Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

72 alerts match the current filters. tactic: TA0011 ✕

Show ATT&CK heatmap
  • A Successful VPN connection from TOR High Identity Analytics 1 variation

    A successful VPN connection from a TOR exit node.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Gain initial access to organization and hiding itself.
    Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.

    Variations

    A Successful VPN connection from TOR via Mobile Device

    Medium overridden

    A successful VPN connection from a TOR exit node. overridden

  • A Successful login from TOR High Identity Analytics

    A successful login from a TOR exit node.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)
    Required data: XDR Agent
    Attacker's goals: Gain initial access to the organization while anonymizing the source of the activity.
    Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.
  • A commonly abused process connected to a rare cloud resource Low 3 variations

    A commonly abused process connected to a rare cloud resource.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.
    Investigative actions: Investigate the actor process connected to the cloud resource. Is this use case usually takes place within the org? Determine if the cloud resource is owned by your organization or a known external entity. Assess whether this communication pattern is expected or not.

    Variations

    A commonly abused software develop tool connected to a rare cloud resource

    Informational overridden

    A commonly abused software develop tool connected to a rare cloud resource. overridden

    A commonly abused rare process connected to a rare cloud resource

    Low overridden

    A commonly abused rare process connected to a rare cloud resource. overridden

    A commonly abused renamed process connected to a rare cloud resource

    Medium overridden

    A commonly abused renamed process connected to a rare cloud resource. overridden

  • A commonly abused process connected to a rare external host Low 3 variations

    A commonly abused process connected to a rare external host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.
    Investigative actions: Investigate the actor process connected to the external host. Get further details about the uncommon external destination. Assess whether this communication pattern is expected or not.

    Variations

    A commonly abused renamed process connected to a rare external host

    Medium overridden

    A commonly abused renamed process connected to a rare external host. overridden

    A commonly abused process connected to a globally rare external host

    Low overridden

    A commonly abused process connected to a globally rare external host. overridden

    A commonly abused rare process connected to a rare external host

    Low overridden

    A commonly abused rare process connected to a rare external host. overridden

  • A compromised process accessed a rare cloud resource Informational 3 variations

    A compromised process accessed a rare cloud resource.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: XDR Agent XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure while leveraging a compromised process to evade detection.
    Investigative actions: Investigate the compromised process. Identify the rare cloud resource accessed, is it managed by your organization?

    Variations

    A process compromised by DLL sideloading accessed a rare cloud resource and demonstrated abnormal communication patters

    Medium overridden

    A process compromised by DLL sideloading accessed a rare cloud resource and demonstrated abnormal communication patters. overridden

    A process compromised by DLL sideloading accessed a rare cloud resource

    Informational overridden

    A process compromised by DLL sideloading accessed a rare cloud resource. overridden

    An injected process accessed a rare cloud resource

    Informational overridden

    An injected process accessed a rare cloud resource. overridden

  • A compromised process accessed a rare external host Low 3 variations

    A compromised process accessed a rare external host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: XDR Agent XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure while leveraging a compromised process to evade detection.
    Investigative actions: Investigate the compromised process. Check the rare remote host.

    Variations

    A process compromised by DLL sideloading accessed a rare external host and transferred a large amount of data

    High overridden

    A process compromised by DLL sideloading accessed a rare external host and transferred a large amount of data. overridden

    A process compromised by DLL sideloading accessed a rare external host

    Medium overridden

    A process compromised by DLL sideloading accessed a rare external host. overridden

    An injected process accessed a rare external host

    Medium overridden

    An injected process accessed a rare external host. overridden

  • A non-browser process accessed a website UI Informational 3 variations

    An uncommon network communication between a non-browser process and a website UI.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Web Service (T1102)
    Required data: Palo Alto Networks Url Logs
    Attacker's goals: Data exfiltration or attack tool staging.
    Investigative actions: Examine the host to verify that the host was not part of infiltration or data exfiltration from the organization. Verify that the host doesn't have sensitive company data that can be easily exfiltrated.

    Variations

    Suspicious content upload to a known text share website by Non browser process

    High overridden

    Uncommon data upload to a known text share website through a Non-browser process. overridden

    Uncommon data upload to a website through a Non-browser process

    Low overridden

    Uncommon data upload to a website through a Non browser process. overridden

    Uncommon data download from a known text share website through a Non-browser process

    Medium overridden

    Uncommon content download from a known text share website through a Non browser process. overridden

  • A process connected to a rare cloud resource Informational 3 variations

    A process connected to a rare cloud resource.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.
    Investigative actions: Investigate the actor process connected to the cloud resource. Determine if the cloud resource is owned by your organization or a known external entity. Assess whether this communication pattern is expected or not.

    Variations

    A browser process connected to a rare cloud resource

    Informational overridden

    A browser process connected to a rare cloud resource. overridden

    A process connected to an atypical rare cloud resource

    Informational overridden

    A process connected to an atypical rare cloud resource. overridden

    A process connected to a rare cloud resource atypical to this agent

    Informational overridden

    A process connected to a rare cloud resource atypical to this agent. overridden

  • A process connected to a rare external host Informational 6 variations

    A process connected to an external host name or directly to an IP address, which is rarely connected to from the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: XDR Agent
    Attacker's goals: Beacon to C2 server and/or exfiltrate data.
    Investigative actions: Check whether the process was injected or otherwise subverted for malicious use.

    Variations

    MSBuild process connected to a rare external host

    High overridden

    MSBuild normally does not make any network connections. This unusual activity may be malicious since attackers can leverage MSBuild for code execution. overridden

    MSBuild process connected to a rare external host

    Medium overridden

    MSBuild normally does not make any network connections. This unusual activity may be malicious since attackers can leverage MSBuild for code execution. overridden

    LOLBIN spawned by an Office executable connected to a rare external host

    High overridden

    A LOLBIN run by an Office process connected to an external IP address or host, which is rarely connected to from the organization. overridden

    A curl process connected to a rare external host

    Informational overridden

    A process connected to an external host name or directly to an IP address, which is rarely connected to from the organization. overridden

    VSCode extension process connected to a rare external host

    Low overridden

    A VSCode extension connected to an external IP address or host, which is rarely connected to from the organization. overridden

    UNIX LOLBIN process connected to a rare external host

    Low overridden

    A UNIX LOLBIN connected to an external IP address or host, which is rarely connected to from the organization. overridden

  • A process connected to rare external host Informational 1 variation

    A process connected to a rare external host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.
    Investigative actions: Get further details about the uncommon external destination and the actor process.

    Variations

    A process connected to globally rare external host

    Informational overridden

    A process connected to a globally rare external host. overridden

  • A successful SSO sign-in from TOR High Identity Analytics 1 variation

    A successful sign-in from a TOR exit node.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Gain initial access to organization and hiding itself.
    Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.

    Variations

    A successful SSO sign-in from TOR via Mobile Device

    Medium overridden

    A successful sign-in from a TOR exit node. overridden

  • Abnormal Communication to a Rare Domain Informational 3 variations

    An abnormal communication was seen from an internal entity to a rare domain.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Non-Application Layer Protocol (T1095)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Detector tags: NDR C2 Detection
    Attacker's goals: Communicate with malicious code running on your network enabling further access to the endpoint and network, performing software updates on the endpoint, or for taking inventory of infected machines.
    Investigative actions: Identify if the external domain belongs to a reputable organization or an asset used in a public cloud. Identify if the source of the traffic is malware. If the source of the traffic is a malicious file, Cortex XDR Analytics also raises a malware alert for the file on the endpoint. Malware may contact legitimate domain names, therefore check for unusual apps used or unusual ports or volumes accessed. View all related traffic generated by the suspicious process to understand the purpose. Look for other endpoints on your network that are also contacting the suspicious domain name. Examine file-system operations performed by the process that initiated the traffic and look for potential artifacts on infected endpoints.

    Variations

    Abnormal Communication to a Rare Domain With a Port Commonly Used by Attack Platforms

    Low overridden

    An abnormal communication was seen from an internal entity to a rare domain. overridden

    Abnormal Communication to a Rare Domain to a Suspicious Autonomous System (AS)

    Informational overridden

    An abnormal communication was seen from an internal entity to a rare domain. overridden

    Abnormal Communication to a Rare Domain With a Less Common Port

    Informational overridden

    An abnormal communication was seen from an internal entity to a rare domain. overridden

  • Abnormal Recurring Communications to a Rare Domain Informational 4 variations

    Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Non-Application Layer Protocol (T1095)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Detector tags: NDR C2 Detection
    Attacker's goals: Communicate with malicious code running on your network enabling further access to the endpoint and network, performing software updates on the endpoint, or for taking inventory of infected machines.
    Investigative actions: Identify if the external domain belongs to a reputable organization or an asset used in a public cloud. Identify if the source of the traffic is malware. If the source of the traffic is a malicious file, Cortex XDR Analytics also raises a malware alert for the file on the endpoint. Malware may contact legitimate domain names, therefore check for unusual apps used or unusual ports or volumes accessed. View all related traffic generated by the suspicious process to understand the purpose. Look for other endpoints on your network that are also contacting the suspicious domain name. Examine file-system operations performed by the process that initiated the traffic and look for potential artifacts on infected endpoints.

    Variations

    Abnormal Recurring Communications to a Rare Domain With a Port Commonly Used by Attack Platforms

    Low overridden

    Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server. overridden

    Abnormal Recurring Communications to a Rare Domain to a Suspicious Autonomous System (AS)

    Low overridden

    Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server. overridden

    Abnormal Recurring Communications to a Rare Domain With an Abnormal Domain Suffix

    Informational overridden

    Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server. overridden

    Abnormal Recurring Communications to a Rare Domain With a Less Common Port

    Low overridden

    Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server. overridden

  • Abnormal communication with a rare combination of TLS and HTTP User Agent Low 2 variations

    Abnormal communication with a rare combination of TLS and HTTP User Agent to an external address.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.
    Investigative actions: Examine the legitimacy of the application that produced this rare TLS fingerprint with the external server. Examine the parent process of this application. Check for anomalies at the time when the communication occurred. Verify if the outbound communication is being routed through a legitimate HTTP tunneling solution.

    Variations

    Abnormal communication with a rare combination of TLS and HTTP User Agent to an instant messaging server

    Low overridden

    Abnormal communication with a rare combination of TLS and HTTP User Agent to an instant messaging server. overridden

    Abnormal communication with a rare combination of TLS and HTTP User Agent to a globally rare domain

    Low overridden

    Abnormal communication with a rare combination of TLS and HTTP User Agent to a globally rare domain. overridden

  • Abnormal network communication through TOR using an uncommon port Low 2 variations

    Suspicious connection from a known TOR IP to an uncommon port.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571)
    Required data: XDR Agent
    Attacker's goals: Attackers might use TOR IP combined with random ports.to hide C2 inbound communication from inside a host.
    Investigative actions: Investigate the network configuration related to the participating port.Investigate processes that were listening to that port.

    Variations

    Abnormal network communication through TOR using an uncommon port and App-id

    Low overridden

    Suspicious connection from a known TOR IP to an uncommon port and App-id. overridden

    Abnormal network communication through TOR using a suspicious port

    Low overridden

    Suspicious connection from a known TOR IP to an uncommon potential C2 communication port. overridden

  • Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server Informational 1 variation

    Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server to an external address.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.
    Investigative actions: Examine the legitimacy of the application that produced this rare combination of HTTP User Agent with the external HTTP Server. Examine the parent process of this application. Check for anomalies at the time when the communication occurred.

    Variations

    Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server where both the User Agent and the HTTP Server are rare

    Low overridden

    Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server to an external address. overridden

  • Abnormal process connection to default Meterpreter port Informational 1 variation

    This process has probably been compromised by Meterpreter and is now used by it to run malicious commands.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Non-Standard Port (T1571)
    Required data: XDR Agent
    Attacker's goals: Run Metasploits's malicious post-exploitation tool named Meterpreter to further compromise the host.
    Investigative actions: Verify if the destination IP is running a Metasploit server. Look for malicious action being done by the suspicious process.

    Variations

    Abnormal process connection to default Meterpreter port on an internet-facing server

    Low overridden

    This process has probably been compromised by Meterpreter and is now used by it to run malicious commands. overridden

  • An Azure DNS Zone was modified Informational Cloud

    An Azure DNS zone has been changed or removed, which may indicate malicious activity or a misconfiguration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol: DNS (T1071.004)
    Required data: Azure Audit Log
    Attacker's goals: Take control of DNS zones to redirect traffic to malicious websites.
    Investigative actions: Verify whether the identity should be making this action. Check what Azure DNS zones were changed or removed.
  • An app was added to Google Marketplace Informational Identity Threat Module 3 variations

    An app was added to the Google Workspace Marketplace.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Remote Access Tools (T1219)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: An adversary may add a malicious application to an organization's Google Workspace domain to maintain a presence in their target's organization and steal data.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate the new app that was added to Google workspace Marketplace. Follow further actions done by the account.

    Variations

    An app was added to Google Marketplace by a non-administrative identity

    Informational overridden

    An app was added to the Google Workspace Marketplace. overridden

    An app was added to Google Marketplace from an unusual ASN

    Low overridden

    An app was added to the Google Workspace Marketplace. overridden

    An unusual app was added to Google Marketplace

    Low overridden

    An app was added to the Google Workspace Marketplace. overridden

  • Cloud activity from a high-risk IP address Informational Cloud 1 variation

    An identity executed a cloud API from a high-risk IP address.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Gain initial access using a compromised identity while obfuscating origin.
    Investigative actions: Verify if the user is authorized to use anonymizing services. Review subsequent actions by the user for suspicious activity. Check for other users accessing from the same IP or tunnel operator.

    Variations

    Cloud activity from an unusual high-risk IP

    Low overridden

    An identity executed a cloud API from a high-risk IP address. overridden

  • DNS Tunneling Low 1 variation

    10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The endpoint may be remotely controlled by an attacker, and/or an attacker may have exfiltrated data from it. This detector is not supported when networking events arrive solely from Cortex XDR Linux agents.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over Alternative Protocol (T1048)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.
    Investigative actions: Verify that the source device or process is not an approved security solution. Verify if the DNS query types are non-standard. DNS tunnels use uncommon query types that enable encoding of more data. Examples include: INIT, PRIVATE, NULL, SRV, KEY, and TXT. If the affected endpoint is operating Windows, verify that the DNS traffic is coming from svchost.exe and search for other processes that ran when the alert triggered. On Windows, the DNS requests go through svchost.exe. Verify the responses per DNS query. Many responses per query may indicate a tool being downloaded. Verify the destination domain details and compare the number of endpoints in your network that access the domain over time to see if this is an uncommonly contacted domain. Verify the source web-browser traffic to determine if the process was generated by user action, if the user did not initiate the traffic it can be indicative of malicious activity. Verify non-DNS traffic to the domain. Any traffic except DNS queries to the destination domain may indicate a legitimate domain and not used solely for command-and-control or data exfiltration.

    Variations

    DNS Tunneling

    Medium overridden

    10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The endpoint may be remotely controlled by an attacker, and/or an attacker may have exfiltrated data from it. This detector is not supported when networking events arrive solely from Cortex XDR Linux agents. overridden

  • Download pattern that resembles Peer to Peer traffic Informational

    A possible P2P protocol was spotted from an internal host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)
    ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571) Trusted Relationship (T1199) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: An attacker may use peer-to-peer communication to gain initial access, as a C&C tool, or an exfiltration tool.
    Investigative actions: confirm that the port accessed is a P2P port/ is run by a P2P application. View the downloaded content and determine it's not malicious. Check for large uploads from this host and check for sensitive information that might not be required on the host.
  • Failed DNS Low

    The endpoint is performing DNS lookups that are failing at an excessively high rate when compared to its peer group. This alert might be symptomatic of malware that is trying to connect to its command and control (C2) servers.The attacker's C2 server runs on one or more domains that can eventually be identified and blacklisted. To avoid this, malware will sometimes use Domain Generation Algorithms (DGA) that produce many domain names every day. Because only a few of these domains are ever registered, the installed malware must blindly try to access each generated domain name in an effort to locate an active one.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    2 Hours
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Dynamic Resolution: Domain Generation Algorithms (T1568.002)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.
    Investigative actions: Make sure your DNS servers are not misconfigured and are responsive. This detector assumes that most DNS lookups succeed, and will only raise an alert when it sees large numbers of failed lookups. Misconfigured or unresponsive DNS servers can result in a false positive. Make sure you do not have external domains configured as internal domains. This can result in clients attempting to (for example) resolve google.com.local first, before resolving google.com. This can result in a false-positive for this alert. Make sure the endpoint is configured properly for your DNS servers. For example, make sure it is configured to use the correct DNS IP address, and that the IP address is not for a firewalled DNS server. Misconfigured DNS clients can result in many failed lookups, which will result in a false-positive for this alert. Make sure the endpoint is not a DNS, Proxy, NAT or VPN gateway server. If these have been misdetected by Cortex XDR Analytics, then their ordinary operations can trigger this alert.
  • File transfer from unusual IP using known tools Informational 1 variation

    An adversary might use known tools to transfer tools/payloads into the compromised machine.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Ingress Tool Transfer (T1105)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Expand attack vectors and compromise the rest of the network.
    Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.

    Variations

    File transfer from unusual IP using known tools in a Kubernetes pod

    Low overridden

    An adversary might use known tools to transfer tools/payloads into the compromised machine. overridden

  • Globally uncommon IP address by a common process (sha256) Informational 4 variations

    A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code from the context of another process to avoid detection.
    Investigative actions: Check the destination IP address reputation. Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon IP address by a common process (sha256) from an injected thread

    High overridden

    A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon IP address by a common process (sha256) from a known vendor

    Medium overridden

    A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon and very rare IP address by a common process (sha256)

    Medium overridden

    A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon and a rare IP address by a common process (sha256)

    Low overridden

    A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

  • Globally uncommon IP address connection from a signed process Informational 3 variations

    A signed process connected to an external IP address that, on a global level, it usually doesn't connect to.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.
    Investigative actions: Verify the destination IP address reputation. Check whether the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Verify whether the process execution and connections are legitimate.

    Variations

    Globally uncommon IP address connection from an injected thread in a signed process

    Medium overridden

    An injected thread in a signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon IP address connection from a signed process from a known vendor

    Medium overridden

    A signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon and very rare IP address connection from a signed process

    Low overridden

    A signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

  • Globally uncommon root domain from a signed process Low 4 variations

    A signed process connected to an external domain that, on a global level, it usually doesn't connect to.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.
    Investigative actions: Check the destination domain reputation. Check if the actor process loaded a suspicious dll before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon root domain from an injected thread in a signed process

    High overridden

    An injected thread in a signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root domain from a signed process

    High overridden

    A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root domain from a signed process

    High overridden

    A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root domain from a signed process

    Medium overridden

    A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden

  • Globally uncommon root-domain port combination by a common process (sha256) Informational 4 variations

    A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code from the context of another process to avoid detection.
    Investigative actions: Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon root-domain port combination by a common process (sha256) from an injected thread

    High overridden

    A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon and very rare root-domain port combination by a common process (sha256)

    Medium overridden

    A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root-domain port combination by a common process (sha256) from a known vendor

    Medium overridden

    A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon and rare root-domain port combination by a common process (sha256)

    Low overridden

    A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to. overridden

  • Globally uncommon root-domain port combination from a signed process Low 4 variations

    A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.
    Investigative actions: Check the destination domain reputation. Check if the actor process loaded a suspicious dll before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon root-domain port combination from an injected thread in a signed process

    High overridden

    An injected thread in a signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root-domain port combination from a signed process

    High overridden

    A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root-domain port combination from a signed process

    High overridden

    A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root-domain port combination from a signed process

    Medium overridden

    A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden

  • HTTP with suspicious characteristics Low 3 variations

    Uncommon HTTP communication was performed by the host that might indicate its attempt to hide malicious activities.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.
    Investigative actions: Examine the legitimacy of the application that produced this uncommon connection. Examine the parent process of this application. Check for anomalies at the time when the communication occurred.

    Variations

    HTTP with suspicious characteristics which is repetitive

    Low overridden

    Repetitevne HTTP communication was performed by the host that might indicate its attempt to hide malicious activities. overridden

    HTTP with suspicious characteristics to an IP address

    Low overridden

    Uncommon HTTP communication to IP address was performed by the host that might indicate its attempt to hide malicious activities. overridden

    HTTP with suspicious characteristics that always fails

    Informational overridden

    Unsuccessful HTTP communication to IP address was performed by the host that might indicate its attempt to hide malicious activities. overridden

  • MpCmdRun.exe was used to download files into the system Low

    Attackers might be using legitimate Windows Defender executables to download malicious code onto the system.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Ingress Tool Transfer (T1105)
    Required data: XDR Agent
    Attacker's goals: Download malicious tools onto the host for more activities.
    Investigative actions: Check if the downloaded file is malicious. Verify if the process executing the command is malicious. Check for more suspicious actions done by the user and process.
  • Netcat makes or gets connections High

    Malicious actors can use Netcat for privilege escalation, remote code execution, data exfiltration and protocol tunneling to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003)
    Required data: XDR Agent
    Attacker's goals: Establish command and control channel. Propagate in the victim network.
    Investigative actions: Verify that the usage of Netcat/Netcat64 is from an authorized personnel and that user has the right to access the remote host.
  • Non-browser access to a pastebin-like site Low 4 variations

    Non-browser access to a pastebin-like site.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Web Service (T1102)
    Required data: Palo Alto Networks Url Logs
    Attacker's goals: Data exfiltration or attack tool staging.
    Investigative actions: Examine the host to verify that the host was not part of infiltration or data exfiltration from the organization. Verify that the host doesn't have sensitive company data that can be easily exfiltrated.

    Variations

    Non-browser or an uncommon browser access to a pastebin-like site

    Informational overridden

    Non-browser or an uncommon browser access to a pastebin-like site. overridden

    Non-browser access to google sheets API

    Low overridden

    Non-browser access to google sheets API. overridden

    Non-browser failed access to a pastebin-like site

    Low overridden

    Non-browser failed access to a pastebin-like site. overridden

    Rare non-browser access to a pastebin-like site

    Medium overridden

    Rare non-browser access to a pastebin-like site. overridden

  • Random-Looking Domain Names Medium

    The endpoint performed DNS lookups to an excessively large number of apparently random root domain names. This alert might be symptomatic of malware that is trying to connect to its command and control (C2) servers.The attacker's C2 server runs on one or more domains that can eventually be identified and blacklisted. To avoid this, malware will sometimes use Domain Generation Algorithms (DGA) that produce many unique, random-looking domain names every day. Because only a few of these domains are ever registered, the installed malware must blindly try to access each generated domain name in an effort to locate an active one, which may also trigger the Failed DNS alert.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Dynamic Resolution: Domain Generation Algorithms (T1568.002)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Communicate with malware running on your network for controlling malware activities, performing software updates on the malware, or for taking inventory of infected machines.
    Investigative actions: Make sure your DNS servers are not misconfigured and are responsive. This detector assumes that most DNS lookups succeed, and will only raise an alert when it sees many failed lookups. Misconfigured or unresponsive DNS servers can result in a false positive. Make sure you do not have external domains configured as internal domains. This can result in clients attempting to (for example) resolve google.com.local first, before resolving google.com. This can result in a false positive for this alert. Ensure that the endpoint is configured properly for your DNS servers. Make sure it is configured to use the correct DNS IP address, and that the IP address is not for a firewalled DNS server. Misconfigured DNS clients can result in many failed lookups, which will result in a false positive for this alert. Make sure the endpoint is not a DNS, Proxy, NAT or VPN gateway server. If these have been misdetected by Cortex XDR Analytics, then their ordinary operations can trigger this alert.
  • Rare AppID usage to a rare destination Informational 2 variations

    Rare AppID with port usage to rare destination.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    14 Days
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Attackers might use well-known ports with uncommon applications to avoid being detected by a non-application aware firewall or to bypass firewall rules based only on ports.
    Investigative actions: Investigate the endpoints participating in the session.

    Variations

    Rare AppID usage to a rare destination using an unsigned process

    Low overridden

    Rare AppID with port usage to rare destination. overridden

    Rare AppID usage to a rare destination from an internet-facing server

    Low overridden

    Rare AppID with port usage to rare destination. overridden

  • Rare access to known advertising domains Informational 2 variations

    The endpoint performed many connections to unpopular advertising domains.This could indicate the presence of adware on the endpoint.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Persistence (TA0003)
    ATT&CK techniques: Application Layer Protocol (T1071) Software Extensions: Browser Extensions (T1176.001)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Causing the user to view excessive advertising content.
    Investigative actions: Investigate the infected machine and search for suspicious browser extensions, see if changes were made to the homepage or if the browser is slower than usual, check whether sites that do not have ads usually, display ads when accessed from the possibly infected endpoint. Search for suspicious redirections or proxy configuration on the infected machine. Search for a C&C communication.

    Variations

    Rare access to known advertising domains from a Rare User Agent

    Informational overridden

    The endpoint performed many connections to unpopular advertising domains from a rare user agent.This could indicate the presence of adware on the endpoint. overridden

    Suspicious Rare access to known advertising domains

    Low overridden

    The endpoint performed many connections to unpopular advertising domains.This could indicate the presence of adware on the endpoint. overridden

  • Rare binary connected to a rare cloud resource Low 2 variations

    Rare binary connected to a rare cloud resource.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.
    Investigative actions: Check the binary file. Get further details about the uncommon external cloud resource.

    Variations

    Software development tool connected to a rare cloud resource

    Informational overridden

    Software development tool connected to a rare cloud resource. overridden

    Recently downloaded rare binary connected to a rare cloud resource

    Medium overridden

    Recently downloaded rare binary connected to a rare cloud resource. overridden

  • Rare binary connected to a rare external host Low 2 variations

    Rare binary connected to a rare external host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.
    Investigative actions: Check the rare binary file. Get further details about the rare external destination.

    Variations

    Rare unsigned binary connected to a globally rare external host

    Medium overridden

    Rare unsigned binary connected to a globally rare external host. overridden

    Rare binary connected to a globally rare external host

    Low overridden

    Rare binary connected to a globally rare external host. overridden

  • Rare communication over email ports to external email server by unsigned process Low

    These methods are used by malware and attackers to leak data and remain undetected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Non-Application Layer Protocol (T1095)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Attackers might use well-known email ports as a C&C channel to evade detection and firewall rules.
    Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check whether additional malicious commands were executed from the same process.
  • Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol Informational 4 variations

    A process made a connection to an external IP address or host that is rarely connected to by the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: Palo Alto Networks Url Logs
    Attacker's goals: Connect to a server to retrieve commands or exfiltrate data.
    Investigative actions: Check whether the process was injected or otherwise subverted for malicious use.

    Variations

    Rare connection to external IP address or host by a java application using LDAP protocol

    Medium overridden

    A Java Process that never created LDAP connection before connected to an external IP address or host, which is rarely connected to from the organization using LDAP protocol. overridden

    Rare connection to external IP address or host by a java application using LDAP protocol

    Medium overridden

    A Java Process that never created RMI-IIOP connection before connected to an external IP address or host, which is rarely connected to from the organization using LDAP protocol. overridden

    Rare connection to external IP address or host by a java application using LDAP protocol

    Low overridden

    A Java Process connected to an external IP address or host, which is rarely connected to from the organization using LDAP protocol. overridden

    Rare connection to external IP address or host by a java application using RMI-IIOP protocol

    Low overridden

    A Java Process connected to an external IP address or host, which is rarely connected to from the organization using RMI-IIOP protocol. overridden

  • Rare process created an SSH session to an uncommon cloud resource Low

    A rare process created an SSH session to an uncommon cloud resource.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Attackers may use SSH or any similar utility as a Command and Control (C2) channel or to exfiltrate data to a remote host.
    Investigative actions: Investigate the actor process and its causality. Review the remote cloud asset, is it managed by the organization or a partner? Search for processes or files that were accessed by this SSH instance.
  • Rare process created an SSH session to an uncommon external host Low 3 variations

    Rare process created an SSH session to an uncommon external host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Attackers may use SSH or any similar utility to as a Command and Control (C2) channel or to exfiltrate data to a remote host.
    Investigative actions: Investigate the actor process and its causality. Review the external IP/domain using known intelligence tools. Search for processes or files that were accessed by this SSH instance.

    Variations

    Rare process created an SSH session to a domain with an uncommon TLD

    Medium overridden

    Rare process created an SSH session to a domain with an uncommon TLD. overridden

    Rare process created an SSH session to an globally uncommon external host

    Low overridden

    Rare process created an SSH session to an globally uncommon external host. overridden

    Rare process created an SSH session to an external host

    Informational overridden

    Rare process created an SSH session to an external host. overridden

  • Rare process with VNC server capabilities started Low

    A rare process with VNC server capabilities was started.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Lateral Movement (TA0008)
    ATT&CK techniques: Remote Access Tools (T1219) Remote Services: VNC (T1021.005)
    Required data: XDR Agent
    Attacker's goals: Accessing a remote machine with full interactive graphic interface capabilities.
    Investigative actions: Check if the product usage is approved. Check if it was executed remotely or locally.
  • Recurring access to rare IP Low

    The endpoint is periodically accessing an external fixed-IP address that its peers rarely use. Access to this external IP address has occurred repeatedly over many days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    21 Days
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Non-Application Layer Protocol (T1095)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Communicate with malicious code running on your network enabling further access to the endpoint and network, performing software updates on the endpoint, or for taking inventory of infected machines.
    Investigative actions: Identify if the IP address belongs to a reputable organization or an asset used in a public cloud. Identify if the source of the traffic is malware. If the source of the traffic is a malicious file, Cortex XDR Analytics also raises a malware alert for the file on the endpoint. Malware may contact legitimate IP addresses, therefore check for unusual apps used or unusual ports or volumes accessed. View all related traffic generated by the suspicious process to understand the purpose. Look for other endpoints on your network that are also contacting the suspicious IP address. Examine file-system operations performed by the process to look for potential artifacts on infected endpoints.
  • Recurring access to rare domain Low 1 variation

    The endpoint is periodically connecting to an external domain (categorized as malware) that it and its peers rarely use. Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.
    Investigative actions: Identify the process/user contacting the remote domain and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the suspicious domain.

    Variations

    Recurring access to rare domain

    Low overridden

    The endpoint is periodically connecting to an external domain (categorized as command-and-control) that it and its peers rarely use. Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions. overridden

  • Recurring rare domain access from an unsigned process Low 2 variations

    An unsigned process is periodically connecting to an external domain that it and its peers rarely use.Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    14 Days
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: XDR Agent
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.
    Investigative actions: Identify the process contacting the remote domain and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the suspicious domain. Inspect the domain or URL for suspicious indicators or its presence in malicious reputation lists.

    Variations

    Recurring rare domain access from an uncommon unsigned process

    Medium overridden

    An unsigned process is periodically connecting to an external domain that it and its peers rarely use.Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions. overridden

    Recurring access to a rare domain associated with known threats

    Medium overridden

    An unsigned process is periodically connecting to an external domain that it and its peers rarely use.Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions. overridden

  • Recurring rare domain access to dynamic DNS domain Low

    The endpoint is periodically connecting to an external domain that it and its peers rarely use. Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    14 Days
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.
    Investigative actions: Identify the process/user contacting the remote domain and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the suspicious domain.
  • Scripting engine connected to a rare external host Low 3 variations

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Execution (TA0002)
    ATT&CK techniques: Application Layer Protocol (T1071) Command and Scripting Interpreter (T1059)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Connect to the attacker's Command and Control server.
    Investigative actions: Check the external address the process connects to. Fetch and investigate the executed script.

    Variations

    Scripting engine failed to connect to a rare external host

    Informational overridden

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden

    Scripting engine with a modified image name connected to a rare external host

    Low overridden

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden

    Windows LOLBIN scripting engine connected to a rare external host

    Medium overridden

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden

  • Suspicious AI model usage from a Tor exit node High Cloud 1 variation

    A cloud identity invoked an AI model from a Tor exit node.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003)
    Required data: AWS Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Conceal information about malicious activities, such as location and network usage.
    Investigative actions: Block all web traffic to and from public Tor entry and exit nodes.

    Variations

    Failed AI model usage from a Tor exit node

    Informational overridden

    A cloud identity invoked an AI model from a Tor exit node. overridden

  • Suspicious API call from a Tor exit node High Cloud 2 variations

    A cloud API was called from a Tor exit node.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Conceal information about malicious activities, such as location and network usage.
    Investigative actions: Block all web traffic to and from public Tor entry and exit nodes.

    Variations

    Suspicious Kubernetes API call from a Tor exit node

    High overridden

    A Kubernetes API was called from a Tor exit node. overridden

    A Failed API call from a Tor exit node

    Informational overridden

    A cloud API was called from a Tor exit node. overridden

  • Suspicious DNS traffic Informational 2 variations

    10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Hour
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over Alternative Protocol (T1048)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: DNS tunneling, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked. An attacker may also use this protocol to exfiltrated data from the compromised endpoint outside the network.
    Investigative actions: Verify that the source device or process is not an approved security solution. Verify if the DNS query types are non-standard. DNS tunnels use uncommon query types that enable encoding of more data. Examples include: INIT, PRIVATE, NULL, SRV, KEY, and TXT. If the affected endpoint is operating Windows, verify that the DNS traffic is coming from svchost.exe and search for other processes that ran when the alert triggered. On Windows, the DNS requests go through svchost.exe. Verify the responses per DNS query. Many responses per query may indicate a tool being downloaded. Verify the destination domain details and compare the number of endpoints in your network that access the domain over time to see if this is an uncommonly contacted domain. Verify the source web-browser traffic to determine if the process was generated by user action, if the user did not initiate the traffic it can be indicative of malicious activity. Verify non-DNS traffic to the domain. Any traffic except DNS queries to the destination domain may indicate a legitimate domain and not used solely for command-and-control or data exfiltration.

    Variations

    Suspicious DNS traffic with a rarely seen domain

    Low overridden

    10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.This domain was rarely seen in this tenant. overridden

    Suspicious DNS traffic with a globally rare DNS query length

    Low overridden

    10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The combination of the DNS queries along with this root domain is globally rare. overridden

  • Suspicious ICMP packet Low 1 variation

    An ICMP router advertisement was sent by a host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Protocol Tunneling (T1572)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Make the victim change his routing table.
    Investigative actions: Investigate why the source host sent an ICMP router advertisement and if it changed the destination target routing table.

    Variations

    Suspicious ICMP packet that resemble an ICMP redirect attack

    Informational overridden

    ICMP redirect was sent by a user. overridden

  • Suspicious SaaS API call from a Tor exit node High Identity Threat Module 2 variations

    A SaaS API was called from a Tor exit node.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003)
    Required data: Box Audit Log DropBox Google Workspace Audit Logs Office 365 Audit
    Attacker's goals: Conceal information about malicious activities, such as location and network usage.
    Investigative actions: Block all web traffic to and from public Tor entry and exit nodes.

    Variations

    A Failed API call from a Tor exit node

    Informational overridden

    A SaaS API was called from a Tor exit node. overridden

    Suspicious SaaS API call from a Tor exit node via Mobile Device

    Medium overridden

    A SaaS API was called from a Tor exit node. overridden

  • Suspicious certutil command line Medium

    An attacker may use certutil to download malware.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Ingress Tool Transfer (T1105)
    Required data: XDR Agent
    Attacker's goals: An attacker may use certutil to download malware.
    Investigative actions: Check whether the URL is benign and if this was a desired behavior as part of its normal execution flow. Check whether the downloaded file is malicious.
  • Suspicious curl user agent Informational 1 variation

    Suspicious user agent provided to curl command.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Impairing host defenses.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Suspicious curl user agent from within a Kubernetes Pod

    Low overridden

    Suspicious user agent provided to curl command. overridden

  • Suspicious process accessed a site masquerading as Google Informational 1 variation

    A suspicious process accessed a site masquerading as Google.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Defense Evasion (TA0005)
    ATT&CK techniques: Web Service: Bidirectional Communication (T1102.002) Masquerading (T1036)
    Required data: XDR Agent
    Attacker's goals: Masquerade legitimate looking Google services for defense evasion and C&C.
    Investigative actions: See whether this site has a malicious reputation. Follow process activities. Monitor traffic to the site.

    Variations

    Suspicious process resolved the DNS name of a site masquerading as Google

    Informational overridden

    A suspicious process resolved the DNS name of a site masquerading as Google. overridden

  • Suspicious proxy environment variable setting Informational

    Suspicious proxy environment variable change or definition with a rare command line.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Proxy: Internal Proxy (T1090.001)
    Required data: XDR Agent
    Attacker's goals: Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment.
    Investigative actions: Investigate the process activities and try to understand the network impact os the new proxy setting.
  • Uncommon Linux process communication to a rare external host Informational 6 variations

    An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Abnormal Communication Analytics
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.
    Investigative actions: Identify the process contacting the remote domain and determine whether the traffic is malicious. Look for other endpoints on your network that are alsocontacting the suspicious domain. Inspect the domain or URL for suspicious indicators or its presence in malicious reputation lists.

    Variations

    Uncommon Linux process communication to a rare external host by an automated penetration testing tool

    Medium overridden

    An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden

    Uncommon Linux process communication to a rare external host involving a code sharing website

    Low overridden

    An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden

    Uncommon Linux process communication to a rare external host involving a low-prevalence process connecting to a rare Top-Level Domain

    Low overridden

    An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden

    Uncommon Linux process communication to a rare external host with an external IP in the command line

    Low overridden

    An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden

    Uncommon Linux process communication to a rare external host using a data transfer tool

    Low overridden

    An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden

    Uncommon Linux process communication to a rare external host identified as global anomaly

    Low overridden

    An uncommon process is connecting to an external domain that is rarely accessed within the organization.This connection pattern is consistent with malware initiating connection to its command and control server. overridden

  • Uncommon SSH session was established Low 14 variations

    An uncommon SSH session was established.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.
    Investigative actions: Review the external IP/domain using known intelligence tools. Investigate the causality of the process and its user ID to find uncommon behaviors. Search for processes or files that were created by this SSH instance.

    Variations

    An Uncommon SSH session was established using a rare server HASSH for the ssh server

    Low overridden

    An Uncommon SSH session was established using a rare server HASSH for the ssh server. overridden

    An Uncommon SSH session was established using a rare client HASSH for the agent

    Low overridden

    An uncommon SSH session was established using a rare client HASSH for the agent. overridden

    An Uncommon SSH session was established using a rare request banner for the agent

    Low overridden

    An Uncommon SSH session was established using a rare request banner for the agent. overridden

    An Uncommon SSH session was established using a rare Response banner for the ssh server

    Low overridden

    An Uncommon SSH session was established using a rare Response banner for the ssh server. overridden

    An Uncommon SSH session was established using a rare Response banner

    Low overridden

    An Uncommon SSH session was established using a rare Response banner. overridden

    An Uncommon SSH session was established using a rare request banner

    Low overridden

    An Uncommon SSH session was established using a rare request banner. overridden

    An Uncommon SSH session was established using a rare Client HASSH

    Low overridden

    An uncommon SSH session was established using a rare client HASSH. overridden

    An Uncommon SSH session was established using a rare Server HASSH

    Low overridden

    An Uncommon SSH session was established using a rare Server HASSH. overridden

    A suspicious SSH session was established

    Low overridden

    A suspicious SSH session was established to a globally rare external IP using a nonstandard SSH port. overridden

    An Uncommon SSH session was established to a rare IP address

    Low overridden

    An uncommon SSH session was established to a rare remote IP address. overridden

    An Uncommon SSH session was established using a nonstandard SSH port

    Low overridden

    An uncommon SSH session was established with a destination port using a nonstandard SSH port. overridden

    Uncommon SSH session was established to a rare internal IP

    Low overridden

    An uncommon SSH session was established to a rare internal IP. overridden

    Uncommon SSH session was established that involved a higher than usual volume

    Low overridden

    Uncommon SSH session was established that involved a higher than usual volume. overridden

    Uncommon SSH session was established to an internal IP

    Informational overridden

    An uncommon SSH session was established to an internal IP. overridden

  • Uncommon VNC server communication Low 4 variations

    Uncommon VNC server network traffic was observed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Lateral Movement (TA0008)
    ATT&CK techniques: Remote Access Tools (T1219) Remote Services: VNC (T1021.005)
    Required data: XDR Agent
    Attacker's goals: Accessing a remote machine with full interactive graphic interface capabilities.
    Investigative actions: Check if the product usage is approved. Check if it was executed remotely or locally.

    Variations

    Uncommon VNC scanning activity detected from a scanning tool

    Medium overridden

    An uncommon VNC scanning network traffic was observed from a scanning tool. overridden

    Uncommon VNC server communication from an unmanaged previously unseen external host

    Low overridden

    Uncommon VNC server network traffic was observed from an unmanaged, previously unseen external host. overridden

    Partially uncommon VNC server communication

    Informational overridden

    Uncommon VNC server network traffic was observed. overridden

    Uncommon VNC server connection

    Informational overridden

    An uncommon VNC Server network connection was observed. overridden

  • Uncommon communication to an instant messaging server Informational 2 variations

    A rare communication between a process to a known instant messaging server.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Web Service (T1102)
    Required data: XDR Agent
    Attacker's goals: Data exfiltration or attack tool staging through a trusted service.
    Investigative actions: Examine the legitimacy of the application that made the communication with the provider's server. Examine the parent process of this application. Check for anomalies regarding the time frame where the communication occurred.

    Variations

    Uncommon communication to an instant messaging server by a suspicious process

    Low overridden

    A rare communication by a suspicious process to a known instant messaging server. overridden

    Uncommon communication to an instant messaging server by an uncommon scripting engine execution

    Low overridden

    A rare communication by an uncommon execution of a scripting engine to a known instant messaging server. overridden

  • Uncommon file access over WebDAV Low 1 variation

    Uncommon file access over WebDAV.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Threat actors may use the WebDAV to blend in existing network traffic.
    Investigative actions: Investigate the process {actor_process_image_name} which tried to access the remote file. Investigate the remote host {webdav_dst_from_file_event}.

    Variations

    High-risk file read over WebDAV by a LOLBIN process

    High overridden

    High-risk file read over WebDAV by a LOLBIN process. overridden

  • Uncommon macOS process communication to a rare external host Informational 11 variations

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Abnormal Communication Analytics
    Attacker's goals: Establish a remote backdoor to issue instructions, deploy additional payloads, and maintain long-term persistence across the infected fleet.
    Investigative actions: Identify the process contacting the remote host and determine whether the traffic is malicious. Look for other endpoints on your network that are also contacting the suspicious host. Inspect the host or URL for suspicious indicators or its presence in malicious reputation lists.

    Variations

    Uncommon macOS process communication to a rare external host by security testing tool

    High overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host with a frequently abused TLD

    Medium overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host while using a CLI utility to establish a connection with a messaging service API

    Medium overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host related to LOTTunnels

    Low overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host with a rare TLD

    Low overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host while using a CLI utility and piping to script

    Low overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host while using a CLI utility to download and change permission

    Low overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host while using a CLI utility running by an unsigned process

    Low overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host while using a CLI utility and saving data to a temporary folder

    Low overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host while using a CLI utility and downloading a script

    Low overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

    Uncommon macOS process communication to a rare external host while using a CLI utility

    Low overridden

    An uncommon process is connecting to an external host that is rarely accessed within the organization.This connection pattern is consistent with malicious activity such as command and control execution, malware download and so on. overridden

  • Uncommon network tunnel creation Informational 3 variations

    An uncommon network tunnel was established.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    12 Hours
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Protocol Tunneling (T1572)
    Required data: Palo Alto Networks Url Logs
    Attacker's goals: Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.
    Investigative actions: Review the external IP/domain using known intelligence tools. Investigate the causality of the process and its user ID to find uncommon behaviors. Search for processes or files that were created by this SSH instance.

    Variations

    Uncommon network tunnel creation

    Informational overridden

    An uncommon network tunnel was established using ACS_ssh.exe. overridden

    Uncommon SSH tunnel to unpopular IP address

    Low overridden

    An uncommon SSH tunnel was established to an unpopular remote IP address at the organization. overridden

    An uncommon network tunnel was established over the default SSH port

    Low overridden

    An unpopular process and command line created a network tunnel over the default SSH port. overridden

  • Uncommon recurring rare external host access Informational 6 variations

    A process has established recurring connections to an uncommon external host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    14 Days
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over C2 Channel (T1041) Remote Access Tools (T1219)
    Required data: XDR Agent
    Detector tags: Abnormal Communication Analytics
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines. Additionally, establish command and control channels for remote malware control, conduct discovery activities to gather information about the target environment, or exfiltrate sensitive data from compromised systems.
    Investigative actions: Identify the process contacting the remote host and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the same external host. Inspect the domain or URL for malicious indicators or its presence in threat intelligence feeds and reputation lists.

    Variations

    Uncommon recurring rare external host access by an automated penetration testing tool

    High overridden

    A process has established recurring connections to an uncommon external host. overridden

    Uncommon recurring rare external host access to a dynamic DNS domain

    Low overridden

    A process has established recurring connections to an uncommon external host. overridden

    Uncommon recurring rare external host access initiated by a cron job

    Low overridden

    A process has established recurring connections to an uncommon external host. overridden

    Uncommon recurring rare external host access with a rare top-level domain

    Low overridden

    A process has established recurring connections to an uncommon external host. overridden

    Uncommon recurring rare external host access using an exfiltration tool

    Low overridden

    A process has established recurring connections to an uncommon external host. overridden

    Uncommon recurring rare external host access with a sensitive file in actor or causality command line

    Low overridden

    A process has established recurring connections to an uncommon external host. overridden

  • Uncommon remote monitoring and management tool Low 4 variations

    An uncommon Remote Monitoring and Management (RMM) product was observed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Remote Access Tools (T1219)
    Required data: XDR Agent
    Attacker's goals: Accessing a remote machine with full interactive graphic interface capabilities.
    Investigative actions: Check if the product usage is approved. Ask the owners of the machine if they knowingly used this software. Investigate why the software was being used. Check if it was executed remotely or locally.

    Variations

    Uncommon renamed remote monitoring and management tool

    Medium overridden

    An uncommon renamed Remote Monitoring and Management (RMM) product was observed. overridden

    Uncommon remote monitoring and management tool (browser origin)

    Informational overridden

    An uncommon Remote Monitoring and Management (RMM) product was observed. (browser origin). overridden

    Uncommon remote monitoring and management tool extracted from an internet-downloaded archive and executed

    Low overridden

    An uncommon Remote Monitoring and Management (RMM) product extracted from an internet-downloaded archive and executed. overridden

    Uncommon remote monitoring and management tool downloaded from an uncommon source and executed

    Medium overridden

    An uncommon Remote Monitoring and Management (RMM) product downloaded from an uncommon source and executed. overridden

  • Uncommon reverse SSH tunnel to external domain/ip Low 1 variation

    An uncommon reverse SSH tunnel might have been created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Protocol Tunneling (T1572)
    Required data: XDR Agent
    Detector tags: Abnormal Communication Analytics
    Attacker's goals: Attackers may use SSH to create an encrypted tunnel to allow an attacker to covertly connect to an internal host.
    Investigative actions: Review the external ip/domain. Investigate the causality of the process.

    Variations

    Uncommon reverse SSH tunnel to external domain/ip using a sensitive port

    Low overridden

    An uncommon reverse SSH tunnel might have been created. overridden

  • Unusual Netsh PortProxy rule Low 2 variations

    Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)
    ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004) Proxy: Internal Proxy (T1090.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adding or deleting netsh forwarding rules as a proxy and to avoid possible detection.
    Investigative actions: Check the connect address and if it's a known IP/domain. Check whether the causality group owner (CGO) process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Unusual Netsh PortProxy rule by non-netsh process

    Medium overridden

    Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling). overridden

    Unusual Netsh PortProxy rule by an unsigned causality actor

    Medium overridden

    Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling). overridden

  • Unusual SSH Activity Informational 2 variations

    Unusual SSH activity was detected that involved a higher than usual volume of data transfer and an abnormally long session.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Protocol Tunneling (T1572)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.
    Investigative actions: Review the client IP/Agent for using known intelligence tools. Investigate the user accounts involved in the SSH connections to determine if credentials were compromised, Additionally examine logs for any unexpected data transfers or commands that may indicate malicious intent.

    Variations

    Unusual, long SSH activity with tunnel characteristics

    Low overridden

    Unusual SSH activity was detected that involved a high volume of data transfer and abnormal session duration. overridden

    Unusual SSH activity with tunnel characteristics to external destination

    Low overridden

    Unusual SSH activity was detected that involved a higher than usual volume of data transfer and an abnormally long session. overridden

  • Unusual SSH activity that resembles SSH proxy Informational 3 variations

    A host initiated and received an unusual SSH connection, which is consistent with being an SSH proxy.This behavior may indicate an attempt to establish covert command and control communication or to exfiltrate data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Proxy: Internal Proxy (T1090.001)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Attackers aim to establish a covert command and control channel or relay communications through a compromised SSH connection.
    Investigative actions: Review the SSH connections to identify any unusual proxy activity or traffic patterns. Investigate the user accounts involved in the SSH connections to determine if credentials were compromised. Additionally, examine logs for any unexpected data transfers or commands that may indicate malicious intent.

    Variations

    High Volume Unusual SSH activity that resembles SSH proxy

    Low overridden

    A host initiated and received an unusual SSH connection, which is consistent with being an SSH proxy.This behavior may indicate an attempt to establish covert command and control communication or to exfiltrate data. overridden

    Suspicious SSH activity that resembles SSH proxy

    Low overridden

    A host initiated and received an unusual SSH connection, which is consistent with being an SSH proxy.This behavior may indicate an attempt to establish covert command and control communication or to exfiltrate data. overridden

    Unusual SSH activity that resembles SSH proxy detected

    Low overridden

    A host initiated and received an unusual SSH connection, which is consistent with being an SSH proxy.This behavior may indicate an attempt to establish covert command and control communication or to exfiltrate data. overridden

  • Upload pattern that resembles Peer to Peer traffic Informational

    A possible P2P protocol was spotted from an internal host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)
    ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571) Trusted Relationship (T1199) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: An attacker may use peer-to-peer communication to gain initial access, as a C&C tool, or an exfiltration tool.
    Investigative actions: Confirm that the port accessed is a P2P port/ is run by a P2P application. View the downloaded content and determine it's not malicious. Check for large uploads from this host and check for sensitive information that might not be required on the host.
  • Windows LOLBIN executable connected to a rare external host Medium 2 variations

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Connect to the attacker's Command and Control server.
    Investigative actions: Check the external address the process connects to.

    Variations

    Windows LOLBIN executable connected to a rare external host on a newly activated agent

    Low overridden

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden

    Windows LOLBIN executable connected to a rare external host

    Medium overridden

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden