detectionTypes Field Values

The detectionTypes field can contain any of the following predefined values:

  • Has Malops

  • Has suspicions

  • malopSphere

  • Self

  • Attachment

  • Machines

  • MD5 signature

  • File name

  • self

  • SHA1 Signature

  • SHA256 Signature

  • Automatic execution name

  • Machine

  • Registry entry

  • Scheduled Task

  • Service

  • Type

  • Automatic execution

  • T1060 - Registry Run Keys / Startup Folder : Autorun JavaScript Value

  • T1060 - Registry Run Keys / Startup Folder : Registry entry JavaScript value

  • Registry entry file

  • Registry entry name

  • Remove time

  • File

  • is CLSID

  • Is pointing to temporary folder

  • T1112 - Modify Registry : Unusual file name for registry entry by operating system

  • Rare Registry Key

  • Registry events

  • Value

  • transaction id

  • T1043 - Commonly Used Port : High Data Volume Transmitted To Malicious Address

  • T1043 - Commonly Used Port : Absolute High Transmitted Bytes

  • T1043 - Commonly Used Port : Address Accessed by Malware

  • Received bytes

  • Transmitted bytes

  • Connected to a blocklist IP address

  • T1043 - Commonly Used Port : Connected to a blocklist domain

  • T1043 - Commonly Used Port , T1041 - Exfiltration Over Command and Control Channel : Connected to a blocklist domain

  • T1043 - Commonly Used Port : Blocklist URL Domain

  • Blocklist URL Domain List

  • Creation time

  • T1043 - Commonly Used Port : Connection to an address used by malware

  • Network access to a web service that is known to demonstrate malicious behavior. Can include downloading unauthorized software to a device, disrupting normal operation or gathering sensitive information

  • T1188 - Multi-hop Proxy, T1079 - Multilayer Encryption : Connection to TOR address

  • Creation Time

  • A browser-based communication that includes a credit card number in an unencrypted (or easily decrypted) format

  • A site designed to secretly hijack the target’s device to mine cryptocurrencies

  • Detection events

  • Direction

  • DNS query

  • T1043 - Commonly Used Port , T1041 - Exfiltration Over Command and Control Channel : Malicious Domain

  • Domain name

  • Connection name

  • End time

  • T1043 - Commonly Used Port : External Connection of a Malicious Process

  • T1043 - Commonly Used Port : External Connection to Well Known Port

  • First seen time

  • T1048 - Exfiltration Over Alternative Protocol : Connected to ftp port

  • Has Suspicions

  • T1043 - Commonly Used Port : Internal Connection of a Malicious Process

  • T1043 - Commonly Used Port, T1071 - Standard Application Layer Protocol : Connected to IRC port

  • Connection to proxy

  • Is external

  • Is incoming

  • Is live connection

  • Is live owner process

  • Opened by legitimate process

  • Process Malicious by Hash

  • Opened by malware

  • Is proxy connection

  • Suspicious

  • Is well known port

  • Detection status

  • Local address

  • Local port

  • Significantly low ratio of address for machine

  • Significantly low ratio of address for process

  • Significantly low ratio of address for process on machine

  • T1043 - Commonly Used Port : Connected to mail port

  • T1043 - Commonly Used Port : Malicious Address

  • T1043 - Commonly Used Port : Connection to Malicious Address

  • A site designed to deceive the end user into submitting sensitive personal or corporate information through a seemingly trusted web form

  • Malicious URL domains

  • T1043 - Commonly Used Port, T1071 - Standard Application Layer Protocol : Outgoing connection with listening socket

  • Owner machine

  • Owner process

  • Owner user

  • Associated listening socket

  • An app-based communication that includes a password in an unencrypted (or easily decrypted) format, significantly increasing the risk of compromise

  • Port description

  • Port type

  • Process name

  • T1043 - Commonly Used Port, T1071 - Standard Application Layer Protocol : Rare address for process

  • T1043 - Commonly Used Port, T1071 - Standard Application Layer Protocol : Rare Address Location by Process

  • T1043 - Commonly Used Port, T1071 - Standard Application Layer Protocol : Rare address for machine

  • T1043 - Commonly Used Port, T1071 - Standard Application Layer Protocol : Rare remote address country for machine

  • T1043 - Commonly Used Port, T1071 - Standard Application Layer Protocol : Rare remote address country for process

  • T1043 - Commonly Used Port, T1071 - Standard Application Layer Protocol : Rare connection direction for process

  • T1065 - Uncommonly Used Port : Rare port for address

  • T1065 - Uncommonly Used Port : Rare port for process

  • T1065 - Uncommonly Used Port : Rare port type for process

  • receivedBytesCount

  • Is related to Malop

  • Remote address

  • Remote address Location

  • Remote address type

  • Classification type

  • Remote address name

  • Remote machine

  • Remote port

  • Server address

  • Server port

  • State

  • T1065 - Uncommonly Used Port : Malicious Domain

  • T1065 - Uncommonly Used Port : Suspicious URL-Domain

  • Suspicious URL-Domain list

  • T1188 - Multi-hop Proxy, T1079 - Multilayer Encryption : Connected to Tor port

  • transmittedBytesCount

  • Transport protocol

  • Device configurations that may put corporate and personal data at risk

  • Irrelevant or unsolicited content that is disseminated for the purposes of advertising, phishing or spreading malware

  • T1043 - Commonly Used Port , T1041 - Exfiltration Over Command and Control Channel : Suspicious URL-Domain

  • URL domains

  • An app-based communication that includes an identifiable service username in an unencrypted (or easily decrypted) format

  • A browser-based communication transmitted across the Internet that includes an email address in an unencrypted (or easily decrypted) format

  • A browser-based communication that includes the device’s physical geo-location in an unencrypted (or easily decrypted) format

  • Allow Privilege Escalation

  • Commands

  • Image ID

  • Image Name

  • IP

  • Mounts

  • Name

  • Ports

  • Processes

  • Status

  • Users

  • Application Control blocked application on blocklist

  • Known malware detected by Cybereason Anti-Malware

  • Malicious process behavior

  • Connection associated with this event

  • Engine

  • Decision Time

  • Detection value

  • Detection type

  • Domain name associated with this event

  • Detection event

  • Exploitation attempt

  • File associated with this event

  • Process used Download and Execute

  • Download from malicious domain

  • Process ran malicious command

  • Malicious floating module

  • Associated with Malops

  • Associated with suspicions

  • Machines associated with the detection event

  • Malicious document detected

  • Associated Malops

  • Msrpc event type

  • Suspected remote IP addresses

  • offending user

  • Script engine

  • Malware detection by Anti-Malware Artificial Intelligence classification

  • Connected user

  • Hosts file

  • IP address

  • Blocklist source domain

  • Blocklist target domain

  • Source and target domain

  • Malware source domain

  • Malware target domain

  • Non Default Resolver - Domain to Domain

  • Record type

  • Resolvers

  • Sinkhole source domain

  • Sinkhole target domain

  • Source domain

  • T1043 - Commonly Used Port , T1041 - Exfiltration Over Command and Control Channel : Malicious Source Domain

  • Target domain

  • T1043 - Commonly Used Port , T1041 - Exfiltration Over Command and Control Channel : Malicious Target Domain

  • TTL range

  • Blocklist evidence

  • Source domain and target IP

  • Low Max TTL

  • Malware evidence

  • Non Default Resolver - Domain to IP

  • Sinkholed Domain

  • Target IP

  • Blocklist domain

  • Source IP and target domain

  • Malware domain

  • Non Default Resolver - IP to Domain

  • Record Type

  • Sinkhole domain

  • TTL Range

  • Domain Does Not Exist

  • Has Connection To Malicious Domain

  • Error code

  • Has resolved classification

  • Is internal domain

  • Never seen resolved in organization

  • Never seen resolved second level domain in organization

  • Source IP address

  • Source IP

  • Address reputation

  • T1043 - Commonly Used Port , T1041 - Exfiltration Over Command and Control Channel : Blocklist domain

  • Classification comment

  • Classification link

  • Classification user

  • Was ever resolved

  • Ever Resolved Domain

  • Was ever resolved as a second level domain

  • Ever Resolved Second Level Domain

  • Has resolved classification evidence

  • Good Domain

  • Indifferent Domain

  • Is internal second level domain

  • Malicious Domain

  • Is reverse lookup

  • Suspicious Domain

  • Is torrent domain

  • Unknown Domain

  • Reputation

  • Malware Domain

  • Related to Malop

  • Second level domain

  • Sinkhole Domain

  • Top level domain

  • sourceDomain

  • targetDomain

  • targetIpAddress

  • Driver name

  • Known Malicious Driver

  • T1109 - Component Firmware : Known Malicious Driver

  • Malicious Tool Driver

  • T1109 - Component Firmware : Malicious Tool Driver Suspicion

  • Malware Driver

  • T1109 - Component Firmware : Malware Driver Suspicion

  • Driver filename

  • T1109 - Component Firmware : New driver

  • T1109 - Component Firmware : New drivers count is above threshold

  • T1109 - Component Firmware : Rare driver

  • Unwanted Driver

  • T1109 - Component Firmware : Unwanted Driver Suspicion

  • Email Address

  • User accounts

  • Display names

  • Event

  • null

  • Product-specific type of event

  • Action name

  • Arguments

  • Path

  • Executable

  • A malware that attempts to obtain escalated system privileges

  • Third party application stores are applications that can download and install other applications and they might distribute malicious applications because those apps are not diligently tested against malicious behavior

  • A malicious application that demonstrates harmful behavior and disrupts the device

  • Application Identifier

  • Process(es) attempted to execute malicious file

  • Attempt execution processes

  • Registry Key

  • Associated Registry entries

  • Remediation status

  • Detection time

  • Blocklist file

  • Blocked file hash

  • Canonized Path

  • Marked for prevention

  • Detection name

  • Comments

  • Company name

  • An app-based communication that includes a credit card number in an unencrypted (or easily decrypted) format

  • Cves

  • Document contains autorun macro

  • Document contains Dynamic Data Exchange (DDE)

  • Document contains dropper macro

  • Document contains macro

  • Document contains malformed header

  • Document contains malicious macro

  • Document contains obfuscated macro

  • Document contains suspicious embedded object

  • Downloaded from domain

  • Sender email address

  • Email message ID

  • Email subject

  • Downloaded from IP address

  • The file’s origin URL

  • The file’s referral URL

  • T1406 - Obfuscated Files or Information : Dual extension on file name

  • Scheduled task actions running this file

  • T1106 - Execution through API : Executed by Process

  • An app-based communication transmitted across the Internet that includes an email address in an unencrypted (or easily decrypted) format

  • Extension type

  • File events

  • File description

  • File hash

  • Quarantine actions

  • Creation quarantine action

  • File Reputation Suspicion

  • File version

  • File Version

  • Hacking Tool

  • Found in a registry entry

  • Has classification

  • Legitimate Classification

  • Non Legitimate Classification

  • T1406 - Obfuscated Files or Information : Obscured file extension evidence

  • Recognized Product

  • Benign

  • Internal name

  • Downloaded from Internet

  • Located on removable device

  • Is installer

  • Is classification not found

  • Signed

  • Is suspicious

  • Legal copyright

  • Legal trademarks

  • T1406 - Obfuscated Files or Information : Malformed ELF file

  • A malware that steals bank credentials

  • Reputation type

  • A malware that aggressively displays ads, negatively affecting user productivity and device performance

  • A malware that blocks access to a device until a ransom is paid

  • A malware that causes SMS related charges

  • T1044 - File System Permissions Weakness : Image file has a malicious signature

  • A malware that is monitoring and collecting information about a user and the device

  • Malicious Tool

  • A malware that obtains unauthorized access to the person’s mobile device

  • T1036 - Masquerading : Malware

  • T1036 - Masquerading : Masquerading as movie Evidence

  • T1219 - Remote Access Tools : Remote malicious tool resources

  • Mimikatz file characteristics

  • Mimikatz suspicion

  • Modification time

  • Mount Point

  • Mounted As

  • T1406 - Obfuscated Files or Information : Multiple company names

  • Multiple Hash For PE Information

  • Original file name

  • Original file

  • Private build marker

  • Product name

  • Product title

  • Product type

  • Product version

  • Quarantined file

  • Ransomware

  • Malicious by Signatures analysis evidence

  • Malicious by Signature analysis

  • Malicious by Anti-Malware evidence

  • Malicious by Anti-Malware

  • T1406 - Obfuscated Files or Information : Right to left file extension evidence

  • Second extension type

  • Apps that are not installed through official channels, such as through official app stores or an EMM, are unlikely to have gone through the rigorous quality checks expected of an app store release and therefore may be poorly written or malicious

  • T1116 - Code Signing : Signature bad chain of trust

  • T1116 - Code Signing : Signature expired

  • T1116 - Code Signing : Signature explicitly revoked

  • T1116 - Code Signing : Signature mismatch

  • T1116 - Code Signing : Signature misuse

  • T1116 - Code Signing : Unsigned

  • T1116 - Code Signing : Signature could not be verified

  • T1116 - Code Signing : Signature unrecognized root certificate

  • T1116 - Code Signing : Signature user distrust

  • Signature verified

  • Signature Verified

  • Signed by Apple

  • Signed by Cybereason

  • Signed by Linux

  • Signed by Microsoft

  • Signed by operating system

  • File is Signed

  • Signer

  • Internal/External Signer

  • Size

  • Special build

  • Suspicious screen saver

  • Temporary Folder

  • Unknown and unclassified

  • T1129 - Execution through Module Load : Unknown and Unsigned

  • Unsigned file with a known signed version

  • T1116 - Code Signing : Unsigned file with a known signed version

  • T1116 - Code Signing : Unsigned file

  • Unverified

  • T1116 - Code Signing : Unverified

  • Potentially unwanted program

  • Vulnerable App Installed

  • Allowlist

  • WMI persistent objects

  • File event instance name

  • Event type

  • File information

  • First access timestamp

  • Is alternate data stream

  • Is hidden file

  • New path after rename event

  • File path

  • File hash comment

  • First detection time

  • File hash score

  • Threat remediation confidence level low

  • Threat remediation confidence level high

  • Threat remediation confidence level medium

  • File hash user

  • Icon

  • Icon md5 hex

  • SHA1 Hex Signature

  • File Hash

  • Function Details

  • Exporting module

  • Function Name

  • Hook Offset

  • Hooked modules

  • Hooking module

  • Group

  • Group name

  • Used by malware

  • Address

  • Blocklist IP

  • City name

  • Country code

  • Country name

  • Related DHCP interfaces

  • Related gateway interfaces

  • Malicious reputation

  • Reputation source

  • Is DHCP

  • Gateway

  • Safe Address

  • Indifferent Address

  • Malicious Address

  • Suspicious Address

  • Unknown Address

  • Latitude

  • Longitude

  • Malicious address

  • Malicious by Cybereason block list

  • Malicious by TOR list

  • Custom Reputation

  • Region

  • Version

  • IP range name

  • Mask

  • Subnet

  • Count

  • Ip Range Scan

  • Scanned range

  • sourceAddress

  • Event counter

  • Attribute list

  • Distinguished name

  • Search filters

  • Last seen time

  • Process

  • Scope of search

  • Address type

  • Connections

  • Local address and port

  • Listening connection end time

  • Owner module

  • DHCP server address

  • DNS server address

  • LAN name

  • IP address of the network’s gateway

  • MAC address of the network’s gateway

  • Local network’s IP range

  • Network interfaces

  • Local network’s default search domain

  • Link to the element

  • Connected SSIDs

  • User

  • LUID

  • Client Remote Session

  • Logon session name

  • Empty or null work station evidence

  • Logon application type

  • Logon Type

  • Pass the Hash

  • Stolen credentials used in Pass the Hash attack (ATT&CK: Lateral Movement - Pass the Hash)

  • Pass The Ticket

  • T1097 - Pass the Ticket : Pass The Ticket Remote Session

  • Pass The Ticket Remote Sessions

  • Session with credentials mismatch (ATT&CK: Lateral Movement - Pass the Ticket)

  • Proxies

  • Remote network machine

  • Server Remote Session

  • Unexpected key length evidence

  • Windows logon details

  • Unexpected NTLM key evidence

  • Android Device - Compatibility Not Tested By Google

  • Active users

  • Canonical name

  • Company

  • DNS host name

  • Department

  • Description

  • Display name

  • Location

  • Machine role

  • Organizational unit (OU)

  • Organization

  • Security identifier (SID)

  • Not verified Android Debug Bridge (ADB) apps installed

  • Cybereason for Mobile not activated on all profiles for Android For Work

  • Registry entries

  • BlueBorne vulnerability evidence

  • Client interactions

  • Machine name

  • DNS change

  • Gateway change

  • Google Play Protect disabled (ATT&CK: Initial Access)

  • Network proxy change evidence

  • Network proxy change

  • Unknown download sources enabled evidence (ATT&CK: Initial Access)

  • Unknown download sources enabled (ATT&CK: Initial Access)

  • CPU count

  • Developer Options enabled

  • Device model

  • DNS cache

  • Machine domain name

  • Drivers

  • Device Encryption not set up

  • Active user

  • Free disk space

  • Free memory

  • Malicious processes

  • Has removable device

  • T1025 - Data from Removable Media, T1092 - Communication Through Removable Media : Has Removable Device

  • T1109 - Component Firmware : Spreading driver

  • High Number of Downloaded Processes

  • High Number of New Processes

  • T1078 - Valid Accounts : High users count

  • IMEI

  • Is connected to Cybereason

  • Is Android

  • Is domain controller

  • Is iOS

  • Is isolated

  • Is laptop

  • Is Linux

  • Is Mac

  • Outdated

  • Has suspicious processes

  • Is Windows

  • Is Windows desktop

  • Is Windows Server

  • A modified build of an operating system that has removed original manufacturer limitations, leaving the device and its data more vulnerable to attack

  • Last Communicated

  • Local Networks

  • Once the lock screen is disabled the device encryption is rendered useless against physical attacks

  • Login actions

  • Last time logon file not found

  • Logon sessions

  • T1100 - Web Shell : Web shells evidence

  • Malicious tools

  • MBR Hash

  • MDM ID

  • Stagefright vulnerability (ATT&CK: Initial Access)

  • Mount points

  • Network machine

  • T1017 - Application Deployment Software : New administrator tool

  • OS Type

  • OS minor version

  • OS version

  • Over-The-Air (OTA) updates disabled

  • Owner organization

  • Device Pin

  • Platform architecture

  • Suspicious profile added evidence (ATT&CK: Persistence)

  • Suspicious profile added (ATT&CK: Persistence)

  • Pylum ID

  • Removable devices

  • Running malicious tool

  • Running web shells

  • Scanning activity (ATT&CK: Discovery)

  • SELinux disabled evidence

  • SELinux Disabled

  • Server interactions

  • Services

  • Sensor group

  • Spreading drivers

  • SSL/TLS downgrade evidence (ATT&CK: Network Effects)

  • SSL/TLS downgrade (ATT&CK: Network Effects)

  • Suspicious processes

  • Time since last communication

  • Machine timezone

  • Total disk space

  • Total memory

  • Uptime

  • Once developer mode is enabled sideloading from unknown sources, USB debugging and other configurations that can lead to security risks can be enabled

  • USB Debugging mode enabled (ATT&CK: Privilege escalation)

  • Vulnerable Android version (ATT&CK: Privilege Escalation)

  • Vulnerable, non-upgradeable Android version

  • Vulnerable iOS version (ATT&CK: Privilege Escalation)

  • Vulnerable, non-upgradeable iOS version

  • An older version of an OS that is more vulnerable to known security exploits

  • Zero ARP Entries Above Threshold

  • Anomalies types

  • IP address of client machine for attacker

  • IP address of server machine for attacker

  • First time detected on attacking machine

  • Client machine

  • IP address of client machine

  • Port on client machine

  • Process initiating interaction

  • User on client machine

  • Interaction description

  • Interaction protocol

  • Machine role in interaction

  • Interaction type

  • Timestamp for maximum period

  • Timestamp for minimum period

  • Receiver machine for Pass the Hash evidence

  • T1075 - Pass the Hash : Pass the hash receiver suspicion

  • Sender machine for Pass the Hash evidence

  • T1075 - Pass the Hash : Pass the hash sender suspicion

  • Server machine

  • IP address of server machine

  • Port on server machine

  • Process initiating interaction on the server machine

  • User on server machine

  • Interaction unique value

  • Compromised user

  • IP address for victim client machine

  • IP address for victim server machine

  • First time detected on victim machine

  • Number of processes to remediate

  • Affected machines

  • Affected users

  • Command lines

  • Root cause

  • Decision statuses

  • Decoded command lines

  • Root cause type

  • Detection value types

  • Detection values

  • Malop activity types

  • Exploit detection types

  • File paths

  • Files for remediation

  • Files for un-remediation

  • Has processes to remediate

  • Icon base64

  • Last activity type

  • Last update time

  • New suspects

  • The primary Malop type

  • Primary root cause elements

  • Processes for remediation

  • Related malops

  • Root cause elements company: product

  • Root cause element hashes

  • Root cause element names

  • Root cause element types

  • Root cause elements

  • Script detection type

  • Signers

  • Decision feature

  • Malicious activity type

  • Malop activity type

  • Malop last update time

  • Malop start time

  • related malops

  • Suspects

  • Suspect features

  • Malop has suspended processes

  • Root cause

  • Detection Type

  • Process Name

  • null

  • Has Ransomware processes suspended

  • Mitigated

  • Malop detection types

  • Start time

  • New Suspicions

  • Remediation type

  • Root cause elements company and product

  • Suspects Host Processes

  • Suspects Injecting Processes

  • Suspects Processes

  • Suspects with no TID

  • Total number of incoming connections

  • Total number of outgoing connections

  • Total received bytes

  • Total transmitted bytes

  • Message

  • loadedModule

  • minionHost

  • process

  • pylum

  • minions

  • myMinion

  • rpcServices

  • Address (in Decimal)

  • Blocklist module

  • Prevent Execution FileHash

  • Module name

  • Allocated Protection

  • Malformed Executable Header

  • Header Protection

  • Malicious module prevented by App Control

  • Export Name

  • Fake OWAAuth

  • Fake OWAAuth Suspicion

  • T1116 - Code Signing : Unsigned with a signed version

  • Has registry entry

  • Suspicious module was loaded in memory

  • Module prevented by App Control

  • Is never in loader DB

  • File From Temp

  • Is floating code

  • Malicious File

  • Not in loader db

  • PE Header Allocated Size

  • Size Of Image

  • T1176 - Browser Extensions : Unsigned or Unverified

  • Unsigned with a signed version

  • Potentially Unwanted Program

  • Mount point creation time

  • Mount point credentials user

  • Device name

  • Mount point name

  • Mount point end time

  • Files

  • T1025 - Data from Removable Media, T1092 - Communication Through Removable Media : Active removable device

  • T1025 - Data from Removable Media, T1092 - Communication Through Removable Media : Inactive removable device

  • Removable device

  • Media type

  • Mount user

  • Mounted From

  • T1025 - Data from Removable Media, T1092 - Communication Through Removable Media : Unusual removable device

  • Volume name

  • Authentication Level

  • Authentication Service

  • Creation Timestamp

  • Msrpc Name

  • Endpoint

  • Event Counter

  • Event source

  • Impersonation level

  • Interface Name

  • Interface UUID

  • Last seen timestamp

  • Network Address

  • Operation Number

  • Operation Name

  • Options

  • Owner Machine

  • Protocol

  • Network interface name

  • Flags

  • Gateway address

  • Identifier

  • Internal IP addresses

  • Local networks the network interface is registered on

  • Hardware address (MAC)

  • Network statistics

  • Domain FQDN

  • Host

  • Object access name

  • The file that the process opened

  • machines

  • users

  • Pod containers

  • UID

  • T1086 - PowerShell : Obfuscated powershell payload

  • T1086 - PowerShell, T1027 - Obfuscated Files or Information : Obfuscated powershell payload

  • Android device possible tampering evidence (ATT&CK: Defense Evasion, Persistence)

  • Android Device possible tampering

  • Android device possible tampering suspicion (ATT&CK: Defense Evasion, Persistence)

  • T1188 - Multi-hop Proxy, T1079 - Multilayer Encryption : Tor Browser Evidence

  • Abnormal Process Activity Evidence

  • Abnormal Process Activity Malop

  • Abnormal Process Activity Suspicion

  • T1055 - Process Injection : Abnormal RWX section count by machine

  • T1055 - Process Injection : Abnormal RWX section count

  • T1043 - Commonly Used Port : High number of internal connections

  • T1043 - Commonly Used Port : Absolute High Number of Internal Outgoing Embryonic Connections

  • High volume external connections

  • High volume connections to malicious address

  • Masquerading as a Windows accessibility feature

  • Unrecognized process connects to Malware Address

  • Benign process connects to Malware Address

  • T1015 - Accessibility Features : Accessibility Feature binary swapped for other executable (ATT&CK: Persistence)

  • T1015 - Accessibility Features : Accessibility feature abuse

  • T1015 - Accessibility Features : Accessibility feature abuse (ATT&CK: Persistence, Privilege Escalation - Accessibility Features)

  • T1015 - Accessibility Features, T1112 - Modify Registry : Accessibility feature abuse by registry modification

  • T1036 - Masquerading : The process is masquerading as a Windows accessibility feature

  • T1015 - Accessibility Features, T1036 - Masquerading : The process is masquerading as a Windows accessibility feature

  • T1087 - Account Discovery : Account Discovery (ATT&CK: Reconnaissance)

  • T1087 - Account Discovery, T1033 - System Owner/User Discovery : Accounts discovery (ATT&CK: Discovery - System Owner/User Discovery)

  • Accounts discovery

  • Accounts discovery (ATT&CK: Discovery - System Owner/User Discovery)

  • T1089 - Disabling Security Tools : Add firewall rule

  • Addresses used by malware

  • T1077 - Windows Admin Shares : Administrative share mount attempt (ATT&CK: Lateral Movement - Windows Admin shares)

  • Administrative share mount attempt (ATT&CK: Lateral Movement - Windows Admin shares)

  • Injected children

  • Interactions

  • T1096 - NTFS File Attributes : Alternate Data Stream hiding

  • Always-on VPN app set evidence (ATT&CK: Collection, Credential Access)

  • Always-on VPN app set (ATT&CK: Collection, Credential Access)

  • Suspension of Anti-Malware (ATT&CK: Defense Evasion - Disabling Security Tools)

  • Malicious application evidence

  • Malicious application

  • Malicious application suspicion (ATT&CK: Initial Access)

  • Out of compliance app

  • App tampering evidence (ATT&CK: Defense Evasion, Persistence)

  • App tampering

  • App tampering suspicion (ATT&CK: Defense Evasion, Persistence)

  • Process ID

  • Architecture

  • Network handoff

  • Automatic executions

  • T1012 - Query Registry : Autorun related registry key query

  • Autorun related registry key query

  • Autorun related registry key query (ATT&CK: Discovery - Query Registry)

  • Blocklist modules

  • Blocklist domains (Connection)

  • Blocklist domain to domain DNS

  • Blocklist domains (domain to domain DNS - source)

  • Blocklist domains (domain to domain DNS - target)

  • Blocklist domains (unresolved DNS)

  • Blocklist Domains

  • Blocklist domains (DNS)

  • Blocklist domains (reversed DNS)

  • Blocklist IP addresses

  • T1129 - Execution through Module Load : Blocklist module

  • Blocklist domains (URL)

  • Blocklist file hash

  • Blocked execution files

  • Blocked Modules

  • Captive Portal usage (ATT&CK: Collection, Credential Access)

  • Certutil.exe used to decode data

  • Certutil.exe file download

  • T1105 - Remote File Copy : certutil.exe suspicious file download

  • T1140 - Deobfuscate/Decode Files or Information : certutil.exe used to encode data

  • Children

  • Children created by thread

  • Execution of a Malicious Script by a child process

  • Clear command line

  • Interactions with process as client

  • Command line

  • Add firewall rule in command line

  • Command Line Contains Temp

  • T1043 - Commonly Used Port : Connecting to a Known Malicious Address

  • Connection to blocklist IP address

  • Connection to blocklist domain

  • Connection to a malicious address

  • Connection to malicious address

  • Connection to a malicious domain

  • T1043 - Commonly Used Port , T1041 - Exfiltration Over Command and Control Channel : Connection to a malicious domain

  • T1079 - Multilayer Encryption : Connection to Tor domain by a process which is not a browser

  • Connections of host process

  • Connections to Malicious Domain

  • Connections to malware address

  • Connection to Tor domain

  • Covert process execution

  • Covert Process Fully Hidden from Scanning API

  • Covert process parameters override

  • Covert Process Partially Hidden from Scanning API

  • Covert Process (ATT&CK: Persistence, Defense Evasion)

  • CPU time

  • T1069 - Permission Groups Discovery, T1136 - Create Account : Localgroup account creation

  • T1069 - Permission Groups Discovery, T1136 - Create Account : Localgroup admin account creation

  • local group account was created

  • T1069 - Permission Groups Discovery, T1136 - Create Account : Localgroup admin account creation (ATT&CK: Persistence: Create Account)

  • T1069 - Permission Groups Discovery, T1136 - Create Account : Localgroup remote user account creation

  • A process has been created via the Win32_Product::Install WMI method (ATT&CK: Execution)

  • A service has been started via the Win32_BaseService::Start WMI method (ATT&CK: Execution)

  • Created by WMI

  • Created children

  • Creator process

  • Creator thread

  • Credential interaction loaded modules

  • Attempted credential theft

  • CVE-2020-0601 - attempted exploitation

  • T1216 - Signed Script Proxy Execution : Cscript command line contains temp

  • T1059 - Command-Line Interface, T1216 - Signed Script Proxy Execution : Cscript command line contains temp

  • T1203 - Exploitation for Client Execution: Process attempted to exploit known CVE evidence

  • T1203 - Exploitation for Client Execution : The process attempted to exploit a known CVE

  • T1203 - Exploitation for Client Execution : Process attempted to exploit a known CVE

  • CVE Events

  • Daemon anomaly evidence

  • Data compression tool evidence

  • Data compression tool

  • Decoded command line

  • T1068 - Exploitation for Privilege Escalation : Running Injected code by deleted process

  • T1502 - Parent PID Spoofing : Deleted parent process

  • T1055 - Process Injection : Detected injected process

  • T1055 - Process Injection : Detected injecting process

  • T1055 - Process Injection : Detected Injecting To Protected Process

  • T1483 - Domain Generation Algorithms : Domain Generation Algorithm

  • Different Signer Modules

  • Unknown DLL was loaded in a suspicious manner (ATT&CK: Privilege Escalation)

  • Connected to DNS Port (ATT&CK: Command And Control - Commonly Used Port, Standard Application Layer Protocol)

  • Blocklist domain-to-IP DNS queries

  • Suspicious Domain-to-IP DNS queries

  • Blocklist IP-to-domain DNS queries

  • Suspicious IP-to-Domain DNS queries

  • Remote System Discovery

  • Domain enumeration (ATT&CK: Discovery: Remote system discovery, Network Share Discovery)

  • T1018 - Remote System Discovery, T1135 - Network Share Discovery : Domain host enumeration (ATT&CK: Discovery: Remote system discovery, Network Share Discovery)

  • T1018 - Remote System Discovery, T1135 - Network Share Discovery, T1482 - Domain Trust Discovery : Enumeration of the trust relationship between the workstation and the domain (ATT&CK: Discovery: Remote system discovery, Network Share Discovery)

  • T1482 - Domain Trust Discovery : Domain Trust Relationship Reconnaissance

  • T1482 - Domain Trust Discovery : Domain Trust Relationship Reconnaissance (ATT&CK: Reconnaissance - Remote System Discovery)

  • T1406 - Obfuscated Files or Information : Multiple extensions

  • T1406 - Obfuscated Files or Information : Obscured extension

  • Dynamic configuration connections

  • Elevating Privilege Child Processes

  • Elevating Privileges (ATT&CK: Privilege Escalation)

  • T1044 - File System Permissions Weakness : Elevating privileges to child process

  • Executing process

  • Process is a descendant of a MS office application

  • Malicious use of PsExec (ATT&CK: Lateral Movement - Remote Services)

  • T1036 - Masquerading, T1158 - Hidden Files and Directories : Process execution from Recycle Bin

  • Process execution from Recycle Bin

  • T1036 - Masquerading, T1158 - Hidden Files and Directories : Process execution from Recycle Bin (ATT&CK: Defense Evasion, Persistence - Hidden Files and Directories)

  • Evidence of a process run in context of a Pass the Hash attack (ATT&CK: Lateral Movement - Pass the Hash)

  • T1075 - Pass the Hash : Process run in context of a Pass the Hash attack

  • Process prevented by App Control

  • Exploit attempt

  • T1203 - Exploitation for Client Execution : Exploit Kit Evidence

  • T1203 - Exploitation for Client Execution : Exploit Kit Suspicion

  • T1049 - System Network Connections Discovery : Explorer.exe IP Discovery Suspicion

  • External connections

  • Failed to access file

  • T1038 - DLL Search Order Hijacking : Fake Unsigned Module

  • Fake Modules

  • T1036 - Masquerading : Fake OWAAuth Module

  • Fake OWAAuth Modules

  • T1036 - Masquerading : Fake OWAAuth Module Suspicion

  • File or directory discovery

  • Executed a allowlisted file

  • File-less malware

  • T1170 - Mshta : Fileless malware

  • T1063 - Security Software Discovery : Firewall discovery (ATT&CK: Discovery - Security Software Discovery)

  • Firewall discovery

  • Firewall discovery (ATT&CK: Discovery - Security Software Discovery)

  • Firewall hole punching (ATT&CK: Defense Evasion - Disabling Security Tools)

  • First Execution of Downloaded Process

  • Process flags

  • fsutil.exe deleted the Update Sequence Number journal change

  • Update Sequence Number journal deletion

  • T1107 - File Deletion, T1070 - Indicator Removal on Host : fsutil.exe deleted the Update Sequence Number journal change (ATT&CK: Defense Evasion - File Deletion, Indicator Removal on Host)

  • Ftp activity as part of a suspicious execution chain

  • T1048 - Exfiltration Over Alternative Protocol, T1105 - Remote File Copy : FTP communication

  • Connected to FTP Port (ATT&CK: Command And Control - Commonly Used Port, Standard Application Layer Protocol)

  • T1105 - Remote File Copy : ftp.exe is descendant of a suspicious process

  • Hacker tool children

  • Hacking Tool With Suspicious Parent

  • Hacking Tool With Suspicious Parent (ATT&CK: Defense Evasion, Execution)

  • T1043 - Commonly Used Port : Has Absolute High Volume Connection To Malicious Address

  • T1043 - Commonly Used Port : Has Absolute High Volume External Outgoing Connection

  • T1060 - Registry Run Keys / Startup Folder : Has automatic execution

  • Registry Run Keys / Startup Folder : Process with registry entry

  • Connection to Blocklist IP evidence

  • Blocklist IP - Domain to Domain evidence

  • Has blocked modules

  • Executes known hacker tool

  • Has children

  • Has client interaction

  • Has Connection to Malware Addresses

  • Process has connections

  • Has DNS Query From Suspicious Domain

  • Has DNS Query To Suspicious Domain

  • Has external connection

  • T1043 - Commonly Used Port : Has External Connection To Well Known Port

  • Has incoming connections

  • Has injected children

  • T1055 - Process Injection : Suspicious injection

  • Has internal connection

  • Connected to internal address

  • Has opened socket

  • Has Low TTL DNS Query

  • Has Mail Connection

  • Has Malicious Connection

  • Has malicious connections

  • T1129 - Execution through Module Load : Module in temporary folder

  • T1116 - Code Signing : Unsigned with a signed version module

  • Non Default Resolver

  • Contains a module not found in loader db

  • Has outgoing connections

  • Contains floating executable code

  • Has a rare known hacker tool child process

  • Rare external connection

  • Rare internal connection

  • Rare internal connection evidence

  • Loaded a rare module

  • Rare remote address

  • Rare remote address evidence

  • Malicious module was loaded in memory

  • Contains mismatching section

  • Attempt to manipulate Cybereason sensor detected evidence

  • Attempt to manipulate Cybereason sensor detected

  • Has server interaction

  • Has Suspicious DnsQuery Domain To Domain

  • T1041 - Exfiltration Over Command and Control Channel : Has Suspicious External Connection

  • Has Suspicious External Connection (ATT&CK: Exfiltration, Command and Control)

  • T1041 - Exfiltration Over Command and Control Channel : Has Suspicious Internal Connection

  • Suspicious Internal Connection

  • Has unresolved DNS queries

  • Has Unresolved Query From Suspicious Domain

  • Has visible windows

  • Has windows

  • Ratio of file hash

  • Hidden loaded module

  • T1129 - Execution through Module Load, T1055 - Process Injection : Hidden Loaded Module

  • Hidden Loaded Module

  • Suspicious hidden loaded module (ATT&CK: Defense Evasion)

  • Hidden Process

  • Hidden Process (ATT&CK: Defense Evasion - Rootkit)

  • High Data Transmitted (ATT&CK: Exfiltration)

  • Process running injected code transmitted high volume of data

  • Unrecognized process or process running injected code transmitted high volume of data

  • High Internal Outgoing Embryonic Connection Rate

  • T1046 - Network Service Scanning, T1049 - System Network Connections Discovery : High ip scan rate evidence

  • Many external connections

  • T1048 - Exfiltration Over Alternative Protocol : High Number Of External Connections

  • Many internal connections

  • High Number Of Internal Connections

  • High Unresolved-Resolved Rate

  • Hooked functions

  • Host process

  • Host user

  • Hosted injected children

  • Hosting Injected Thread

  • Hosting Injected Thread (ATT&CK: Defense Evasion - Process Injection)

  • Connected to HTTP Port (ATT&CK: Command And Control - Commonly Used Port, Standard Application Layer Protocol)

  • Executable image file hash

  • Image file

  • Image file hash

  • Multiple company names in image file

  • Image file path

  • Unsigned image file

  • T1116 - Code Signing : Unsigned image file with signed version

  • Unverified Signature

  • Incoming connections

  • Incoming connections of host process

  • Incoming external connections

  • Incoming internal connections

  • T1202 - Indirect Command Execution : Indirect Command Execution (ATT&CK: Defense Evasion Indirect Command Execution)

  • Injected Child Processes

  • Injected PowerShell process

  • T1055 - Process Injection : Injected Protected Process

  • Injection into a protected process (ATT&CK: Defense Evasion, Privilege Escalation - Process Injection)

  • Injection user mismatch

  • Injected thread running with elevated privileges

  • T1055 - Process Injection : Injecting To Protected Process

  • Injection method

  • Running Injected code in critical process (ATT&CK: Defense Evasion - Process Injection)

  • Running Injected code by child of legitimate process (ATT&CK: Defense Evasion - Process Injection)

  • Process integrity

  • Internal connections

  • Internal Network Access

  • Internal outgoing embryonic connections

  • Connection to External IP discovery service or known used legitimate websites for malicious activity

  • T1046 - Network Service Scanning, T1049 - System Network Connections Discovery : IP Discovery Suspicion

  • IP range scan set

  • IP scanned rate 10 seconds

  • Ip scanned rate 30 seconds

  • Ip scanned rate 60 seconds

  • Suspicious iOS app evidence

  • Suspicious iOS App

  • Suspicious iOS app suspicion

  • Is aggregated process

  • Is Apple System Process

  • Is chain of injections

  • Is .NET process inspected

  • Downloaded From the Internet

  • Is encoded commandline

  • Executed by WMI

  • Is full memory dump

  • Is hidden process

  • Is hosting injected thread

  • Is identified product

  • Signed image file

  • Signed and verified

  • Image file verified

  • Is injected

  • In injected with research

  • Is injecting

  • Injector not shell runner

  • Is injector shell

  • Injector signed by Microsoft

  • Installer

  • Is live process

  • Malicious by Hash

  • Malicious process

  • Is Microsoft System Process

  • Is minion host

  • Netsh process

  • Not shell runner

  • Operating System Process

  • PowerShell process

  • Indicates whether the process is protected or not

  • Sandbox Process

  • Is scheduled task

  • Service Host

  • Is suspended

  • Device jailbroken/rooted evidence (ATT&CK: Privilege Escalation)

  • Device jailbroken/rooted

  • Device jailbroken/rooted suspicion (ATT&CK: Privilege Escalation)

  • Java-based Malware

  • Keylogger Method

  • Known malicious tool indications

  • Process has a suspicious hash

  • Known ransomware indications

  • Known unwanted indications

  • Evidence of use of the LaZagne recon tool

  • T1081 - Credentials in Files, T1087 - Account Discovery : LaZagne recon tool (ATT&CK: Credential Access - Credentials in Files)

  • Last minute instances

  • Time of last process in group

  • LDAP queries

  • Running Injected code by legit process (ATT&CK: Defense Evasion - Process Injection)

  • Shell process connects to a remote address and allows interactive commands

  • Listening connections

  • Loaded modules

  • Local connections

  • T1070 - Indicator Removal on Host : Event log deletion evidence

  • T1070 - Indicator Removal on Host : Log deletion (ATT&CK: Defense Evasion: Indicator Removal on Host)

  • Logon script registration

  • Logon script registration (ATT&CK: Lateral Movement, Persistence - Logon Scripts)

  • Logon session

  • Low TTL DNS Queries

  • Read LSASS encryption keys (ATT&CK: Credential Access)

  • Read Sensitive information from main authentication package (ATT&CK: Credential Access)

  • The process performed a malicious read/write memory access to a sensitive process.

  • Write to LSASS samsrv.dll (ATT&CK: Credential Access)

  • Read Local Security Authority (ATT&CK: Credential Access)

  • Read LSASS sensitive information (ATT&CK: Credential Access)

  • LSASS virtual memory read action (ATT&CK: Credential Access)

  • LSASS virtual memory write action (ATT&CK: Credential Access)

  • Obscured file extension evidence

  • Mail connections

  • Accessing address used by malware

  • Malicious Code Injection

  • Malicious use of a Domain Generation Algorithm

  • Malicious by Obscured Extension

  • Malicious By Floating Code

  • High volume of transmitted data by injected process

  • High volume of transmitted data

  • Cybereason Threat Intelligence identified a loaded module as a malicious tool

  • Cybereason Threat Intelligence identified a loaded module as malicious

  • Process opened a malicious file

  • Cybereason Threat Intelligence identified a loaded module as ransomware

  • Suspicious scanning activity by an elevated process

  • Process is performing suspicious scanning activities

  • Suspicious scanning activity

  • Cybereason Threat Intelligence identified an Unwanted Module

  • Process has loaded Cobalt Strike Beacon

  • Malicious connection domains

  • Malicious source domains

  • Malicious target domains

  • Malicious unresolved domains

  • Malicious domains

  • Malicious resolved domains

  • Malicious resolved to domains

  • Process has loaded PowerShell Empire

  • Malicious use of PowerShell

  • Malicious execution of shell process

  • Malicious fake module

  • Firewall hole punching

  • Process has loaded a malicious tool

  • T1037 - Logon Scripts : Running Injected code

  • T1055 - Process Injection : Injecting Code into a process

  • Malicious Injected Code by Hosting Injection

  • Malicious reputation addresses

  • Process has loaded a Meterpreter agent

  • Process has loaded Mimikatz (ATT&CK: Credential Access)

  • Fileless protection detection suspicion

  • Fileless protection: Prevented successfully

  • Executed a file with a malicious hash

  • Executed a potentially malicious file

  • T1193 - Spearphishing Attachment : Malicious opened files suspicions

  • Malicious PowerShell framework

  • Running Injected floating code (ATT&CK: Defense Evasion - Process Injection)

  • Process has loaded a PeddleCheap agent

  • Malicious Privilege Escalation

  • Malicious System Volume Information execution path or name

  • Dropped a script

  • T1064 - Scripting : Malicious script execution

  • Unexpected script execution

  • Ransomware behavior

  • Image file has a malicious signature

  • Remote Access Trojan

  • Cybereason Threat Intelligence identified a malicious tool

  • Malicious tool modules

  • Malicious Tool Module

  • Loaded module with malicious tool indicators

  • Malicious use of an OS process

  • Malicious Remote Execution (ATT&CK: Lateral Movement - Remote Services)

  • AppLocker Bypass via Regsvr32 utility and COM scriptlets

  • Abuse of the Regsvr32 utility module (ATT&CK: Defense Evasion, Execution - Regsvr32)

  • T1117 - Regsvr32 : AppLocker Bypass via Regsvr32 utility and COM scriptlets

  • Use of legitimate OS process for persistence

  • T1044 - File System Permissions Weakness : Malicious use of OS process suspicion

  • Web shell execution

  • T1100 - Web Shell : Web shell suspicion

  • Malop list

  • Cybereason Threat Intelligence identified a malicious executable

  • Malware classification modules

  • Malware

  • Malware Module

  • T1129 - Execution through Module Load : Malware module indications

  • Man In The Middle activity

  • Many Record-Not-Exists Unresolved DNS Query

  • Matched Activities

  • Dumped lsass process memory evidence

  • Dumped lsass process memory suspicion

  • Memory usage

  • Remote malicious tool resources

  • T1003 - Credential Dumping, T1081 - Credentials in Files, T1098 - Account Manipulation : Mimikatz execution was detected

  • T1003 - Credential Dumping, T1081 - Credentials in Files, T1098 - Account Manipulation : This process executing mimikatz

  • T1003 - Credential Dumping, T1081 - Credentials in Files, T1098 - Account Manipulation : Mimikatz execution evidence

  • T1003 - Credential Dumping, T1081 - Credentials in Files, T1098 - Account Manipulation : Mimikatz execution suspicion

  • T1003 - Credential Dumping, T1081 - Credentials in Files, T1098 - Account Manipulation : Mimikatz resource evidence

  • The process is executing Mimikatz (ATT&CK: Credential Access)

  • MITM attack via ARP evidence (ATT&CK: Network Effects)

  • MITM attack via ARP

  • MITM attack via ARP suspicion (ATT&CK: Network Effects)

  • MITM (ATT&CK: Network Effects)

  • MITM attack via ICMP redirect evidence (ATT&CK: Network Effects)

  • MITM attack via ICMP redirect

  • MITM attack via ICMP redirect suspicion (ATT&CK: Network Effects)

  • MITM attack

  • Rogue Access Point (ATT&CK: Network Effects)

  • Rogue Access Point

  • Rogue access point nearby evidence (ATT&CK: Network Effects)

  • Rogue access point (ATT&CK: Network Effects)

  • MITM attack with fake SSL certificate evidence (ATT&CK: Network Effects)

  • MITM - Fake SSL Certificate

  • MITM attack with fake SSL certificate (ATT&CK: Network Effects)

  • MITM attack through SSL Strip evidence (ATT&CK: Network Effects)

  • MITM attack through SSL Strip

  • MITM attack through SSL strip suspicion (ATT&CK: Network Effects)

  • MITM attack (ATT&CK: Network Effects)

  • Modules loaded from the temporary directory

  • Module not in loader DB

  • Msbuild exhibited suspicious behaviour related to code execution (ATT&CK: Defense Evasion, Execution - Trusted Developer Utilities)

  • Process is a suspicious executable descendant of a MS office application

  • MSBuild activity as part of a suspicious execution chain

  • MSBuild was executed by an MS Office application (ATT&CK: Defense Evasion, Execution - Trusted Developer Utilities)

  • msbuild exhibits unusual behavior evidence

  • Multiple Hashes For unsigned PE Information

  • Multiple names found for the same hash

  • File with matching hash and mismatching size

  • Multiple Record-Not-Exists Unresolved DNS Query

  • Net.exe activity as part of a suspicious execution chain

  • Net.exe conducted suspicious activity (ATT&CK: Privilege Escalation, Discovery)

  • net.exe add user to local admin group evidence

  • net.exe is used to create a user or add a user to a group

  • Net.exe is used to add user to a group

  • net.exe conducted suspicious activity

  • net.exe is descendant of a suspicious process

  • netsh.exe disabled firewall

  • netsh.exe disabled firewall (ATT&CK: Defense Evasion - Disabling Security Tools)

  • T1016 - System Network Configuration Discovery : Network configuration discovery (ATT&CK: Discovery - Network Configuration Discovery)

  • Network configuration discovery

  • Network configuration discovery (ATT&CK: Discovery - System Network Configuration Discovery)

  • Network scanner

  • T1135 - Network Share Discovery : Network Share Discovery (ATT&CK: Reconnaissance)

  • New process

  • Evidence of a new process

  • Multiple new processes created

  • T1050 - New Service : New Service

  • New Service was unconventionally created

  • New service (ATT&CK: Persistence, Privilege Escalation - New Service)

  • Fileless protection detection evidence

  • Fileless protection prevention evidence

  • Non-default resolver DNS queries

  • Non Executable Extension

  • Command line environment variable obfuscation evidence (ATT&CK: Defense Evasion)

  • Command line environment variable (ATT&CK: Defense Evasion)

  • Command line keyword obfuscation (ATT&CK: Defense Evasion)

  • Object access

  • MS Office process adds an executable file to disk

  • MS Office dropper behavior was detected

  • Opened files

  • Original Injector process

  • OS process that is not in its original location

  • T1036 - Masquerading : Unsigned OS process not in original location

  • A payload was run using osascript JavaScript

  • Outgoing connections

  • Outgoing connections of host process

  • Outgoing external connections

  • Outgoing internal connections

  • Overpass the hash

  • Process was initiated by a malicious packed binary

  • Packed Process

  • T1045 - Software Packing : Packed process suspicion

  • Parent process and creator process mismatch (ATT&CK: Defense Evasion)

  • Parent from removable device

  • Parent of PowerShell running JS

  • Parent process

  • T1091 - Replication Through Removable Media : Parent running from removable device

  • Parent process name

  • Parent process not executed by administrator user

  • T1502 - Parent PID Spoofing : Parent Process Does Not Match Hierarchy

  • Parent process not executed by system user

  • Process executed by PsExec

  • Client interactions as Pass the Hash

  • Server interactions as Pass the Hash

  • T1201 - Password Policy Discovery : Password policy discovery (ATT&CK: Discovery - Password policy discovery)

  • Password policy discovery

  • Password policy discovery (ATT&CK: Discovery - Password policy discovery)

  • T1069 - Permission Groups Discovery : Permission Groups Discovery (ATT&CK: Reconnaissance)

  • T1048 - Exfiltration Over Alternative Protocol, T1105 - Remote File Copy : ftp suspicious activity

  • Obfuscated PowerShell command

  • Attempted file download by a PowerShell process (ATT&CK: Execution - PowerShell)

  • T1086 - PowerShell : PowerShell executed with invoked Cmdlet to execute a value stored as environment variable

  • Execution of the Invoke command by PowerShell

  • Power shell modules

  • PowerShell Commandline Has HKCU Registry Key

  • PowerShell downloader

  • PowerShell adds executable file to disk

  • PowerShell dropper behavior was detected

  • PowerShell Commandline Has Email Address

  • PowerShell with encoded command

  • T1064 - Scripting : Powershell executed by word process

  • PowerShell Executing Invoke Expression

  • PowerShell Commandline Has IP Address

  • PowerShell Commandline Has HKLM Registry Key

  • Loaded PowerShell Module

  • Privilege escalation tool execution

  • T1086 - PowerShell : Powerup execution suspicion

  • Privilege Escalation

  • Privilege Escalation to SYSTEM (ATT&CK: Privilege Escalation)

  • Privilege Escalation to Admin (ATT&CK: Privilege Escalation)

  • T1057 - Process Discovery : Process Discovery (ATT&CK: Reconnaissance)

  • Local process discovery

  • Process discovery (ATT&CK: Discovery)

  • Elevation of Privileges evidence (ATT&CK: Privilege Escalation)

  • Elevation of Privileges

  • Elevation of Privileges suspicion (ATT&CK: Privilege Escalation)

  • Attempt to execute malicious file

  • Process attempted to execute malicious file (ATT&CK: Execution)

  • Process prevented by App Control - Evidence

  • Malicious process prevented by App Control - Suspicion

  • Persistent modifications to devices’ file systems (ATT&CK: Defense Evasion, Persistence)

  • Persistent modifications to devices’ file systems

  • T1055 - Process Injection : Injection detection via memory activity

  • Has prevented modules

  • Ratio of process

  • Untrusted profile evidence (ATT&CK: Persistence)

  • Untrusted Profile

  • Untrusted profile suspicion (ATT&CK: Persistence)

  • Suspicious behavior similar to PowerShell Inveigh script

  • T1040 - Network Sniffing : Process exhibits behavior related to powershell Inveigh script

  • Remote Execution Process (PsExec)

  • An encoded payload was run using Python

  • Affected files

  • Ransomware auto blocking file hash

  • Suspended

  • Ransomware by file manipulation

  • Cybereason Threat Intelligence identified an executable as ransomware

  • Ransomware by shadow copy deletion

  • Ransomware classification mudules

  • Ransomware Module

  • Ransomware module indications

  • Rare child process

  • Rare Extension

  • Rare Extension Type

  • Rare external connections

  • Rarely executed as a registry entry

  • Rare Non Default Resolver

  • Rare PE mismatch

  • Rare module not in loader db

  • Rare internal connections

  • Rare Listening Connection

  • Executed by local system user

  • Rare module registry entry

  • Rare execution not by local system user

  • Rare parent

  • Contains rare floating executable code

  • Rare process

  • Rare Process Run by Service

  • Rare remote addresses

  • Rare Service Running Process

  • Rare Unsigned For Company

  • Suspicious Cscript Java based malware

  • Connected to RDP Port (ATT&CK: Command And Control - Commonly Used Port, Standard Application Layer Protocol)

  • T1076 - Remote Desktop Protocol : Remote Desktop Protocol has been enabled (ATT&CK: Lateral Movement - Enable Remote Desktop Protocol)

  • RDP enabled

  • Remote Desktop Protocol enabled (ATT&CK: Lateral Movement - Enable Remote Desktop Protocol)

  • Suspicious executable was reflectively loaded

  • T1129 - Execution through Module Load : Blocklist executable loaded in memory

  • T1214 - Credentials in Registry : Registry credentials dump

  • reg.exe executed SAM registry dump

  • SECURITY Registry dump

  • reg.exe executed SYSTEM registry dump

  • reg.exe command line contains temporary folder

  • T1219 - Remote Access Tools : Suspicious reg.exe command line contains temporary folder

  • T1121 - Regsvcs/Regasm : Regasm has tried to uninstall a library (ATT&CK: Defense Evasion, Execution - Regsvcs/Regasm)

  • Registry key creation (ATT&CK: Persistence)

  • Registry key deletion (ATT&CK: Persistence or Defense Evasion)

  • Registry key modification (ATT&CK: Persistence)

  • T1121 - Regsvcs/Regasm : Regsvcs has tried to uninstall a library (ATT&CK: Defense Evasion, Execution - Regsvcs/Regasm)

  • T1076 - Remote Desktop Protocol : Remote Desktop Protocol has been started

  • T1076 - Remote Desktop Protocol, T1112 - Modify Registry : Remote Desktop Protocol Registry has Been Enabled

  • T1005 - Data from Local System : Querying local terminal service status

  • T1076 - Remote Desktop Protocol : Remote Desktop Protocol Service has Been Started

  • Remote Execution of PowerShell

  • T1021 - Remote Services : Remote Service Creation Evidence

  • T1021 - Remote Services : Remote Service Creation (ATT&CK: Lateral movement - Service Execution)

  • Remote session

  • T1018 - Remote System Discovery : Remote System Discovery (ATT&CK: Reconnaissance)

  • A process has been remotely created via the Win32_Product::Install WMI method (ATT&CK: Execution, Lateral Movement)

  • A suspicious process has been remotely created via the Win32_Product::Install WMI method (ATT&CK: Execution, Lateral Movement)

  • A service has been remotely started via the Win32_BaseService::Start WMI method (ATT&CK: Execution, Lateral Movement)

  • Well-known Windows executable renamed (ATT&CK: Defense Evasion)

  • Well-known Microsoft Windows executable was renamed for defense evasion purposes (ATT&CK: Defense Evasion)

  • Resolved DNS queries from domain to domain

  • Resolved DNS queries from domain to IP

  • Resolved DNS queries from IP to Domain

  • Hidden by a rootkit

  • Connected to RPC Port (ATT&CK: Command And Control - Commonly Used Port, Standard Application Layer Protocol)

  • Msrpc requests

  • Running from temporary folder

  • ARP scan evidence (ATT&CK: Discovery)

  • ARP scan (ATT&CK: Discovery)

  • IP scan evidence

  • IP scan

  • TCP scan evidence (ATT&CK: Discovery)

  • TCP scan (ATT&CK: Discovery)

  • UDP scan evidence (ATT&CK: Discovery)

  • UDP scan (ATT&CK: Discovery)

  • T1046 - Network Service Scanning : Scanning activity

  • Scheduled task

  • T1053 - Scheduled Task : Scheduled Tasks as system (ATT&CK: Persistence)

  • T1053 - Scheduled Task : Scheduled Tasks discovery (ATT&CK: Reconnaissance)

  • Local scheduled tasks discovery

  • Scheduled tasks discovery (ATT&CK: Discovery - Scheduled Task Discovery)

  • T1053 - Scheduled Task : Scheduled Tasks reboot persistence (ATT&CK: Persistence)

  • Screen Saver Not Executed By Explorer

  • T1015 - Accessibility Features : Screen Saver With Children

  • Search for files containing passwords evidence

  • Search for files containing passwords (ATT&CK: Credential Access - Credentials in Files)

  • Seen Creation

  • Interactions with process as server

  • T1035 - Service Execution : Service started (ATT&CK: Execution - Service Execution)

  • Service started (ATT&CK: Execution - Service Execution)

  • T1050 - New Service : Service Process

  • Service without service host

  • T1007 - System Service Discovery : System services discovery (ATT&CK: Discovery - System Services Discovery)

  • System services discovery

  • System services discovery (ATT&CK: Discovery - System Services Discovery)

  • T1059 - Command-Line Interface : Running Injected code by shell

  • T1064 - Scripting : Shell with an unexpected parent

  • T1203 - Exploitation for Client Execution : Shell with an unexpected parent

  • Process renamed a shell process image file

  • T1203 - Exploitation for Client Execution : Shell with elevated privileges

  • Shell With Elevated Privileges

  • T1490 - Inhibit System Recovery : Shell Executing VSSAdmin Delete Shadows

  • T1055 - Process Injection : Floating code was found in the process

  • T1055 - Process Injection : Process memory contains shellcode

  • The process contains shellcode

  • T1055 - Process Injection : A remote process injected shellcode into the victim process

  • T1055 - Process Injection : The process injected shellcode

  • This process injected shellcode into the victim process

  • Shellcode Execution

  • Cscript running files from temporary folder

  • Sideloaded apps evidence (ATT&CK: Initial Access)

  • Sideloaded apps

  • Sideloaded apps (ATT&CK: Initial Access)

  • T1218 - Signed Binary Proxy Execution : Signed OS process not in original location

  • Significant File

  • Site Insight - link tapped

  • Site Insight - link visited evidence (ATT&CK: Initial Access)

  • Site Insight - link visited (ATT&CK: Initial Access)

  • Connected to SMTP Port (ATT&CK: Command And Control - Commonly Used Port, Standard Application Layer Protocol)

  • Indicates there is evidence that this process connects to an outgoing SSH port

  • Process created autorun file

  • Sticky keys images renamed

  • Suspicious file renamed for login bypass

  • Attempt to stop or disable the Cybereason service

  • T1063 - Security Software Discovery : Attempt to stop or disable the Cybereason service

  • Suspended anti virus evidence

  • T1015 - Accessibility Features : Suspicions Screen Saver

  • suspicious powershell commands were identified

  • Suspicious Domain-to-Domain DNS queries

  • Suspicious external connections

  • Malicious Injected Code

  • Suspicious internal connections

  • Has suspicious mail connections

  • Suspicious Screen Saver

  • Image file has a suspicious signature

  • T1086 - PowerShell : Suspicious use of PowerShell

  • T1035 - Service Execution : svchost loaded by new parent process

  • 0 - svchost is not loaded directly by SCM

  • T1035 - Service Execution : svchost host loaded by unsigned parent process

  • T1082 - System Information Discovery : System information discovery

  • System information discovery

  • System information reconnaissance (ATT&CK: Discovery - System Information Discovery)

  • T1016 - System Network Configuration Discovery : System Network Configuration Discovery

  • T1049 - System Network Connections Discovery : System Network Connections Discovery (ATT&CK: Reconnaissance)

  • System network connections discovery

  • System network connections discovery (ATT&CK: Reconnaissance)

  • T1033 - System Owner/User Discovery : System Owner/User Discovery

  • T1124 - System Time Discovery : System time discovery (ATT&CK: Discovery - System Time Discovery)

  • System user

  • System Tampering (ATT&CK: Defense Evasion, Persistence)

  • System Tampering

  • Consumed API

  • Number of threads

  • Device connected to threat map evidence (ATT&CK: Network Effects)

  • Device connected to threat map (ATT&CK: Network Effects)

  • Threat map nearby

  • Thread ID

  • T1127 - Trusted Developer Utilities : application with unusual network connection (ATT&CK: Defense Evasion, Execution - Trusted Developer Utilities)

  • Number of instances

  • Total number of connections

  • Bypass UAC through registry modification (ATT&CK: Defense Evasion)

  • UNC path

  • UNC Command Path

  • Uncommon System Volume Information execution path

  • Suspicious System Volume Information execution path (ATT&CK: Defense Evasion, Persistence - Hidden Files and Directories)

  • cmstp.exe loaded scrobj.dll module

  • T1191 - CMSTP : cmstp.exe abused to execute arbitrary code (ATT&CK: Defense Evasion, Execution - CMSTP)

  • rundll32.exe uncommon execution evidence

  • T1085 - Rundll32, T1050 - New Service : rundll32.exe OS process abuse (ATT&CK: Command and Control, Lateral Movement - Remote File Copy)

  • Unexpected AuditObject access by a PowerShell automation process (ATT&CK: Credential Access, Execution - PowerShell)

  • T1003 - Credential Dumping : Audit object access evidence

  • T1003 - Credential Dumping : Audit object access lsass evidence

  • One of the Windows credential resources was accessed by a shell process

  • T1003 - Credential Dumping, T1081 - Credentials in Files : Audit object access NTDS file evidence

  • T1003 - Credential Dumping, T1081 - Credentials in Files : Audit object access NTDS file via shadow copy evidence

  • T1003 - Credential Dumping, T1081 - Credentials in Files : Audit object access SAM file evidence

  • T1003 - Credential Dumping, T1081 - Credentials in Files : Audit object access SAM file via shadow copy evidence

  • T1214 - Credentials in Registry : Audit object access SAM key evidence

  • T1003 - Credential Dumping, T1081 - Credentials in Files, T1214 - Credentials in Registry : Unexpected AuditObject Access of a shell process

  • Unexpected AuditObject Access of Unknown Process (ATT&CK: Credential Access)

  • Unexpected AuditObject Access of Unsigned Process (ATT&CK: Credential Access)

  • Unexpected AuditObject Access of Unsigned and Unknown Process Suspicion (ATT&CK: Credential Access)

  • Unexpected behaviour from service host

  • Process Image with Unknown Classification Injecting or Running Injected code

  • Process with unknown reputation

  • Unsigned and unknown by a company that normally signs

  • Unsigned and Unknown With Well Known Port Connections

  • Unknown Unsigned With Suspicious Extension

  • Unresolved domain DNS lookups

  • Unresolved IP DNS lookups

  • Blocklist unresolved domain DNS queries

  • Suspicious Unresolved Domain DNS queries

  • Unresolved DNS Queries from Non-existent Record

  • Unsecured WiFi Network (ATT&CK: Network Effects)

  • Signed and Unsigned Modules

  • Unsigned file with a signed version

  • Unsigned with a signed version modules

  • Cybereason Threat Intelligence identified an Unwanted Executable

  • Unwanted classification modules

  • Potentially Unwanted Program Module

  • T1129 - Execution through Module Load : Unwanted module indications

  • T1490 - Inhibit System Recovery : VSSAdmin Delete Shadows

  • T1107 - File Deletion : wbadmin.exe deleted the backup catalog evidence

  • Backup catalog deletion

  • T1107 - File Deletion : wbadmin.exe deleted the backup catalog (ATT&CK: Defense Evasion - File Deletion)

  • T1100 - Web Shell : Web shell evidence

  • Well Known Port External Connections

  • T1028 - Windows Remote Management : WinRM code execution (ATT&CK: Execution, Lateral Movement - Windows Remote Management)

  • WMI Activities

  • Wmi client machine

  • Wmi client pid

  • Wmi is local

  • Wmi operation

  • WMI Persistent objects

  • WMI Persistent Objects Activities

  • WMI Query objects

  • WMI Query Objects Activities

  • WMI Queries

  • Process created remotely by WMI (ATT&CK: Lateral Movement)

  • Possibly malicious process created remotely by WMI

  • Suspicious process created remotely by WMI (ATT&CK: Lateral Movement)

  • A suspicious service has been remotely started via the Win32_BaseService::Start WMI method (ATT&CK: Execution, Lateral Movement)

  • T1047 - Windows Management Instrumentation : WNIC Delete Shadows

  • xcopy running file from temporary folder

  • Suspicious instance of Xcopy running file from a temporary folder (ATT&CK: Command and Control - Remote Access Tools)

  • injected

  • injector

  • module

  • Discovery type

  • Proxy name

  • URL of the PAC

  • Port

  • address

  • extendedInfo

  • minionHostInfo

  • minionInfo

  • ownerMachine

  • Quarantine time

  • fileHash

  • Quarantine file status

  • Requester

  • Key

  • Data

  • First seen

  • Registry data type

  • Registry entry type

  • Registry operation type

  • Registry path

  • Registry process

  • Last seen

  • Authentication protocol

  • Client

  • Client logon session

  • Client user

  • User and remote machine

  • Pass the Ticket

  • Unauthorized credential usage (ATT&CK: Lateral Movement - Pass the Ticket)

  • Resource type

  • Server

  • Server logon session

  • domainToDomain

  • ownerProcess

  • resolver

  • domainToIp

  • Multiple Addresses For Domain

  • ipToDomain

  • Resource

  • Resource name

  • Role

  • Role name

  • Author

  • Scheduled task name

  • Enabled

  • Scheduled task actions

  • Time of last run

  • Last modified by

  • Task state

  • Binary file

  • Binary file was changed

  • Command line arguments

  • Driver

  • Is active

  • Is Auto Restart

  • Is system process

  • Service name

  • Is new server

  • Last binary file

  • Last Service Start User

  • T1035 - Service Execution : Microsoft PsExec Service

  • T1035 - Service Execution : Rare Active Service

  • T1035 - Service Execution : Rare Disable Service

  • T1035 - Service Execution : Rare Service

  • T1035 - Service Execution : Rare Start Type

  • Service start user

  • Service start name was changed

  • Service state

  • Service sub-state

  • Service type

  • Start type

  • File Path

  • Suspicion of %s

  • domain

  • Domain Not Exists

  • resolvers

  • ipAddress

  • Associated domain

  • User Canonical Name

  • Country

  • User creation time

  • User display name

  • Logon name

  • Email address

  • Member of

  • Primary group ID

  • SAM account name

  • Active Directory SID

  • Active Directory text country

  • Title

  • Comment

  • Scheduled tasks created

  • detection events

  • Domain

  • Downloaded processes count

  • Domain\User Name

  • Associated email addresses

  • Has malicious process

  • Using power tool

  • Has unusual process with external connections

  • Running suspicious process

  • Launched suspicious process outside normal hours

  • High Number of Machines

  • Irregular time of day activity

  • Is admin

  • Local system

  • Is System or Root

  • New IT Tool For User

  • New process count

  • Number of machines

  • Last Machine Logged in to

  • Password age in days

  • Privileges

  • User to Admin

  • Rare processes with external connection

  • Running malicious process

  • Running IT Tool

  • Running Rare Process With External Connections

  • T1078 - Valid Accounts : Trespassing user by suspicious activity

  • Scheduled tasks modified

  • User name

  • UserIdentity

  • Client Ip

  • Client Machine

  • Client Pid

  • Client Process

  • WMI activity name

  • Executed Processes

  • Is local

  • WMI Persistent Object

  • Server Owner Process

  • Server User

  • WMI Class

  • WMI Queries single string

  • WMI Query Object

  • Client IP Address

  • Client Network Machine

  • Consumer Action

  • Consumer File Path

  • Consumer Image File

  • Consumer Name

  • Creating process

  • Filter Name

  • Filter Query

  • Persistent type

  • WMI Activity

  • Query

  • Query time

  • Query type

Note

If you have created custom detection rules, the values for these custom rules are not included in the list above.