Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

249 alerts match the current filters. tactic: TA0005 ✕

Show ATT&CK heatmap
  • Suspicious activity on logging bucket Informational Cloud 1 variation

    An identity performed a suspicious activity on bucket used to store logs.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Attacker's goals: Evade detection by tampering the logs.
    Investigative actions: Verify whether the identity attempted to access the bucket. Verify no logs were modified in the bucket.

    Variations

    Suspicious deletion on CloudTrail logging bucket

    Medium overridden

    An identity performed a suspicious activity on bucket used to store CloudTrail logs. overridden

  • Suspicious authentication with Azure Password Hash Sync user Medium Identity Analytics

    Authentication to an unusual authentication target was performed by the Azure AD Password Hash Sync user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts (T1078) Modify Authentication Process: Hybrid Identity (T1556.007)
    Required data: AzureAD
    Attacker's goals: The attacker may be attempting to exploit a PHS user, the attacker wants to escalate and abuse this user, to get access to all the user's hashes.
    Investigative actions: Follow further actions done by the account.
  • Suspicious certutil command line Medium

    An attacker may use certutil to download malware.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Ingress Tool Transfer (T1105)
    Required data: XDR Agent
    Attacker's goals: An attacker may use certutil to download malware.
    Investigative actions: Check whether the URL is benign and if this was a desired behavior as part of its normal execution flow. Check whether the downloaded file is malicious.
  • Suspicious data encryption Low

    Known applications were used to encrypt data within a machine's local file system.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Encrypted for Impact (T1486) Obfuscated Files or Information: Encrypted/Encoded File (T1027.013)
    Required data: XDR Agent
    Attacker's goals: Damage or hide data on the local file system.
    Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.
  • Suspicious disablement of the Windows Firewall Low

    The Windows Firewall has been disabled. Malware may turn it off to exfiltrate data and communicate with C2 servers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)
    Required data: XDR Agent
    Attacker's goals: An attacker may turn the firewall off to exfiltrate data and communicate with C2 servers.
    Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Investigate the endpoint to determine if the process is legitimately disabling the firewall.
  • Suspicious disablement of the Windows Firewall using PowerShell commands Medium

    The Windows Firewall has been disabled using PowerShell. Malware may turn it off to exfiltrate data and communicate with C2 servers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may turn the firewall off to exfiltrate data and communicate with C2 servers.
    Investigative actions: Check Windows event logs to see the PowerShell command or script that was executed. Check whether the PowerShell command is benign or normal for the host and/or user performing it. Investigate the endpoint to determine if it's a legitimate process that disabled the firewall.
  • Suspicious hidden user created Medium Identity Analytics

    A user account was created with a name that mimics a machine account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005)
    ATT&CK techniques: Create Account (T1136) Hide Artifacts: Hidden Users (T1564.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Evasion using a valid account.
    Investigative actions: Check the user account created and verify its activity.
  • Suspicious process accessed a site masquerading as Google Informational 1 variation

    A suspicious process accessed a site masquerading as Google.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Defense Evasion (TA0005)
    ATT&CK techniques: Web Service: Bidirectional Communication (T1102.002) Masquerading (T1036)
    Required data: XDR Agent
    Attacker's goals: Masquerade legitimate looking Google services for defense evasion and C&C.
    Investigative actions: See whether this site has a malicious reputation. Follow process activities. Monitor traffic to the site.

    Variations

    Suspicious process resolved the DNS name of a site masquerading as Google

    Informational overridden

    A suspicious process resolved the DNS name of a site masquerading as Google. overridden

  • Suspicious process execution from tmp folder Informational 4 variations

    An unpopular process was executed from the tmp folder.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may try to run the executable application from a folder that is writable to all users and use it to avoid detection.
    Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.

    Variations

    A web server process executed an unpopular application from the tmp folder

    Medium overridden

    An executable application ran from the tmp folder by a web server process. overridden

    Suspicious cron job task execution of a binary from the tmp folder

    Medium overridden

    An unpopular process was executed from the tmp folder. overridden

    Suspicious interactive execution of a binary from the tmp folder

    Medium overridden

    An unpopular process was executed from the tmp folder. overridden

    Suspicious process execution from tmp folder in a Kubernetes pod

    Informational overridden

    An unpopular process was executed from the tmp folder. overridden

  • Svchost.exe loads a rare unsigned module Low

    Svchost.exe loads a rare unsigned module, which can indicate an attacker's malicious service execution.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Masquerading: Masquerade Task or Service (T1036.004) Create or Modify System Process: Windows Service (T1543.003)
    Required data: XDR Agent
    Detector tags: Malicious Service Analytics
    Attacker's goals: Evading detections by running code from a signed Microsoft executable.
    Investigative actions: Check whether the loaded module with the corresponding hash is benign and if this was a desired behavior as part of its normal execution flow. Go to the 'Services' registry key and investigate its sub keys to find the service associated with the loaded dll.
  • Tampering with Internet Explorer Protected Mode configuration Informational 2 variations

    When an add-on is running inside Protected Mode attempts to launch a broker process (or any other program), the ElevationPolicy Registry key is checked to determine how the process should be launched. Internet Explorer will run a broker process with higher rights that can use the current user's permissions to take actions that would otherwise be prohibited when rendering content inside the Protected Mode sandbox. https://blogs.msdn.microsoft.com/ieinternals/2009/11/30/understanding-the-protected-mode-elevation-dialog/.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: XDR Agent
    Attacker's goals: When an add-on is running inside Protected Mode attempts to launch a broker process, this key is checked to determine how the process should be launched. Attackers may change this value to make the process launch with higher privileges.
    Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Tampering with Internet Explorer Protected Mode default configuration

    Medium overridden

    When an add-on is running inside Protected Mode attempts to launch a broker process (or any other program), the ElevationPolicy Registry key is checked to determine how the process should be launched. Internet Explorer will run a broker process with higher rights that can use the current user's permissions to take actions that would otherwise be prohibited when rendering content inside the Protected Mode sandbox. https://blogs.msdn.microsoft.com/ieinternals/2009/11/30/understanding-the-protected-mode-elevation-dialog/. overridden

    Tampering with Internet Explorer Protected Mode specific app configuration

    Informational overridden

    When an add-on is running inside Protected Mode attempts to launch a broker process (or any other program), the ElevationPolicy Registry key is checked to determine how the process should be launched. Internet Explorer will run a broker process with higher rights that can use the current user's permissions to take actions that would otherwise be prohibited when rendering content inside the Protected Mode sandbox. https://blogs.msdn.microsoft.com/ieinternals/2009/11/30/understanding-the-protected-mode-elevation-dialog/. overridden

  • Tampering with the Windows User Account Controls (UAC) configuration Informational 3 variations

    EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain higher privileges by bypassing the User Account Control (UAC).
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Tampering with the Windows User Account Controls (UAC) configuration by a remote host

    Medium overridden

    EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA). overridden

    Tampering with the Windows User Account Controls (UAC) configuration

    Low overridden

    EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA). overridden

    Tampering with the Windows User Account Controls (UAC) configuration

    Low overridden

    EnableLUA specifies whether Windows User Account Controls (UAC) notifies the user when programs try to modify the computer. UAC was formerly known as Limited User Account (LUA). overridden

  • The Linux system firewall was disabled Low

    The system firewall was disabled.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    10 Minutes
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)
    Required data: XDR Agent
    Attacker's goals: Exfiltrate data or move laterally in the organization.
    Investigative actions: Examine the command to understand which ip or port were affected. Check the communication allowed by the created firewall rule.
  • Uncommon DLL-sideloading from a logical CD-ROM (ISO) device Medium

    A DLL was loaded by an executable from the same folder on a logical CD-ROM device (ISO).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001) User Execution: Malicious File (T1204.002)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load untrusted code into trusted contexts to avoid detection or escalate privileges.
    Investigative actions: Investigate the loaded module and verify if it is malicious. Check if the disk is a mounted CD-ROM (for example from an ISO file), and if it contains hidden files and folders. Check the content of an 'autorun.inf' or '.lnk' files if they exist.
  • Uncommon DotNet module load relationship Informational

    A signed process that usually doesn't use DotNet loaded a common DotNet module.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Reflective Code Loading (T1620)
    Required data: XDR Agent
    Attacker's goals: Adversaries may reflectively load DotNet code into a process to conceal execution of malicious payloads.
    Investigative actions: Investigate the actor process for potential malicious activity. Check for recently installed services that may load DotNet modules.
  • Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer Low 4 variations

    A process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Process Injection: Portable Executable Injection (T1055.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Injection Analytics
    Attacker's goals: Gain code execution on the host in the context of another process.
    Investigative actions: Investigate the acting process for other malicious activities. Check if the target process was injected and for anomalies in its behavior after this event.

    Variations

    Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an office process

    High overridden

    An office process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden

    Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an injected thread

    Medium overridden

    An injected thread wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden

    Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from a LOLBIN process

    Medium overridden

    A LOLBIN process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden

    Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer from an unsigned process

    Medium overridden

    An unsigned process wrote a PE header to another process by calling the NtWriteVirtualMemoryRemote API function. overridden

  • Uncommon attempt to clear shell history Low 1 variation

    An attempt to clear or manipulate shell history files was detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Indicator Removal (T1070)
    Required data: XDR Agent
    Attacker's goals: Attackers may clear or modify shell history files to remove traces of their activities.
    Investigative actions: Investigate the user and process that executed the command. Examine other related activities on the host to understand the context of this action.

    Variations

    Globally uncommon attempt to clear shell history

    Medium overridden

    An attempt to clear or manipulate shell history files was detected. overridden

  • Uncommon driver loaded Low 3 variations

    An uncommon driver loaded which may be an attempt to kill the EDR or install rootkit.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Rootkit (T1014)
    Required data: XDR Agent
    Attacker's goals: Install rootkit to gain kernel-level to gain full control over the machine or disable security products.
    Investigative actions: Investigate which process created the driver or how it has been loaded.

    Variations

    Uncommon driver loaded by a Web server process

    High overridden

    An uncommon driver loaded which may be an attempt to kill the EDR or install rootkit by a Web server process. overridden

    Globally rare and unsigned driver loaded

    Medium overridden

    Globally rare and unsigned driver loaded. overridden

    Uncommon driver with a globally rare vendor loaded as a service

    Medium overridden

    An uncommon driver loaded which may be an attempt to kill the EDR or install rootkit. overridden

  • Uncommon execution of ODBCConf Low 1 variation

    Attackers may abuse the Odbcconf.exe Windows utility to proxy the execution of malicious DLL files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Odbcconf (T1218.008)
    Required data: XDR Agent
    Attacker's goals: Execute arbitrary code or load malicious DLL modules undetected within Microsoft signed program from Microsoft signed process.
    Investigative actions: Check the execution command-line, in case of 'REGSVR' points to a DLL, then check it. If the command-line contains '/f' argument (for script file) check the content of the script.

    Variations

    Uncommon execution of ODBCConf to load dll directly

    High overridden

    Attackers may abuse the Odbcconf.exe Windows utility to proxy the execution of malicious DLL files. overridden

  • Uncommon kernel module load Informational 1 variation

    Loading of a kernel module using the modprobe command.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Rootkit (T1014)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Gain persistence using the kernel module.
    Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.

    Variations

    Uncommon kernel module load in a Kubernetes pod

    Informational overridden

    Loading of a kernel module using the modprobe command. overridden

  • Uncommon msiexec execution of an arbitrary file from a remote location Low 1 variation

    Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Msiexec (T1218.007)
    Required data: XDR Agent
    Attacker's goals: Evading security controls and executing arbitrary files from the web.
    Investigative actions: Check if the the URL that is encoded in the command line is trusted. Determine if the executed DLL or MSI file is known as legitimate. Confirm whether the initiating process is legitimate and if the user running it knows of its use.Note - the MSI executable can run from other LAN locations, the alert will raise on the WAN connection.

    Variations

    Suspicious msiexec execution on an internet-facing endpoint

    Low overridden

    Suspicious msiexec execution of an arbitrary file from the web on an internet-facing server. overridden

  • Unicode RTL Override Character High

    An attacker may use a special right-to-left (RTL) override character to trick users into executing malicious files that look like benign file types.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Obfuscated Files or Information (T1027)
    Required data: XDR Agent
    Attacker's goals: Trick users into executing malicious files by making their file types seem benign.
    Investigative actions: Investigate the executed process. There is no reason for benign files to contain the Unicode right-to-left override character in their name.
  • Unpopular rsync process execution Informational 1 variation

    An unpopular rsync process was executed on the host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may attempt to transfer tools or other files to a compromised host.
    Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.

    Variations

    Unpopular rsync process execution in a Kubernetes Pod

    Informational overridden

    An unpopular rsync process was executed on the host. overridden

  • Unsigned DLL Hijack into a Microsoft process Informational 7 variations

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.
    Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.

    Variations

    Unsigned DLL Hijack into a recently created Microsoft process which commonly loads the module as signed

    Medium overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.In addition, The Microsoft process which commonly loads the module as signed,had loaded the module as unsigned, which might indicate an attacker targeting a popular module name. overridden

    Rare and unsigned DLL into an injected Microsoft process

    Medium overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

    Unsigned DLL Hijack of a low entropy DLL into a Microsoft process

    Low overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

    Unsigned DLL Hijack of a high entropy DLL into a Microsoft process

    Low overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

    Unsigned DLL Hijack into a Microsoft process - the DLL downloaded from an uncommon source

    Low overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

    Unsigned DLL Hijack into a recently created Microsoft process

    Low overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

    Unsigned DLL Hijack into a Microsoft process which was executed by a scheduled task

    Low overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

  • Unsigned DLL Side-Loading Informational 6 variations

    A signed process loaded an unsigned and rare module from the same folder.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.
    Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.

    Variations

    DLL Side-Loading of module bearing an invalid Microsoft signature

    High overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

    Unsigned DLL Side-Loading to a signed microsoft process by a rare causality actor

    Medium overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

    Unsigned DLL Side-Loading to a signed microsoft process

    Low overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

    Unsigned DLL Side-Loading - DLL downloaded from an uncommon source

    Low overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

    Unsigned high entropy DLL Side-Loading by untrusted causality actor

    Low overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

    Unsigned DLL Side-Loading which was executed by a scheduled task

    Low overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

  • Unsigned and unpopular process performed a DLL injection Low 5 variations

    An unsigned process with low popularity injected a dll into another process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: Attackers may inject DLLs into processes to evade process-based defenses, as well as possibly elevate privileges.
    Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Unsigned and unpopular process performed process hollowing DLL injection

    High overridden

    An unsigned process with low popularity injected a dll into another process. overridden

    Unsigned and unpopular process performed queue APC DLL injection

    High overridden

    An unsigned process with low popularity injected a dll into another process. overridden

    Unsigned and unpopular process performed a DLL injection to a sensitive process

    Medium overridden

    An unsigned process with low popularity injected a dll into another process. overridden

    Unsigned and unpopular process performed a DLL injection to a commonly abused process

    High overridden

    An unsigned process with low popularity injected a dll into another process. overridden

    Unsigned and unpopular process performed a DLL injection to a security vendor signed process

    Medium overridden

    An unsigned process with low popularity injected a dll into another process. overridden

  • Unsigned and unpopular process performed an injection Low 7 variations

    An unsigned process with low popularity injected code to another process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
    Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Unsigned and unpopular process performed process hollowing injection

    High overridden

    An unsigned process with low popularity injected code to another process. overridden

    Unsigned and unpopular process performed queue APC injection

    High overridden

    An unsigned process with low popularity injected code to another process. overridden

    Unsigned and unpopular process performed injection into a sensitive process

    Medium overridden

    An unsigned process with low popularity injected code to another process. overridden

    Unsigned and unpopular process performed injection into svchost.exe

    High overridden

    An unsigned process with low popularity injected code to another process. This process attempted to obtain System user permissions. overridden

    Unsigned and unpopular process performed injection into a commonly abused process

    High overridden

    An unsigned process with low popularity injected code to another process. overridden

    Unsigned and unpopular process performed injection into a process signed by a security vendor

    Medium overridden

    An unsigned process with low popularity injected code to another process. overridden

    Unsigned and unpopular process executed by a scheduled task performed an injection

    Low overridden

    An unsigned process with low popularity injected code to another process. overridden

  • Unsigned process injecting into a Windows system binary with no command line Medium

    An attacker may be trying to avoid detection by injecting their malicious code into a legitimate Windows system binary.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
    Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.
  • Unusual Conditional Access operation for an identity Informational Identity Threat Module 1 variation

    An identity attempted to add or update an Azure AD Conditional Access policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion. With a modified Conditional Access policy, an attacker might be able to access the tenant without possible blockage for later access.
    Investigative actions: Check implications of the updated policy. Check whether the user changing the configuration is permitted to perform such actions.

    Variations

    Suspicious Conditional Access operation for an identity

    Low overridden

    An identity that doesn't usually modify Azure AD Conditional Access policies successfully modified a policy. overridden

  • Unusual Lolbins Process Spawned by InstallUtil.exe Low

    An unusual process was spawned by InstallUtil.exe, possibly indicating malicious local or remote code execution.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: InstallUtil (T1218.004)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Unusual Netsh PortProxy rule Low 2 variations

    Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)
    ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004) Proxy: Internal Proxy (T1090.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adding or deleting netsh forwarding rules as a proxy and to avoid possible detection.
    Investigative actions: Check the connect address and if it's a known IP/domain. Check whether the causality group owner (CGO) process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Unusual Netsh PortProxy rule by non-netsh process

    Medium overridden

    Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling). overridden

    Unusual Netsh PortProxy rule by an unsigned causality actor

    Medium overridden

    Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling). overridden

  • Unusual cloud identity impersonation Informational Cloud 3 variations

    A cloud identity attempted to impersonate another identity for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Escalate privileges and bypass access controls Avoid detection throughout their compromise.
    Investigative actions: Check the identity's designation. Verify that the identity did not perform any sensitive operation on behalf of the impersonated identity.

    Variations

    Unusual cloud identity impersonation of a management role

    Informational overridden

    A cloud identity attempted to impersonate a management role for the first time. overridden

    Suspicious cloud identity impersonation was succeeded

    Medium overridden

    A cloud identity has impersonated another identity for the first time. overridden

    Suspicious cloud identity impersonation was failed

    Informational overridden

    A cloud identity has failed to impersonate another identity. overridden

  • Unusual hostname for the sending mail server in the email headers Informational Email

    The detected mail server hostname had not been observed in the organization's emails in the past 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impersonation (T1656)
    Required data: Microsoft 365 Emails
    Detector tags: Spoofing
    Attacker's goals: Disguise the email's origin by spoofing the received header to appear as a trusted sender, impersonating a trusted source, aims to mislead recipients into disclosing private data or performing unsafe acts.
    Investigative actions: Review the email's received headers, to trace its path and spot spoofing signs. Examine the sender's IP address and domain reputation. Closely inspect the email content for malicious links, attachments, or requests for sensitive information. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Unusual sender IP subnet Informational Email 2 variations

    This IP address has not been observed in correlation with the sender's fully qualified domain name within the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impersonation (T1656)
    Required data: Microsoft 365 Emails
    Detector tags: Spoofing
    Attacker's goals: Disguise the email's origin by spoofing the received header to appear as a trusted sender, impersonating a trusted source, aims to mislead recipients into disclosing private data or performing unsafe acts.
    Investigative actions: Review the email's received headers, to trace its path and spot spoofing signs. Examine the sender's IP address and domain reputation. Closely inspect the email content for malicious links, attachments, or requests for sensitive information. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    Unusual sender IP subnet associated with infrastructure or tunneling services

    Informational overridden

    This IP address has not been observed in correlation with the sender's fully qualified domain name within the last 30 days. overridden

    Unusual sender IP subnet associated with internal sender

    Informational overridden

    This IP address has not been observed in correlation with the sender's fully qualified domain name within the last 30 days. overridden

  • Unusual use of a 'SysInternals' tool Informational 3 variations

    An attacker may be trying to avoid detection by using an obfuscated copy of SysInternals tools.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Obfuscated Files or Information (T1027)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers may leverage SysInternals tools for lateral movement, credential access, or to delete recovery backups to cause impact.
    Investigative actions: Check if the file is familiar to the user, if not, investigate further the source of it.

    Variations

    Unusual use of a 'SysInternals' tool by a process with an invalid or non-standard signature

    High overridden

    An attacker may be trying to avoid detection by using an obfuscated copy of SysInternals tools. overridden

    Unusual use of a 'SysInternals' tool that can be used for offensive operations

    High overridden

    An attacker may be trying to avoid detection by using an obfuscated copy of SysInternals tools. overridden

    A registry key related to SysInternals was modified by a known registry editor

    Informational overridden

    A registry key related to SysInternals was modified by a known registry editor to circumvent a EULA prompt. overridden

  • Unusual user-agent for a cloud identity Informational Cloud 1 variation

    A cloud identity has executed an API call with an unusual user-agent.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Evade detection by using non-standard tools or scripts.
    Investigative actions: Examine the recent actions of the user for any abnormal or unauthorized behavior. Verify if the user intentionally used a new device or tool.

    Variations

    Unusual user-agent for a cloud identity by a compromised AWS access key

    Medium overridden

    A cloud identity has executed an API call with an unusual user-agent. overridden

  • Usage of homograph characters detected in an email Informational Email

    Detected characters resembling Latin letters within an email's subject and/or body.This could indicate an attempt to impersonate a well-known brand or impersonate someone's identity.This could also be used as a method to evade text scanners and analyzers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impersonation (T1656) Masquerading (T1036)
    Required data: Microsoft 365 Emails
    Detector tags: Evasion
    Attacker's goals: Impersonate known legitimate brands or evade defenses, tricking recipients into clicking on malicious links or attachments.
    Investigative actions: Check the characters in the email address for any characters that might look slightly different. Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. Check the domain the email came from, and if this domain is recognized within the organization. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Usage of homograph characters detected in an email's from header Informational Email

    Detected characters resembling Latin letters within an email's From header.This could indicate an attempt to impersonate a well-known brand or impersonate someone's identity.This could also be used as a method to evade text scanners and analyzers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading (T1036) Impersonation (T1656)
    Required data: Microsoft 365 Emails
    Detector tags: Evasion
    Attacker's goals: Impersonate known legitimate brands or evade defenses, tricking recipients into clicking on malicious links or attachments.
    Investigative actions: Check the characters in the email address for any characters that might look slightly different. Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. Check the domain the email came from, and if this domain is recognized within the organization. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • User added SID History to an account Informational Identity Analytics 1 variation

    A user added SID history to an account. This may be indicative of a user's migration between domains or a SID injection attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Access Token Manipulation: SID-History Injection (T1134.005)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversaries may use SID history to escalate privileges and bypass access controls.
    Investigative actions: Verify if migration between domains was involved. Search for suspicious actions by the user, such as forged Kerberos tickets.

    Variations

    Suspicious SID History Addition

    Medium overridden

    A user added SID history to an account. The account was not migrated between domains, which may indicate a SID injection attack. overridden

  • User moved Exchange sent messages to deleted items Informational Identity Threat Module Email 1 variation

    A user moved sent messages to deleted items in Exchange.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Indicator Removal: Clear Mailbox Data (T1070.008)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to hide newly sent email messages for evasion purposes.
    Investigative actions: Look for signs that the user account and mailboxes are compromised (e.g. abnormal logins, unusual activity). Investigate the IP address associated with the activity. Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents). Examine the user's email activity history for suspicious behavior.

    Variations

    Sensitive Exchange sent messages moved to deleted items from unusual source

    Low overridden

    A user moved sensitive sent messages to deleted items in Exchange. overridden

  • User set insecure CA registry setting for global SANs Low Identity Analytics

    A user enabled the EDITF_ATTRIBUTESUBJECTALTNAME2 registry flag, allowing custom Subject Alternative Names (SANs) to be specified on all certificate templates. This could enable attackers to bypass security controls by requesting certificates with user-defined SANs.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: This flag can allow an attacker to obtain a certificate with higher privileges and escalate to Domain Admin.
    Investigative actions: Confirm whether the registry change was authorized by the user or system administrator. Monitor certificate enrollments with Subject Alternate Names. Restore the secure configuration by disabling the EDITF_ATTRIBUTESUBJECTALTNAME2 flag and enforcing strict certificate policies. Investigate any unusual authentication attempts or certificates issued to high-privilege users or accounts.
  • VM Detection attempt Informational

    A script has executed commands that can be used to detect VM environments.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Discovery (TA0007)
    ATT&CK techniques: Virtualization/Sandbox Evasion: System Checks (T1497.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Avoid malware analysis by identifying execution from within sandboxes and virtual machines.
    Investigative actions: Review the script for additional malicious actions. Check for any additional alerts raised within the same context of the script.
  • VM Detection attempt on Linux Informational 2 variations

    A Process executed a command and/or accessed a file that can be used to detect VM environments.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Discovery (TA0007)
    ATT&CK techniques: Virtualization/Sandbox Evasion: System Checks (T1497.001)
    Required data: XDR Agent
    Attacker's goals: Avoid malware analysis by identifying execution from within sandboxes and virtual machines.
    Investigative actions: Review the process for additional malicious actions. Check for any additional alerts raised within the same context of the script.

    Variations

    VM Detection attempt on Linux with further reconnaissance commands

    Medium overridden

    A Process executed a command and/or accessed a file that can be used to detect VM environments. overridden

    VM Detection attempt on Linux using an unpopular technique

    Low overridden

    A Process executed a command and/or accessed a file that can be used to detect VM environments. overridden

  • VPN login by a dormant user Informational Identity Analytics

    A dormant user logged on to a VPN service after having been unused for a month or longer.This may indicate the account is misused by an attacker.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Use a compromised user account which has not been used for a long while, and therefore is less likely to be noticed.
    Investigative actions: Confirm that the activity is benign (e.g. the user returned from a long leave of absence). See whether there are other abnormal actions done by the user (e.g. files\commands\other logins). Check if the user initiated other logins aside from a VPN login. Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.
  • Weakly-Encrypted Kerberos TGT Response Informational 1 variation

    A weakly encrypted Kerberos TGT was issued by a domain controller. The encryption type is abnormal for this DC and results in a TGT that is easier to crack. This behavior may indicate a Skeleton Key attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Modify Authentication Process: Domain Controller Authentication (T1556.001)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Manipulate the domain controller authentication process to bypass standard authentication and gain access to hosts and resources in environments relying on single-factor authentication.
    Investigative actions: Identify the user or entity that requested the TGT during the alert timeframe. Determine whether a legitimate service or application requested weak Kerberos encryption. Verify whether the domain controller is patched against the Skeleton Key vulnerability (CVE-2016-1567).

    Variations

    Abnormal Weakly-Encrypted Kerberos TGT Response

    Low overridden

    A weakly encrypted Kerberos TGT was issued by a domain controller. The encryption type is abnormal for this DC and results in a TGT that is easier to crack. This behavior may indicate a Skeleton Key attack. overridden

  • Well-known brand in sender headers with header inconsistencies Informational Email

    Sender headers include a well-known brand with header inconsistencies indicating possible impersonation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impersonation (T1656)
    Required data: Microsoft 365 Emails
    Detector tags: Brand Impersonation
    Attacker's goals: Impersonate known legitimate brands or other technological entities to trick recipients into disclosing information or executing malicious code unwillingly.
    Investigative actions: Identify the specific emails responsible for the accumulation of these alerts. Review their headers and content for patterns or anomalies. Assess the email's context and attack techniques to determine the potential risk. Review the email headers and metadata of each flagged email to identify potential spoofing techniques or unusual routing patterns. Analyze any URLs or attachments in a secure sandbox environment to detect possible malware or phishing attempts. Engage potentially affected users to understand if any actions were taken in response to these emails, which could increase the overall risk. Document and escalate findings in case this is a broader phenomenon.
  • Windows event logs were cleared with PowerShell Informational 3 variations

    Windows event logs were cleared or deleted with PowerShell.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Indicator Removal: Clear Windows Event Logs (T1070.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers may clear events from Windows event logs to remove traces of their malicious activity.
    Investigative actions: Validate if the script that was executed is from a legitimate IT activity. Look for additional suspicious actions that were executed on the host.

    Variations

    Suspicious clear or delete security provider event logs with PowerShell

    High overridden

    Windows event logs were cleared or deleted with PowerShell. overridden

    Suspicious clear or delete default providers event logs with PowerShell

    Medium overridden

    Windows event logs were cleared or deleted with PowerShell. overridden

    Windows event logs were cleared with uncommon PowerShell command line

    Low overridden

    Windows event logs were cleared or deleted with PowerShell. overridden

  • Wscript/Cscript loads .NET DLLs Low

    An unusual script loads .NET DLLs, possibly indicating JScriptToDotnet execution.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • X-Forefront-Antispam-Report has flagged this email as a potential threat Informational Email 15 variations

    This email has been categorized by X-Forefront-Antispam-Report as a threat, suggesting it is likely malicious in nature (e.g., spam, phishing, impersonation, etc.).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) Impersonation (T1656) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Attacker's goals: Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.
    Investigative actions: Examine email headers to trace origins and check for signs of spoofing. Analyze the email content for spam indicators like suspicious links and aggressive marketing language. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    X-Forefront-Antispam-Report has categorized this email as containing malware (AMP)

    Informational overridden

    This email has been classified by X-Forefront-Antispam-Report as containing malware, indicating a high likelihood that it includes malicious content. overridden

    X-Forefront-Antispam-Report has categorized this email as containing malware (MALW)

    Informational overridden

    This email has been classified by X-Forefront-Antispam-Report as containing malware, indicating a high likelihood that it includes malicious content. overridden

    Email contains an attachment flagged by X-Forefront-Antispam-Report as malware due to its file type

    Informational overridden

    X-Forefront-Antispam-Report has automatically flagged certain attachment types as malware based on file type (without deeper content analysis). This email includes such attachments. overridden

    Email identified by X-Forefront-Antispam-Report as a phishing attempt

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as a phishing attempt in its anti-spam headers, indicating a high likelihood that it is designed to deceive the recipient into disclosing sensitive information. overridden

    Email flagged by X-Forefront-Antispam-Report as a highly confident phishing attempt

    Informational overridden

    X-Forefront-Antispam-Report has identified this email as a phishing attempt with high confidence in its anti-spam headers, suggesting a significant risk of deceptive intent aimed at stealing sensitive information. overridden

    Email flagged by X-Forefront-Antispam-Report as impersonating internal communication

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as an attempt to mimic or impersonate internal organizational communication, suggesting a potential internal compromise or impersonation attempt. overridden

    X-Forefront-Antispam-Report has strongly flagged this email as spam

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as spam with high confidence in its anti-spam headers, indicating it is likely unsolicited and potentially harmful. overridden

    X-Forefront-Antispam-Report flagged this email as spam

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as spam in its anti-spam headers, indicating it is likely unsolicited and potentially harmful. overridden

    X-Forefront-Antispam-Report has flagged this email as a bulk email

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as a bulk message in its anti-spam headers, indicating it is part of mass communication that may be unsolicited or irrelevant to the recipient. overridden

    X-Forefront-Antispam-Report has flagged an internal email as spam

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as spam originating from within the organization in its anti-spam headers, indicating a potential internal security issue, such as a compromised account or misconfigured system sending unsolicited messages. overridden

    X-Forefront-Antispam-Report has flagged this email as attempting to forge the sender's identity

    Informational overridden

    This email has been classified by X-Forefront-Antispam-Report as spoofing the sender's identity in its anti-spam headers, indicating a high likelihood that the sender's identity has been forged to appear as a trusted source. overridden

    X-Forefront-Antispam-Report has flagged this email as impersonating a specific user within the organization

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as impersonating a specific user within the organization in its anti-spam headers, suggesting a targeted attempt to deceive recipients by mimicking a trusted internal user. overridden

    X-Forefront-Antispam-Report has flagged this email as impersonating the organization's domain

    Informational overridden

    This email has been identified by X-Forefront-Antispam-Report as an attempt to impersonate the organization's domain in its anti-spam headers, indicating a deceptive effort to make the email appear as if it originates from the organization's legitimate domain. overridden

    X-Forefront-Antispam-Report has flagged this email as using advanced impersonation techniques

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as using advanced impersonation techniques in its anti-spam headers, indicating the use of sophisticated methods where the sender mimics typical communication patterns to appear credible. overridden

    X-Forefront-Antispam-Report has flagged this email as impersonating a well-known brand

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as impersonating a well-known brand in its anti-spam headers, indicating the use of sophisticated methods where the sender mimics typical communication made by legitimate brands to appear credible. overridden