Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

51 alerts match the current filters. technique: T1021 ✕

Show ATT&CK heatmap
  • A remote service was created via RPC over SMB Low 1 variation

    A remote service was created via RPC over SMB.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services: SMB/Windows Admin Shares (T1021.002) System Services: Service Execution (T1569.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Impacket Analytics
    Attacker's goals: Process creation on a remote host.
    Investigative actions: Check whether the new process is benign and that the new process is not doing suspicious activity.

    Variations

    A remote service with an uncommon name was created via RPC over SMB

    Medium overridden

    A remote service was created via RPC over SMB. overridden

  • A user established an SMB connection to multiple hosts Informational Identity Analytics 2 variations

    A user established an SMB connection to multiple hosts. This might indicate an enumeration attempt by a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services (T1021)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversaries can effectively map out and strategize their lateral movement within a network by leveraging diverse protocols for reconnaissance.
    Investigative actions: Verify if the host is a newly deployed server that consists of SMB services to multiple hosts. Look for the process that initiated this activity on the remote host. Check if the user is authorized to perform such activity.

    Variations

    A user established an SMB connection to multiple hosts for the first time

    Medium overridden

    A user established an SMB connection to multiple hosts. This might indicate an enumeration attempt by a compromised account. overridden

    A user performed an abnormal SMB activity to multiple hosts

    Low overridden

    A user established an SMB connection to multiple hosts. This might indicate an enumeration attempt by a compromised account. overridden

  • A user logged in to the AWS console for the first time Informational Cloud 1 variation

    A user logged in to the AWS console for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Lateral Movement (TA0008)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Remote Services: Cloud Services (T1021.007)
    Required data: AWS Audit Log
    Attacker's goals: Evading detections by performing direct operations using the AWS console. Performing non-automatic operations easily.
    Investigative actions: Check if the identity is an AWS identity. Investigate which operations were performed by the identity.

    Variations

    A non-user identity logged in to the AWS console for the first time

    Medium overridden

    A non-user identity logged in to the AWS console for the first time. overridden

  • AWS SSM send command attempt Informational Cloud 2 variations

    An identity executed an AWS SSM Document.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Days
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services: Direct Cloud VM Connections (T1021.008) Cloud Administration Command (T1651)
    Required data: AWS Audit Log
    Detector tags: Cloud Lateral Movement Analytics
    Attacker's goals: Gaining unauthorized access, executing unauthorized commands, or compromising sensitive information within the target system.
    Investigative actions: Examine the code in the SSM document, and the target objects. Validate the permissions and roles associated with the user initiating the SSM session to ensure they align with the expected level of access. Follow further actions taken by the identity or on the relevant targets.

    Variations

    AWS SSM SendCommand targeting multiple instances

    Low overridden

    An identity executed an AWS SSM Document. overridden

    Unusual AWS SSM send command

    Low overridden

    An identity executed an AWS SSM Document. overridden

  • Abnormal RDP connections to multiple hosts Informational 1 variation

    The endpoint attempted to initiate rare RDP connections to multiple hosts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    5 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)
    Required data: XDR Agent
    Detector tags: NDR Lateral Movement Analytics, Enhanced RDP Analytics
    Attacker's goals: Attackers may attempt to move laterally across the network by using compromised accounts or machines to connect to remote hosts via the RDP protocol.
    Investigative actions: Inspect the legitimacy of the user initiating the RDP connections. Verify that this activity is not part of routine IT operations.

    Variations

    Abnormal RDP connections to multiple hosts

    Low overridden

    The endpoint attempted to initiate rare RDP connections to multiple hosts. overridden

  • Abnormal RDP connections to multiple hosts from a rarely seen host Low

    The endpoint attempted to initiate rare RDP connections to multiple hosts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    5 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)
    Required data: XDR Agent
    Detector tags: NDR Lateral Movement Analytics, Enhanced RDP Analytics, NDR Unmanaged Subnet Analytics
    Attacker's goals: Attackers may attempt to move laterally across the network by using compromised accounts or machines to connect to remote hosts via the RDP protocol.
    Investigative actions: Inspect the legitimacy of the user initiating the RDP connections. Verify that this activity is not part of routine IT operations.
  • Abnormal RDP session to a remote host from a rarely seen host Low

    The endpoint performed a rare RDP session to a remote host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Detector tags: NDR Lateral Movement Analytics, NDR Unmanaged Subnet Analytics
    Attacker's goals: Attackers may attempt to move laterally over the network by using compromised accounts or machines to connect to remote hosts using the RDP protocol.
    Investigative actions: Inspect the legitimacy of the user which the RDP made the connection with. Verify that this isn't IT activity.
  • Abnormal SMB activity to multiple hosts Low 4 variations

    An endpoint performed a new, unfamiliar SMB activity to multiple hosts on the network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    5 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services (T1021)
    Required data: XDR Agent
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: An adversary may use different protocols to enumerate and plan its lateral movement over the network.
    Investigative actions: Verify if the host is a newly deployed server that consists of SMB services to multiple hosts. Verify the legitimacy of the actor process (and its causality) that initiated this SMB traffic.

    Variations

    Highly rare SMB activity to multiple hosts

    Low overridden

    An endpoint performed a new, and highly rare, SMB activity to multiple hosts on the network. overridden

    Highly rare SMB activity to multiple hosts

    Medium overridden

    An endpoint performed a new, and highly rare SMB activity to multiple hosts on the network. overridden

    Abnormal SMB activity to multiple hosts

    Medium overridden

    An endpoint performed a new, unfamiliar SMB activity to multiple hosts on the network. overridden

    Abnormal SMB activity to multiple hosts

    Low overridden

    An endpoint performed a new, unfamiliar SMB activity to multiple hosts on the network. overridden

  • Abnormal sensitive RPC traffic to multiple hosts Low 1 variation

    The endpoint performed unfamiliar RPC activity to multiple hosts using a known sensitive interface.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    5 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services (T1021)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: An adversary may enumerate different protocols to gain information and plan its lateral movement over the network.
    Investigative actions: Check if the host is a newly deployed server that provides RPC based services to multiple hosts. Verify the legitimacy of the actor process (and its causality) that initiated this RPC traffic.

    Variations

    Abnormal sensitive RPC traffic to multiple IPs

    Informational overridden

    The endpoint performed unfamiliar RPC activity to multiple hosts using a known sensitive interface. overridden

  • Abnormal sensitive RPC traffic to multiple hosts from a rarely seen host Low

    The endpoint performed unfamiliar RPC activity to multiple hosts using a known sensitive interface.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    5 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services (T1021)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: NDR Lateral Movement Analytics, NDR Unmanaged Subnet Analytics
    Attacker's goals: An adversary may enumerate different protocols to gain information and plan its lateral movement over the network.
    Investigative actions: Check if the host is a newly deployed server that provides RPC based services to multiple hosts. Verify the legitimacy of the actor process (and its causality) that initiated this RPC traffic.
  • An identity started an AWS SSM session Informational Cloud 2 variations

    An identity started an AWS SSM interactive session.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Days
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Direct Cloud VM Connections (T1021.008) Remote Services: Cloud Services (T1021.007)
    Required data: AWS Audit Log
    Detector tags: Cloud Lateral Movement Analytics
    Attacker's goals: Gaining unauthorized access, executing unauthorized commands, or compromising sensitive information within the target system.
    Investigative actions: Examine the specifics of the SSM session, including the source IP address, identity, and timestamp. Validate the permissions and roles associated with the user initiating the SSM session to ensure they align with the expected level of access. Follow further actions taken by the identity or on the relevant instance.

    Variations

    An identity started an unusual AWS SSM session

    Medium overridden

    An identity started an AWS SSM interactive session. overridden

    An unusual identity started an AWS SSM session

    Low overridden

    An identity started an AWS SSM interactive session. overridden

  • An uncommon RDP session from a managed host Informational 5 variations

    An RDP session was established with uncommon parameters from a managed host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)
    Required data: XDR Agent
    Detector tags: Enhanced RDP Analytics
    Attacker's goals: Adversaries may use RDP for initial access or lateral movement within a network.
    Investigative actions: Investigate the source and destination of the RDP communication. Check if this communication is legitimate and expected. Analyze the user and process that initiated the RDP connection.

    Variations

    An uncommon RDP session initiated by a chained RDP client

    Low overridden

    An RDP session was established by a process that is itself an RDP client, which is uncommon behavior. overridden

    An uncommon RDP session initiated by a globally rare RDP client

    Low overridden

    An RDP session was established by a process hash that has not been seen globally, which is uncommon. overridden

    An uncommon RDP session initiated by a rare RDP client

    Low overridden

    An RDP session was established by a process hash that is rare in the environment. overridden

    An uncommon RDP session from a host that rarely initiates RDP

    Low overridden

    An RDP session was initiated from a host that does not typically establish RDP connections. overridden

    An uncommon RDP session initiated by a process with rare causality

    Low overridden

    An RDP session was established by a process with an uncommon parent process relationship. overridden

  • An uncommon RDP session was established Informational 5 variations

    An RDP session was established with uncommon parameters.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)
    Required data: XDR Agent
    Detector tags: Enhanced RDP Analytics
    Attacker's goals: Adversaries may use RDP for initial access or lateral movement within a network.
    Investigative actions: Investigate the source and destination of the RDP communication. Check if this communication is legitimate and expected. Analyze the user and process that initiated the RDP connection.

    Variations

    An uncommon RDP session was established from a Suspicious Autonomous System (AS)

    Medium overridden

    An RDP session was established with uncommon parameters. overridden

    An uncommon RDP session was established originating from a chained RDP session which is also from a rare subnet

    Low overridden

    An RDP session was established with uncommon parameters. The connection appears to originate from an endpoint that itself received an RDP connection, suggesting a chained session. overridden

    An uncommon RDP session was established between subnets with no prior communication

    Low overridden

    An RDP session was established with uncommon parameters. The source and destination subnets have not been observed communicating with each other previously. overridden

    An uncommon RDP session was established involving subnets with no prior RDP history

    Low overridden

    An RDP session was established with uncommon parameters. Neither the source nor the destination subnet has been observed participating in RDP sessions previously. overridden

    An uncommon RDP session was established involving a destination subnet which rarely receives incoming RDP sessions

    Low overridden

    An RDP session was established with uncommon parameters. The destination subnet is rarely involved in RDP activity. overridden

  • An uncommon executable was remotely written over SMB to an uncommon destination Low 3 variations

    An uncommon executable was remotely written over SMB to a destination, which was not involved in significant similar activity during last month.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: SMB/Windows Admin Shares (T1021.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Transfer tools as part of lateral movement activity across the network.
    Investigative actions: Verify if the shared file is malicious. Investigate if the file was executed on the host. Check the remote SMB client for other suspicious activities.

    Variations

    An uncommon executable was remotely written over SMB to a highly suspicious destination

    High overridden

    An uncommon executable was remotely written over SMB to a highly suspicious destination, which was not involved in significant similar activity during last month. overridden

    An uncommon executable with SCR extension was remotely written over SMB to an uncommon destination

    Medium overridden

    An uncommon executable with SCR extension was remotely written over SMB to a destination, which was not involved in significant similar activity during last month. overridden

    PsExec remote service component was remotely written over SMB to an uncommon destination

    Low overridden

    PsExec remote service component was remotely written over SMB to a destination, which was not involved in significant similar activity during last month. overridden

  • Attempt to execute a command on a remote host using PsExec.exe Low 1 variation

    There was an attempt to run a command on a remote host using PsExec.exe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services: SMB/Windows Admin Shares (T1021.002) System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Detector tags: Malicious Service Analytics
    Attacker's goals: Execute commands and run processes remotely.
    Investigative actions: Confirm that the connection is benign and occurred as a part of normal behavior.

    Variations

    Attempt to execute a command on a remote host using PsExec.exe

    Low overridden

    There was an attempt to run a command on a remote host using PsExec.exe., the connection to the remote host was successful. overridden

  • Chrome OS Remote Access policy was modified in Google Workspace Informational Identity Threat Module 1 variation

    A user modified Chrome OS Remote Access configuration in Google Workspace.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Lateral Movement (TA0008)
    ATT&CK techniques: Impair Defenses (T1562) Remote Services (T1021)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may modify remote access settings to maintain persistent access and bypass security controls.
    Investigative actions: Verify if the configuration change was authorized. Investigate the source IP address and account involved for malicious activity. Follow further actions performed by the account and Remote Access connections performed.

    Variations

    Suspicious Chrome OS Remote Access policy was modified in Google Workspace

    Low overridden

    This is the first time the user performs this operation in the last 30 days. overridden

  • Cloud compute serial console access Informational Cloud 2 variations

    An identity connected to a compute instance using serial console access.This may indicate an attacker attempting to move laterally between cloud instances.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Direct Cloud VM Connections (T1021.008) Remote Services: Cloud Services (T1021.007)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Utilize direct access to virtual infrastructure to pivot through a cloud environment.
    Investigative actions: Verify whether the identity should be making this action. Investigate which actions were performed via serial console access.

    Variations

    Cloud compute serial console access by an identity with high administrative activity

    Informational overridden

    An identity with high administrative activity connected to a compute instance using serial console access.This may indicate an attacker attempting to move laterally between cloud instances. overridden

    Suspicious cloud compute serial console access in a project

    Low overridden

    An identity connected to a compute instance using serial console access.This may indicate an attacker attempting to move laterally between cloud instances. overridden

  • Command execution via AWS SSM Medium Cloud

    A cloud identity performed multiple unusual activities leading to code execution using AWS Systems Manager service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Lateral Movement (TA0008)
    ATT&CK techniques: Cloud Administration Command (T1651) Remote Services: Direct Cloud VM Connections (T1021.008)
    Required data: AWS Audit Log
    Attacker's goals: Gaining unauthorized access, executing unauthorized commands or compromising sensitive information within the target system.
    Investigative actions: Investigate the activities related to the suspected identity. Examine the code executed on the target instance(s).
  • DSC (Desired State Configuration) lateral movement using PowerShell Informational 3 variations

    An attacker is using the DSC feature with PowerShell to remotely modify / execute content / components on the machine.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Windows Management Instrumentation (T1047) Remote Services: Windows Remote Management (T1021.006)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Execute malicious content on and move laterally across machine in the network.
    Investigative actions: Search for suspicious WinRM sessions and the user created them, can be found at Event ID: 4102. Additionally, search for the DSC resource executed and related IOC, can be found at Event IDs: 400 or 4104.

    Variations

    DSC (Desired State Configuration) lateral movement using PowerShell to execute a script

    High overridden

    An attacker may use the DSC feature with PowerShell to execute script remotely on a machine. overridden

    DSC (Desired State Configuration) lateral movement using PowerShell to execute a new service

    Medium overridden

    An attacker may use the DSC feature with PowerShell to create and execute a service on the host. overridden

    DSC (Desired State Configuration) lateral movement using PowerShell to modify the registry

    Medium overridden

    An attacker may use the DSC feature with PowerShell to create/modify/dump registry keys/values. overridden

  • Multiple alerts associated with a single RDP connection Informational

    Multiple alerts associated with a single RDP connection were triggered.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)
    Required data: Palo Alto Networks Platform Alerts Third-Party Alerts
    Detector tags: Enhanced RDP Analytics
    Attacker's goals: Adversaries may use RDP for initial access or lateral movement within a network.
    Investigative actions: Investigate the source and destination of the RDP communication. Check if this communication is legitimate and expected. Analyze the user and process that initiated the RDP connection.
  • New Administrative Behavior Medium 1 variation

    The endpoint performed new administrative actions, relative to its previously profiled behavior. It is possible that an endpoint will infrequently be used for administrative activities, so analytics is performed using logs collected over a long period of time, also comparing the activity to that of other endpoints. That is, if many endpoints are contacting the same destination with the same administrative activity, then this network activity is less likely to result in this alert.An attacker may be operating on the host, probing other computers and moving laterally inside the network using a trusted computer and credentials. Attackers typically exhibit administrative behaviors when performing reconnaissance and lateral movement.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    12 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services (T1021)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: An attacker is using administrative functions to move from one endpoint to another, or to scan the network for new endpoints to attack.
    Investigative actions: Investigate the endpoint to determine if it is legitimately being used for administrative functions.

    Variations

    New SSH Administrative Behavior

    Informational overridden

    The endpoint performed new SSH administrative actions, relative to its previously profiled behavior. It is possible that an endpoint will infrequently be used for administrative activities, so analytics is performed using logs collected over a long period of time, also comparing the activity to that of other endpoints. That is, if many endpoints are contacting the same destination with the same administrative activity, then this network activity is less likely to result in this alert.An attacker may be operating on the host, probing other computers and moving laterally inside the network using a trusted computer and credentials. Attackers typically exhibit administrative behaviors when performing reconnaissance and lateral movement. overridden

  • Possible Brute-Force attempt Informational Identity Analytics 2 variations

    This may indicate a brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    15 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Brute Force (T1110) Remote Services (T1021)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the accounts.
    Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.

    Variations

    Possible Brute-Force attempt on a Honey User Account

    Medium overridden

    This may indicate a brute-force attack. overridden

    Possible Brute-Force attempt with a successful login and suspicious characteristics

    Low overridden

    This may indicate a brute-force attack. overridden

  • RDP Connection to localhost Medium

    An RDP connection to localhost can be used for privilege escalation by leveraging Windows accessibility features.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)
    Required data: XDR Agent
    Detector tags: Enhanced RDP Analytics
    Attacker's goals: An attacker may initiate RDP tunneling for a more convenient and stable interface.
    Investigative actions: Identify the process/user performing RDP and check that it is authorized. Check whether the initiating process also connects to an external host.
  • RDP connections enabled remotely via Registry Low 2 variations

    An attacker may remotely enable RDP connections to a machine by setting the fDenyTSConnections Registry key to 0.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Enhanced RDP Analytics
    Attacker's goals: Remotely enable RDP on the host for lateral movement.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Search for RDP sessions to this host and investigate them for malicious activities.

    Variations

    RDP connections enabled by a remote process via Registry

    Low overridden

    An attacker may remotely enable RDP connections to a machine by setting the fDenyTSConnections Registry key to 0. overridden

    RDP connections enabled remotely via Registry using WinRM

    Low overridden

    An attacker may remotely enable RDP connections to a machine by setting the fDenyTSConnections Registry key to 0. overridden

  • RDP from an unmanaged endpoint in a typically managed subnet Low 1 variation

    An RDP connection was established from an unmanaged endpoint in a typically managed subnet, indicating a possible lateral movement.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Detector tags: Enhanced RDP Analytics
    Attacker's goals: Lateral movement to critical assets from an unmanaged host.
    Investigative actions: Verify if the source endpoint is authorized to perform RDP connections. Validate that the source endpoint is managed or unmanaged. Investigate the user account used for the RDP connection.

    Variations

    RDP from an unmanaged endpoint in a typically managed subnet with a significantly higher number of managed endpoints in the subnet

    Low overridden

    An RDP connection was established from an unmanaged endpoint in a typically managed subnet, indicating a possible lateral movement. The source subnet has a significantly higher number of managed endpoints compared to the unmanaged ones. overridden

  • Rare DCOM RPC activity Informational 1 variation

    The endpoint performed abnormal DCOM RPC activity to a remote host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Distributed Component Object Model (T1021.003)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using the DCOM RPC interface. The DCOM RPC interface is used to remotely invoke registered COM applications on remote hosts.
    Investigative actions: Review the action of the initiated COM application on the remote host. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.

    Variations

    Rare DCOM RPC activity

    Low overridden

    The endpoint performed abnormal DCOM RPC activity to a remote host. overridden

  • Rare RDP session to a remote host Low 1 variation

    The endpoint performed a rare RDP session to a remote host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Detector tags: NDR Lateral Movement Analytics, Enhanced RDP Analytics
    Attacker's goals: Attackers may attempt to move laterally over the network by using compromised accounts or machines to connect to remote hosts using the RDP protocol.
    Investigative actions: Inspect the legitimacy of the user who initiated the RDP session. Verify that this isn't routine IT activity.

    Variations

    Rare RDP session to a remote host

    Informational overridden

    The endpoint performed a rare RDP session to a remote host. overridden

  • Rare Remote Service (SVCCTL) RPC activity Informational 3 variations

    The endpoint performed abnormal RPC activity via Service Control Manager interface to a remote host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services (T1021)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using services. The service control manager RPC interface is used to create and start services on a local or a remote host.
    Investigative actions: Review the action of services.exe on the remote host where possible. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.

    Variations

    Rare remote service creation and initiation via Remote Service (SVCCTL) RPC interface

    Medium overridden

    The endpoint performed abnormal service creation and initiation via Remote Service (SVCCTL) RPC interface to a remote host. overridden

    Rare remote service change or creation via Remote Service (SVCCTL) RPC interface

    Medium overridden

    The endpoint performed abnormal service creation via Remote Service (SVCCTL) RPC interface to a remote host. overridden

    Rare Remote Service (SVCCTL) RPC activity

    Low overridden

    The endpoint performed abnormal RPC activity via Service Control Manager interface to a remote host. overridden

  • Rare SMB session to a remote host Low 1 variation

    The endpoint performed a rare SMB activity to a remote host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services (T1021)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: Attackers may use the SMB protocol in an attempt to move laterally in the network, and expand their foothold in the organization.
    Investigative actions: Check whether the username used in the SMB connection is legitimate. Verify that this isn't IT activity.

    Variations

    Rare SMB session to a remote host

    Informational overridden

    The endpoint performed a rare SMB activity to a remote host. overridden

  • Rare SSH Session Low

    Secure Shell (SSH) provides a secure means of remote administration. Attackers can use valid SSH credentials and keys to remotely connect to endpoints running the SSH service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services (T1021)
    Required data: XDR Agent
    Attacker's goals: Secure Shell (SSH) provides a secure means of remote administration. Attackers can use valid SSH credentials and keys to remotely connect to endpoints running the SSH service.
    Investigative actions: Verify that the process is allowed in the organization. Check if the user should access the destination and whether the session was successful or not.
  • Rare Scheduled Task RPC activity Informational 3 variations

    The endpoint performed abnormal Scheduled Task RPC activity to a remote host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Persistence (TA0003)
    ATT&CK techniques: Remote Services (T1021) Scheduled Task/Job (T1053)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using scheduled tasks. The ITaskSchedulerService RPC interface is used to query and manage services on a local or remote host.
    Investigative actions: Review the action of the created scheduled task on the remote host. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.

    Variations

    Rare remote task registration and creation via Scheduled Task RPC interface

    Medium overridden

    The endpoint performed abnormal task registration and creation via Scheduled Task RPC interface to a remote host. overridden

    Rare remote task creation via Scheduled Task RPC interface

    Medium overridden

    The endpoint performed abnormal task registration or creation via Scheduled Task RPC interface to a remote host. overridden

    Rare Scheduled Task RPC activity

    Low overridden

    The endpoint performed abnormal Scheduled Task RPC activity to a remote host. overridden

  • Rare Scheduled Task RPC activity from a rarely seen host Low

    The endpoint performed abnormal Scheduled Task RPC activity to a remote host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Persistence (TA0003)
    ATT&CK techniques: Remote Services (T1021) Scheduled Task/Job (T1053)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: NDR Lateral Movement Analytics, NDR Unmanaged Subnet Analytics
    Attacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using scheduled tasks. The ITaskSchedulerService RPC interface is used to create and manage scheduled tasks on a local or remote host.
    Investigative actions: Review the action of the created scheduled task on the remote host. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.
  • Rare WinRM Session Informational

    Windows Remote Management (WinRM) enables users to interact with remote systems in different ways, including running executables on the remote system. WinRM sessions can be established using WinRM/WinRS commands or programs such as PowerShell. Attackers can use WinRM to execute code and move laterally within a compromised network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Windows Remote Management (T1021.006)
    Required data: XDR Agent
    Attacker's goals: Windows Remote Management (WinRM) enables users to interact with remote systems in different ways, including running executables on the remote endpoint. WinRM sessions can be established using winrm/winrs commands or programs such as PowerShell. Attackers can use WinRM to execute code and move laterally within a compromised network.
    Investigative actions: Investigate the endpoints participating in the session.
  • Rare Windows Remote Management (WinRM) HTTP Activity Low

    The endpoint performed unfamiliar WinRM HTTP activity to a remote host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services (T1021)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: Attackers may use WinRM to execute code on remote hosts, in an attempt to gain persistence or move laterally in the network.
    Investigative actions: Correlate the WinRM HTTP request from the source host and understand which software initiated it. Verify that this isn't IT activity.
  • Rare file transfer over SMB protocol Low

    The endpoint performed an abnormal file transfer over SMB to a remote host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services (T1021)
    Required data: XDR Agent
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: Attackers may attempt to gain persistence or move laterally over the network by dropping executable files and scripts on remote hosts using the SMB protocol.
    Investigative actions: Inspect the file that was transferred to the remote host. Verify that this isn't IT activity.
  • Rare process with VNC server capabilities started Low

    A rare process with VNC server capabilities was started.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Lateral Movement (TA0008)
    ATT&CK techniques: Remote Access Tools (T1219) Remote Services: VNC (T1021.005)
    Required data: XDR Agent
    Attacker's goals: Accessing a remote machine with full interactive graphic interface capabilities.
    Investigative actions: Check if the product usage is approved. Check if it was executed remotely or locally.
  • Remote DCOM command execution Low 4 variations

    A remotely triggered DCOM initiated a command execution by a host that rarely executes processes using DCOM to other remote hosts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Distributed Component Object Model (T1021.003)
    Required data: XDR Agent
    Detector tags: Impacket Analytics
    Attacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.
    Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the DCOM call from the source host and understand which software initiated it.

    Variations

    Remote suspicious DCOM-MMC20.Application command execution

    High overridden

    A remotely triggered suspicious DCOM-MMC20.Application initiated a command execution by a host that rarely executes processes using DCOM to other remote hosts. overridden

    Remote suspicious DCOM-Excel.Application command execution

    High overridden

    A remotely triggered suspicious DCOM-Excel.Application initiated a command execution by a host that rarely executes processes using DCOM to other remote hosts. overridden

    Remote suspicious DCOM-Outlook.Application command execution

    High overridden

    A remotely triggered suspicious DCOM-Outlook.Application initiated a command execution by a host that rarely executes processes using DCOM to other remote hosts. overridden

    Remote suspicious DCOM command execution

    Medium overridden

    A remotely triggered suspicious DCOM initiated a command execution by a host that rarely executes processes using DCOM to other remote hosts. overridden

  • Remote PsExec-like command execution Informational 5 variations

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002) Lateral Tool Transfer (T1570)
    Required data: XDR Agent
    Detector tags: Impacket Analytics
    Attacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.
    Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.

    Variations

    Remote PsExec-like LOLBIN command execution from an unsigned non-standard PsExec service

    High overridden

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden

    Remote PsExec-like LOLBIN command execution from a signed non-standard PsExec service

    Medium overridden

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden

    Remote PsExec-like command execution from an unsigned non-standard PsExec service

    Medium overridden

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden

    Remote PsExec-like command execution from a signed non-standard PsExec service

    Low overridden

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden

    Remote PsExec command execution

    Low overridden

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden

  • Remote WMI process execution Medium 1 variation

    A host that rarely initiates WMI to other remote hosts triggered a remote process execution by using WMI RPC.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Days
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services (T1021) Remote Services: Windows Remote Management (T1021.006)
    Required data: XDR Agent
    Detector tags: Impacket Analytics
    Attacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.
    Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which process or software initiated it.

    Variations

    Suspicious remote WMI process execution

    High overridden

    A host that rarely initiates WMI to other remote hosts triggered a suspicious remote process execution by using WMI RPC. overridden

  • Remote service command execution from an uncommon source High

    A remotely triggered service initiated a command execution by a host that rarely triggers services to other remote hosts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Detector tags: Impacket Analytics
    Attacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.
    Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.
  • Remote service start from an uncommon source Low

    A remotely triggered service initiated by a host that rarely triggers services to other remote hosts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Detector tags: Impacket Analytics
    Attacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.
    Investigative actions: Investigate the service being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.
  • Serial console access was enabled in AWS account Informational Cloud

    Serial console access to EC2 instances was enabled in an AWS account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Direct Cloud VM Connections (T1021.008) Remote Services: Cloud Services (T1021.007)
    Required data: AWS Audit Log
    Attacker's goals: Utilize direct access to virtual infrastructure to pivot through a cloud environment.
    Investigative actions: Verify whether serial console access should be enabled. Investigate which actions were performed via serial console access.
  • Suspicious SSH Downgrade Low 2 variations

    The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Defense Evasion (TA0005)
    ATT&CK techniques: Remote Services (T1021) Impair Defenses: Downgrade Attack (T1562.010)
    Required data: Palo Alto Networks Firewall EAL Logs
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: Attackers may attempt to move laterally over the network by exploiting problems in a lower version of SSH.
    Investigative actions: Audit the authentication attempts in the SSH server from the alerted host.If the source host authenticated to the SSH server, it may indicate that the attacker managed to connect to the remote host maliciously.

    Variations

    A Host Performed an SSH Downgrade For The First Time In The Last 30 Days

    Low overridden

    The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more. With a lower version than the source host used in the past. overridden

    A Target Server Performed an SSH Downgrade For The First Time In The Last 30 Days

    Low overridden

    The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more. With a lower version than the remote host used in the past. overridden

  • Suspicious cloud compute instance SSH keys modification attempt Informational Cloud 7 variations

    An identity attempted to modify the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Lateral Movement (TA0008)
    ATT&CK techniques: Account Manipulation: SSH Authorized Keys (T1098.004) Remote Services: Cloud Services (T1021.007) Remote Services: Direct Cloud VM Connections (T1021.008)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Lateral Movement Analytics
    Attacker's goals: Maintain persistence on a compromised compute instance. Escalate local privileges to gain root on compute instance.
    Investigative actions: Investigate if SSH keys were modified or added at the instance or project level. Investigate which permissions were obtained as a result of the SSH keys modification.

    Variations

    Suspicious cloud compute instance SSH keys modification attempt by an identity with high administrative activity

    Informational overridden

    An identity attempted to modify the SSH keys of a single compute instance.The identity has high administrative activityThis may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden

    Instance SSH keys were modified for the first time in the cloud provider

    High overridden

    An identity has modified the SSH keys of an instance for the first time in the cloud provider.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden

    Suspicious cloud compute instance SSH keys modification by a service account

    Medium overridden

    A service account has modified the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden

    Suspicious cloud compute instance SSH keys modification

    Informational overridden

    An identity has modified the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden

    Suspicious GCP project level metadata modification by a service account

    Low overridden

    A service account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden

    Suspicious GCP project level metadata modification

    Informational overridden

    An identity account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden

    Suspicious GCP project level metadata modification attempt

    Informational overridden

    An identity account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden

  • Uncommon Linux remote shell command execution Informational 15 variations

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Lateral Movement (TA0008)
    ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004) Command and Scripting Interpreter (T1059) Remote Services (T1021)
    Required data: XDR Agent
    Detector tags: Shell Analytics
    Attacker's goals: An attacker may attempt to execute a malicious shell command on the system.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the executed shell command (and possible child processes) for malicious actions.

    Variations

    Uncommon Linux remote shell command execution, possibly running LinPEAS

    High overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution using an exploitation tool

    High overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution executing a reverse interactive shell

    Medium overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution downloading a shell script

    Medium overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution disabling firewall

    Low overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution taking a screenshot

    Low overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution possibly running from an XZ backdoor

    Low overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution running as root

    Low overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution setting a scheduled task

    Low overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution running a process kill command

    Low overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution loading a kernel module

    Informational overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution via non-SSH or SSH on a non-standard port

    Informational overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution running a network tool

    Informational overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution trying to gather information about the system

    Informational overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

    Uncommon Linux remote shell command execution, possibly granting file execution permissions

    Informational overridden

    An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden

  • Uncommon RDP connection Informational

    RDP is used by attackers to laterally move to new hosts. Standard processes do not usually implement RDP on their own, and attackers might inject or tunnel using a non-standard process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)
    Required data: XDR Agent
    Detector tags: Enhanced RDP Analytics
    Attacker's goals: Use an account that was possibly compromised to gain access to the network.
    Investigative actions: Validate if the process is a legitimate IT software. Verify if the process is known to be malicious. Look into actions done on the remote host.
  • Uncommon VNC server communication Low 4 variations

    Uncommon VNC server network traffic was observed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Lateral Movement (TA0008)
    ATT&CK techniques: Remote Access Tools (T1219) Remote Services: VNC (T1021.005)
    Required data: XDR Agent
    Attacker's goals: Accessing a remote machine with full interactive graphic interface capabilities.
    Investigative actions: Check if the product usage is approved. Check if it was executed remotely or locally.

    Variations

    Uncommon VNC scanning activity detected from a scanning tool

    Medium overridden

    An uncommon VNC scanning network traffic was observed from a scanning tool. overridden

    Uncommon VNC server communication from an unmanaged previously unseen external host

    Low overridden

    Uncommon VNC server network traffic was observed from an unmanaged, previously unseen external host. overridden

    Partially uncommon VNC server communication

    Informational overridden

    Uncommon VNC server network traffic was observed. overridden

    Uncommon VNC server connection

    Informational overridden

    An uncommon VNC Server network connection was observed. overridden

  • Unusual AWS systems manager activity Informational Cloud

    A cloud identity performed an SSM operation for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Lateral Movement (TA0008)
    ATT&CK techniques: Cloud Service Discovery (T1526) Remote Services: Cloud Services (T1021.007)
    Required data: AWS Audit Log
    Attacker's goals: Manipulate SSM operations to take control over EC2 instances and strengthen the foothold in the cloud environment of the organization, by running critical operating system commands, manipulating the parameters store, and patch management configuration.
    Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive SSM operation that it shouldn't.
  • Unusual internal access to network device management interface Informational

    Unusual internal access to Palo Alto Networks device on management port.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Discovery (TA0007)
    ATT&CK techniques: Remote Services (T1021) Network Service Discovery (T1046)
    Required data: XDR Agent
    Attacker's goals: Attackers aim to compromise network infrastructure to redirect traffic, create illegitimate VPN tunnels, modify ACLs (Access Control Lists) to bypass segmentation, or perform Man-in-the-Middle (MitM) attacks.
    Investigative actions: Identify the source address and machine role (e.g., Is it a known Admin Jump Host or a standard workstation?). Validate if a change request exists for the target network device at the time of the event. Check the connection protocol (SSH/HTTPS vs. insecure Telnet/HTTP) and the port used. Review the login status: Was the authentication successful or failed? Investigate the source machine for network scanning tools or terminal clients (e.g., PuTTY, SecureCRT). Analyze the causality chain: Did a suspicious process launch the connection?. Check if the user associated with the source address has network administration privileges.
  • WmiPrvSe.exe Rare Child Command Line Low 1 variation

    A remote WMI command executed a binary proxy, the Windows Management Instrumentation (WMI) Provider Host wmiprvse.exe, which executed a rare child command line. Executing a rare child process can be an indication of remote code execution abuse by an attacker.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services (T1021) Remote Services: Windows Remote Management (T1021.006) Windows Management Instrumentation (T1047)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on a remote host.
    Investigative actions: Investigate the processes being spawned from WmiPrvse.exe on the host for malicious indicators. Correlate the RPC call from the source host and understand what initiated it.

    Variations

    WmiPrvSe.exe Rare Child Command Line

    Medium overridden

    A remote WMI command executed a binary proxy, the Windows Management Instrumentation (WMI) Provider Host wmiprvse.exe, which executed a rare child command line. Executing a rare child process can be an indication of remote code execution abuse by an attacker. overridden

  • Wsmprovhost.exe Rare Child Process Low

    The PowerShell host wsmprovhost.exe is a proxy process executed remotely through PowerShell when using Windows Remote Management (WinRM). It has executed a rare child process, which may indicate remote code execution abuse by an attacker.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services: Windows Remote Management (T1021.006) Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on a remote host.
    Investigative actions: Investigate the processes being spawned from Wsmprovhost.exe on the host for malicious indicators. Correlate the initiator process (most likely PowerShell) to the source host and investigate it.