Analytics Alerts
Browse the Cortex analytics alert reference.
51 alerts match the current filters. technique: T1021 ✕
Show ATT&CK heatmapA remote service was created via RPC over SMB Low 1 variation
A remote service was created via RPC over SMB.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services: SMB/Windows Admin Shares (T1021.002) System Services: Service Execution (T1569.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Impacket AnalyticsAttacker's goals: Process creation on a remote host.Investigative actions: Check whether the new process is benign and that the new process is not doing suspicious activity.Variations
A remote service with an uncommon name was created via RPC over SMB
Medium overridden
A remote service was created via RPC over SMB. overridden
A user established an SMB connection to multiple hosts Informational Identity Analytics 2 variations
A user established an SMB connection to multiple hosts. This might indicate an enumeration attempt by a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversaries can effectively map out and strategize their lateral movement within a network by leveraging diverse protocols for reconnaissance.Investigative actions: Verify if the host is a newly deployed server that consists of SMB services to multiple hosts. Look for the process that initiated this activity on the remote host. Check if the user is authorized to perform such activity.Variations
A user established an SMB connection to multiple hosts for the first time
Medium overridden
A user established an SMB connection to multiple hosts. This might indicate an enumeration attempt by a compromised account. overridden
A user performed an abnormal SMB activity to multiple hosts
Low overridden
A user established an SMB connection to multiple hosts. This might indicate an enumeration attempt by a compromised account. overridden
A user logged in to the AWS console for the first time Informational Cloud 1 variation
A user logged in to the AWS console for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Lateral Movement (TA0008)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Remote Services: Cloud Services (T1021.007)Required data: AWS Audit LogAttacker's goals: Evading detections by performing direct operations using the AWS console. Performing non-automatic operations easily.Investigative actions: Check if the identity is an AWS identity. Investigate which operations were performed by the identity.Variations
A non-user identity logged in to the AWS console for the first time
Medium overridden
A non-user identity logged in to the AWS console for the first time. overridden
AWS SSM send command attempt Informational Cloud 2 variations
An identity executed an AWS SSM Document.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services: Direct Cloud VM Connections (T1021.008) Cloud Administration Command (T1651)Required data: AWS Audit LogDetector tags: Cloud Lateral Movement AnalyticsAttacker's goals: Gaining unauthorized access, executing unauthorized commands, or compromising sensitive information within the target system.Investigative actions: Examine the code in the SSM document, and the target objects. Validate the permissions and roles associated with the user initiating the SSM session to ensure they align with the expected level of access. Follow further actions taken by the identity or on the relevant targets.Variations
AWS SSM SendCommand targeting multiple instances
Low overridden
An identity executed an AWS SSM Document. overridden
Unusual AWS SSM send command
Low overridden
An identity executed an AWS SSM Document. overridden
Abnormal RDP connections to multiple hosts Informational 1 variation
The endpoint attempted to initiate rare RDP connections to multiple hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 5 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: XDR AgentDetector tags: NDR Lateral Movement Analytics, Enhanced RDP AnalyticsAttacker's goals: Attackers may attempt to move laterally across the network by using compromised accounts or machines to connect to remote hosts via the RDP protocol.Investigative actions: Inspect the legitimacy of the user initiating the RDP connections. Verify that this activity is not part of routine IT operations.Variations
Abnormal RDP connections to multiple hosts
Low overridden
The endpoint attempted to initiate rare RDP connections to multiple hosts. overridden
Abnormal RDP connections to multiple hosts from a rarely seen host Low
The endpoint attempted to initiate rare RDP connections to multiple hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 5 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: XDR AgentDetector tags: NDR Lateral Movement Analytics, Enhanced RDP Analytics, NDR Unmanaged Subnet AnalyticsAttacker's goals: Attackers may attempt to move laterally across the network by using compromised accounts or machines to connect to remote hosts via the RDP protocol.Investigative actions: Inspect the legitimacy of the user initiating the RDP connections. Verify that this activity is not part of routine IT operations.Abnormal RDP session to a remote host from a rarely seen host Low
The endpoint performed a rare RDP session to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: NDR Lateral Movement Analytics, NDR Unmanaged Subnet AnalyticsAttacker's goals: Attackers may attempt to move laterally over the network by using compromised accounts or machines to connect to remote hosts using the RDP protocol.Investigative actions: Inspect the legitimacy of the user which the RDP made the connection with. Verify that this isn't IT activity.Abnormal SMB activity to multiple hosts Low 4 variations
An endpoint performed a new, unfamiliar SMB activity to multiple hosts on the network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 5 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: XDR AgentDetector tags: NDR Lateral Movement AnalyticsAttacker's goals: An adversary may use different protocols to enumerate and plan its lateral movement over the network.Investigative actions: Verify if the host is a newly deployed server that consists of SMB services to multiple hosts. Verify the legitimacy of the actor process (and its causality) that initiated this SMB traffic.Variations
Highly rare SMB activity to multiple hosts
Low overridden
An endpoint performed a new, and highly rare, SMB activity to multiple hosts on the network. overridden
Highly rare SMB activity to multiple hosts
Medium overridden
An endpoint performed a new, and highly rare SMB activity to multiple hosts on the network. overridden
Abnormal SMB activity to multiple hosts
Medium overridden
An endpoint performed a new, unfamiliar SMB activity to multiple hosts on the network. overridden
Abnormal SMB activity to multiple hosts
Low overridden
An endpoint performed a new, unfamiliar SMB activity to multiple hosts on the network. overridden
Abnormal sensitive RPC traffic to multiple hosts Low 1 variation
The endpoint performed unfamiliar RPC activity to multiple hosts using a known sensitive interface.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 5 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: NDR Lateral Movement AnalyticsAttacker's goals: An adversary may enumerate different protocols to gain information and plan its lateral movement over the network.Investigative actions: Check if the host is a newly deployed server that provides RPC based services to multiple hosts. Verify the legitimacy of the actor process (and its causality) that initiated this RPC traffic.Variations
Abnormal sensitive RPC traffic to multiple IPs
Informational overridden
The endpoint performed unfamiliar RPC activity to multiple hosts using a known sensitive interface. overridden
Abnormal sensitive RPC traffic to multiple hosts from a rarely seen host Low
The endpoint performed unfamiliar RPC activity to multiple hosts using a known sensitive interface.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 5 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: NDR Lateral Movement Analytics, NDR Unmanaged Subnet AnalyticsAttacker's goals: An adversary may enumerate different protocols to gain information and plan its lateral movement over the network.Investigative actions: Check if the host is a newly deployed server that provides RPC based services to multiple hosts. Verify the legitimacy of the actor process (and its causality) that initiated this RPC traffic.An identity started an AWS SSM session Informational Cloud 2 variations
An identity started an AWS SSM interactive session.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Direct Cloud VM Connections (T1021.008) Remote Services: Cloud Services (T1021.007)Required data: AWS Audit LogDetector tags: Cloud Lateral Movement AnalyticsAttacker's goals: Gaining unauthorized access, executing unauthorized commands, or compromising sensitive information within the target system.Investigative actions: Examine the specifics of the SSM session, including the source IP address, identity, and timestamp. Validate the permissions and roles associated with the user initiating the SSM session to ensure they align with the expected level of access. Follow further actions taken by the identity or on the relevant instance.Variations
An identity started an unusual AWS SSM session
Medium overridden
An identity started an AWS SSM interactive session. overridden
An unusual identity started an AWS SSM session
Low overridden
An identity started an AWS SSM interactive session. overridden
An uncommon RDP session from a managed host Informational 5 variations
An RDP session was established with uncommon parameters from a managed host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: XDR AgentDetector tags: Enhanced RDP AnalyticsAttacker's goals: Adversaries may use RDP for initial access or lateral movement within a network.Investigative actions: Investigate the source and destination of the RDP communication. Check if this communication is legitimate and expected. Analyze the user and process that initiated the RDP connection.Variations
An uncommon RDP session initiated by a chained RDP client
Low overridden
An RDP session was established by a process that is itself an RDP client, which is uncommon behavior. overridden
An uncommon RDP session initiated by a globally rare RDP client
Low overridden
An RDP session was established by a process hash that has not been seen globally, which is uncommon. overridden
An uncommon RDP session initiated by a rare RDP client
Low overridden
An RDP session was established by a process hash that is rare in the environment. overridden
An uncommon RDP session from a host that rarely initiates RDP
Low overridden
An RDP session was initiated from a host that does not typically establish RDP connections. overridden
An uncommon RDP session initiated by a process with rare causality
Low overridden
An RDP session was established by a process with an uncommon parent process relationship. overridden
An uncommon RDP session was established Informational 5 variations
An RDP session was established with uncommon parameters.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: XDR AgentDetector tags: Enhanced RDP AnalyticsAttacker's goals: Adversaries may use RDP for initial access or lateral movement within a network.Investigative actions: Investigate the source and destination of the RDP communication. Check if this communication is legitimate and expected. Analyze the user and process that initiated the RDP connection.Variations
An uncommon RDP session was established from a Suspicious Autonomous System (AS)
Medium overridden
An RDP session was established with uncommon parameters. overridden
An uncommon RDP session was established originating from a chained RDP session which is also from a rare subnet
Low overridden
An RDP session was established with uncommon parameters. The connection appears to originate from an endpoint that itself received an RDP connection, suggesting a chained session. overridden
An uncommon RDP session was established between subnets with no prior communication
Low overridden
An RDP session was established with uncommon parameters. The source and destination subnets have not been observed communicating with each other previously. overridden
An uncommon RDP session was established involving subnets with no prior RDP history
Low overridden
An RDP session was established with uncommon parameters. Neither the source nor the destination subnet has been observed participating in RDP sessions previously. overridden
An uncommon RDP session was established involving a destination subnet which rarely receives incoming RDP sessions
Low overridden
An RDP session was established with uncommon parameters. The destination subnet is rarely involved in RDP activity. overridden
An uncommon executable was remotely written over SMB to an uncommon destination Low 3 variations
An uncommon executable was remotely written over SMB to a destination, which was not involved in significant similar activity during last month.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: SMB/Windows Admin Shares (T1021.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Transfer tools as part of lateral movement activity across the network.Investigative actions: Verify if the shared file is malicious. Investigate if the file was executed on the host. Check the remote SMB client for other suspicious activities.Variations
An uncommon executable was remotely written over SMB to a highly suspicious destination
High overridden
An uncommon executable was remotely written over SMB to a highly suspicious destination, which was not involved in significant similar activity during last month. overridden
An uncommon executable with SCR extension was remotely written over SMB to an uncommon destination
Medium overridden
An uncommon executable with SCR extension was remotely written over SMB to a destination, which was not involved in significant similar activity during last month. overridden
PsExec remote service component was remotely written over SMB to an uncommon destination
Low overridden
PsExec remote service component was remotely written over SMB to a destination, which was not involved in significant similar activity during last month. overridden
Attempt to execute a command on a remote host using PsExec.exe Low 1 variation
There was an attempt to run a command on a remote host using PsExec.exe.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services: SMB/Windows Admin Shares (T1021.002) System Services: Service Execution (T1569.002)Required data: XDR AgentDetector tags: Malicious Service AnalyticsAttacker's goals: Execute commands and run processes remotely.Investigative actions: Confirm that the connection is benign and occurred as a part of normal behavior.Variations
Attempt to execute a command on a remote host using PsExec.exe
Low overridden
There was an attempt to run a command on a remote host using PsExec.exe., the connection to the remote host was successful. overridden
Chrome OS Remote Access policy was modified in Google Workspace Informational Identity Threat Module 1 variation
A user modified Chrome OS Remote Access configuration in Google Workspace.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Lateral Movement (TA0008)ATT&CK techniques: Impair Defenses (T1562) Remote Services (T1021)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may modify remote access settings to maintain persistent access and bypass security controls.Investigative actions: Verify if the configuration change was authorized. Investigate the source IP address and account involved for malicious activity. Follow further actions performed by the account and Remote Access connections performed.Variations
Suspicious Chrome OS Remote Access policy was modified in Google Workspace
Low overridden
This is the first time the user performs this operation in the last 30 days. overridden
Cloud compute serial console access Informational Cloud 2 variations
An identity connected to a compute instance using serial console access.This may indicate an attacker attempting to move laterally between cloud instances.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Direct Cloud VM Connections (T1021.008) Remote Services: Cloud Services (T1021.007)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Utilize direct access to virtual infrastructure to pivot through a cloud environment.Investigative actions: Verify whether the identity should be making this action. Investigate which actions were performed via serial console access.Variations
Cloud compute serial console access by an identity with high administrative activity
Informational overridden
An identity with high administrative activity connected to a compute instance using serial console access.This may indicate an attacker attempting to move laterally between cloud instances. overridden
Suspicious cloud compute serial console access in a project
Low overridden
An identity connected to a compute instance using serial console access.This may indicate an attacker attempting to move laterally between cloud instances. overridden
Command execution via AWS SSM Medium Cloud
A cloud identity performed multiple unusual activities leading to code execution using AWS Systems Manager service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Lateral Movement (TA0008)ATT&CK techniques: Cloud Administration Command (T1651) Remote Services: Direct Cloud VM Connections (T1021.008)Required data: AWS Audit LogAttacker's goals: Gaining unauthorized access, executing unauthorized commands or compromising sensitive information within the target system.Investigative actions: Investigate the activities related to the suspected identity. Examine the code executed on the target instance(s).DSC (Desired State Configuration) lateral movement using PowerShell Informational 3 variations
An attacker is using the DSC feature with PowerShell to remotely modify / execute content / components on the machine.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Windows Management Instrumentation (T1047) Remote Services: Windows Remote Management (T1021.006)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Execute malicious content on and move laterally across machine in the network.Investigative actions: Search for suspicious WinRM sessions and the user created them, can be found at Event ID: 4102. Additionally, search for the DSC resource executed and related IOC, can be found at Event IDs: 400 or 4104.Variations
DSC (Desired State Configuration) lateral movement using PowerShell to execute a script
High overridden
An attacker may use the DSC feature with PowerShell to execute script remotely on a machine. overridden
DSC (Desired State Configuration) lateral movement using PowerShell to execute a new service
Medium overridden
An attacker may use the DSC feature with PowerShell to create and execute a service on the host. overridden
DSC (Desired State Configuration) lateral movement using PowerShell to modify the registry
Medium overridden
An attacker may use the DSC feature with PowerShell to create/modify/dump registry keys/values. overridden
Multiple alerts associated with a single RDP connection Informational
Multiple alerts associated with a single RDP connection were triggered.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: Palo Alto Networks Platform Alerts Third-Party AlertsDetector tags: Enhanced RDP AnalyticsAttacker's goals: Adversaries may use RDP for initial access or lateral movement within a network.Investigative actions: Investigate the source and destination of the RDP communication. Check if this communication is legitimate and expected. Analyze the user and process that initiated the RDP connection.New Administrative Behavior Medium 1 variation
The endpoint performed new administrative actions, relative to its previously profiled behavior. It is possible that an endpoint will infrequently be used for administrative activities, so analytics is performed using logs collected over a long period of time, also comparing the activity to that of other endpoints. That is, if many endpoints are contacting the same destination with the same administrative activity, then this network activity is less likely to result in this alert.An attacker may be operating on the host, probing other computers and moving laterally inside the network using a trusted computer and credentials. Attackers typically exhibit administrative behaviors when performing reconnaissance and lateral movement.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 12 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: NDR Lateral Movement AnalyticsAttacker's goals: An attacker is using administrative functions to move from one endpoint to another, or to scan the network for new endpoints to attack.Investigative actions: Investigate the endpoint to determine if it is legitimately being used for administrative functions.Variations
New SSH Administrative Behavior
Informational overridden
The endpoint performed new SSH administrative actions, relative to its previously profiled behavior. It is possible that an endpoint will infrequently be used for administrative activities, so analytics is performed using logs collected over a long period of time, also comparing the activity to that of other endpoints. That is, if many endpoints are contacting the same destination with the same administrative activity, then this network activity is less likely to result in this alert.An attacker may be operating on the host, probing other computers and moving laterally inside the network using a trusted computer and credentials. Attackers typically exhibit administrative behaviors when performing reconnaissance and lateral movement. overridden
Possible Brute-Force attempt Informational Identity Analytics 2 variations
This may indicate a brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 15 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)ATT&CK techniques: Brute Force (T1110) Remote Services (T1021)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the accounts.Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.Variations
Possible Brute-Force attempt on a Honey User Account
Medium overridden
This may indicate a brute-force attack. overridden
Possible Brute-Force attempt with a successful login and suspicious characteristics
Low overridden
This may indicate a brute-force attack. overridden
RDP Connection to localhost Medium
An RDP connection to localhost can be used for privilege escalation by leveraging Windows accessibility features.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: XDR AgentDetector tags: Enhanced RDP AnalyticsAttacker's goals: An attacker may initiate RDP tunneling for a more convenient and stable interface.Investigative actions: Identify the process/user performing RDP and check that it is authorized. Check whether the initiating process also connects to an external host.RDP connections enabled remotely via Registry Low 2 variations
An attacker may remotely enable RDP connections to a machine by setting the fDenyTSConnections Registry key to 0.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Enhanced RDP AnalyticsAttacker's goals: Remotely enable RDP on the host for lateral movement.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Search for RDP sessions to this host and investigate them for malicious activities.Variations
RDP connections enabled by a remote process via Registry
Low overridden
An attacker may remotely enable RDP connections to a machine by setting the fDenyTSConnections Registry key to 0. overridden
RDP connections enabled remotely via Registry using WinRM
Low overridden
An attacker may remotely enable RDP connections to a machine by setting the fDenyTSConnections Registry key to 0. overridden
RDP from an unmanaged endpoint in a typically managed subnet Low 1 variation
An RDP connection was established from an unmanaged endpoint in a typically managed subnet, indicating a possible lateral movement.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentDetector tags: Enhanced RDP AnalyticsAttacker's goals: Lateral movement to critical assets from an unmanaged host.Investigative actions: Verify if the source endpoint is authorized to perform RDP connections. Validate that the source endpoint is managed or unmanaged. Investigate the user account used for the RDP connection.Variations
RDP from an unmanaged endpoint in a typically managed subnet with a significantly higher number of managed endpoints in the subnet
Low overridden
An RDP connection was established from an unmanaged endpoint in a typically managed subnet, indicating a possible lateral movement. The source subnet has a significantly higher number of managed endpoints compared to the unmanaged ones. overridden
Rare DCOM RPC activity Informational 1 variation
The endpoint performed abnormal DCOM RPC activity to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Distributed Component Object Model (T1021.003)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using the DCOM RPC interface. The DCOM RPC interface is used to remotely invoke registered COM applications on remote hosts.Investigative actions: Review the action of the initiated COM application on the remote host. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.Variations
Rare DCOM RPC activity
Low overridden
The endpoint performed abnormal DCOM RPC activity to a remote host. overridden
Rare RDP session to a remote host Low 1 variation
The endpoint performed a rare RDP session to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: NDR Lateral Movement Analytics, Enhanced RDP AnalyticsAttacker's goals: Attackers may attempt to move laterally over the network by using compromised accounts or machines to connect to remote hosts using the RDP protocol.Investigative actions: Inspect the legitimacy of the user who initiated the RDP session. Verify that this isn't routine IT activity.Variations
Rare RDP session to a remote host
Informational overridden
The endpoint performed a rare RDP session to a remote host. overridden
Rare Remote Service (SVCCTL) RPC activity Informational 3 variations
The endpoint performed abnormal RPC activity via Service Control Manager interface to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using services. The service control manager RPC interface is used to create and start services on a local or a remote host.Investigative actions: Review the action of services.exe on the remote host where possible. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.Variations
Rare remote service creation and initiation via Remote Service (SVCCTL) RPC interface
Medium overridden
The endpoint performed abnormal service creation and initiation via Remote Service (SVCCTL) RPC interface to a remote host. overridden
Rare remote service change or creation via Remote Service (SVCCTL) RPC interface
Medium overridden
The endpoint performed abnormal service creation via Remote Service (SVCCTL) RPC interface to a remote host. overridden
Rare Remote Service (SVCCTL) RPC activity
Low overridden
The endpoint performed abnormal RPC activity via Service Control Manager interface to a remote host. overridden
Rare SMB session to a remote host Low 1 variation
The endpoint performed a rare SMB activity to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may use the SMB protocol in an attempt to move laterally in the network, and expand their foothold in the organization.Investigative actions: Check whether the username used in the SMB connection is legitimate. Verify that this isn't IT activity.Variations
Rare SMB session to a remote host
Informational overridden
The endpoint performed a rare SMB activity to a remote host. overridden
Rare SSH Session Low
Secure Shell (SSH) provides a secure means of remote administration. Attackers can use valid SSH credentials and keys to remotely connect to endpoints running the SSH service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: XDR AgentAttacker's goals: Secure Shell (SSH) provides a secure means of remote administration. Attackers can use valid SSH credentials and keys to remotely connect to endpoints running the SSH service.Investigative actions: Verify that the process is allowed in the organization. Check if the user should access the destination and whether the session was successful or not.Rare Scheduled Task RPC activity Informational 3 variations
The endpoint performed abnormal Scheduled Task RPC activity to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Persistence (TA0003)ATT&CK techniques: Remote Services (T1021) Scheduled Task/Job (T1053)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using scheduled tasks. The ITaskSchedulerService RPC interface is used to query and manage services on a local or remote host.Investigative actions: Review the action of the created scheduled task on the remote host. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.Variations
Rare remote task registration and creation via Scheduled Task RPC interface
Medium overridden
The endpoint performed abnormal task registration and creation via Scheduled Task RPC interface to a remote host. overridden
Rare remote task creation via Scheduled Task RPC interface
Medium overridden
The endpoint performed abnormal task registration or creation via Scheduled Task RPC interface to a remote host. overridden
Rare Scheduled Task RPC activity
Low overridden
The endpoint performed abnormal Scheduled Task RPC activity to a remote host. overridden
Rare Scheduled Task RPC activity from a rarely seen host Low
The endpoint performed abnormal Scheduled Task RPC activity to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Persistence (TA0003)ATT&CK techniques: Remote Services (T1021) Scheduled Task/Job (T1053)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: NDR Lateral Movement Analytics, NDR Unmanaged Subnet AnalyticsAttacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using scheduled tasks. The ITaskSchedulerService RPC interface is used to create and manage scheduled tasks on a local or remote host.Investigative actions: Review the action of the created scheduled task on the remote host. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.Rare WinRM Session Informational
Windows Remote Management (WinRM) enables users to interact with remote systems in different ways, including running executables on the remote system. WinRM sessions can be established using WinRM/WinRS commands or programs such as PowerShell. Attackers can use WinRM to execute code and move laterally within a compromised network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Windows Remote Management (T1021.006)Required data: XDR AgentAttacker's goals: Windows Remote Management (WinRM) enables users to interact with remote systems in different ways, including running executables on the remote endpoint. WinRM sessions can be established using winrm/winrs commands or programs such as PowerShell. Attackers can use WinRM to execute code and move laterally within a compromised network.Investigative actions: Investigate the endpoints participating in the session.Rare Windows Remote Management (WinRM) HTTP Activity Low
The endpoint performed unfamiliar WinRM HTTP activity to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentDetector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may use WinRM to execute code on remote hosts, in an attempt to gain persistence or move laterally in the network.Investigative actions: Correlate the WinRM HTTP request from the source host and understand which software initiated it. Verify that this isn't IT activity.Rare file transfer over SMB protocol Low
The endpoint performed an abnormal file transfer over SMB to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: XDR AgentDetector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may attempt to gain persistence or move laterally over the network by dropping executable files and scripts on remote hosts using the SMB protocol.Investigative actions: Inspect the file that was transferred to the remote host. Verify that this isn't IT activity.Rare process with VNC server capabilities started Low
A rare process with VNC server capabilities was started.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Lateral Movement (TA0008)ATT&CK techniques: Remote Access Tools (T1219) Remote Services: VNC (T1021.005)Required data: XDR AgentAttacker's goals: Accessing a remote machine with full interactive graphic interface capabilities.Investigative actions: Check if the product usage is approved. Check if it was executed remotely or locally.Remote DCOM command execution Low 4 variations
A remotely triggered DCOM initiated a command execution by a host that rarely executes processes using DCOM to other remote hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Distributed Component Object Model (T1021.003)Required data: XDR AgentDetector tags: Impacket AnalyticsAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the DCOM call from the source host and understand which software initiated it.Variations
Remote suspicious DCOM-MMC20.Application command execution
High overridden
A remotely triggered suspicious DCOM-MMC20.Application initiated a command execution by a host that rarely executes processes using DCOM to other remote hosts. overridden
Remote suspicious DCOM-Excel.Application command execution
High overridden
A remotely triggered suspicious DCOM-Excel.Application initiated a command execution by a host that rarely executes processes using DCOM to other remote hosts. overridden
Remote suspicious DCOM-Outlook.Application command execution
High overridden
A remotely triggered suspicious DCOM-Outlook.Application initiated a command execution by a host that rarely executes processes using DCOM to other remote hosts. overridden
Remote suspicious DCOM command execution
Medium overridden
A remotely triggered suspicious DCOM initiated a command execution by a host that rarely executes processes using DCOM to other remote hosts. overridden
Remote PsExec-like command execution Informational 5 variations
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002) Lateral Tool Transfer (T1570)Required data: XDR AgentDetector tags: Impacket AnalyticsAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.Variations
Remote PsExec-like LOLBIN command execution from an unsigned non-standard PsExec service
High overridden
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden
Remote PsExec-like LOLBIN command execution from a signed non-standard PsExec service
Medium overridden
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden
Remote PsExec-like command execution from an unsigned non-standard PsExec service
Medium overridden
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden
Remote PsExec-like command execution from a signed non-standard PsExec service
Low overridden
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden
Remote PsExec command execution
Low overridden
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden
Remote WMI process execution Medium 1 variation
A host that rarely initiates WMI to other remote hosts triggered a remote process execution by using WMI RPC.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021) Remote Services: Windows Remote Management (T1021.006)Required data: XDR AgentDetector tags: Impacket AnalyticsAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which process or software initiated it.Variations
Suspicious remote WMI process execution
High overridden
A host that rarely initiates WMI to other remote hosts triggered a suspicious remote process execution by using WMI RPC. overridden
Remote service command execution from an uncommon source High
A remotely triggered service initiated a command execution by a host that rarely triggers services to other remote hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002)Required data: XDR AgentDetector tags: Impacket AnalyticsAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.Remote service start from an uncommon source Low
A remotely triggered service initiated by a host that rarely triggers services to other remote hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002)Required data: XDR AgentDetector tags: Impacket AnalyticsAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.Investigative actions: Investigate the service being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.Serial console access was enabled in AWS account Informational Cloud
Serial console access to EC2 instances was enabled in an AWS account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Direct Cloud VM Connections (T1021.008) Remote Services: Cloud Services (T1021.007)Required data: AWS Audit LogAttacker's goals: Utilize direct access to virtual infrastructure to pivot through a cloud environment.Investigative actions: Verify whether serial console access should be enabled. Investigate which actions were performed via serial console access.Suspicious SSH Downgrade Low 2 variations
The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Defense Evasion (TA0005)ATT&CK techniques: Remote Services (T1021) Impair Defenses: Downgrade Attack (T1562.010)Required data: Palo Alto Networks Firewall EAL LogsDetector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may attempt to move laterally over the network by exploiting problems in a lower version of SSH.Investigative actions: Audit the authentication attempts in the SSH server from the alerted host.If the source host authenticated to the SSH server, it may indicate that the attacker managed to connect to the remote host maliciously.Variations
A Host Performed an SSH Downgrade For The First Time In The Last 30 Days
Low overridden
The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more. With a lower version than the source host used in the past. overridden
A Target Server Performed an SSH Downgrade For The First Time In The Last 30 Days
Low overridden
The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more. With a lower version than the remote host used in the past. overridden
Suspicious cloud compute instance SSH keys modification attempt Informational Cloud 7 variations
An identity attempted to modify the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Lateral Movement (TA0008)ATT&CK techniques: Account Manipulation: SSH Authorized Keys (T1098.004) Remote Services: Cloud Services (T1021.007) Remote Services: Direct Cloud VM Connections (T1021.008)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Lateral Movement AnalyticsAttacker's goals: Maintain persistence on a compromised compute instance. Escalate local privileges to gain root on compute instance.Investigative actions: Investigate if SSH keys were modified or added at the instance or project level. Investigate which permissions were obtained as a result of the SSH keys modification.Variations
Suspicious cloud compute instance SSH keys modification attempt by an identity with high administrative activity
Informational overridden
An identity attempted to modify the SSH keys of a single compute instance.The identity has high administrative activityThis may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden
Instance SSH keys were modified for the first time in the cloud provider
High overridden
An identity has modified the SSH keys of an instance for the first time in the cloud provider.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden
Suspicious cloud compute instance SSH keys modification by a service account
Medium overridden
A service account has modified the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden
Suspicious cloud compute instance SSH keys modification
Informational overridden
An identity has modified the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden
Suspicious GCP project level metadata modification by a service account
Low overridden
A service account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden
Suspicious GCP project level metadata modification
Informational overridden
An identity account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden
Suspicious GCP project level metadata modification attempt
Informational overridden
An identity account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden
Uncommon Linux remote shell command execution Informational 15 variations
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Lateral Movement (TA0008)ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004) Command and Scripting Interpreter (T1059) Remote Services (T1021)Required data: XDR AgentDetector tags: Shell AnalyticsAttacker's goals: An attacker may attempt to execute a malicious shell command on the system.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the executed shell command (and possible child processes) for malicious actions.Variations
Uncommon Linux remote shell command execution, possibly running LinPEAS
High overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution using an exploitation tool
High overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution executing a reverse interactive shell
Medium overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution downloading a shell script
Medium overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution disabling firewall
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution taking a screenshot
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution possibly running from an XZ backdoor
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution running as root
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution setting a scheduled task
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution running a process kill command
Low overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution loading a kernel module
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution via non-SSH or SSH on a non-standard port
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution running a network tool
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution trying to gather information about the system
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon Linux remote shell command execution, possibly granting file execution permissions
Informational overridden
An unusual process execution of a shell command on Linux from a remote source. This action may indicate possible exploitation or shell command execution via a backdoor. overridden
Uncommon RDP connection Informational
RDP is used by attackers to laterally move to new hosts. Standard processes do not usually implement RDP on their own, and attackers might inject or tunnel using a non-standard process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: XDR AgentDetector tags: Enhanced RDP AnalyticsAttacker's goals: Use an account that was possibly compromised to gain access to the network.Investigative actions: Validate if the process is a legitimate IT software. Verify if the process is known to be malicious. Look into actions done on the remote host.Uncommon VNC server communication Low 4 variations
Uncommon VNC server network traffic was observed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Lateral Movement (TA0008)ATT&CK techniques: Remote Access Tools (T1219) Remote Services: VNC (T1021.005)Required data: XDR AgentAttacker's goals: Accessing a remote machine with full interactive graphic interface capabilities.Investigative actions: Check if the product usage is approved. Check if it was executed remotely or locally.Variations
Uncommon VNC scanning activity detected from a scanning tool
Medium overridden
An uncommon VNC scanning network traffic was observed from a scanning tool. overridden
Uncommon VNC server communication from an unmanaged previously unseen external host
Low overridden
Uncommon VNC server network traffic was observed from an unmanaged, previously unseen external host. overridden
Partially uncommon VNC server communication
Informational overridden
Uncommon VNC server network traffic was observed. overridden
Uncommon VNC server connection
Informational overridden
An uncommon VNC Server network connection was observed. overridden
Unusual AWS systems manager activity Informational Cloud
A cloud identity performed an SSM operation for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Lateral Movement (TA0008)ATT&CK techniques: Cloud Service Discovery (T1526) Remote Services: Cloud Services (T1021.007)Required data: AWS Audit LogAttacker's goals: Manipulate SSM operations to take control over EC2 instances and strengthen the foothold in the cloud environment of the organization, by running critical operating system commands, manipulating the parameters store, and patch management configuration.Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive SSM operation that it shouldn't.Unusual internal access to network device management interface Informational
Unusual internal access to Palo Alto Networks device on management port.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Discovery (TA0007)ATT&CK techniques: Remote Services (T1021) Network Service Discovery (T1046)Required data: XDR AgentAttacker's goals: Attackers aim to compromise network infrastructure to redirect traffic, create illegitimate VPN tunnels, modify ACLs (Access Control Lists) to bypass segmentation, or perform Man-in-the-Middle (MitM) attacks.Investigative actions: Identify the source address and machine role (e.g., Is it a known Admin Jump Host or a standard workstation?). Validate if a change request exists for the target network device at the time of the event. Check the connection protocol (SSH/HTTPS vs. insecure Telnet/HTTP) and the port used. Review the login status: Was the authentication successful or failed? Investigate the source machine for network scanning tools or terminal clients (e.g., PuTTY, SecureCRT). Analyze the causality chain: Did a suspicious process launch the connection?. Check if the user associated with the source address has network administration privileges.WmiPrvSe.exe Rare Child Command Line Low 1 variation
A remote WMI command executed a binary proxy, the Windows Management Instrumentation (WMI) Provider Host wmiprvse.exe, which executed a rare child command line. Executing a rare child process can be an indication of remote code execution abuse by an attacker.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services (T1021) Remote Services: Windows Remote Management (T1021.006) Windows Management Instrumentation (T1047)Required data: XDR AgentAttacker's goals: Gain code execution on a remote host.Investigative actions: Investigate the processes being spawned from WmiPrvse.exe on the host for malicious indicators. Correlate the RPC call from the source host and understand what initiated it.Variations
WmiPrvSe.exe Rare Child Command Line
Medium overridden
A remote WMI command executed a binary proxy, the Windows Management Instrumentation (WMI) Provider Host wmiprvse.exe, which executed a rare child command line. Executing a rare child process can be an indication of remote code execution abuse by an attacker. overridden
Wsmprovhost.exe Rare Child Process Low
The PowerShell host wsmprovhost.exe is a proxy process executed remotely through PowerShell when using Windows Remote Management (WinRM). It has executed a rare child process, which may indicate remote code execution abuse by an attacker.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services: Windows Remote Management (T1021.006) Command and Scripting Interpreter: PowerShell (T1059.001)Required data: XDR AgentAttacker's goals: Gain code execution on a remote host.Investigative actions: Investigate the processes being spawned from Wsmprovhost.exe on the host for malicious indicators. Correlate the initiator process (most likely PowerShell) to the source host and investigate it.