was executed to flush all rules, This command is unpopular. overridden
A rare iptables flush command was executed on the host
Informational overridden
An iptables command was executed to flush rules, This command is uncommon for the host. overridden
Kubernetes cluster events deletion Informational Cloud
Kubernetes cluster events deletion.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Adversaries may delete Kubernetes events to avoid possible detection.Investigative actions: Check whether these changes are expected.LOLBAS executable injects into another process Informational 1 variation
A signed binary, which can be abused to run code, injected code to another process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: Gain code execution on the host and evade security controls.Investigative actions: Check whether the injecting process is benign, and if this was a desired behavior as part of its normal execution flow.Variations
LOLBAS executable injects into another process under an uncommon CGO
Low overridden
A signed binary, which can be abused to run code, injected code to another process. overridden
Linux system firewall was modified Low
The system firewall was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Exfiltrate data or move laterally in the organization.Investigative actions: Examine the command to understand which IPs or ports were affected. Check the communication allowed by the modified firewall rule.Logging was impaired via external encryption key Medium Cloud
The resource was configured with an external key This might be an attempt to disrupt log inspection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)ATT&CK techniques: Data Manipulation (T1565) Impair Defenses (T1562)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Modifying the key used to encrypt the logs to remain undetected.Investigative actions: Check the identity that updated the resource configuration. Check the key used to encrypt the logs.Login by a dormant user Informational Identity Analytics 1 variation
A dormant user logged on after having been unused for a month or longer.This may indicate the account is misused by an attacker.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: XDR AgentAttacker's goals: Use a compromised user account that has not been used for a long time and is therefore less likely to be noticed.Investigative actions: Confirm that the activity is benign (e.g. the user returned from a long leave of absence). See whether there are other abnormal actions done by the user (e.g. files\commands\other logins). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.Variations
Cached interactive login by a dormant user
Informational overridden
A dormant user logged on after having been unused for a month or longer.This may indicate the account is misused by an attacker. overridden
MFA device was removed/deactivated from an IAM user Informational Cloud
Deactivate an MFA device and disassociate it from an IAM user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogAttacker's goals: This may allow an attacker to gain access to the IAM user.Investigative actions: Check if IAM requires MFA to be enabled.MFA was disabled for a Google Workspace user Informational Identity Threat Module 2 variations
Multi-Factor Authentication (MFA) has been disabled for a Google Workspace user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Authentication Process: Multi-Factor Authentication (T1556.006)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may impair defenses by disabling Multi-Factor Authentication (MFA) to maintain persistence and evade detection.Investigative actions: Verify if the MFA disablement was authorized. Investigate the source IP and User Agent for previous malicious activity or anomalies. Follow further actions done by the user and IP address.Variations
MFA was disabled for a Google Workspace administrative user
Medium overridden
Multi-Factor Authentication (MFA) has been disabled for a Google Workspace user. overridden
MFA was disabled for a Google Workspace user by a different account for the first time
Low overridden
Multi-Factor Authentication (MFA) has been disabled for a Google Workspace user. overridden
MFA was disabled for an Azure identity Low Identity Threat Module 2 variations
MFA was disabled for the user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Modify Authentication Process (T1556)Required data: AzureAD Audit LogAttacker's goals: This allows the attacker to connect using this account without the need for the additional layer of authentication.Investigative actions: Follow further actions by the initiator. Check the login activity from this account. Follow further actions done by this account.Variations
Suspicious MFA was disabled for an Azure identity
Medium overridden
MFA was disabled for the user. overridden
MFA was disabled for an Azure identity regularly by the user
Informational overridden
MFA was disabled for the user. overridden
MSI accessed a web page running a server-side script Informational 1 variation
The Microsoft installer command line included a URL to a web page running a server-side script, which is suspicious.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution (T1218)Required data: XDR AgentAttacker's goals: An attacker may use this technique to install a malicious tool from a remote server.Investigative actions: Check whether the URL is benign and if this was a desired behavior as part of its normal execution flow.Variations
MSI accessed a web page running a server-side script
High overridden
MSI on an internet-facing server accessed a web page running a server-side script. overridden
Masquerading as a default local account Low Identity Analytics 3 variations
A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Hide Artifacts: Hidden Users (T1564.002) Valid Accounts: Default Accounts (T1078.001) Masquerading (T1036)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker is attempting to evade detection.Investigative actions: Check what rights and permissions were granted to the new user. Verify the action with the user who created the new account. Follow actions and activities of the newly created default account. Monitor the addition of the user to different groups.Variations
Masquerading as a default local account for the first time
Medium overridden
A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection. overridden
Potential masquerading as a power user account
Low overridden
A user created a new local account with the name of a privileged local account.This user does not regularly create accounts.An attacker may create a user with these known names to evade detection. overridden
Masquerading as a default Administrator account
Informational overridden
A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection. overridden
Masquerading as the Linux crond process Low 1 variation
Copies a file and renames it as crond.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading: Masquerade Task or Service (T1036.004)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may masquerade as the crond executable.Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.Variations
Masquerading as the Linux crond process from a Kubernetes pod
Low overridden
Copies a file and renames it as crond. overridden
Microsoft 365 DLP policy disabled or removed Informational Identity Threat Module Email 1 variation
A user disabled or removed a Microsoft 365 data loss prevention (DLP) policy, which may indicate DLP monitoring evasion.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Tools (T1562.001)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to bypass Microsoft 365 Data Loss Prevention (DLP) policies.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Monitor the user's activity for any access to sensitive data or data exfiltration. Investigate if any other security policies have been changed or removed.Variations
Rare Microsoft 365 DLP policy removal
Low overridden
A user disabled or removed a Microsoft 365 data loss prevention (DLP) policy, which may indicate DLP monitoring evasion. overridden
Microsoft Office injects code into a process Low 5 variations
An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)ATT&CK techniques: Phishing: Spearphishing Attachment (T1566.001) Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: An attacker attempts to gain code execution via a phishing document. Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.Investigative actions: Check the source of the document (received by mail or loaded locally). Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Unsigned Microsoft Office injects code into a process
High overridden
An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden
Microsoft Office injects code into a process to a non-standard PE section
High overridden
An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden
Microsoft Office injects code into a process to an undeclared memory page
Medium overridden
An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden
Microsoft Office injects code into a process from an unsigned process
Medium overridden
An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden
Microsoft Office macro-enabled spreadsheet (XLSM) injects code into a process
Medium overridden
An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden
Microsoft Teams application setup policy was modified Informational Identity Threat Module 1 variation
Microsoft Teams the application setup policy, which is responsible for application management, was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Impair Defenses (T1562) Cloud Application Integration (T1671)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may modify the application setup policy to maintain persistent access to compromised Teams accounts and conversations.Investigative actions: Determine if it is within the user's role to modify the policy. Verify whether the modification of the policy is both legitimate and necessary. If the policy change causes an application installed for the whole organization, confirm that the application was created by a certified and trusted entity. Correlate the event with its sign-in event to get additional information on the identity performing the action using the session ID or the unique token identifier.Variations
A user changed the Microsoft Teams application setup policy for the first time
Low overridden
Microsoft Teams the application setup policy, which is responsible for application management, was modified. overridden
Microsoft Teams external communication policy was modified Informational Identity Threat Module 1 variation
Microsoft Teams external communication policy was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Exfiltration (TA0010)ATT&CK techniques: Impair Defenses (T1562) Exfiltration Over Alternative Protocol (T1048)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may modify the external communication policy to enable data exfiltration or to hide their activities.Investigative actions: Determine if it is within the user's role to modify the policy. Verify whether the modification of the policy is both legitimate and necessary. Follow further communication with the external tenant or allowed tenants. Correlate the event with its sign-in event to get additional information on the identity performing the action using the session ID.Variations
Microsoft Teams external communication policy was modified by an unusual user
Low overridden
Microsoft Teams external communication policy was modified. overridden
Modification of PAM Informational 1 variation
Modification of PAM configuration files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005) Credential Access (TA0006)ATT&CK techniques: Modify Authentication Process: Pluggable Authentication Modules (T1556.003)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Credential access, defense evasion or persistence.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Modification of PAM from a Kubernetes pod
Informational overridden
Modification of PAM configuration files. overridden
Modification of the AD FS IdentityServer configuration file Informational Identity Analytics 1 variation
The AD FS service configuration file was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow (T1574)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Federation Services AnalyticsAttacker's goals: The attacker's goal is to establish a persistent, high-privilege backdoor by forcing the service to load a malicious configuration that enables remote code execution and the bypass of security controls like MFA.Investigative actions: Check if the AD FS service was stopped or restarted around the time of modification. Investigate the process and user that performed the write operation for signs of compromise.Variations
Suspicious Modification of the AD FS IdentityServer configuration file
Low overridden
The AD FS service configuration file was modified. overridden
Mshta.exe launched with suspicious arguments Low
Microsoft HTML application host process has been launched with suspicious arguments, which may indicate malicious intent.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Mshta (T1218.005)Required data: XDR AgentAttacker's goals: Gain code execution on the host and evade security controls.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Mshta.exe spawns from a browser process Low 1 variation
Mshta is the Microsoft HTML Application Host. It executes HTML applications on Windows. Detected when a browser process has spawned mshta, which can be a potential attack vector.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Mshta (T1218.005)Required data: XDR AgentAttacker's goals: Execute malicious code through system binary proxy execution to bypass application controls and security monitoring.Investigative actions: Examine the command line arguments passed to mshta for suspicious URLs or file paths. Check the browser process that spawned mshta for signs of compromise. Review network connections around the time of execution. Analyze any HTML applications (.hta files) that may have been executed.Variations
Mshta.exe spawns from a browser process that executes a script from a URL
Medium overridden
Mshta is the Microsoft HTML Application Host. It executes HTML applications on Windows. Detected when a browser process has spawned mshta, which can be a potential attack vector. overridden
Msiexec execution of an executable from an uncommon remote location Informational 2 variations
Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Msiexec (T1218.007)Required data: XDR AgentAttacker's goals: Evading security controls and executing arbitrary files from the web.Investigative actions: Check execution of msiexec and the IP/Domain that used. Is the URL that is encoded in the command line trusted. Is executed DLL or MSI file known as legitimate. Is the initiating process legitimate and the user running it knows of its use.Variations
Msiexec execution of an executable from an uncommon remote location with a specific port
High overridden
Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations. overridden
Msiexec execution of an executable from an uncommon remote location without properties
Medium overridden
Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations. Execution without properties is more common in malware. overridden
Multi region enumeration activity Informational Cloud
An internal identity performed an operation on multiple regions, considerably more than usual.This may indicate an attacker's attempt to identify all available resources in the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007) Defense Evasion (TA0005)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Unused/Unsupported Cloud Regions (T1535) Cloud Service Discovery (T1526)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Discover cloud resources that are available within the environment and leverage them to perform additional attacks against the organization. Detect unused geographic regions and leverage them to evade detection of malicious operations.Investigative actions: Check the identity designation. Verify that the identity did not perform any operation in a region that it shouldn't.New addition to Windows Defender exclusion list Low 1 variation
Windows Defender keeps the exclusion list in the registry, and any addition to it will cause it to ignore a process, path or file extension.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Hide Artifacts: File/Path Exclusions (T1564.012) Impair Defenses: Disable or Modify Tools (T1562.001)Required data: XDR AgentAttacker's goals: Gain code execution on the host and evade security controls.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the excluded object type (process, path or extension) and nature. Check if the excluded object is malicious.Variations
New addition to Windows Defender exclusion list from an unsigned process
Medium overridden
Windows Defender keeps the exclusion list in the registry, and any addition to it will cause it to ignore a process, path or file extension. overridden
Office process spawned with suspicious command-line arguments Low 2 variations
An Office process was executed with LOLBIN-like command-line arguments. This behavior is exhibited in the VBA-RunPE tool that executes executables from the memory of Word/Excel/PowerPoint.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection: Process Hollowing (T1055.012)Required data: XDR AgentAttacker's goals: Execute arbitrary code or run malicious applications undetected.Investigative actions: Check the file that spawns the office application and search for macros, formulas, or scripts.Variations
Masqueraded office process spawned with suspicious command-line arguments
Medium overridden
An executable masquerading an office process was executed with LOLBIN-like command-line arguments. overridden
PowerPoint process accesses a suspicious PPAM file
Low overridden
A PowerPoint process opened a PPAM file which might be used to execute malicious code. overridden
Ping to localhost from an uncommon, unsigned parent process Informational
Ping is often used by malware and attackers to delay the execution of suspicious commands in sandbox environments.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Virtualization/Sandbox Evasion (T1497)Required data: XDR AgentAttacker's goals: Use ping as an easy way to wait to try and evade detection between executions.Investigative actions: Validate if the executing process is malicious.Possible DCSync from a non domain controller Low 5 variations
Attackers may pose a compromised host as a DC to replicate data to it (DCSync).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005)ATT&CK techniques: OS Credential Dumping: DCSync (T1003.006) Rogue Domain Controller (T1207)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Impacket AnalyticsAttacker's goals: An attacker is trying to retrieve Active Directory data, including password hashes.Investigative actions: Check whether one of the machines is a new domain controller.Variations
DCSync from a non domain controller from a non-standard process
High overridden
Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden
Large DCSync from a non domain controller by AppID
Medium overridden
Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden
Large DCSync from a non domain controller
Medium overridden
Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden
Possible DCSync from an internet-facing server
Medium overridden
Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden
DCSync from a non domain controller
Low overridden
Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden
Possible DLL Hijack into a Microsoft process Informational 6 variations
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.Variations
Possible DLL Hijack of a low entropy DLL into a Microsoft process
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
Possible DLL Side-Loading into a Microsoft process from a suspicious folder
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
DLL Hijack into a Microsoft process
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
Possible DLL Hijack into a Microsoft development or framework related process
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
Possible DLL Hijack into a Microsoft process - the DLL was extracted from an internet-downloaded archive
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
Possible DLL Hijack into a Microsoft process - the DLL downloaded from an uncommon source
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
Possible DLL Search Order Hijacking Low 3 variations
An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001) Hijack Execution Flow: Path Interception by PATH Environment Variable (T1574.007) Hijack Execution Flow: Path Interception by Unquoted Path (T1574.009) Hijack Execution Flow: Path Interception by Search Order Hijacking (T1574.008)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.Variations
Possible DLL Search Order Hijacking by DLL Substitution
Low overridden
An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden
Possible DLL Search Order Hijacking - DLL extracted from an internet-downloaded archive
Low overridden
An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden
Possible DLL Search Order Hijacking - DLL downloaded from an uncommon source
Low overridden
An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden
Possible binary padding using dd Informational
A suspicious dd command ran and added data to a binary. This may indicate binary padding to change the hash of a file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Obfuscated Files or Information: Binary Padding (T1027.001)Required data: XDR AgentAttacker's goals: An adversary may use binary padding to avoid hash-based blacklists and static antivirus signatures.Investigative actions: Check the padded file and try to understand the impact of padding this specific binary.Possible code downloading from a remote host by Regsvr32 Medium
Regsvr32 may be used to fetch arbitrary code from a remote host and execute it without dropping the payload onto the disk. Known to be used for malicious purposes.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Regsvr32 (T1218.010)Required data: XDR AgentAttacker's goals: Gain code execution on the host and evade security controls.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Possible data obfuscation Informational 1 variation
A command that can be used for file obfuscation was executed with an uncommon command line.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Deobfuscate/Decode Files or Information (T1140)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may use obfuscated files to cover their tracks.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Possible data obfuscation in a Kubernetes pod
Low overridden
A command that can be used for file obfuscation was executed with an uncommon command line. overridden
Possible malicious .NET compilation started by a commonly abused process Medium
Attackers may use csc.exe to compile payloads on a compromised machine.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Obfuscated Files or Information: Compile After Delivery (T1027.004)Required data: XDR AgentAttacker's goals: Compile payloads on the host to evade detection.Investigative actions: Investigate the payload being compiled. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Potential DCSync by an unusual user Informational Identity Analytics 1 variation
Attackers may leverage the domain replication process to extract sensitive information (DCSync).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping: DCSync (T1003.006) Rogue Domain Controller (T1207)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker is trying to retrieve Active Directory data, including password hashes.Investigative actions: Check the role of the account, and see if it should initiate a DC synchronization. Check if the account performing the DCSync is related to a new DC. Find the source host of the DCSync (correlate between event 4662 and 4624 based on the field 'Logon ID'). Check if the account was recently added to an administrative groups/had new sensitive privileges assigned to it. Monitor suspicious traffic to/from the host to identify lateral movement or access to sensitive resources.Variations
Possible DCSync by an unusual user
Low overridden
Attackers may leverage the domain replication process to extract sensitive information (DCSync). overridden
Potential extraction of NAA Account Credentials in Microsoft Configuration Manager Low Identity Analytics 1 variation
Possible user attempt to deobfuscate Network Access Account (NAA) credentials in Microsoft Configuration Manager. This may indicate a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005)ATT&CK techniques: Unsecured Credentials (T1552) Deobfuscate/Decode Files or Information (T1140) Credentials from Password Stores (T1555)Required data: Azure Audit Log AzureAD AzureAD Audit Log Microsoft Graph Logs Office 365 Audit Okta Okta Audit Log Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Global Protect Third-Party VPNs Slack Audit Log XDR Agent XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft SCCM AnalyticsAttacker's goals: An attacker may extract plaintext credentials of the Network Access Account (NAA) from an SCCM environment to access resources and lateral movement within the network.Investigative actions: Verify the activity with the performing user. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Look for unusual logins using the Network Access Account (NAA), on systems or at times that deviate from normal patterns. Looking for signs of credential extraction, such as tools or scripts.Variations
Suspicious extraction of NAA Account Credentials in Microsoft Configuration Manager
Medium overridden
Possible user attempt to deobfuscate Network Access Account (NAA) credentials in Microsoft Configuration Manager. This may indicate a compromised account. overridden
Potential spoofing of internal domain spotted Informational Email
An external sender is possibly impersonating an employee by spoofing the company's internal address.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)ATT&CK techniques: Phishing (T1566) Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: Employee Impersonation, Spear PhishingAttacker's goals: Get credentials for internal systems. Executing financial transfers from the company to the attacker's account. Extracting information outside the company. Encrypting critical information and demanding a ransom.Investigative actions: Check the received header path, especially the sender host. Check DMARC, SPF AND DKIM authentication results. Verify whether the sender's IP address has appeared in different log sources before and its reputation. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Procdump executed from an atypical directory Medium
Procdump.exe is a SysInternals tool used to dump process memory; it can be used to dump lsass.exe memory to extract credentials.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Credential Access (TA0006)ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001) OS Credential Dumping: LSASS Memory (T1003.001)Required data: XDR AgentAttacker's goals: Attackers may attempt to dump the memory of sensitive processes.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Punycode characters detected in URL(s) Informational Email
Punycode character(s) detected within URL(s) in email content.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)ATT&CK techniques: Masquerading (T1036) User Execution (T1204)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: Cause a different URL to be presented to the user as a legitimate URL, prompting user engagement.Investigative actions: Examine the sender's IP address and reputation. Check the email address and content for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Rare security product signed executable executed in the network Low
Attackers may attempt to install a security product with a known vulnerability to bypass security features.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Exploitation for Defense Evasion (T1211)Required data: XDR AgentAttacker's goals: Adversaries may exploit the application vulnerability to bypass security features.Investigative actions: Check if the security product was installed by a legitimate user and intentionally.Rare service DLL was added to the registry Low 2 variations
A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Masquerading: Masquerade Task or Service (T1036.004) Create or Modify System Process: Windows Service (T1543.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Malicious Service AnalyticsAttacker's goals: Masquerade execution on the host using a benign Windows process and achieve persistence.Investigative actions: Investigate the suspicious DLL and check for malicious content. Go to the service registry key and investigate it to find the associated executable that runs the service. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Rare service DLL was added to the registry from an injected thread
Medium overridden
A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware. overridden
Rare service DLL was added to the registry from a rare unsigned actor process
High overridden
A service was added as a dll, which will be executed by svchost.exe. This is a stealthy technique attackers use to persist their malware. overridden
Rare signature signed executable executed in the network Informational 4 variations
Attackers may use signed executables by less known vendors to bypass security features.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 30 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Subvert Trust Controls: Code Signing (T1553.002)Required data: XDR AgentAttacker's goals: Adversaries may use signed binaries to bypass security features.Investigative actions: Check if this is legitimate software installed by a legitimate user and intentionally.Variations
Rare signature signed forensic tool remotely executed in the network
Medium overridden
Attackers may use signed executables by less known vendors to bypass security features. overridden
Rare signature signed forensic tool executed in the network
Low overridden
Attackers may use signed executables by less known vendors to bypass security features. overridden
Rare signature signed executable extracted from an internet-downloaded archive and executed in the network
Low overridden
Attackers may use signed executables by less known vendors to bypass security features. overridden
Rare signature signed executable downloaded from an uncommon source and executed in the network
Low overridden
Attackers may use signed executables by less known vendors to bypass security features. overridden
Registration of Uncommon .NET Services and/or Assemblies Informational
Regasm.exe and regsvcs.exe are used to register .NET COM assemblies, which are typically located in specific paths, attackers might leverage that to execute code within a Microsoft signed binary.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Regsvcs/Regasm (T1218.009)Required data: XDR AgentAttacker's goals: Load untrusted code into a trusted Microsoft context to evade detection.Investigative actions: Verify if the loaded dll is known to be malicious. Track down which process dropped the library being loaded. Validate if the actions being done by the regasm.exe process are malicious.Removal of an Azure Owner from an Application or Service Principal Informational Cloud 1 variation
An Azure Owner was removed from an application or service principal. This may indicate malicious activity or unauthorized access to the application or service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Indicator Removal (T1070)Required data: Azure Audit LogAttacker's goals: Remove owners from applications for full control of the application or service principal. Manipulate or delete data stored in the Azure environment.Investigative actions: Check the Azure Activity Log to identify which user removed the Azure Owner. Check the Azure Role Assignments to identify the current Azure Owners. Check the Application or Service Principal to identify if any changes have been made.Variations
Removal of an Azure AD privileged user from an Application or Service Principal
Low overridden
An Azure Owner was removed from an application or service principal. This may indicate malicious activity or unauthorized access to the application or service. overridden
Rundll32.exe executes a rare unsigned module Low 2 variations
Rundll32.exe executes a rare unsigned module, which can indicate an attacker's malicious execution.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Rundll32 (T1218.011)Required data: XDR AgentAttacker's goals: Evading detections by running code from a signed Microsoft executable.Investigative actions: Check whether the loaded module with the corresponding hash is benign and if this was a desired behavior as part of its normal execution flow.Variations
Rundll32.exe executes a rare unsigned module with very high entropy
Medium overridden
Rundll32.exe executes a rare unsigned module, which can indicate an attacker's malicious execution. The module executed by Rundll32 has very high entropy. overridden
Rundll32.exe executes a rare unsigned module with suspicious characteristics
Medium overridden
Rundll32.exe executes a rare unsigned module, which can indicate an attacker's malicious execution. overridden
Rundll32.exe running with no command-line arguments Medium
Rundll32.exe is meant to run with parameters, so the absence of them is extremely suspicious; this behavior is used in the default configuration of Cobalt Strike.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Rundll32 (T1218.011)Required data: XDR AgentAttacker's goals: Run as a signed Microsoft executables to avoid detection. Rundll32 is the default process used by Cobalt Strike for running post-exploitation tools.Investigative actions: Check for any injection event to the Rundll32 process. Check the causality of execution for any injections.Rundll32.exe spawns conhost.exe Medium
This unusual parent-child process relationship may indicate that an attacker has abused rundll32.exe to run a console-based application such as PowerShell.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Rundll32 (T1218.011)Required data: XDR AgentAttacker's goals: Evading detections by running code from a signed Microsoft executable.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Scheduled Task hidden by registry modification Low
Attackers may try to hide a Scheduled Task by deleting the Scheduled Task's software descriptor (SD) value in the registry.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Registry (T1112) Hide Artifacts (T1564)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversaries may hide their malicious Scheduled Task to evade detection.Investigative actions: Check the appropriate Scheduled Task to verify its legitimacy. You can also check the executing executable to verify its purpose.Security object deletion in Google Workspace Admin Console Informational Identity Threat Module 1 variation
A security object was deleted in Google Workspace Admin Console.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may modify or disable security rules to avoid detection of their activities.Investigative actions: Investigate the security object name deleted and whether it was intended. Check if the user was recently granted new elevated permissions that allowed them to delete security rules. Follow other administrative or suspicious actions performed by this user around the same time.Variations
Security object deletion in Google Workspace Admin Console for the first time
Low overridden
A security object was deleted in Google Workspace Admin Console. overridden
Security tools detection attempt Informational
A script has executed commands that can be used to detect security tools.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Discovery (TA0007)ATT&CK techniques: Virtualization/Sandbox Evasion (T1497) Virtualization/Sandbox Evasion: System Checks (T1497.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Avoid detection by identifying execution alongside security tools that may alert on a malicious script.Investigative actions: Review the script for additional malicious actions. Check for any additional alerts raised within the same context of the script.Setuid and Setgid file bit manipulation Low 1 variation
The setuid or setgid bits were set on a file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Abuse Elevation Control Mechanism: Setuid and Setgid (T1548.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may try to run the executable application as a different user.Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.Variations
Setuid and Setgid file bit manipulation in a Kubernetes pod
Low overridden
The setuid or setgid bits were set on a file. overridden
Short-lived Azure AD user account Informational Identity Threat Module 1 variation
An Azure AD user was created and deleted within a short period of time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: Evasion using a valid account.Investigative actions: Check the user who created the account and verify the activity. Confirm that the account creation was not accidental.Variations
Abnormal Short-lived Azure AD user account
Low overridden
An Azure AD user was created and deleted within a short period of time. overridden
Short-lived user account Low Identity Analytics 2 variations
A user was created and deleted within a short period of time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Evasion using a valid account.Investigative actions: Check the user who created the account and verify the activity. Confirm that the account creation was not accidental.Variations
Abnormal short-lived user account
Low overridden
A user was observed creating and deleting an account a short time later. This user does not regularly create and delete accounts. overridden
Short-lived hidden user account
Medium overridden
A user was created with a name that mimics a machine account and later deleted within a short period of time. This may be an attacker's attempt to evade detection. overridden
Signed process performed an unpopular DLL injection Informational 4 variations
A signed process performed an unpopular DLL injection into another process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Signed process that got injected performed an unpopular and suspicious dll injection
High overridden
A signed process performed an unpopular DLL injection into another process. overridden
Signed process that got injected performed an unpopular and suspicious dll injection
Medium overridden
A signed process performed an unpopular DLL injection into another process. overridden
Signed process that got injected performed an unpopular dll injection
Medium overridden
A signed process performed an unpopular DLL injection into another process. overridden
Signed process performed an unpopular DLL injection
Low overridden
A signed process performed an unpopular DLL injection into another process. overridden
Signed process performed an unpopular injection Informational 6 variations
A signed process performed an unpopular injection to another process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Signed process that got injected performed an unpopular and suspicious injection
Medium overridden
A signed process performed an unpopular injection to another process. overridden
Signed process that got injected performed an unpopular and suspicious injection
Medium overridden
A signed process performed an unpopular injection to another process. overridden
Signed process that got injected performed an unpopular injection
Medium overridden
A signed process performed an unpopular injection to another process. overridden
Commonly abused signed process performed a globally unpopular injection to a Microsoft signed process
Medium overridden
A signed process performed an unpopular injection to another process. overridden
Signed process performed an unpopular injection
Low overridden
A signed process performed an unpopular injection to another process. overridden
Signed process executed by a scheduled task performed an unpopular injection
Low overridden
A signed process performed an unpopular injection to another process. overridden
Space after filename Informational
A file was created or renamed to have a space at the end of its name.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading: Space after Filename (T1036.006)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers may try to change the extension of the file to evade detection.Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.Suspicious .NET process loads an MSBuild DLL Medium
A suspicious process in the Microsoft .NET directory loaded the Microsoft Build Framework DLL. This may occur if an attacker masquerades a process like MSBuild (PowerLessShell).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Trusted Developer Utilities Proxy Execution: MSBuild (T1127.001)Required data: XDR AgentAttacker's goals: Gain code execution on the host and evade security controls.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Suspicious AMSI decode attempt Informational
A script has executed commands that can be used to decode commands or files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Minute
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Deobfuscate/Decode Files or Information (T1140)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Avoid security mitigations and detections.Investigative actions: Check the payload for malicious activity.Suspicious DKIM Result Informational Email 4 variations
The email contains a suspicious DKIM entry, showing either an unexpected verification result (none, fail, or policy) or a mismatched signing domain, which may indicate potential tampering or spoofing activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: SpoofingAttacker's goals: Impersonate internal users or familiar individuals and trick them into clicking on malicious links or attachments.Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. Examine the sender's IP address and reputation, and check why DKIM didn't pass. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Known domain DKIM deviation
Informational overridden
An email was sent from a commonly seen domain in the organization, that has historically passed DKIM checks, but returned a suspicious DKIM result of fail This deviation may indicate an attempt to spoof or impersonate a legitimate external sender. Such sudden DKIM outcome from a previously trusted external domain warrants further investigation. overridden
Lack DKIM signature from typically signing domains
Informational overridden
An email was sent from a domain that has historically passed DKIM checks, but returned a suspicious DKIM result of none A none DKIM result implies on an unsigned email, which is atypical for domains with previous signed messages. This deviation may indicate an attempt to spoof or impersonate a legitimate external sender. Such sudden DKIM outcome from a previously trusted external domain warrants further investigation. overridden
DKIM results lacking sender correlation
Informational overridden
The email's authentication results have no indication of proper signing from the email's sender This deviation may indicate an attempt to spoof or impersonate a legitimate external sender. overridden
Known domain suspicious DKIM result
Informational overridden
An email was sent from a commonly seen domain that had no other suspicious DKIM outcomes for the past 30 days. This may indicate an attempt to spoof or impersonate a legitimate external sender. overridden
Suspicious DMARC result Informational Email 3 variations
The email has a suspicious DMARC result of either fail or none, which may indicate a potential domain misconfiguration or spoofing.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: SpoofingAttacker's goals: Trick users into clicking on malicious links or attachments.Investigative actions: Check the email address for any unusual spellings. Check the email address for any missing letters. Check the reason DMARC didn't pass and the action. Check if the email was delivered to the recipients based on the action taken, even though DMARC did not pass. Verify whether the sender's IP address has appeared in different log sources before and its reputation. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
DMARC deviation from historically compliant domain
Informational overridden
This deviation may indicate an attempt to spoof or impersonate a legitimate external sender. Such sudden DMARC outcome from a previously trusted external domain warrants further investigation. overridden
DMARC failure bypassed domain policy
Informational overridden
This indicates the message should have been rejected according to the domain owner policy, but was instead accepted and delivered, potentially exposing the user to email spoofing or phishing. This suggests a potential policy bypass or misconfiguration in mail filtering. overridden
DMARC failed with non-enforcing policy
Informational overridden
This may indicate an overly permissive DMARC configuration on the sender side and could allow unauthenticated messages to reach users' inboxes. Such configurations are often exploited in phishing or spoofing campaigns, and should be treated with caution. overridden
Suspicious DotNet log file created Low 3 variations
Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Reflective Code Loading (T1620) Process Injection (T1055)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Run/Inject DotNet code in the context of a signed process.Investigative actions: Verify if the actor process is using DotNet in a valid way. Check if a new application was recently installed on the host at the time of the alert.Variations
DotNet log file created by svchost from 'Absolute software Corp' causality
Informational overridden
Causality 'Absolute software Corp' loads/injects into svchost and creates DotNet log files. overridden
Suspicious DotNet log file created from an injected thread
Low overridden
Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files. overridden
Suspicious DotNet log file created
Low overridden
Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files. overridden
Suspicious Process Spawned by wininit.exe Medium
An unusual process was spawned by wininit.exe, possibly indicating malicious local or remote code execution.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036)Required data: XDR AgentAttacker's goals: Gain code execution on the host.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Suspicious SPF Result Informational Email 3 variations
The email has a suspicious SPF result of fail, soft fail, or policy, which may indicate a potential domain misconfiguration or spoofing.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: SpoofingAttacker's goals: Trick users into clicking on malicious links or attachments.Investigative actions: Check the email address for any unusual spellings. Check the email address for any missing letters. Verify the sender's domain to confirm its legitimacy. Examine the sender's IP address and reputation. Verify the domain's connection to the IP address and investigate the reason SPF didn't pass. Verify whether the sender's IP address has appeared in different log sources before. Verify if the sender's IP address is identifiable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Internal domain SPF deviation
Informational overridden
An email was sent from an internal root domain that has historically passed SPF checks, but returned a suspicious SPF result of fail, soft fail, or policy for the first time in the past 30 days. This deviation may indicate an attempt to spoof or impersonate a trusted internal sender, a tactic commonly associated with BEC and internal phishing. Such a sudden SPF outcome from a typically trusted domain warrants further investigation. overridden
Known domain SPF deviation
Informational overridden
An email was sent from a commonly seen domain that has historically passed SPF checks, but returned a suspicious SPF result of fail, soft fail, or policy for the first time in the past 30 days. This deviation may indicate an attempt to spoof or impersonate a legitimate external sender. Such a sudden SPF outcome from a previously trusted external domain warrants further investigation. overridden
Known domain unusual SPF result
Informational overridden
A commonly seen root domain has returned a suspicious SPF result of fail, soft fail, or policy for the first time in the past 30 days. While other suspicious SPF outcomes may have occurred previously for this domain, this is the first instance of this particular SPF result. Such a shift in SPF behavior may signal evolving abuse tactics, domain misconfiguration, or an attempted spoof using unauthorized infrastructure. overridden
Suspicious SSH Downgrade Low 2 variations
The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Defense Evasion (TA0005)ATT&CK techniques: Remote Services (T1021) Impair Defenses: Downgrade Attack (T1562.010)Required data: Palo Alto Networks Firewall EAL LogsDetector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may attempt to move laterally over the network by exploiting problems in a lower version of SSH.Investigative actions: Audit the authentication attempts in the SSH server from the alerted host.If the source host authenticated to the SSH server, it may indicate that the attacker managed to connect to the remote host maliciously.Variations
A Host Performed an SSH Downgrade For The First Time In The Last 30 Days
Low overridden
The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more. With a lower version than the source host used in the past. overridden
A Target Server Performed an SSH Downgrade For The First Time In The Last 30 Days
Low overridden
The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more. With a lower version than the remote host used in the past. overridden
Suspicious SearchProtocolHost.exe parent process Medium
SearchProtocolHost.exe has been launched from a process that is different from SearchIndexer.exeThis may indicate malicious activity (such as malware later being injected to it, or it being used for phantom DLL hijacking).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)ATT&CK techniques: User Execution (T1204) System Binary Proxy Execution (T1218)Required data: XDR AgentAttacker's goals: Gain code execution on the host and evade security controls.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Suspicious Unicode character detected in email Informational Email 3 variations
Unicode characters can be used for obfuscation, allowing malicious actors to disguise harmful intent, URLs or attachments By embedding non-printing Unicode characters, attackers can bypass security filters and evade detection mechanisms Such characters may also be used for phishing attempts that appear legitimate to both users and security systems.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036) Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: Evasion, PhishingAttacker's goals: Embedding suspicious Unicode characters in the email to appear legitimate, evade security filters and bypass detection mechanisms.Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Phishing terms obfuscation using Unicode characters detected in email
Low overridden
Unicode characters can be used for obfuscation, allowing malicious actors to disguise harmful intent, URLs or attachments By embedding non-printing Unicode characters, attackers can bypass security filters and evade detection mechanisms Such characters may also be used for phishing attempts that appear legitimate to both users and security systems. overridden
Words obfuscation using Unicode characters detected in email
Informational overridden
Unicode characters can be used for obfuscation, allowing malicious actors to disguise harmful intent, URLs or attachments By embedding non-printing Unicode characters, attackers can bypass security filters and evade detection mechanisms Such characters may also be used for phishing attempts that appear legitimate to both users and security systems. overridden
Multiple suspicious Unicode characters detected in email
Informational overridden
Unicode characters can be used for obfuscation, allowing malicious actors to disguise harmful intent, URLs or attachments By embedding non-printing Unicode characters, attackers can bypass security filters and evade detection mechanisms Such characters may also be used for phishing attempts that appear legitimate to both users and security systems. overridden