Analytics Alerts
Browse the Cortex analytics alert reference.
72 alerts match the current filters. tactic: TA0011 ✕
Show ATT&CK heatmapA Successful VPN connection from TOR High Identity Analytics 1 variation
A successful VPN connection from a TOR exit node.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Gain initial access to organization and hiding itself.Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.Variations
A Successful VPN connection from TOR via Mobile Device
Medium overridden
A successful VPN connection from a TOR exit node. overridden
A Successful login from TOR High Identity Analytics
A successful login from a TOR exit node.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)Required data: XDR AgentAttacker's goals: Gain initial access to the organization while anonymizing the source of the activity.Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.A commonly abused process connected to a rare cloud resource Low 3 variations
A commonly abused process connected to a rare cloud resource.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.Investigative actions: Investigate the actor process connected to the cloud resource. Is this use case usually takes place within the org? Determine if the cloud resource is owned by your organization or a known external entity. Assess whether this communication pattern is expected or not.Variations
A commonly abused software develop tool connected to a rare cloud resource
Informational overridden
A commonly abused software develop tool connected to a rare cloud resource. overridden
A commonly abused rare process connected to a rare cloud resource
Low overridden
A commonly abused rare process connected to a rare cloud resource. overridden
A commonly abused renamed process connected to a rare cloud resource
Medium overridden
A commonly abused renamed process connected to a rare cloud resource. overridden
A commonly abused process connected to a rare external host Low 3 variations
A commonly abused process connected to a rare external host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.Investigative actions: Investigate the actor process connected to the external host. Get further details about the uncommon external destination. Assess whether this communication pattern is expected or not.Variations
A commonly abused renamed process connected to a rare external host
Medium overridden
A commonly abused renamed process connected to a rare external host. overridden
A commonly abused process connected to a globally rare external host
Low overridden
A commonly abused process connected to a globally rare external host. overridden
A commonly abused rare process connected to a rare external host
Low overridden
A commonly abused rare process connected to a rare external host. overridden
A compromised process accessed a rare cloud resource Informational 3 variations
A compromised process accessed a rare cloud resource.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR Agent XDR Agent with eXtended Threat Hunting (XTH)Detector tags: EDR Windows C2 AnalyticsAttacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure while leveraging a compromised process to evade detection.Investigative actions: Investigate the compromised process. Identify the rare cloud resource accessed, is it managed by your organization?Variations
A process compromised by DLL sideloading accessed a rare cloud resource and demonstrated abnormal communication patters
Medium overridden
A process compromised by DLL sideloading accessed a rare cloud resource and demonstrated abnormal communication patters. overridden
A process compromised by DLL sideloading accessed a rare cloud resource
Informational overridden
A process compromised by DLL sideloading accessed a rare cloud resource. overridden
An injected process accessed a rare cloud resource
Informational overridden
An injected process accessed a rare cloud resource. overridden
A compromised process accessed a rare external host Low 3 variations
A compromised process accessed a rare external host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR Agent XDR Agent with eXtended Threat Hunting (XTH)Detector tags: EDR Windows C2 AnalyticsAttacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure while leveraging a compromised process to evade detection.Investigative actions: Investigate the compromised process. Check the rare remote host.Variations
A process compromised by DLL sideloading accessed a rare external host and transferred a large amount of data
High overridden
A process compromised by DLL sideloading accessed a rare external host and transferred a large amount of data. overridden
A process compromised by DLL sideloading accessed a rare external host
Medium overridden
A process compromised by DLL sideloading accessed a rare external host. overridden
An injected process accessed a rare external host
Medium overridden
An injected process accessed a rare external host. overridden
A non-browser process accessed a website UI Informational 3 variations
An uncommon network communication between a non-browser process and a website UI.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Web Service (T1102)Required data: Palo Alto Networks Url LogsAttacker's goals: Data exfiltration or attack tool staging.Investigative actions: Examine the host to verify that the host was not part of infiltration or data exfiltration from the organization. Verify that the host doesn't have sensitive company data that can be easily exfiltrated.Variations
Suspicious content upload to a known text share website by Non browser process
High overridden
Uncommon data upload to a known text share website through a Non-browser process. overridden
Uncommon data upload to a website through a Non-browser process
Low overridden
Uncommon data upload to a website through a Non browser process. overridden
Uncommon data download from a known text share website through a Non-browser process
Medium overridden
Uncommon content download from a known text share website through a Non browser process. overridden
A process connected to a rare cloud resource Informational 3 variations
A process connected to a rare cloud resource.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.Investigative actions: Investigate the actor process connected to the cloud resource. Determine if the cloud resource is owned by your organization or a known external entity. Assess whether this communication pattern is expected or not.Variations
A browser process connected to a rare cloud resource
Informational overridden
A browser process connected to a rare cloud resource. overridden
A process connected to an atypical rare cloud resource
Informational overridden
A process connected to an atypical rare cloud resource. overridden
A process connected to a rare cloud resource atypical to this agent
Informational overridden
A process connected to a rare cloud resource atypical to this agent. overridden
A process connected to a rare external host Informational 6 variations
A process connected to an external host name or directly to an IP address, which is rarely connected to from the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR AgentAttacker's goals: Beacon to C2 server and/or exfiltrate data.Investigative actions: Check whether the process was injected or otherwise subverted for malicious use.Variations
MSBuild process connected to a rare external host
High overridden
MSBuild normally does not make any network connections. This unusual activity may be malicious since attackers can leverage MSBuild for code execution. overridden
MSBuild process connected to a rare external host
Medium overridden
MSBuild normally does not make any network connections. This unusual activity may be malicious since attackers can leverage MSBuild for code execution. overridden
LOLBIN spawned by an Office executable connected to a rare external host
High overridden
A LOLBIN run by an Office process connected to an external IP address or host, which is rarely connected to from the organization. overridden
A curl process connected to a rare external host
Informational overridden
A process connected to an external host name or directly to an IP address, which is rarely connected to from the organization. overridden
VSCode extension process connected to a rare external host
Low overridden
A VSCode extension connected to an external IP address or host, which is rarely connected to from the organization. overridden
UNIX LOLBIN process connected to a rare external host
Low overridden
A UNIX LOLBIN connected to an external IP address or host, which is rarely connected to from the organization. overridden
A process connected to rare external host Informational 1 variation
A process connected to a rare external host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.Investigative actions: Get further details about the uncommon external destination and the actor process.Variations
A process connected to globally rare external host
Informational overridden
A process connected to a globally rare external host. overridden
A successful SSO sign-in from TOR High Identity Analytics 1 variation
A successful sign-in from a TOR exit node.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Gain initial access to organization and hiding itself.Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.Variations
A successful SSO sign-in from TOR via Mobile Device
Medium overridden
A successful sign-in from a TOR exit node. overridden
Abnormal Communication to a Rare Domain Informational 3 variations
An abnormal communication was seen from an internal entity to a rare domain.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Non-Application Layer Protocol (T1095)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: NDR C2 DetectionAttacker's goals: Communicate with malicious code running on your network enabling further access to the endpoint and network, performing software updates on the endpoint, or for taking inventory of infected machines.Investigative actions: Identify if the external domain belongs to a reputable organization or an asset used in a public cloud. Identify if the source of the traffic is malware. If the source of the traffic is a malicious file, Cortex XDR Analytics also raises a malware alert for the file on the endpoint. Malware may contact legitimate domain names, therefore check for unusual apps used or unusual ports or volumes accessed. View all related traffic generated by the suspicious process to understand the purpose. Look for other endpoints on your network that are also contacting the suspicious domain name. Examine file-system operations performed by the process that initiated the traffic and look for potential artifacts on infected endpoints.Variations
Abnormal Communication to a Rare Domain With a Port Commonly Used by Attack Platforms
Low overridden
An abnormal communication was seen from an internal entity to a rare domain. overridden
Abnormal Communication to a Rare Domain to a Suspicious Autonomous System (AS)
Informational overridden
An abnormal communication was seen from an internal entity to a rare domain. overridden
Abnormal Communication to a Rare Domain With a Less Common Port
Informational overridden
An abnormal communication was seen from an internal entity to a rare domain. overridden
Abnormal Recurring Communications to a Rare Domain Informational 4 variations
Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Non-Application Layer Protocol (T1095)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: NDR C2 DetectionAttacker's goals: Communicate with malicious code running on your network enabling further access to the endpoint and network, performing software updates on the endpoint, or for taking inventory of infected machines.Investigative actions: Identify if the external domain belongs to a reputable organization or an asset used in a public cloud. Identify if the source of the traffic is malware. If the source of the traffic is a malicious file, Cortex XDR Analytics also raises a malware alert for the file on the endpoint. Malware may contact legitimate domain names, therefore check for unusual apps used or unusual ports or volumes accessed. View all related traffic generated by the suspicious process to understand the purpose. Look for other endpoints on your network that are also contacting the suspicious domain name. Examine file-system operations performed by the process that initiated the traffic and look for potential artifacts on infected endpoints.Variations
Abnormal Recurring Communications to a Rare Domain With a Port Commonly Used by Attack Platforms
Low overridden
Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server. overridden
Abnormal Recurring Communications to a Rare Domain to a Suspicious Autonomous System (AS)
Low overridden
Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server. overridden
Abnormal Recurring Communications to a Rare Domain With an Abnormal Domain Suffix
Informational overridden
Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server. overridden
Abnormal Recurring Communications to a Rare Domain With a Less Common Port
Low overridden
Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server. overridden
Abnormal communication with a rare combination of TLS and HTTP User Agent Low 2 variations
Abnormal communication with a rare combination of TLS and HTTP User Agent to an external address.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.Investigative actions: Examine the legitimacy of the application that produced this rare TLS fingerprint with the external server. Examine the parent process of this application. Check for anomalies at the time when the communication occurred. Verify if the outbound communication is being routed through a legitimate HTTP tunneling solution.Variations
Abnormal communication with a rare combination of TLS and HTTP User Agent to an instant messaging server
Low overridden
Abnormal communication with a rare combination of TLS and HTTP User Agent to an instant messaging server. overridden
Abnormal communication with a rare combination of TLS and HTTP User Agent to a globally rare domain
Low overridden
Abnormal communication with a rare combination of TLS and HTTP User Agent to a globally rare domain. overridden
Abnormal network communication through TOR using an uncommon port Low 2 variations
Suspicious connection from a known TOR IP to an uncommon port.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571)Required data: XDR AgentAttacker's goals: Attackers might use TOR IP combined with random ports.to hide C2 inbound communication from inside a host.Investigative actions: Investigate the network configuration related to the participating port.Investigate processes that were listening to that port.Variations
Abnormal network communication through TOR using an uncommon port and App-id
Low overridden
Suspicious connection from a known TOR IP to an uncommon port and App-id. overridden
Abnormal network communication through TOR using a suspicious port
Low overridden
Suspicious connection from a known TOR IP to an uncommon potential C2 communication port. overridden
Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server Informational 1 variation
Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server to an external address.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.Investigative actions: Examine the legitimacy of the application that produced this rare combination of HTTP User Agent with the external HTTP Server. Examine the parent process of this application. Check for anomalies at the time when the communication occurred.Variations
Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server where both the User Agent and the HTTP Server are rare
Low overridden
Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server to an external address. overridden
Abnormal process connection to default Meterpreter port Informational 1 variation
This process has probably been compromised by Meterpreter and is now used by it to run malicious commands.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Non-Standard Port (T1571)Required data: XDR AgentAttacker's goals: Run Metasploits's malicious post-exploitation tool named Meterpreter to further compromise the host.Investigative actions: Verify if the destination IP is running a Metasploit server. Look for malicious action being done by the suspicious process.Variations
Abnormal process connection to default Meterpreter port on an internet-facing server
Low overridden
This process has probably been compromised by Meterpreter and is now used by it to run malicious commands. overridden
An Azure DNS Zone was modified Informational Cloud
An Azure DNS zone has been changed or removed, which may indicate malicious activity or a misconfiguration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol: DNS (T1071.004)Required data: Azure Audit LogAttacker's goals: Take control of DNS zones to redirect traffic to malicious websites.Investigative actions: Verify whether the identity should be making this action. Check what Azure DNS zones were changed or removed.An app was added to Google Marketplace Informational Identity Threat Module 3 variations
An app was added to the Google Workspace Marketplace.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Remote Access Tools (T1219)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: An adversary may add a malicious application to an organization's Google Workspace domain to maintain a presence in their target's organization and steal data.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate the new app that was added to Google workspace Marketplace. Follow further actions done by the account.Variations
An app was added to Google Marketplace by a non-administrative identity
Informational overridden
An app was added to the Google Workspace Marketplace. overridden
An app was added to Google Marketplace from an unusual ASN
Low overridden
An app was added to the Google Workspace Marketplace. overridden
An unusual app was added to Google Marketplace
Low overridden
An app was added to the Google Workspace Marketplace. overridden
Cloud activity from a high-risk IP address Informational Cloud 1 variation
An identity executed a cloud API from a high-risk IP address.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Gain initial access using a compromised identity while obfuscating origin.Investigative actions: Verify if the user is authorized to use anonymizing services. Review subsequent actions by the user for suspicious activity. Check for other users accessing from the same IP or tunnel operator.Variations
Cloud activity from an unusual high-risk IP
Low overridden
An identity executed a cloud API from a high-risk IP address. overridden
DNS Tunneling Low 1 variation
10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The endpoint may be remotely controlled by an attacker, and/or an attacker may have exfiltrated data from it. This detector is not supported when networking events arrive solely from Cortex XDR Linux agents.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over Alternative Protocol (T1048)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.Investigative actions: Verify that the source device or process is not an approved security solution. Verify if the DNS query types are non-standard. DNS tunnels use uncommon query types that enable encoding of more data. Examples include: INIT, PRIVATE, NULL, SRV, KEY, and TXT. If the affected endpoint is operating Windows, verify that the DNS traffic is coming from svchost.exe and search for other processes that ran when the alert triggered. On Windows, the DNS requests go through svchost.exe. Verify the responses per DNS query. Many responses per query may indicate a tool being downloaded. Verify the destination domain details and compare the number of endpoints in your network that access the domain over time to see if this is an uncommonly contacted domain. Verify the source web-browser traffic to determine if the process was generated by user action, if the user did not initiate the traffic it can be indicative of malicious activity. Verify non-DNS traffic to the domain. Any traffic except DNS queries to the destination domain may indicate a legitimate domain and not used solely for command-and-control or data exfiltration.Variations
DNS Tunneling
Medium overridden
10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The endpoint may be remotely controlled by an attacker, and/or an attacker may have exfiltrated data from it. This detector is not supported when networking events arrive solely from Cortex XDR Linux agents. overridden
Download pattern that resembles Peer to Peer traffic Informational
A possible P2P protocol was spotted from an internal host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571) Trusted Relationship (T1199) Phishing (T1566)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: An attacker may use peer-to-peer communication to gain initial access, as a C&C tool, or an exfiltration tool.Investigative actions: confirm that the port accessed is a P2P port/ is run by a P2P application. View the downloaded content and determine it's not malicious. Check for large uploads from this host and check for sensitive information that might not be required on the host.Failed DNS Low
The endpoint is performing DNS lookups that are failing at an excessively high rate when compared to its peer group. This alert might be symptomatic of malware that is trying to connect to its command and control (C2) servers.The attacker's C2 server runs on one or more domains that can eventually be identified and blacklisted. To avoid this, malware will sometimes use Domain Generation Algorithms (DGA) that produce many domain names every day. Because only a few of these domains are ever registered, the installed malware must blindly try to access each generated domain name in an effort to locate an active one.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 2 Hours
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Dynamic Resolution: Domain Generation Algorithms (T1568.002)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.Investigative actions: Make sure your DNS servers are not misconfigured and are responsive. This detector assumes that most DNS lookups succeed, and will only raise an alert when it sees large numbers of failed lookups. Misconfigured or unresponsive DNS servers can result in a false positive. Make sure you do not have external domains configured as internal domains. This can result in clients attempting to (for example) resolve google.com.local first, before resolving google.com. This can result in a false-positive for this alert. Make sure the endpoint is configured properly for your DNS servers. For example, make sure it is configured to use the correct DNS IP address, and that the IP address is not for a firewalled DNS server. Misconfigured DNS clients can result in many failed lookups, which will result in a false-positive for this alert. Make sure the endpoint is not a DNS, Proxy, NAT or VPN gateway server. If these have been misdetected by Cortex XDR Analytics, then their ordinary operations can trigger this alert.File transfer from unusual IP using known tools Informational 1 variation
An adversary might use known tools to transfer tools/payloads into the compromised machine.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Ingress Tool Transfer (T1105)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Expand attack vectors and compromise the rest of the network.Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.Variations
File transfer from unusual IP using known tools in a Kubernetes pod
Low overridden
An adversary might use known tools to transfer tools/payloads into the compromised machine. overridden
Globally uncommon IP address by a common process (sha256) Informational 4 variations
A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code from the context of another process to avoid detection.Investigative actions: Check the destination IP address reputation. Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon IP address by a common process (sha256) from an injected thread
High overridden
A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon IP address by a common process (sha256) from a known vendor
Medium overridden
A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon and very rare IP address by a common process (sha256)
Medium overridden
A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon and a rare IP address by a common process (sha256)
Low overridden
A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon IP address connection from a signed process Informational 3 variations
A signed process connected to an external IP address that, on a global level, it usually doesn't connect to.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Verify the destination IP address reputation. Check whether the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Verify whether the process execution and connections are legitimate.Variations
Globally uncommon IP address connection from an injected thread in a signed process
Medium overridden
An injected thread in a signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon IP address connection from a signed process from a known vendor
Medium overridden
A signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon and very rare IP address connection from a signed process
Low overridden
A signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root domain from a signed process Low 4 variations
A signed process connected to an external domain that, on a global level, it usually doesn't connect to.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Check the destination domain reputation. Check if the actor process loaded a suspicious dll before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon root domain from an injected thread in a signed process
High overridden
An injected thread in a signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root domain from a signed process
High overridden
A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root domain from a signed process
High overridden
A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root domain from a signed process
Medium overridden
A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination by a common process (sha256) Informational 4 variations
A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code from the context of another process to avoid detection.Investigative actions: Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon root-domain port combination by a common process (sha256) from an injected thread
High overridden
A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon and very rare root-domain port combination by a common process (sha256)
Medium overridden
A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination by a common process (sha256) from a known vendor
Medium overridden
A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon and rare root-domain port combination by a common process (sha256)
Low overridden
A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination from a signed process Low 4 variations
A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Check the destination domain reputation. Check if the actor process loaded a suspicious dll before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon root-domain port combination from an injected thread in a signed process
High overridden
An injected thread in a signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination from a signed process
High overridden
A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination from a signed process
High overridden
A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination from a signed process
Medium overridden
A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden
HTTP with suspicious characteristics Low 3 variations
Uncommon HTTP communication was performed by the host that might indicate its attempt to hide malicious activities.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.Investigative actions: Examine the legitimacy of the application that produced this uncommon connection. Examine the parent process of this application. Check for anomalies at the time when the communication occurred.Variations
HTTP with suspicious characteristics which is repetitive
Low overridden
Repetitevne HTTP communication was performed by the host that might indicate its attempt to hide malicious activities. overridden
HTTP with suspicious characteristics to an IP address
Low overridden
Uncommon HTTP communication to IP address was performed by the host that might indicate its attempt to hide malicious activities. overridden
HTTP with suspicious characteristics that always fails
Informational overridden
Unsuccessful HTTP communication to IP address was performed by the host that might indicate its attempt to hide malicious activities. overridden
MpCmdRun.exe was used to download files into the system Low
Attackers might be using legitimate Windows Defender executables to download malicious code onto the system.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Ingress Tool Transfer (T1105)Required data: XDR AgentAttacker's goals: Download malicious tools onto the host for more activities.Investigative actions: Check if the downloaded file is malicious. Verify if the process executing the command is malicious. Check for more suspicious actions done by the user and process.Netcat makes or gets connections High
Malicious actors can use Netcat for privilege escalation, remote code execution, data exfiltration and protocol tunneling to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003)Required data: XDR AgentAttacker's goals: Establish command and control channel. Propagate in the victim network.Investigative actions: Verify that the usage of Netcat/Netcat64 is from an authorized personnel and that user has the right to access the remote host.Non-browser access to a pastebin-like site Low 4 variations
Non-browser access to a pastebin-like site.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Web Service (T1102)Required data: Palo Alto Networks Url LogsAttacker's goals: Data exfiltration or attack tool staging.Investigative actions: Examine the host to verify that the host was not part of infiltration or data exfiltration from the organization. Verify that the host doesn't have sensitive company data that can be easily exfiltrated.Variations
Non-browser or an uncommon browser access to a pastebin-like site
Informational overridden
Non-browser or an uncommon browser access to a pastebin-like site. overridden
Non-browser access to google sheets API
Low overridden
Non-browser access to google sheets API. overridden
Non-browser failed access to a pastebin-like site
Low overridden
Non-browser failed access to a pastebin-like site. overridden
Rare non-browser access to a pastebin-like site
Medium overridden
Rare non-browser access to a pastebin-like site. overridden
Random-Looking Domain Names Medium
The endpoint performed DNS lookups to an excessively large number of apparently random root domain names. This alert might be symptomatic of malware that is trying to connect to its command and control (C2) servers.The attacker's C2 server runs on one or more domains that can eventually be identified and blacklisted. To avoid this, malware will sometimes use Domain Generation Algorithms (DGA) that produce many unique, random-looking domain names every day. Because only a few of these domains are ever registered, the installed malware must blindly try to access each generated domain name in an effort to locate an active one, which may also trigger the Failed DNS alert.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Dynamic Resolution: Domain Generation Algorithms (T1568.002)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Communicate with malware running on your network for controlling malware activities, performing software updates on the malware, or for taking inventory of infected machines.Investigative actions: Make sure your DNS servers are not misconfigured and are responsive. This detector assumes that most DNS lookups succeed, and will only raise an alert when it sees many failed lookups. Misconfigured or unresponsive DNS servers can result in a false positive. Make sure you do not have external domains configured as internal domains. This can result in clients attempting to (for example) resolve google.com.local first, before resolving google.com. This can result in a false positive for this alert. Ensure that the endpoint is configured properly for your DNS servers. Make sure it is configured to use the correct DNS IP address, and that the IP address is not for a firewalled DNS server. Misconfigured DNS clients can result in many failed lookups, which will result in a false positive for this alert. Make sure the endpoint is not a DNS, Proxy, NAT or VPN gateway server. If these have been misdetected by Cortex XDR Analytics, then their ordinary operations can trigger this alert.Rare AppID usage to a rare destination Informational 2 variations
Rare AppID with port usage to rare destination.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 14 Days
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: Attackers might use well-known ports with uncommon applications to avoid being detected by a non-application aware firewall or to bypass firewall rules based only on ports.Investigative actions: Investigate the endpoints participating in the session.Variations
Rare AppID usage to a rare destination using an unsigned process
Low overridden
Rare AppID with port usage to rare destination. overridden
Rare AppID usage to a rare destination from an internet-facing server
Low overridden
Rare AppID with port usage to rare destination. overridden
Rare access to known advertising domains Informational 2 variations
The endpoint performed many connections to unpopular advertising domains.This could indicate the presence of adware on the endpoint.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Persistence (TA0003)ATT&CK techniques: Application Layer Protocol (T1071) Software Extensions: Browser Extensions (T1176.001)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Causing the user to view excessive advertising content.Investigative actions: Investigate the infected machine and search for suspicious browser extensions, see if changes were made to the homepage or if the browser is slower than usual, check whether sites that do not have ads usually, display ads when accessed from the possibly infected endpoint. Search for suspicious redirections or proxy configuration on the infected machine. Search for a C&C communication.Variations
Rare access to known advertising domains from a Rare User Agent
Informational overridden
The endpoint performed many connections to unpopular advertising domains from a rare user agent.This could indicate the presence of adware on the endpoint. overridden
Suspicious Rare access to known advertising domains
Low overridden
The endpoint performed many connections to unpopular advertising domains.This could indicate the presence of adware on the endpoint. overridden
Rare binary connected to a rare cloud resource Low 2 variations
Rare binary connected to a rare cloud resource.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.Investigative actions: Check the binary file. Get further details about the uncommon external cloud resource.Variations
Software development tool connected to a rare cloud resource
Informational overridden
Software development tool connected to a rare cloud resource. overridden
Recently downloaded rare binary connected to a rare cloud resource
Medium overridden
Recently downloaded rare binary connected to a rare cloud resource. overridden
Rare binary connected to a rare external host Low 2 variations
Rare binary connected to a rare external host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.Investigative actions: Check the rare binary file. Get further details about the rare external destination.Variations
Rare unsigned binary connected to a globally rare external host
Medium overridden
Rare unsigned binary connected to a globally rare external host. overridden
Rare binary connected to a globally rare external host
Low overridden
Rare binary connected to a globally rare external host. overridden
Rare communication over email ports to external email server by unsigned process Low
These methods are used by malware and attackers to leak data and remain undetected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Non-Application Layer Protocol (T1095)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Attackers might use well-known email ports as a C&C channel to evade detection and firewall rules.Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check whether additional malicious commands were executed from the same process.Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol Informational 4 variations
A process made a connection to an external IP address or host that is rarely connected to by the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: Palo Alto Networks Url LogsAttacker's goals: Connect to a server to retrieve commands or exfiltrate data.Investigative actions: Check whether the process was injected or otherwise subverted for malicious use.Variations
Rare connection to external IP address or host by a java application using LDAP protocol
Medium overridden
A Java Process that never created LDAP connection before connected to an external IP address or host, which is rarely connected to from the organization using LDAP protocol. overridden
Rare connection to external IP address or host by a java application using LDAP protocol
Medium overridden
A Java Process that never created RMI-IIOP connection before connected to an external IP address or host, which is rarely connected to from the organization using LDAP protocol. overridden
Rare connection to external IP address or host by a java application using LDAP protocol
Low overridden
A Java Process connected to an external IP address or host, which is rarely connected to from the organization using LDAP protocol. overridden
Rare connection to external IP address or host by a java application using RMI-IIOP protocol
Low overridden
A Java Process connected to an external IP address or host, which is rarely connected to from the organization using RMI-IIOP protocol. overridden
Rare process created an SSH session to an uncommon cloud resource Low
A rare process created an SSH session to an uncommon cloud resource.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Attackers may use SSH or any similar utility as a Command and Control (C2) channel or to exfiltrate data to a remote host.Investigative actions: Investigate the actor process and its causality. Review the remote cloud asset, is it managed by the organization or a partner? Search for processes or files that were accessed by this SSH instance.Rare process created an SSH session to an uncommon external host Low 3 variations
Rare process created an SSH session to an uncommon external host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Attackers may use SSH or any similar utility to as a Command and Control (C2) channel or to exfiltrate data to a remote host.Investigative actions: Investigate the actor process and its causality. Review the external IP/domain using known intelligence tools. Search for processes or files that were accessed by this SSH instance.Variations
Rare process created an SSH session to a domain with an uncommon TLD
Medium overridden
Rare process created an SSH session to a domain with an uncommon TLD. overridden
Rare process created an SSH session to an globally uncommon external host
Low overridden
Rare process created an SSH session to an globally uncommon external host. overridden
Rare process created an SSH session to an external host
Informational overridden
Rare process created an SSH session to an external host. overridden
Rare process with VNC server capabilities started Low
A rare process with VNC server capabilities was started.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Lateral Movement (TA0008)ATT&CK techniques: Remote Access Tools (T1219) Remote Services: VNC (T1021.005)Required data: XDR AgentAttacker's goals: Accessing a remote machine with full interactive graphic interface capabilities.Investigative actions: Check if the product usage is approved. Check if it was executed remotely or locally.Recurring access to rare IP Low
The endpoint is periodically accessing an external fixed-IP address that its peers rarely use. Access to this external IP address has occurred repeatedly over many days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 21 Days
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Non-Application Layer Protocol (T1095)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: Communicate with malicious code running on your network enabling further access to the endpoint and network, performing software updates on the endpoint, or for taking inventory of infected machines.Investigative actions: Identify if the IP address belongs to a reputable organization or an asset used in a public cloud. Identify if the source of the traffic is malware. If the source of the traffic is a malicious file, Cortex XDR Analytics also raises a malware alert for the file on the endpoint. Malware may contact legitimate IP addresses, therefore check for unusual apps used or unusual ports or volumes accessed. View all related traffic generated by the suspicious process to understand the purpose. Look for other endpoints on your network that are also contacting the suspicious IP address. Examine file-system operations performed by the process to look for potential artifacts on infected endpoints.Recurring access to rare domain Low 1 variation
The endpoint is periodically connecting to an external domain (categorized as malware) that it and its peers rarely use. Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs XDR Agent Third-Party FirewallsAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.Investigative actions: Identify the process/user contacting the remote domain and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the suspicious domain.Variations
Recurring access to rare domain
Low overridden
The endpoint is periodically connecting to an external domain (categorized as command-and-control) that it and its peers rarely use. Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions. overridden
Recurring rare domain access from an unsigned process Low 2 variations
An unsigned process is periodically connecting to an external domain that it and its peers rarely use.Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 14 Days
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR AgentAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.Investigative actions: Identify the process contacting the remote domain and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the suspicious domain. Inspect the domain or URL for suspicious indicators or its presence in malicious reputation lists.Variations
Recurring rare domain access from an uncommon unsigned process
Medium overridden
An unsigned process is periodically connecting to an external domain that it and its peers rarely use.Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions. overridden
Recurring access to a rare domain associated with known threats
Medium overridden
An unsigned process is periodically connecting to an external domain that it and its peers rarely use.Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions. overridden
Recurring rare domain access to dynamic DNS domain Low
The endpoint is periodically connecting to an external domain that it and its peers rarely use. Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 14 Days
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.Investigative actions: Identify the process/user contacting the remote domain and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the suspicious domain.Scripting engine connected to a rare external host Low 3 variations
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Execution (TA0002)ATT&CK techniques: Application Layer Protocol (T1071) Command and Scripting Interpreter (T1059)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Connect to the attacker's Command and Control server.Investigative actions: Check the external address the process connects to. Fetch and investigate the executed script.Variations
Scripting engine failed to connect to a rare external host
Informational overridden
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden
Scripting engine with a modified image name connected to a rare external host
Low overridden
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden
Windows LOLBIN scripting engine connected to a rare external host
Medium overridden
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden
Suspicious AI model usage from a Tor exit node High Cloud 1 variation
A cloud identity invoked an AI model from a Tor exit node.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003)Required data: AWS Audit Log Gcp Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Conceal information about malicious activities, such as location and network usage.Investigative actions: Block all web traffic to and from public Tor entry and exit nodes.Variations
Failed AI model usage from a Tor exit node
Informational overridden
A cloud identity invoked an AI model from a Tor exit node. overridden
Suspicious API call from a Tor exit node High Cloud 2 variations
A cloud API was called from a Tor exit node.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Conceal information about malicious activities, such as location and network usage.Investigative actions: Block all web traffic to and from public Tor entry and exit nodes.Variations
Suspicious Kubernetes API call from a Tor exit node
High overridden
A Kubernetes API was called from a Tor exit node. overridden
A Failed API call from a Tor exit node
Informational overridden
A cloud API was called from a Tor exit node. overridden
Suspicious DNS traffic Informational 2 variations
10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Hour
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over Alternative Protocol (T1048)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: DNS tunneling, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked. An attacker may also use this protocol to exfiltrated data from the compromised endpoint outside the network.Investigative actions: Verify that the source device or process is not an approved security solution. Verify if the DNS query types are non-standard. DNS tunnels use uncommon query types that enable encoding of more data. Examples include: INIT, PRIVATE, NULL, SRV, KEY, and TXT. If the affected endpoint is operating Windows, verify that the DNS traffic is coming from svchost.exe and search for other processes that ran when the alert triggered. On Windows, the DNS requests go through svchost.exe. Verify the responses per DNS query. Many responses per query may indicate a tool being downloaded. Verify the destination domain details and compare the number of endpoints in your network that access the domain over time to see if this is an uncommonly contacted domain. Verify the source web-browser traffic to determine if the process was generated by user action, if the user did not initiate the traffic it can be indicative of malicious activity. Verify non-DNS traffic to the domain. Any traffic except DNS queries to the destination domain may indicate a legitimate domain and not used solely for command-and-control or data exfiltration.Variations
Suspicious DNS traffic with a rarely seen domain
Low overridden
10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.This domain was rarely seen in this tenant. overridden
Suspicious DNS traffic with a globally rare DNS query length
Low overridden
10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The combination of the DNS queries along with this root domain is globally rare. overridden
Suspicious ICMP packet Low 1 variation
An ICMP router advertisement was sent by a host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Protocol Tunneling (T1572)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Make the victim change his routing table.Investigative actions: Investigate why the source host sent an ICMP router advertisement and if it changed the destination target routing table.Variations
Suspicious ICMP packet that resemble an ICMP redirect attack
Informational overridden
ICMP redirect was sent by a user. overridden
Suspicious SaaS API call from a Tor exit node High Identity Threat Module 2 variations
A SaaS API was called from a Tor exit node.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003)Required data: Box Audit Log DropBox Google Workspace Audit Logs Office 365 AuditAttacker's goals: Conceal information about malicious activities, such as location and network usage.Investigative actions: Block all web traffic to and from public Tor entry and exit nodes.Variations
A Failed API call from a Tor exit node
Informational overridden
A SaaS API was called from a Tor exit node. overridden
Suspicious SaaS API call from a Tor exit node via Mobile Device
Medium overridden
A SaaS API was called from a Tor exit node. overridden
Suspicious certutil command line Medium
An attacker may use certutil to download malware.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution (T1218) Ingress Tool Transfer (T1105)Required data: XDR AgentAttacker's goals: An attacker may use certutil to download malware.Investigative actions: Check whether the URL is benign and if this was a desired behavior as part of its normal execution flow. Check whether the downloaded file is malicious.Suspicious curl user agent Informational 1 variation
Suspicious user agent provided to curl command.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Impairing host defenses.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Suspicious curl user agent from within a Kubernetes Pod
Low overridden
Suspicious user agent provided to curl command. overridden
Suspicious process accessed a site masquerading as Google Informational 1 variation
A suspicious process accessed a site masquerading as Google.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Defense Evasion (TA0005)ATT&CK techniques: Web Service: Bidirectional Communication (T1102.002) Masquerading (T1036)Required data: XDR AgentAttacker's goals: Masquerade legitimate looking Google services for defense evasion and C&C.Investigative actions: See whether this site has a malicious reputation. Follow process activities. Monitor traffic to the site.Variations
Suspicious process resolved the DNS name of a site masquerading as Google
Informational overridden
A suspicious process resolved the DNS name of a site masquerading as Google. overridden
Suspicious proxy environment variable setting Informational
Suspicious proxy environment variable change or definition with a rare command line.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Proxy: Internal Proxy (T1090.001)Required data: XDR AgentAttacker's goals: Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment.Investigative actions: Investigate the process activities and try to understand the network impact os the new proxy setting.Uncommon Linux process communication to a rare external host Informational 6 variations
An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Abnormal Communication AnalyticsAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.Investigative actions: Identify the process contacting the remote domain and determine whether the traffic is malicious. Look for other endpoints on your network that are alsocontacting the suspicious domain. Inspect the domain or URL for suspicious indicators or its presence in malicious reputation lists.Variations
Uncommon Linux process communication to a rare external host by an automated penetration testing tool
Medium overridden
An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden
Uncommon Linux process communication to a rare external host involving a code sharing website
Low overridden
An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden
Uncommon Linux process communication to a rare external host involving a low-prevalence process connecting to a rare Top-Level Domain
Low overridden
An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden
Uncommon Linux process communication to a rare external host with an external IP in the command line
Low overridden
An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden
Uncommon Linux process communication to a rare external host using a data transfer tool
Low overridden
An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden
Uncommon Linux process communication to a rare external host identified as global anomaly
Low overridden
An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden
Uncommon SSH session was established Low 14 variations
An uncommon SSH session was established.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.Investigative actions: Review the external IP/domain using known intelligence tools. Investigate the causality of the process and its user ID to find uncommon behaviors. Search for processes or files that were created by this SSH instance.Variations
An Uncommon SSH session was established using a rare server HASSH for the ssh server
Low overridden
An Uncommon SSH session was established using a rare server HASSH for the ssh server. overridden
An Uncommon SSH session was established using a rare client HASSH for the agent
Low overridden
An uncommon SSH session was established using a rare client HASSH for the agent. overridden
An Uncommon SSH session was established using a rare request banner for the agent
Low overridden
An Uncommon SSH session was established using a rare request banner for the agent. overridden
An Uncommon SSH session was established using a rare Response banner for the ssh server
Low overridden
An Uncommon SSH session was established using a rare Response banner for the ssh server. overridden
An Uncommon SSH session was established using a rare Response banner
Low overridden
An Uncommon SSH session was established using a rare Response banner. overridden
An Uncommon SSH session was established using a rare request banner
Low overridden
An Uncommon SSH session was established using a rare request banner. overridden
An Uncommon SSH session was established using a rare Client HASSH
Low overridden
An uncommon SSH session was established using a rare client HASSH. overridden
An Uncommon SSH session was established using a rare Server HASSH
Low overridden
An Uncommon SSH session was established using a rare Server HASSH. overridden
A suspicious SSH session was established
Low overridden
A suspicious SSH session was established to a globally rare external IP using a nonstandard SSH port. overridden
An Uncommon SSH session was established to a rare IP address
Low overridden
An uncommon SSH session was established to a rare remote IP address. overridden
An Uncommon SSH session was established using a nonstandard SSH port
Low overridden
An uncommon SSH session was established with a destination port using a nonstandard SSH port. overridden
Uncommon SSH session was established to a rare internal IP
Low overridden
An uncommon SSH session was established to a rare internal IP. overridden
Uncommon SSH session was established that involved a higher than usual volume
Low overridden
Uncommon SSH session was established that involved a higher than usual volume. overridden
Uncommon SSH session was established to an internal IP
Informational overridden
An uncommon SSH session was established to an internal IP. overridden
Uncommon VNC server communication Low 4 variations
Uncommon VNC server network traffic was observed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Lateral Movement (TA0008)ATT&CK techniques: Remote Access Tools (T1219) Remote Services: VNC (T1021.005)Required data: XDR AgentAttacker's goals: Accessing a remote machine with full interactive graphic interface capabilities.Investigative actions: Check if the product usage is approved. Check if it was executed remotely or locally.Variations
Uncommon VNC scanning activity detected from a scanning tool
Medium overridden
An uncommon VNC scanning network traffic was observed from a scanning tool. overridden
Uncommon VNC server communication from an unmanaged previously unseen external host
Low overridden
Uncommon VNC server network traffic was observed from an unmanaged, previously unseen external host. overridden
Partially uncommon VNC server communication
Informational overridden
Uncommon VNC server network traffic was observed. overridden
Uncommon VNC server connection
Informational overridden
An uncommon VNC Server network connection was observed. overridden
Uncommon communication to an instant messaging server Informational 2 variations
A rare communication between a process to a known instant messaging server.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Web Service (T1102)Required data: XDR AgentAttacker's goals: Data exfiltration or attack tool staging through a trusted service.Investigative actions: Examine the legitimacy of the application that made the communication with the provider's server. Examine the parent process of this application. Check for anomalies regarding the time frame where the communication occurred.Variations
Uncommon communication to an instant messaging server by a suspicious process
Low overridden
A rare communication by a suspicious process to a known instant messaging server. overridden
Uncommon communication to an instant messaging server by an uncommon scripting engine execution
Low overridden
A rare communication by an uncommon execution of a scripting engine to a known instant messaging server. overridden
Uncommon file access over WebDAV Low 1 variation
Uncommon file access over WebDAV.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Threat actors may use the WebDAV to blend in existing network traffic.Investigative actions: Investigate the process {actor_process_image_name} which tried to access the remote file. Investigate the remote host {webdav_dst_from_file_event}.Variations
High-risk file read over WebDAV by a LOLBIN process
High overridden
High-risk file read over WebDAV by a LOLBIN process. overridden
Uncommon macOS process communication to a rare external host Informational 11 variations
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Abnormal Communication AnalyticsAttacker's goals: Establish a remote backdoor to issue instructions, deploy additional payloads, and maintain long-term persistence across the infected fleet.Investigative actions: Identify the process contacting the remote host and determine whether the traffic is malicious. Look for other endpoints on your network that are also contacting the suspicious host. Inspect the host or URL for suspicious indicators or its presence in malicious reputation lists.Variations
Uncommon macOS process communication to a rare external host by security testing tool
High overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host with a frequently abused TLD
Medium overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host while using a CLI utility to establish a connection with a messaging service API
Medium overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host related to LOTTunnels
Low overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host with a rare TLD
Low overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host while using a CLI utility and piping to script
Low overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host while using a CLI utility to download and change permission
Low overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host while using a CLI utility running by an unsigned process
Low overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host while using a CLI utility and saving data to a temporary folder
Low overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host while using a CLI utility and downloading a script
Low overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon macOS process communication to a rare external host while using a CLI utility
Low overridden
An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden
Uncommon network tunnel creation Informational 3 variations
An uncommon network tunnel was established.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 12 Hours
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Protocol Tunneling (T1572)Required data: Palo Alto Networks Url LogsAttacker's goals: Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.Investigative actions: Review the external IP/domain using known intelligence tools. Investigate the causality of the process and its user ID to find uncommon behaviors. Search for processes or files that were created by this SSH instance.Variations
Uncommon network tunnel creation
Informational overridden
An uncommon network tunnel was established using ACS_ssh.exe. overridden
Uncommon SSH tunnel to unpopular IP address
Low overridden
An uncommon SSH tunnel was established to an unpopular remote IP address at the organization. overridden
An uncommon network tunnel was established over the default SSH port
Low overridden
An unpopular process and command line created a network tunnel over the default SSH port. overridden
Uncommon recurring rare external host access Informational 6 variations
A process has established recurring connections to an uncommon external host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 14 Days
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over C2 Channel (T1041) Remote Access Tools (T1219)Required data: XDR AgentDetector tags: Abnormal Communication AnalyticsAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines. Additionally, establish command and control channels for remote malware control, conduct discovery activities to gather information about the target environment, or exfiltrate sensitive data from compromised systems.Investigative actions: Identify the process contacting the remote host and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the same external host. Inspect the domain or URL for malicious indicators or its presence in threat intelligence feeds and reputation lists.Variations
Uncommon recurring rare external host access by an automated penetration testing tool
High overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon recurring rare external host access to a dynamic DNS domain
Low overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon recurring rare external host access initiated by a cron job
Low overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon recurring rare external host access with a rare top-level domain
Low overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon recurring rare external host access using an exfiltration tool
Low overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon recurring rare external host access with a sensitive file in actor or causality command line
Low overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon remote monitoring and management tool Low 4 variations
An uncommon Remote Monitoring and Management (RMM) product was observed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Remote Access Tools (T1219)Required data: XDR AgentAttacker's goals: Accessing a remote machine with full interactive graphic interface capabilities.Investigative actions: Check if the product usage is approved. Ask the owners of the machine if they knowingly used this software. Investigate why the software was being used. Check if it was executed remotely or locally.Variations
Uncommon renamed remote monitoring and management tool
Medium overridden
An uncommon renamed Remote Monitoring and Management (RMM) product was observed. overridden
Uncommon remote monitoring and management tool (browser origin)
Informational overridden
An uncommon Remote Monitoring and Management (RMM) product was observed. (browser origin). overridden
Uncommon remote monitoring and management tool extracted from an internet-downloaded archive and executed
Low overridden
An uncommon Remote Monitoring and Management (RMM) product extracted from an internet-downloaded archive and executed. overridden
Uncommon remote monitoring and management tool downloaded from an uncommon source and executed
Medium overridden
An uncommon Remote Monitoring and Management (RMM) product downloaded from an uncommon source and executed. overridden
Uncommon reverse SSH tunnel to external domain/ip Low 1 variation
An uncommon reverse SSH tunnel might have been created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Protocol Tunneling (T1572)Required data: XDR AgentDetector tags: Abnormal Communication AnalyticsAttacker's goals: Attackers may use SSH to create an encrypted tunnel to allow an attacker to covertly connect to an internal host.Investigative actions: Review the external ip/domain. Investigate the causality of the process.Variations
Uncommon reverse SSH tunnel to external domain/ip using a sensitive port
Low overridden
An uncommon reverse SSH tunnel might have been created. overridden
Unusual Netsh PortProxy rule Low 2 variations
Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004) Proxy: Internal Proxy (T1090.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adding or deleting netsh forwarding rules as a proxy and to avoid possible detection.Investigative actions: Check the connect address and if it's a known IP/domain. Check whether the causality group owner (CGO) process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Unusual Netsh PortProxy rule by non-netsh process
Medium overridden
Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling). overridden
Unusual Netsh PortProxy rule by an unsigned causality actor
Medium overridden
Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling). overridden
Unusual SSH Activity Informational 2 variations
Unusual SSH activity was detected that involved a higher than usual volume of data transfer and an abnormally long session.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Protocol Tunneling (T1572)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.Investigative actions: Review the client IP/Agent for using known intelligence tools. Investigate the user accounts involved in the SSH connections to determine if credentials were compromised, Additionally examine logs for any unexpected data transfers or commands that may indicate malicious intent.Variations
Unusual, long SSH activity with tunnel characteristics
Low overridden
Unusual SSH activity was detected that involved a high volume of data transfer and abnormal session duration. overridden
Unusual SSH activity with tunnel characteristics to external destination
Low overridden
Unusual SSH activity was detected that involved a higher than usual volume of data transfer and an abnormally long session. overridden
Unusual SSH activity that resembles SSH proxy Informational 3 variations
A host initiated and received an unusual SSH connection, which is consistent with being an SSH proxy.This behavior may indicate an attempt to establish covert command and control communication or to exfiltrate data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Proxy: Internal Proxy (T1090.001)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: Attackers aim to establish a covert command and control channel or relay communications through a compromised SSH connection.Investigative actions: Review the SSH connections to identify any unusual proxy activity or traffic patterns. Investigate the user accounts involved in the SSH connections to determine if credentials were compromised. Additionally, examine logs for any unexpected data transfers or commands that may indicate malicious intent.Variations
High Volume Unusual SSH activity that resembles SSH proxy
Low overridden
A host initiated and received an unusual SSH connection, which is consistent with being an SSH proxy.This behavior may indicate an attempt to establish covert command and control communication or to exfiltrate data. overridden
Suspicious SSH activity that resembles SSH proxy
Low overridden
A host initiated and received an unusual SSH connection, which is consistent with being an SSH proxy.This behavior may indicate an attempt to establish covert command and control communication or to exfiltrate data. overridden
Unusual SSH activity that resembles SSH proxy detected
Low overridden
A host initiated and received an unusual SSH connection, which is consistent with being an SSH proxy.This behavior may indicate an attempt to establish covert command and control communication or to exfiltrate data. overridden
Upload pattern that resembles Peer to Peer traffic Informational
A possible P2P protocol was spotted from an internal host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571) Trusted Relationship (T1199) Phishing (T1566)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: An attacker may use peer-to-peer communication to gain initial access, as a C&C tool, or an exfiltration tool.Investigative actions: Confirm that the port accessed is a P2P port/ is run by a P2P application. View the downloaded content and determine it's not malicious. Check for large uploads from this host and check for sensitive information that might not be required on the host.Windows LOLBIN executable connected to a rare external host Medium 2 variations
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Connect to the attacker's Command and Control server.Investigative actions: Check the external address the process connects to.Variations
Windows LOLBIN executable connected to a rare external host on a newly activated agent
Low overridden
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden
Windows LOLBIN executable connected to a rare external host
Medium overridden
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden