detectionTypes Field Values
The detectionTypes field can contain any of the following predefined values:
Has Malops
Has suspicions
malopSphere
Self
Attachment
Machines
MD5 signature
File name
self
SHA1 Signature
SHA256 Signature
Automatic execution name
Machine
Registry entry
Scheduled Task
Service
Type
Automatic execution
T1060 - Registry Run Keys / Startup Folder : Autorun JavaScript Value
T1060 - Registry Run Keys / Startup Folder : Registry entry JavaScript value
Registry entry file
Registry entry name
Remove time
File
is CLSID
Is pointing to temporary folder
T1112 - Modify Registry : Unusual file name for registry entry by operating system
Rare Registry Key
Registry events
Value
transaction id
T1043 - Commonly Used Port : High Data Volume Transmitted To Malicious Address
T1043 - Commonly Used Port : Absolute High Transmitted Bytes
T1043 - Commonly Used Port : Address Accessed by Malware
Received bytes
Transmitted bytes
Connected to a blocklist IP address
T1043 - Commonly Used Port : Connected to a blocklist domain
T1043 - Commonly Used Port, T1041 - Exfiltration Over Command and Control Channel : Connected to a blocklist domain
T1043 - Commonly Used Port : Blocklist URL Domain
Blocklist URL Domain List
Creation time
T1043 - Commonly Used Port : Connection to an address used by malware
Network access to a web service that is known to demonstrate malicious behavior. Can include downloading unauthorized software to a device, disrupting normal operation or gathering sensitive information
T1188 - Multi-hop Proxy, T1079 - Multilayer Encryption : Connection to TOR address
Creation Time
A browser-based communication that includes a credit card number in an unencrypted (or easily decrypted) format
A site designed to secretly hijack the target’s device to mine cryptocurrencies
Detection events
Direction
DNS query
T1043 - Commonly Used Port, T1041 - Exfiltration Over Command and Control Channel : Malicious Domain
Domain name
Connection name
End time
T1043 - Commonly Used Port : External Connection of a Malicious Process
T1043 - Commonly Used Port : External Connection to Well Known Port
First seen time
T1048 - Exfiltration Over Alternative Protocol : Connected to ftp port
Has Suspicions
T1043 - Commonly Used Port : Internal Connection of a Malicious Process
T1043 - Commonly Used Port, T1071 - Standard Application Layer Protocol : Connected to IRC port
Connection to proxy
Is external
Is incoming
Is live connection
Is live owner process
Opened by legitimate process
Process Malicious by Hash
Opened by malware
Is proxy connection
Suspicious
Is well known port
Detection status
Local address
Local port
Significantly low ratio of address for machine
Significantly low ratio of address for process
Significantly low ratio of address for process on machine
T1043 - Commonly Used Port : Connected to mail port
T1043 - Commonly Used Port : Malicious Address
T1043 - Commonly Used Port : Connection to Malicious Address
A site designed to deceive the end user into submitting sensitive personal or corporate information through a seemingly trusted web form
Malicious URL domains
T1043 - Commonly Used Port, T1071 - Standard Application Layer Protocol : Outgoing connection with listening socket
Owner machine
Owner process
Owner user
Associated listening socket
An app-based communication that includes a password in an unencrypted (or easily decrypted) format, significantly increasing the risk of compromise
Port description
Port type
Process name
T1043 - Commonly Used Port, T1071 - Standard Application Layer Protocol : Rare address for process
T1043 - Commonly Used Port, T1071 - Standard Application Layer Protocol : Rare Address Location by Process
T1043 - Commonly Used Port, T1071 - Standard Application Layer Protocol : Rare address for machine
T1043 - Commonly Used Port, T1071 - Standard Application Layer Protocol : Rare remote address country for machine
T1043 - Commonly Used Port, T1071 - Standard Application Layer Protocol : Rare remote address country for process
T1043 - Commonly Used Port, T1071 - Standard Application Layer Protocol : Rare connection direction for process
T1065 - Uncommonly Used Port : Rare port for address
T1065 - Uncommonly Used Port : Rare port for process
T1065 - Uncommonly Used Port : Rare port type for process
receivedBytesCount
Is related to Malop
Remote address
Remote address Location
Remote address type
Classification type
Remote address name
Remote machine
Remote port
Server address
Server port
State
T1065 - Uncommonly Used Port : Malicious Domain
T1065 - Uncommonly Used Port : Suspicious URL-Domain
Suspicious URL-Domain list
T1188 - Multi-hop Proxy, T1079 - Multilayer Encryption : Connected to Tor port
transmittedBytesCount
Transport protocol
Device configurations that may put corporate and personal data at risk
Irrelevant or unsolicited content that is disseminated for the purposes of advertising, phishing or spreading malware
T1043 - Commonly Used Port, T1041 - Exfiltration Over Command and Control Channel : Suspicious URL-Domain
URL domains
An app-based communication that includes an identifiable service username in an unencrypted (or easily decrypted) format
A browser-based communication transmitted across the Internet that includes an email address in an unencrypted (or easily decrypted) format
A browser-based communication that includes the device’s physical geo-location in an unencrypted (or easily decrypted) format
Allow Privilege Escalation
Commands
Image ID
Image Name
IP
Mounts
Name
Ports
Processes
Status
Users
Application Control blocked application on blocklist
Known malware detected by Cybereason Anti-Malware
Malicious process behavior
Connection associated with this event
Engine
Decision Time
Detection value
Detection type
Domain name associated with this event
Detection event
Exploitation attempt
File associated with this event
Process used Download and Execute
Download from malicious domain
Process ran malicious command
Malicious floating module
Associated with Malops
Associated with suspicions
Machines associated with the detection event
Malicious document detected
Associated Malops
Msrpc event type
Suspected remote IP addresses
offending user
Script engine
Malware detection by Anti-Malware Artificial Intelligence classification
Connected user
Hosts file
IP address
Blocklist source domain
Blocklist target domain
Source and target domain
Malware source domain
Malware target domain
Non Default Resolver - Domain to Domain
Record type
Resolvers
Sinkhole source domain
Sinkhole target domain
Source domain
T1043 - Commonly Used Port, T1041 - Exfiltration Over Command and Control Channel : Malicious Source Domain
Target domain
T1043 - Commonly Used Port, T1041 - Exfiltration Over Command and Control Channel : Malicious Target Domain
TTL range
Blocklist evidence
Source domain and target IP
Low Max TTL
Malware evidence
Non Default Resolver - Domain to IP
Sinkholed Domain
Target IP
Blocklist domain
Source IP and target domain
Malware domain
Non Default Resolver - IP to Domain
Record Type
Sinkhole domain
TTL Range
Domain Does Not Exist
Has Connection To Malicious Domain
Error code
Has resolved classification
Is internal domain
Never seen resolved in organization
Never seen resolved second level domain in organization
Source IP address
Source IP
Address reputation
T1043 - Commonly Used Port, T1041 - Exfiltration Over Command and Control Channel : Blocklist domain
Classification comment
Classification link
Classification user
Was ever resolved
Ever Resolved Domain
Was ever resolved as a second level domain
Ever Resolved Second Level Domain
Has resolved classification evidence
Good Domain
Indifferent Domain
Is internal second level domain
Malicious Domain
Is reverse lookup
Suspicious Domain
Is torrent domain
Unknown Domain
Reputation
Malware Domain
Related to Malop
Second level domain
Sinkhole Domain
Top level domain
sourceDomain
targetDomain
targetIpAddress
Driver name
Known Malicious Driver
T1109 - Component Firmware : Known Malicious Driver
Malicious Tool Driver
T1109 - Component Firmware : Malicious Tool Driver Suspicion
Malware Driver
T1109 - Component Firmware : Malware Driver Suspicion
Driver filename
T1109 - Component Firmware : New driver
T1109 - Component Firmware : New drivers count is above threshold
T1109 - Component Firmware : Rare driver
Unwanted Driver
T1109 - Component Firmware : Unwanted Driver Suspicion
Email Address
User accounts
Display names
Event
null
Product-specific type of event
Action name
Arguments
Path
Executable
A malware that attempts to obtain escalated system privileges
Third-party application stores are applications that can download and install other applications; they might distribute malicious applications, because those apps are not diligently tested for malicious behavior
A malicious application that demonstrates harmful behavior and disrupts the device
Application Identifier
Process(es) attempted to execute malicious file
Attempt execution processes
Registry Key
Associated Registry entries
Remediation status
Detection time
Blocklist file
Blocked file hash
Canonized Path
Marked for prevention
Detection name
Comments
Company name
An app-based communication that includes a credit card number in an unencrypted (or easily decrypted) format
Cves
Document contains autorun macro
Document contains Dynamic Data Exchange (DDE)
Document contains dropper macro
Document contains macro
Document contains malformed header
Document contains malicious macro
Document contains obfuscated macro
Document contains suspicious embedded object
Downloaded from domain
Sender email address
Email message ID
Email subject
Downloaded from IP address
The file’s origin URL
The file’s referral URL
T1406 - Obfuscated Files or Information : Dual extension on file name
Scheduled task actions running this file
T1106 - Execution through API : Executed by Process
An app-based communication transmitted across the Internet that includes an email address in an unencrypted (or easily decrypted) format
Extension type
File events
File description
File hash
Quarantine actions
Creation quarantine action
File Reputation Suspicion
File version
File Version
Hacking Tool
Found in a registry entry
Has classification
Legitimate Classification
Non Legitimate Classification
T1406 - Obfuscated Files or Information : Obscured file extension evidence
Recognized Product
Benign
Internal name
Downloaded from Internet
Located on removable device
Is installer
Is classification not found
Signed
Is suspicious
Legal copyright
Legal trademarks
T1406 - Obfuscated Files or Information : Malformed ELF file
A malware that steals bank credentials
Reputation type
A malware that aggressively displays ads, negatively affecting user productivity and device performance
A malware that blocks access to a device until a ransom is paid
A malware that causes SMS related charges
T1044 - File System Permissions Weakness : Image file has a malicious signature
A malware that is monitoring and collecting information about a user and the device
Malicious Tool
A malware that obtains unauthorized access to the person’s mobile device
T1036 - Masquerading : Malware
T1036 - Masquerading : Masquerading as movie Evidence
T1219 - Remote Access Tools : Remote malicious tool resources
Mimikatz file characteristics
Mimikatz suspicion
Modification time
Mount Point
Mounted As
T1406 - Obfuscated Files or Information : Multiple company names
Multiple Hash For PE Information
Original file name
Original file
Private build marker
Product name
Product title
Product type
Product version
Quarantined file
Ransomware
Malicious by Signatures analysis evidence
Malicious by Signature analysis
Malicious by Anti-Malware evidence
Malicious by Anti-Malware
T1406 - Obfuscated Files or Information : Right to left file extension evidence
Second extension type
Apps that are not installed through official channels, such as through official app stores or an EMM, are unlikely to have gone through the rigorous quality checks expected of an app store release and therefore may be poorly written or malicious
T1116 - Code Signing : Signature bad chain of trust
T1116 - Code Signing : Signature expired
T1116 - Code Signing : Signature explicitly revoked
T1116 - Code Signing : Signature mismatch
T1116 - Code Signing : Signature misuse
T1116 - Code Signing : Unsigned
T1116 - Code Signing : Signature could not be verified
T1116 - Code Signing : Signature unrecognized root certificate
T1116 - Code Signing : Signature user distrust
Signature verified
Signature Verified
Signed by Apple
Signed by Cybereason
Signed by Linux
Signed by Microsoft
Signed by operating system
File is Signed
Signer
Internal/External Signer
Size
Special build
Suspicious screen saver
Temporary Folder
Unknown and unclassified
T1129 - Execution through Module Load : Unknown and Unsigned
Unsigned file with a known signed version
T1116 - Code Signing : Unsigned file with a known signed version
T1116 - Code Signing : Unsigned file
Unverified
T1116 - Code Signing : Unverified
Potentially unwanted program
Vulnerable App Installed
Allowlist
WMI persistent objects
File event instance name
Event type
File information
First access timestamp
Is alternate data stream
Is hidden file
New path after rename event
File path
File hash comment
First detection time
File hash score
Threat remediation confidence level low
Threat remediation confidence level high
Threat remediation confidence level medium
File hash user
Icon
Icon md5 hex
SHA1 Hex Signature
File Hash
Function Details
Exporting module
Function Name
Hook Offset
Hooked modules
Hooking module
Group
Group name
Used by malware
Address
Blocklist IP
City name
Country code
Country name
Related DHCP interfaces
Related gateway interfaces
Malicious reputation
Reputation source
Is DHCP
Gateway
Safe Address
Indifferent Address
Malicious Address
Suspicious Address
Unknown Address
Latitude
Longitude
Malicious address
Malicious by Cybereason block list
Malicious by TOR list
Custom Reputation
Region
Version
IP range name
Mask
Subnet
Count
Ip Range Scan
Scanned range
sourceAddress
Event counter
Attribute list
Distinguished name
Search filters
Last seen time
Process
Scope of search
Address type
Connections
Local address and port
Listening connection end time
Owner module
DHCP server address
DNS server address
LAN name
IP address of the network’s gateway
MAC address of the network’s gateway
Local network’s IP range
Network interfaces
Local network’s default search domain
Link to the element
Connected SSIDs
User
LUID
Client Remote Session
Logon session name
Empty or null work station evidence
Logon application type
Logon Type
Pass the Hash
Stolen credentials used in Pass the Hash attack (ATT&CK: Lateral Movement - Pass the Hash)
Pass The Ticket
T1097 - Pass the Ticket : Pass The Ticket Remote Session
Pass The Ticket Remote Sessions
Session with credentials mismatch (ATT&CK: Lateral Movement - Pass the Ticket)
Proxies
Remote network machine
Server Remote Session
Unexpected key length evidence
Windows logon details
Unexpected NTLM key evidence
Android Device - Compatibility Not Tested By Google
Active users
Canonical name
Company
DNS host name
Department
Description
Display name
Location
Machine role
Organizational unit (OU)
Organization
Security identifier (SID)
Not verified Android Debug Bridge (ADB) apps installed
Cybereason for Mobile not activated on all profiles for Android For Work
Registry entries
BlueBorn vulnerability evidence
Client interactions
Machine name
DNS change
Gateway change
Google Play Protect disabled (ATT&CK: Initial Access)
Network proxy change evidence
Network proxy change
Unknown download sources enabled evidence (ATT&CK: Initial Access)
Unknown download sources enabled (ATT&CK: Initial Access)
CPU count
Developer Options enabled
Device model
DNS cache
Machine domain name
Drivers
Device Encryption not set up
Active user
Free disk space
Free memory
Malicious processes
Has removable device
T1025 - Data from Removable Media, T1092 - Communication Through Removable Media : Has Removable Device
T1109 - Component Firmware : Spreading driver
High Number of Downloaded Processes
High Number of New Processes
T1078 - Valid Accounts : High users count
IMEI
Is connected to Cybereason
Is Android
Is domain controller
Is iOS
Is isolated
Is laptop
Is Linux
Is Mac
Outdated
Has suspicious processes
Is Windows
Is Windows desktop
Is Windows Server
A modified build of an operating system that has removed original manufacturer limitations, leaving the device and its data more vulnerable to attack
Last Communicated
Local Networks
Once the lock screen is disabled, the device encryption is rendered useless against physical attacks
Login actions
Last time logon file not found
Logon sessions
T1100 - Web Shell : Web shells evidence
Malicious tools
MBR Hash
MDM ID
Stagefright vulnerability (ATT&CK: Initial Access)
Mount points
Network machine
T1017 - Application Deployment Software : New administrator tool
OS Type
OS minor version
OS version
Over-The-Air (OTA) updates disabled
Owner organization
Device Pin
Platform architecture
Suspicious profile added evidence (ATT&CK: Persistence)
Suspicious profile added (ATT&CK: Persistence)
Pylum ID
Removable devices
Running malicious tool
Running web shells
Scanning activity (ATT&CK: Discovery)
SELinux disabled evidence
SELinux Disabled
Server interactions
Services
Sensor group
Spreading drivers
SSL/TLS downgrade evidence (ATT&CK: Network Effects)
SSL/TLS downgrade (ATT&CK: Network Effects)
Suspicious processes
Time since last communication
Machine timezone
Total disk space
Total memory
Uptime
Once developer mode is enabled, sideloading from unknown sources, USB debugging and other configurations that can lead to security risks can be enabled
USB Debugging mode enabled (ATT&CK: Privilege escalation)
Vulnerable Android version (ATT&CK: Privilege Escalation)
Vulnerable, non-upgradeable Android version
Vulnerable iOS version (ATT&CK: Privilege Escalation)
Vulnerable, non-upgradeable iOS version
An older version of an OS that is more vulnerable to known security exploits
Zero ARP Entries Above Threshold
Anomalies types
IP address of client machine for attacker
IP address of server machine for attacker
First time detected on attacking machine
Client machine
IP address of client machine
Port on client machine
Process initiating interaction
User on client machine
Interaction description
Interaction protocol
Machine role in interaction
Interaction type
Timestamp for maximum period
Timestamp for minimum period
Receiver machine for Pass the Hash evidence
T1075 - Pass the Hash : Pass the hash receiver suspicion
Sender machine for Pass the Hash evidence
T1075 - Pass the Hash : Pass the hash sender suspicion
Server machine
IP address of server machine
Port on server machine
Process initiating interaction on the server machine
User on server machine
Interaction unique value
Compromised user
IP address for victim client machine
IP address for victim server machine
First time detected on victim machine
Number of processes to remediate
Affected machines
Affected users
Command lines
Root cause
Decision statuses
Decoded command lines
Root cause type
Detection value types
Detection values
Malop activity types
Exploit detection types
File paths
Files for remediation
Files for un-remediation
Has processes to remediate
Icon base64
Last activity type
Last update time
New suspects
The primary Malop type
Primary root cause elements
Processes for remediation
Related malops
Root cause elements company: product
Root cause element hashes
Root cause element names
Root cause element types
Root cause elements
Script detection type
Signers
Decision feature
Malicious activity type
Malop activity type
Malop last update time
Malop start time
related malops
Suspects
Suspect features
Malop has suspended processes
Root cause
Detection Type
Process Name
null
Has Ransomware processes suspended
Mitigated
Malop detection types
Start time
New Suspicions
Remediation type
Root cause elements company and product
Suspects Host Processes
Suspects Injecting Processes
Suspects Processes
Suspects with no TID
Total number of incoming connections
Total number of outgoing connections
Total received bytes
Total transmitted bytes
Message
loadedModule
minionHost
process
pylum
minions
myMinion
rpcServices
Address (in Decimal)
Blocklist module
Prevent Execution FileHash
Module name
Allocated Protection
Malformed Executable Header
Header Protection
Malicious module prevented by App Control
Export Name
Fake OWAAuth
Fake OWAAuth Suspicion
T1116 - Code Signing : Unsigned with a signed version
Has registry entry
Suspicious module was loaded in memory
Module prevented by App Control
Is never in loader DB
File From Temp
Is floating code
Malicious File
Not in loader db
PE Header Allocated Size
Size Of Image
T1176 - Browser Extensions : Unsigned or Unverified
Unsigned with a signed version
Potentially Unwanted Program
Mount point creation time
Mount point credentials user
Device name
Mount point name
Mount point end time
Files
T1025 - Data from Removable Media, T1092 - Communication Through Removable Media : Active removable device
T1025 - Data from Removable Media, T1092 - Communication Through Removable Media : Inactive removable device
Removable device
Media type
Mount user
Mounted From
T1025 - Data from Removable Media, T1092 - Communication Through Removable Media : Unusual removable device
Volume name
Authentication Level
Authentication Service
Creation Timestamp
Msrpc Name
Endpoint
Event Counter
Event source
Impersonation level
Interface Name
Interface UUID
Last seen timestamp
Network Address
Operation Number
Operation Name
Options
Owner Machine
Protocol
Network interface name
Flags
Gateway address
Identifier
Internal IP addresses
Local networks the network interface is registered on
Hardware address (MAC)
Network statistics
Domain FQDN
Host
Object access name
The file that the process opened
machines
users
Pod containers
UID
T1086 - PowerShell : Obfuscated powershell payload
T1086 - PowerShell, T1027 - Obfuscated Files or Information : Obfuscated powershell payload
Android device possible tampering evidence (ATT&CK: Defense Evasion, Persistence)
Android Device possible tampering
Android device possible tampering suspicion (ATT&CK: Defense Evasion, Persistence)
T1188 - Multi-hop Proxy, T1079 - Multilayer Encryption : Tor Browser Evidence
Abnormal Process Activity Evidence
Abnormal Process Activity Malop
Abnormal Process Activity Suspicion
T1055 - Process Injection : Abnormal RWX section count by machine
T1055 - Process Injection : Abnormal RWX section count
T1043 - Commonly Used Port : High number of internal connections
T1043 - Commonly Used Port : Absolute High Number of Internal Outgoing Embryonic Connections
High volume external connections
High volume connections to malicious address
Masquerading as a Windows accessibility feature
Unrecognized process connects to Malware Address
Benign process connects to Malware Address
T1015 - Accessibility Features : Accessibility Feature binary swapped for other executable (ATT&CK: Persistence)
T1015 - Accessibility Features : Accessibility feature abuse
T1015 - Accessibility Features : Accessibility feature abuse (ATT&CK: Persistence, Privilege Escalation - Accessibility Features)
T1015 - Accessibility Features, T1112 - Modify Registry : Accessibility feature abusing by registry modification
T1036 - Masquerading : The process is masquerading as a Windows accessibility feature
T1015 - Accessibility Features, T1036 - Masquerading : The process is masquerading as a Windows accessibility feature
T1087 - Account Discovery : Account Discovery (ATT&CK: Reconnaissance)
T1087 - Account Discovery, T1033 - System Owner/User Discovery : Accounts discovery (ATT&CK: Discovery - System Owner/User Discovery)
Accounts discovery
Accounts discovery (ATT&CK: Discovery - System Owner/User Discovery)
T1089 - Disabling Security Tools : Add firewall rule
Addresses used by malware
T1077 - Windows Admin Shares : Administrative share mount attempt (ATT&CK: Lateral Movement - Windows Admin shares)
Administrative share mount attempt (ATT&CK: Lateral Movement - Windows Admin shares)
Injected children
Interactions
T1096 - NTFS File Attributes : Alternate Data Stream hiding
Always-on VPN app set evidence (ATT&CK: Collection, Credential Access)
Always-on VPN app set (ATT&CK: Collection, Credential Access)
Suspension of Anti-Malware (ATT&CK: Defense Evasion - Disabling Security Tools)
Malicious application evidence
Malicious application
Malicious application suspicion (ATT&CK: Initial Access)
Out of compliance app
App tampering evidence (ATT&CK: Defense Evasion, Persistence)
App tampering
App tampering suspicion (ATT&CK: Defense Evasion, Persistence)
Process ID
Architecture
Network handoff
Automatic executions
T1012 - Query Registry : Autorun related registry key query
Autorun related registry key query
Autorun related registry key query (ATT&CK: Discovery - Query Registry)
Blocklist modules
Blocklist domains (Connection)
Blocklist domain to domain DNS
Blocklist domains (domain to domain DNS - source)
Blocklist domains (domain to domain DNS - target)
Blocklist domains (unresolved DNS)
Blocklist Domains
Blocklist domains (DNS)
Blocklist domains (reversed DNS)
Blocklist IP addresses
T1129 - Execution through Module Load : Blocklist module
Blocklist domains (URL)
Blocklist file hash
Blocked execution files
Blocked Modules
Captive Portal usage (ATT&CK: Collection, Credential Access)
Certutil.exe used to decode data
Certutil.exe file download
T1105 - Remote File Copy : certutil.exe suspicious file download
T1140 - Deobfuscate/Decode Files or Information : certutil.exe used to encode data
Children
Children created by thread
Execution of a Malicious Script by a child process
Clear command line
Interactions with process as client
Command line
Add firewall rule in command line
Command Line Contains Temp
T1043 - Commonly Used Port : Connecting to a Known Malicious Address
Connection to blocklist IP address
Connection to blocklist domain
Connection to a malicious address
Connection to malicious address
Connection to a malicious domain
T1043 - Commonly Used Port, T1041 - Exfiltration Over Command and Control Channel : Connection to a malicious domain
T1079 - Multilayer Encryption : Connection to Tor domain by a process which is not a browser
Connections of host process
Connections to Malicious Domain
Connections to malware address
Connection to Tor domain
Covert process execution
Covert Process Fully Hidden from Scanning API
Covert process parameters override
Covert Process Partially Hidden from Scanning API
Covert Process (ATT&CK: Persistence, Defense Evasion)
CPU time
T1069 - Permission Groups Discovery, T1136 - Create Account : Localgroup account creation
T1069 - Permission Groups Discovery, T1136 - Create Account : Localgroup admin account creation
local group account was created
T1069 - Permission Groups Discovery, T1136 - Create Account : Localgroup admin account creation (ATT&CK: Persistence: Create Account)
T1069 - Permission Groups Discovery, T1136 - Create Account : Localgroup remote user account creation
A process has been created via the Win32_Product::Install WMI method (ATT&CK: Execution)
A service has been started via the Win32_BaseService::Start WMI method (ATT&CK: Execution)
Created by WMI
Created children
Creator process
Creator thread
Credential interaction loaded modules
Attempted credential theft
CVE-2020-0601 - attempted exploitation
T1216 - Signed Script Proxy Execution : Cscript command line contains temp
T1059 - Command-Line Interface, T1216 - Signed Script Proxy Execution : Cscript command line contains temp
T1203 - Exploitation for Client Execution : Process attempted to exploit known CVE evidence
T1203 - Exploitation for Client Execution : The process attempted to exploit a known CVE
T1203 - Exploitation for Client Execution : Process attempted to exploit a known CVE
CVE Events
Daemon anomaly evidence
Data compression tool evidence
Data compression tool
Decoded command line
T1068 - Exploitation for Privilege Escalation : Running Injected code by deleted process
T1502 - Parent PID Spoofing : Deleted parent process
T1055 - Process Injection : Detected injected process
T1055 - Process Injection : Detected injecting process
T1055 - Process Injection : Detected Injecting To Protected Process
T1483 - Domain Generation Algorithms : Domain Generation Algorithm
Different Signer Modules
Unknown DLL was loaded in a suspicious manner (ATT&CK: Privilege Escalation)
Connected to DNS Port (ATT&CK: Command And Control - Commonly Used Port, Standard Application Layer Protocol)
Blocklist domain-to-IP DNS queries
Suspicious Domain-to-IP DNS queries
Blocklist IP-to-domain DNS queries
Suspicious IP-to-Domain DNS queries
Remote System Discovery
Domain enumeration (ATT&CK: Discovery: Remote system discovery, Network Share Discovery)
T1018 - Remote System Discovery, T1135 - Network Share Discovery : Domain host enumeration (ATT&CK: Discovery: Remote system discovery, Network Share Discovery)
T1018 - Remote System Discovery, T1135 - Network Share Discovery, T1482 - Domain Trust Discovery : Enumeration of the trust relationship between the workstation and the domain (ATT&CK: Discovery: Remote system discovery, Network Share Discovery)
T1482 - Domain Trust Discovery : Domain Trust Relationship Reconnaissance
T1482 - Domain Trust Discovery : Domain Trust Relationship Reconnaissance (ATT&CK: Reconnaissance - Remote System Discovery)
T1406 - Obfuscated Files or Information : Multiple extensions
T1406 - Obfuscated Files or Information : Obscured extension
Dynamic configuration connections
Elevating Privilege Child Processes
Elevating Privileges (ATT&CK: Privilege Escalation)
T1044 - File System Permissions Weakness : Elevating privileges to child process
Executing process
Process is a descendant of a MS office application
Malicious use of PsExec (ATT&CK: Lateral Movement - Remote Services)
T1036 - Masquerading, T1158 - Hidden Files and Directories : Process execution from Recycle Bin
Process execution from Recycle Bin
T1036 - Masquerading, T1158 - Hidden Files and Directories : Process execution from Recycle Bin (ATT&CK: Defense Evasion, Persistence - Hidden Files and Directories)
Evidence of a process run in context of a Pass the Hash attack (ATT&CK: Lateral Movement - Pass the Hash)
T1075 - Pass the Hash : Process run in context of a Pass the Hash attack
Process prevented by App Control
Exploit attempt
T1203 - Exploitation for Client Execution : Exploit Kit Evidence
T1203 - Exploitation for Client Execution : Exploit Kit Suspicion
T1049 - System Network Connections Discovery : Explorer.exe IP Discovery Suspicion
External connections
Failed to access file
T1038 - DLL Search Order Hijacking : Fake Unsigned Module
Fake Modules
T1036 - Masquerading : Fake OWAAuth Module
Fake OWAAuth Modules
T1036 - Masquerading : Fake OWAAuth Module Suspicion
File or directory discovery
Executed an allowlisted file
File-less malware
T1170 - Mshta : Fileless malware
T1063 - Security Software Discovery : Firewall discovery (ATT&CK: Discovery - Security Software Discovery)
Firewall discovery
Firewall discovery (ATT&CK: Discovery - Security Software Discovery)
Firewall hole punching (ATT&CK: Defense Evasion - Disabling Security Tools)
First Execution of Downloaded Process
Process flags
fsutil.exe deleted the Update Sequence Number journal change
Update Sequence Number journal deletion
T1107 - File Deletion, T1070 - Indicator Removal on Host : fsutil.exe deleted the Update Sequence Number journal change (ATT&CK: Defense Evasion - File Deletion, Indicator Removal on Host)
Ftp activity as part of a suspicious execution chain
T1048 - Exfiltration Over Alternative Protocol, T1105 - Remote File Copy : FTP communication
Connected to FTP Port (ATT&CK: Command And Control - Commonly Used Port, Standard Application Layer Protocol)
T1105 - Remote File Copy : ftp.exe is descendant of a suspicious process
Hacker tool children
Hacking Tool With Suspicious Parent
Hacking Tool With Suspicious Parent (ATT&CK: Defense Evasion, Execution)
T1043 - Commonly Used Port : Has Absolute High Volume Connection To Malicious Address
T1043 - Commonly Used Port : Has Absolute High Volume External Outgoing Connection
T1060 - Registry Run Keys / Startup Folder : Has automatic execution
Registry Run Keys / Startup Folder : Process with registry entry
Connection to Blocklist IP evidence
Blocklist IP - Domain to Domain evidence
Has blocked modules
Executes known hacker tool
Has children
Has client interaction
Has Connection to Malware Addresses
Process has connections
Has DNS Query From Suspicious Domain
Has DNS Query To Suspicious Domain
Has external connection
T1043 - Commonly Used Port : Has External Connection To Well Known Port
Has incoming connections
Has injected children
T1055 - Process Injection : Suspicious injection
Has internal connection
Connected to internal address
Has opened socket
Has Low TTL DNS Query
Has Mail Connection
Has Malicious Connection
Has malicious connections
T1129 - Execution through Module Load : Module in temporary folder
T1116 - Code Signing : Unsigned with a signed version module
Non Default Resolver
Contains a module not found in loader db
Has outgoing connections
Contains floating executable code
Has a rare known hacker tool child process
Rare external connection
Rare internal connection
Rare internal connection evidence
Loaded a rare module
Rare remote address
Rare remote address evidence
Malicious module was loaded in memory
Contains mismatching section
Attempt to manipulate Cybereason sensor detected evidence
Attempt to manipulate Cybereason sensor detected
Has server interaction
Has Suspicious DnsQuery Domain To Domain
T1041 - Exfiltration Over Command and Control Channel : Has Suspicious External Connection
Has Suspicious External Connection (ATT&CK: Exfiltration, Command and Control)
T1041 - Exfiltration Over Command and Control Channel : Has Suspicious Internal Connection
Suspicious Internal Connection
Has unresolved DNS queries
Has Unresolved Query From Suspicious Domain
Has visible windows
Has windows
Ratio of file hash
Hidden loaded module
T1129 - Execution through Module Load, T1055 - Process Injection : Hidden Loaded Module
Hidden Loaded Module
Suspicious hidden loaded module (ATT&CK: Defense Evasion)
Hidden Process
Hidden Process (ATT&CK: Defense Evasion - Rootkit)
High Data Transmitted (ATT&CK: Exfiltration)
Process running injected code transmitted high volume of data
Unrecognized process or process running injected code transmitted high volume of data
High Internal Outgoing Embryonic Connection Rate
T1046 - Network Service Scanning, T1049 - System Network Connections Discovery : High ip scan rate evidence
Many external connections
T1048 - Exfiltration Over Alternative Protocol : High Number Of External Connections
Many internal connections
High Number Of Internal Connections
High Unresolved-Resolved Rate
Hooked functions
Host process
Host user
Hosted injected children
Hosting Injected Thread
Hosting Injected Thread (ATT&CK: Defense Evasion - Process Injection)
Connected to HTTP Port (ATT&CK: Command And Control - Commonly Used Port, Standard Application Layer Protocol)
Executable image file hash
Image file
Image file hash
Multiple company names in image file
Image file path
Unsigned image file
T1116 - Code Signing : Unsigned image file with signed version
Unverified Signature
Incoming connections
Incoming connections of host process
Incoming external connections
Incoming internal connections
T1202 - Indirect Command Execution : Indirect Command Execution (ATT&CK: Defense Evasion Indirect Command Execution)
Injected Child Processes
Injected PowerShell process
T1055 - Process Injection : Injected Protected Process
Injection into a protected process (ATT&CK: Defense Evasion, Privilege Escalation - Process Injection)
Injection user mismatch
Injected thread running with elevated privileges
T1055 - Process Injection : Injecting To Protected Process
Injection method
Running Injected code in critical process (ATT&CK: Defense Evasion - Process Injection)
Running Injected code by child of legitimate process (ATT&CK: Defense Evasion - Process Injection)
Process integrity
Internal connections
Internal Network Access
Internal outgoing embryonic connections
Connection to External IP discovery service or known used legitimate websites for malicious activity
T1046 - Network Service Scanning, T1049 - System Network Connections Discovery : IP Discovery Suspicion
IP range scan set
IP scanned rate 10 seconds
Ip scanned rate 30 seconds
Ip scanned rate 60 seconds
Suspicious iOS app evidence
Suspicious iOS App
Suspicious iOS app suspicion
Is aggregated process
Is Apple System Process
Is chain of injections
Is .NET process inspected
Downloaded From the Internet
Is encoded commandline
Executed by WMI
Is full memory dump
Is hidden process
Is hosting injected thread
Is identified product
Signed image file
Signed and verified
Image file verified
Is injected
Is injected with research
Is injecting
Injector not shell runner
Is injector shell
Injector signed by Microsoft
Installer
Is live process
Malicious by Hash
Malicious process
Is Microsoft System Process
Is minion host
Netsh process
Not shell runner
Operating System Process
PowerShell process
Indicates whether the process is protected or not
Sandbox Process
Is scheduled task
Service Host
Is suspended
Device jailbroken/rooted evidence (ATT&CK: Privilege Escalation)
Device jailbroken/rooted
Device jailbroken/rooted suspicion (ATT&CK: Privilege Escalation)
Java-based Malware
Keylogger Method
Known malicious tool indications
Process has a suspicious hash
Known ransomware indications
Known unwanted indications
Evidence of use of the LaZagne recon tool
T1081 - Credentials in Files, T1087 - Account Discovery : LaZagne recon tool (ATT&CK: Credential Access - Credentials in Files)
Last minute instances
Time of last process in group
LDAP queries
Running Injected code by legit process (ATT&CK: Defense Evasion - Process Injection)
Shell process connects to a remote address and allows interactive commands
Listening connections
Loaded modules
Local connections
T1070 - Indicator Removal on Host : Event log deletion evidence
T1070 - Indicator Removal on Host : Log deletion (ATT&CK: Defense Evasion: Indicator Removal on Host)
Logon script registration
Logon script registration (ATT&CK: Lateral Movement, Persistence - Logon Scripts)
Logon session
Low TTL DNS Queries
Read LSASS encryption keys (ATT&CK: Credential Access)
Read Sensitive information from main authentication package (ATT&CK: Credential Access)
The process performed a malicious read/write memory access to a sensitive process.
Write to LSASS samsrv.dll (ATT&CK: Credential Access)
Read Local Security Authority (ATT&CK: Credential Access)
Read LSASS sensitive information (ATT&CK: Credential Access)
LSASS virtual memory read action (ATT&CK: Credential Access)
LSASS virtual memory write action (ATT&CK: Credential Access)
Obscured file extension evidence
Mail connections
Accessing address used by malware
Malicious Code Injection
Malicious use of a Domain Generation Algorithm
Malicious by Obscured Extension
Malicious by Obscured Extension
Malicious By Floating Code
High volume of transmitted data by injected process
High volume of transmitted data
Cybereason Threat Intelligence identified a loaded module as a malicious tool
Cybereason Threat Intelligence identified a loaded module as malicious
Process opened a malicious file
Cybereason Threat Intelligence identified a loaded module as ransomware
Suspicious scanning activity by an elevated process
Process is performing suspicious scanning activities
Suspicious scanning activity
Cybereason Threat Intelligence identified an Unwanted Module
Process has loaded Cobalt Strike Beacon
Malicious connection domains
Malicious source domains
Malicious target domains
Malicious unresolved domains
Malicious domains
Malicious resolved domains
Malicious resolved to domains
Process has loaded PowerShell Empire
Malicious use of PowerShell
Malicious execution of shell process
Malicious fake module
Firewall hole punching
Process has loaded a malicious tool
T1037 - Logon Scripts : Running Injected code
T1055 - Process Injection : Injecting Code into a process
Malicious Injected Code by Hosting Injection
Malicious reputation addresses
Process has loaded a Meterpreter agent
Process has loaded Mimikatz (ATT&CK: Credential Access)
Fileless protection detection suspicion
Fileless protection: Prevented successfully
Executed a file with a malicious hash
Executed a potentially malicious file
T1193 - Spearphishing Attachment : Malicious opened files suspicions
Malicious PowerShell framework
Running Injected floating code (ATT&CK: Defense Evasion - Process Injection)
Process has loaded a PeddleCheap agent
Malicious Privilege Escalation
Malicious System Volume Information execution path or name
Dropped a script
T1064 - Scripting : Malicious script execution
Unexpected script execution
Ransomware behavior
Image file has a malicious signature
Remote Access Trojan
Cybereason Threat Intelligence identified a malicious tool
Malicious tool modules
Malicious Tool Module
Loaded module with malicious tool indicators
Malicious use of an OS process
Malicious Remote Execution (ATT&CK: Lateral Movement - Remote Services)
AppLocker Bypass via Regsvr32 utility and COM scriptlets
Abuse of the Regsvr32 utility module (ATT&CK: Defense Evasion, Execution - Regsvr32)
T1117 - Regsvr32 : AppLocker Bypass via Regsvr32 utility and COM scriptlets
Use of legitimate OS process for persistence
T1044 - File System Permissions Weakness : Malicious use of OS process suspicion
Web shell execution
T1100 - Web Shell : Web shell suspicion
Malop list
Cybereason Threat Intelligence identified a malicious executable
Malware classification modules
Malware
Malware Module
T1129 - Execution through Module Load : Malware module indications
Man In The Middle activity
Many Record-Not-Exists Unresolved DNS Query
Matched Activities
Dumped lsass process memory evidence
Dumped lsass process memory suspicion
Memory usage
Remote malicious tool resources
T1003 - Credential Dumping, T1081 - Credentials in Files, T1098 - Account Manipulation : Mimikatz execution was detected
T1003 - Credential Dumping, T1081 - Credentials in Files, T1098 - Account Manipulation : This process executing mimikatz
T1003 - Credential Dumping, T1081 - Credentials in Files, T1098 - Account Manipulation : Mimikatz execution evidence
T1003 - Credential Dumping, T1081 - Credentials in Files, T1098 - Account Manipulation : Mimikatz execution suspicion
T1003 - Credential Dumping, T1081 - Credentials in Files, T1098 - Account Manipulation : Mimikatz resource evidence
The process is executing Mimikatz (ATT&CK: Credential Access)
MITM attack via ARP evidence (ATT&CK: Network Effects)
MITM attack via ARP
MITM attack via ARP suspicion (ATT&CK: Network Effects)
MITM (ATT&CK: Network Effects)
MITM attack via ICMP redirect evidence (ATT&CK: Network Effects)
MITM attack via ICMP redirect
MITM attack via ICMP redirect suspicion (ATT&CK: Network Effects)
MITM attack
Rogue Access Point (ATT&CK: Network Effects)
Rogue Access Point
Rogue access point nearby evidence (ATT&CK: Network Effects)
Rogue access point (ATT&CK: Network Effects)
MITM attack with fake SSL certificate evidence (ATT&CK: Network Effects)
MITM - Fake SSL Certificate
MITM attack with fake SSL certificate (ATT&CK: Network Effects)
MITM attack through SSL Strip evidence (ATT&CK: Network Effects)
MITM attack through SSL Strip
MITM attack through SSL strip suspicion (ATT&CK: Network Effects)
MITM attack (ATT&CK: Network Effects)
Modules loaded from the temporary directory
Module not in loader DB
Msbuild exhibited suspicious behaviour related to code execution (ATT&CK: Defense Evasion, Execution - Trusted Developer Utilities)
Process is a suspicious executable descendant of a MS office application
MSBuild activity as part of a suspicious execution chain
MSBuild was executed by an MS Office application (ATT&CK: Defense Evasion, Execution - Trusted Developer Utilities)
msbuild exhibits unusual behavior evidence
Multiple Hashes For unsigned PE Information
Multiple names found for the same hash
File with matching hash and mismatching size
Multiple Record-Not-Exists Unresolved DNS Query
Net.exe activity as part of a suspicious execution chain
Net.exe conducted suspicious activity (ATT&CK: Privilege Escalation, Discovery)
net.exe add user to local admin group evidence
net.exe is used to create a user or add a user to a group
Net.exe is used to add user to a group
net.exe conducted suspicious activity
net.exe is descendant of a suspicious process
netsh.exe disabled firewall
netsh.exe disabled firewall (ATT&CK: Defense Evasion - Disabling Security Tools)
T1016 - System Network Configuration Discovery : Network configuration discovery (ATT&CK: Discovery - Network Configuration Discovery)
Network configuration discovery
Network configuration discovery (ATT&CK: Discovery - System Network Configuration Discovery)
Network scanner
T1135 - Network Share Discovery : Network Share Discovery (ATT&CK: Reconnaissance)
New process
Evidence of a new process
Multiple new processes created
T1050 - New Service : New Service
New Service was unconventionally created
New service (ATT&CK: Persistence, Privilege Escalation - New Service)
Fileless protection detection evidence
Fileless protection prevention evidence
Non-default resolver DNS queries
Non Executable Extension
Command line environment variable obfuscation evidence (ATT&CK: Defense Evasion)
Command line environment variable (ATT&CK: Defense Evasion)
Command line keyword obfuscation (ATT&CK: Defense Evasion)
Object access
MS Office process adds an executable file to disk
MS Office dropper behavior was detected
Opened files
Original Injector process
OS process that is not in its original location
T1036 - Masquerading : Unsigned OS process not in original location
A payload was run using osascript JavaScript
Outgoing connections
Outgoing connections of host process
Outgoing external connections
Outgoing internal connections
Overpass the hash
Process was initiated by a malicious packed binary
Packed Process
T1045 - Software Packing : Packed process suspicion
Parent process and creator process mismatch (ATT&CK: Defense Evasion)
Parent from removable device
Parent of PowerShell running JS
Parent process
T1091 - Replication Through Removable Media : Parent running from removable device
Parent process name
Parent process not executed by administrator user
T1502 - Parent PID Spoofing : Parent Process Does Not Match Hierarchy
Parent process not executed by system user
Process executed by PsExec
Client interactions as Pass the Hash
Server interactions as Pass the Hash
T1201 - Password Policy Discovery : Password policy discovery (ATT&CK: Discovery - Password policy discovery)
Password policy discovery
Password policy discovery (ATT&CK: Discovery - Password policy discovery)
T1069 - Permission Groups Discovery : Permission Groups Discovery (ATT&CK: Reconnaissance)
T1048 - Exfiltration Over Alternative Protocol, T1105 - Remote File Copy : ftp suspicious activity
Obfuscated PowerShell command
Attempted file download by a PowerShell process (ATT&CK: Execution - PowerShell)
T1086 - PowerShell : PowerShell executed with invoked Cmdlet to execute a value stored as environment variable
Execution of the Invoke command by PowerShell
Power shell modules
PowerShell Commandline Has HKCU Registry Key
PowerShell downloader
PowerShell adds executable file to disk
PowerShell dropper behavior was detected
PowerShell Commandline Has Email Address
PowerShell with encoded command
T1064 - Scripting : Powershell executed by word process
PowerShell Executing Invoke Expression
PowerShell Commandline Has IP Address
PowerShell Commandline Has HKLM Registry Key
Loaded PowerShell Module
Privilege escalation tool execution
T1086 - PowerShell : Powerup execution suspicion
Privilege Escalation
Privilege Escalation to SYSTEM (ATT&CK: Privilege Escalation)
Privilege Escalation to Admin (ATT&CK: Privilege Escalation)
T1057 - Process Discovery : Process Discovery (ATT&CK: Reconnaissance)
Local process discovery
Process discovery (ATT&CK: Discovery)
Elevation of Privileges evidence (ATT&CK: Privilege Escalation)
Elevation of Privileges
Elevation of Privileges suspicion (ATT&CK: Privilege Escalation)
Attempt to execute malicious file
Process attempted to execute malicious file (ATT&CK: Execution)
Process prevented by App Control - Evidence
Malicious process prevented by App Control - Suspicion
Persistent modifications to devices’ file systems (ATT&CK: Defense Evasion, Persistence)
Persistent modifications to devices’ file systems
T1055 - Process Injection : Injection detection via memory activity
Has prevented modules
Ratio of process
Untrusted profile evidence (ATT&CK: Persistence)
Untrusted Profile
Untrusted profile suspicion (ATT&CK: Persistence)
Suspicious behavior similar to PowerShell Inveigh script
T1040 - Network Sniffing : Process exhibits behavior related to powershell Inveigh script
Remote Execution Process (PsExec)
An encoded payload was run using Python
Affected files
Ransomware auto blocking file hash
Suspended
Ransomware by file manipulation
Cybereason Threat Intelligence identified an executable as ransomware
Ransomware by shadow copy deletion
Ransomware classification modules
Ransomware Module
Ransomware module indications
Rare child process
Rare Extension
Rare Extension Type
Rare external connections
Rarely executed as a registry entry
Rare Non Default Resolver
Rare PE mismatch
Rare module not in loader db
Rare internal connections
Rare Listening Connection
Executed by local system user
Rare module registry entry
Rare execution not by local system user
Rare parent
Contains rare floating executable code
Rare process
Rare Process Run by Service
Rare remote addresses
Rare Service Running Process
Rare Unsigned For Company
Suspicious Cscript Java based malware
Connected to RDP Port (ATT&CK: Command And Control - Commonly Used Port, Standard Application Layer Protocol)
T1076 - Remote Desktop Protocol : Remote Desktop Protocol has been enabled (ATT&CK: Lateral Movement - Enable Remote Desktop Protocol)
RDP enabled
Remote Desktop Protocol enabled (ATT&CK: Lateral Movement - Enable Remote Desktop Protocol)
Suspicious executable was reflectively loaded
T1129 - Execution through Module Load : Blocklist executable loaded in memory
T1214 - Credentials in Registry : Registry credentials dump
reg.exe executed SAM registry dump
SECURITY Registry dump
reg.exe executed SYSTEM registry dump
reg.exe command line contains temporary folder
T1219 - Remote Access Tools : Suspicious reg.exe command line contains temporary folder
T1121 - Regsvcs/Regasm : Regasm has tried to uninstall a library (ATT&CK: Defense Evasion, Execution - Regsvcs/Regasm)
Registry key creation (ATT&CK: Persistence)
Registry key deletion (ATT&CK: Persistence or Defense Evasion)
Registry key modification (ATT&CK: Persistence)
T1121 - Regsvcs/Regasm : Regsvcs has tried to uninstall a library (ATT&CK: Defense Evasion, Execution - Regsvcs/Regasm)
T1076 - Remote Desktop Protocol : Remote Desktop Protocol has been started
T1076 - Remote Desktop Protocol, T1112 - Modify Registry : Remote Desktop Protocol Registry has Been Enabled
T1005 - Data from Local System : Querying local terminal service status
T1076 - Remote Desktop Protocol : Remote Desktop Protocol Service has Been Started
Remote Execution of PowerShell
T1021 - Remote Services : Remote Service Creation Evidence
T1021 - Remote Services : Remote Service Creation (ATT&CK: Lateral movement - Service Execution)
Remote session
T1018 - Remote System Discovery : Remote System Discovery (ATT&CK: Reconnaissance)
A process has been remotely created via the Win32_Product::Install WMI method (ATT&CK: Execution, Lateral Movement)
A suspicious process has been remotely created via the Win32_Product::Install WMI method (ATT&CK: Execution, Lateral Movement)
A service has been remotely started via the Win32_BaseService::Start WMI method (ATT&CK: Execution, Lateral Movement)
Well-known Windows executable renamed (ATT&CK: Defense Evasion)
Well-known Microsoft Windows executable was renamed for defense evasion purposes (ATT&CK: Defense Evasion)
Resolved DNS queries from domain to domain
Resolved DNS queries from domain to IP
Resolved DNS queries from IP to Domain
Hidden by a rootkit
Connected to RPC Port (ATT&CK: Command And Control - Commonly Used Port, Standard Application Layer Protocol)
Msrpc requests
Running from temporary folder
ARP scan evidence (ATT&CK: Discovery)
ARP scan (ATT&CK: Discovery)
IP scan evidence
IP scan
TCP scan evidence (ATT&CK: Discovery)
TCP scan (ATT&CK: Discovery)
UDP scan evidence (ATT&CK: Discovery)
UDP scan (ATT&CK: Discovery)
T1046 - Network Service Scanning : Scanning activity
Scheduled task
T1053 - Scheduled Task : Scheduled Tasks as system (ATT&CK: Persistence)
T1053 - Scheduled Task : Scheduled Tasks discovery (ATT&CK: Reconnaissance)
Local scheduled tasks discovery
Scheduled tasks discovery (ATT&CK: Discovery - Scheduled Task Discovery)
T1053 - Scheduled Task : Scheduled Tasks reboot persistence (ATT&CK: Persistence)
Screen Saver Not Executed By Explorer
T1015 - Accessibility Features : Screen Saver With Children
Search for files containing passwords evidence
Search for files containing passwords (ATT&CK: Credential Access - Credentials in Files)
Seen Creation
Interactions with process as server
T1035 - Service Execution : Service started (ATT&CK: Execution - Service Execution)
Service started (ATT&CK: Execution - Service Execution)
T1050 - New Service : Service Process
Service without service host
T1007 - System Service Discovery : System services discovery (ATT&CK: Discovery - System Services Discovery)
System services discovery
System services discovery (ATT&CK: Discovery - System Services Discovery)
T1059 - Command-Line Interface : Running Injected code by shell
T1064 - Scripting : Shell with an unexpected parent
T1203 - Exploitation for Client Execution : Shell with an unexpected parent
Process renamed a shell process image file
T1203 - Exploitation for Client Execution : Shell with elevated privileges
Shell With Elevated Privileges
T1490 - Inhibit System Recovery : Shell Executing VSSAdmin Delete Shadows
T1055 - Process Injection : Floating code was found in the process
T1055 - Process Injection : Process memory contains shellcode
The process contains shellcode
T1055 - Process Injection : A remote process injected shellcode into the victim process
T1055 - Process Injection : The process injected shellcode
This process injected shellcode into the victim process
Shellcode Execution
Cscript running files from temporary folder
Sideloaded apps evidence (ATT&CK: Initial Access)
Sideloaded apps
Sideloaded apps (ATT&CK: Initial Access)
T1218 - Signed Binary Proxy Execution : Signed OS process not in original location
Significant File
Site Insight - link tapped
Site Insight - link visited evidence (ATT&CK: Initial Access)
Site Insight - link visited (ATT&CK: Initial Access)
Connected to SMTP Port (ATT&CK: Command And Control - Commonly Used Port, Standard Application Layer Protocol)
Indicates there is evidence that this process connects to an outgoing SSH port
Process created autorun file
Sticky keys images renamed
Suspicious file renamed for login bypass
Attempt to stop or disable the Cybereason service
T1063 - Security Software Discovery : Attempt to stop or disable the Cybereason service
Suspended anti virus evidence
T1015 - Accessibility Features : Suspicions Screen Saver
suspicious powershell commands were identified
Suspicious Domain-to-Domain DNS queries
Suspicious external connections
Malicious Injected Code
Suspicious internal connections
Has suspicious mail connections
Suspicious Screen Saver
Image file has a suspicious signature
T1086 - PowerShell : Suspicious use of PowerShell
T1035 - Service Execution : svchost loaded by new parent process
0 - svchost is not loaded directly by SCM
T1035 - Service Execution : svchost host loaded by unsigned parent process
T1082 - System Information Discovery : System information discovery
System information discovery
System information reconnaissance (ATT&CK: Discovery - System Information Discovery)
T1016 - System Network Configuration Discovery : System Network Configuration Discovery
T1049 - System Network Connections Discovery : System Network Connections Discovery (ATT&CK: Reconnaissance)
System network connections discovery
System network connections discovery (ATT&CK: Reconnaissance)
T1033 - System Owner/User Discovery : System Owner/User Discovery
T1124 - System Time Discovery : System time discovery (ATT&CK: Discovery - System Time Discovery)
System user
System Tampering (ATT&CK: Defense Evasion, Persistence)
System Tampering
Consumed API
Number of threads
Device connected to threat map evidence (ATT&CK: Network Effects)
Device connected to threat map (ATT&CK: Network Effects)
Threat map nearby
Thread ID
T1127 - Trusted Developer Utilities : application with unusual network connection (ATT&CK: Defense Evasion, Execution - Trusted Developer Utilities)
Number of instances
Total number of connections
Bypass UAC through registry modification (ATT&CK: Defense Evasion)
UNC path
UNC Command Path
Uncommon System Volume Information execution path
Suspicious System Volume Information execution path (ATT&CK: Defense Evasion, Persistence - Hidden Files and Directories)
cmstp.exe loaded scrobj.dll module
T1191 - CMSTP : cmstp.exe abused to execute arbitrary code (ATT&CK: Defense Evasion, Execution - CMSTP)
rundll32.exe uncommon execution evidence
T1085 - Rundll32, T1050 - New Service : rundll32.exe OS process abuse (ATT&CK: Command and Control, Lateral Movement - Remote File Copy)
Unexpected AuditObject access by a PowerShell automation process (ATT&CK: Credential Access, Execution - PowerShell)
T1003 - Credential Dumping : Audit object access evidence
T1003 - Credential Dumping : Audit object access lsass evidence
One of the Windows credential resources was accessed by a shell process
T1003 - Credential Dumping, T1081 - Credentials in Files : Audit object access NTDS file evidence
T1003 - Credential Dumping, T1081 - Credentials in Files : Audit object access NTDS file via shadow copy evidence
T1003 - Credential Dumping, T1081 - Credentials in Files : Audit object access SAM file evidence
T1003 - Credential Dumping, T1081 - Credentials in Files : Audit object access SAM file via shadow copy evidence
T1214 - Credentials in Registry : Audit object access SAM key evidence
T1003 - Credential Dumping, T1081 - Credentials in Files, T1214 - Credentials in Registry : Unexpected AuditObject Access of a shell process
Unexpected AuditObject Access of Unknown Process (ATT&CK: Credential Access)
Unexpected AuditObject Access of Unsigned Process (ATT&CK: Credential Access)
Unexpected AuditObject Access of Unsigned and Unknown Process Suspicion (ATT&CK: Credential Access)
Unexpected behaviour from service host
Process Image with Unknown Classification Injecting or Running Injected code
Process with unknown reputation
Unsigned and unknown by a company that normally signs
Unsigned and Unknown With Well Known Port Connections
Unknown Unsigned With Suspicious Extension
Unresolved domain DNS lookups
Unresolved IP DNS lookups
Blocklist unresolved domain DNS queries
Suspicious Unresolved Domain DNS queries
Unresolved DNS Queries from Non-existent Record
Unsecured WiFi Network (ATT&CK: Network Effects)
Signed and Unsigned Modules
Unsigned file with a signed version
Unsigned with a signed version modules
Cybereason Threat Intelligence identified an Unwanted Executable
Unwanted classification modules
Potentially Unwanted Program Module
T1129 - Execution through Module Load : Unwanted module indications
T1490 - Inhibit System Recovery : VSSAdmin Delete Shadows
T1107 - File Deletion : wbadmin.exe deleted the backup catalog evidence
Backup catalog deletion
T1107 - File Deletion : wbadmin.exe deleted the backup catalog (ATT&CK: Defense Evasion - File Deletion)
T1100 - Web Shell : Web shell evidence
Well Known Port External Connections
T1028 - Windows Remote Management : WinRM code execution (ATT&CK: Execution, Lateral Movement - Windows Remote Management)
WMI Activities
Wmi client machine
Wmi client pid
Wmi is local
Wmi operation
WMI Persistent objects
WMI Persistent Objects Activities
WMI Query objects
WMI Query Objects Activities
WMI Queries
Process created remotely by WMI (ATT&CK: Lateral Movement)
Possibly malicious process created remotely by WMI
Suspicious process created remotely by WMI (ATT&CK: Lateral Movement)
A suspicious service has been remotely started via the Win32_BaseService::Start WMI method (ATT&CK: Execution, Lateral Movement)
T1047 - Windows Management Instrumentation : WMIC Delete Shadows
xcopy running file from temporary folder
Suspicious instance of Xcopy running file from a temporary folder (ATT&CK: Command and Control - Remote Access Tools)
injected
injector
module
Discovery type
Proxy name
URL of the PAC
Port
address
extendedInfo
minionHostInfo
minionInfo
ownerMachine
Quarantine time
fileHash
Quarantine file status
Requester
Key
Data
First seen
Registry data type
Registry entry type
Registry operation type
Registry path
Registry process
Last seen
Authentication protocol
Client
Client logon session
Client user
User and remote machine
Pass the Ticket
Unauthorized credential usage (ATT&CK: Lateral Movement - Pass the Ticket)
Resource type
Server
Server logon session
domainToDomain
ownerProcess
resolver
domainToIp
Multiple Addresses For Domain
ipToDomain
Resource
Resource name
Role
Role name
Author
Scheduled task name
Enabled
Scheduled task actions
Time of last run
Last modified by
Task state
Binary file
Binary file was changed
Command line arguments
Driver
Is active
Is Auto Restart
Is system process
Service name
Is new server
Last binary file
Last Service Start User
T1035 - Service Execution : Microsoft PsExec Service
T1035 - Service Execution : Rare Active Service
T1035 - Service Execution : Rare Disable Service
T1035 - Service Execution : Rare Service
T1035 - Service Execution : Rare Start Type
Service start user
Service start name was changed
Service state
Service sub-state
Service type
Start type
File Path
Suspicion of %s
domain
Domain Not Exists
resolvers
ipAddress
Associated domain
User Canonical Name
Country
User creation time
User display name
Logon name
Email address
Member of
Primary group ID
SAM account name
Active Directory SID
Active Directory text country
Title
Comment
Scheduled tasks created
detection events
Domain
Downloaded processes count
Domain\User Name
Associated email addresses
Has malicious process
Using power tool
Has unusual process with external connections
Running suspicious process
Launched suspicious process outside normal hours
High Number of Machines
Irregular time of day activity
Is admin
Local system
Is System or Root
New IT Tool For User
New process count
Number of machines
Last Machine Logged in to
Password age in days
Privileges
User to Admin
Rare processes with external connection
Running malicious process
Running IT Tool
Running Rare Process With External Connections
T1078 - Valid Accounts : Trespassing user by suspicious activity
Scheduled tasks modified
User name
UserIdentity
Client Ip
Client Machine
Client Pid
Client Process
WMI activity name
Executed Processes
Is local
WMI Persistent Object
Server Owner Process
Server User
WMI Class
WMI Queries single string
WMI Query Object
Client IP Address
Client Network Machine
Consumer Action
Consumer File Path
Consumer Image File
Consumer Name
Creating process
Filter Name
Filter Query
Persistent type
WMI Activity
Query
Query time
Query type
Note
If you have created custom detection rules, the values for these custom rules are not included in the list above.