Alert Types That Use the Windows Index
The Alert Types listed below use the Windows Index . For a list of Alert Types by each index or XDR Kill Chain stage, or for a general overview, refer to Machine Learning and Analytics Overview.
To minimize excessive alerting, each alert type is triggered only once in a 24-hour period for the set of attributes that triggered that specific alert.
Where applicable, the Tactics and Techniques are linked to the relevant MITRE | ATT&CK page.
Stellar Cyber also provides an interactive tool that lets you look up alert types by data source, alert name, event type, or source index.
- Abnormal Parent / Child Process
- Backup Catalogs Deleted by Ransomware
- Bad Reputation Login
- Command Anomaly
- Encoded PowerShell
- External Account Login Failure Anomaly
- External Brute-Forced Successful User Login
- External Credential Stuffing
- External Password Spraying
- External RDP BlueKeep
- External RDP Suspicious Outbound
- External User Login Failure Anomaly
- Hydra Password Guessing Hack Tool
- Impossible Travel Anomaly
- Internal Account Login Failure Anomaly
- Internal Brute-Forced Successful User Login
- Internal Credential Stuffing
- Internal Password Spraying
- Internal RDP BlueKeep
- Internal RDP Suspicious Outbound
- Internal User Login Failure Anomaly
- Login Time Anomaly
- Malware on Disk
- Microsoft Entra Application Configuration Changes
- Microsoft Entra Application Permission Changes
- Microsoft Entra Apps Modified to Allow Multi-Tenant Access
- Microsoft Entra BitLocker Key Retrieval
- Microsoft Entra Changes to Conditional Access Policy
- Microsoft Entra Changes to Device Registration Policy
- Microsoft Entra Changes to Privileged Account
- Microsoft Entra Changes to Privileged Role Assignment
- Microsoft Entra Custom Domains Changed
- Microsoft Entra Federation Modified
- Microsoft Entra Guest User Invited by Non-Approved Inviters
- Microsoft Entra ID Discovery Using AzureHound
- Microsoft Entra PIM Setting Changed
- Microsoft Entra Privileged Account Assignment or Elevation
- Microsoft Entra Sign-in Failure
- Microsoft Entra Suspicious Sign-in Activity
- Microsoft Entra Unusual Account Creation
- Mimikatz Credential Dump
- Mimikatz DCSync
- Office 365 Admin Audit Logging Disabled
- Office 365 Content Filter Policy Changed
- Office 365 Malware Filter Policy Changed
- Office 365 Multiple Files Restored
- Office 365 Multiple Users Deleted
- Office 365 Network Security Configuration Changed
- Office 365 Password Policy Changed
- Office 365 Sharing Policy Changed
- Office 365 User Network Admin Changed
- Password Cracking with Hashcat
- Password Resets Anomaly
- Password Spraying Attempts with DSACLS
- Potentially Malicious Windows Event
- PowerShell Remote Access
- Process Anomaly
- RDP Port Opening
- RDP Registry Modification
- RDP Reverse Tunnel
- RDP Session Hijacking
- RDP Settings Hijacking
- RDP Suspicious Logon
- RDP Suspicious Logon Attempt
- Sensitive Windows Active Directory Attribute Modification
- Sensitive Windows Network Share File or Folder Accessed
- SMB Impacket Lateralization
- SMB Specific Service Installation
- SMB Suspicious Copy
- Steal or Forge Kerberos Tickets
- Suspicious Access Attempt to Windows Object
- Suspicious Activity Related to Security-Enabled Group
- Suspicious Connection to Another Process
- Suspicious Handle Request to Sensitive Object
- Suspicious LSASS Process Access
- Suspicious Powershell Script
- Suspicious Process Creation Commandline
- Suspicious Windows Active Directory Operation
- Suspicious Windows Logon Event
- Suspicious Windows Network Connection
- Suspicious Windows Process Creation
- Suspicious Windows Registry Event: Impact
- Suspicious Windows Registry Event: Persistence
- Suspicious Windows Service Installation
- Uncommon Process Anomaly
- User Asset Access Anomaly
- User Login Location Anomaly
- User Process Usage Anomaly
- Volume Shadow Copy Deletion via VssAdmin
- Volume Shadow Copy Deletion via WMIC
Abnormal Parent / Child Process
A process that typically launches a small, consistent number of child processes has launched a new child process. Investigate the new child process or the parent process to see if it is benign.
This alert type has the following subtype categories:
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: XDR EBA (XTA0001)
-
Technique: XDR Process Relationship Anomaly (XT1002)
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is parent_child
.
Severity
25
Alert Subtype: Machine Learning Anomaly Detection
The xdr_event.subtype.name
for this alert subtype in the Interflow data is machine_learning_anomaly_detection
.
Key Fields and Relevant Data Points
process_name
— name of the processparent_proc_name
— name of the parent processhostip
— host IP addresshostip_host
— host namestability
— score measuring the time since the parent process launched the last child processdiversity
— score measuring the number of child processes that the parent process spawneddays_stable
— time since the parent process launched the last child processchild_count
— number of child processes that the parent process spawned
Use Case with Data Points
Each pair of parent/child processes (parent_proc_name
and process_name
) is examined periodically. If a parent process (parent_proc_name
) with a small number of child processes (diversity
, child_count
) has not launched a new child process (process_name
) for a long time (stability
, days_stable
) launches a new child process from a host (srcip_host
), an alert is triggered.
Alert Subtype: Rule Based Detection
The Parent/Child Suspicious Process Creation rules are used to identify suspicious activity with parent/child relationships associated with process creation. Any one or more of these will trigger the Parent/Child Suspicious Process Creation alert types.
Key Fields and Relevant Data Points
hostip
— host IP addresshostip_host
— host namestellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Parent/Child Suspicious Process Creation Alert Type
Backup Catalogs Deleted by Ransomware
The wbadmin.exe
utility was used to delete the backup catalog. Ransomware and other malware do this to prevent system recovery. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Defense Evasion (TA0005 )
-
Technique: Indicator Removal on Host (T1070 )
-
Tags: [Malware; Ransomware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is ransomware_delete_backup_catalogs
.
Severity
80
Key Fields and Relevant Data Points
hostip
— IP address of the host on which the ransomware action happenedhostip_host
— host nameprocess_name
— name of the executed processevent_data.CommandLine
— command that was executed to delete the backup catalog
Use Case with Data Points
If wbadmin.exe
is used to delete the backup catalog, an alert is triggered. The Interflow includes the host IP address (hostip
), process name (process_name
), and command line (event_data.CommandLine
).
Bad Reputation Login
A successful login was observed from an IP address with a history of malicious activity. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR NBA (XTA0002)
-
Technique: XDR Bad Reputation (XT2010)
-
Tags: [External]
Event Name
The xdr_event.name
for this alert type in the Interflow data is bad_reputation_login
.
Severity
50
Key Fields and Relevant Data Points
srcip
— source IP addresssrcip_host
— source host namesrcip_reputation
— source reputationsource_geo.countryName
— source countrydstip_host
— destination host namelogin_type
— type of loginusername
— user name
Use Case with Data Points
The login records are checked for every source IP address (srcip
). If a source IP address has successful login records and its reputation (srcip_reputation
) is bad (except brute-forcer and scanner), an alert is triggered. A sample Interflow includes source IP address (srcip
), source host (srcip_host
), source reputation (srcip_reputation
), source country (srcip_geo.countryName
), login type (login_type
), and user name (username
).
Command Anomaly
A command has been executed an anomalously large number of times compared to its typical executions or those of other commands. Investigate the command and the user to determine if this is expected.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Execution (TA0002 )
-
Technique: Command and Scripting Interpreter (T1059 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is command_anomaly
.
Severity
15
Key Fields and Relevant Data Points
command
— command executedactual
— actual number of executions in the periodtypical
— typical number of executions in the periodcwd
— current working directory from which the command executedhostip
— host from which the command was runhostip_host
— host nameusername
— user name who ran the command
Use Case with Data Points
The number of times a command (command
) has been executed is calculated periodically. If the volume (actual
) is much larger than the typical volume (typical
) of the command or other commands in any period, an alert is triggered. The Interflow includes the directory from which the command was executed (cwd
), the host and source IP addresses (hostip
and srcip
) from which the command was executed, and the name of the user who ran the command (username
).
Encoded PowerShell
A Windows host executed an encoded PowerShell script. Investigate the script contents to see if it is malicious. If so, consider quarantining the host.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Execution (TA0002 )
-
Technique: Command and Scripting Interpreter (T1059 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is encoded_powershell
.
Severity
80
Key Fields and Relevant Data Points
srcip
— source IP addresshostip
— IP address of the Windows hosthostip_host
— host nameevent_data.ContextInfo
— PowerShell script contextevent_data.Payload
— PowerShell script payload
Use Case with Data Points
If a Windows host (srcip
) executes a PowerShell script whose context (event_data.ContextInfo
) includes flags that indicate encoding or obfuscation of the script, an alert is triggered. The Interflow includes the IP address of the Windows host (srcip
), the script context (event_data.ContextInfo
), and script payload (event_data.Payload
).
External Account Login Failure Anomaly
An anomalously large number of user login failures was observed for an account. Check with the user.
This alert type has the following subtypes:
This alert type has a detection delay for on-time records while maintaining detection coverage for high latency data sources. High latency data will have a detection delay corresponding to their amount of latency.
The expected detection delay is 5-10 minutes, although it could be longer when there is an ingestion delay. Sources without ingestion delays will get their alerts between 5 and 10 minutes after ingestion.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [External]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_cloud_account_login_failure
.
Severity
45
Key Fields and Relevant Data Points
srcip_usersid
— cloud account user IDscrip_username
— cloud account user nameevent_summary.total_failed
— number of failed logins in the periodevent_summary.total_successful
— number of successful logins in the periodevent_summary.total_fail_ratio
— percent of failed logins in the period, which is:event_summary.total_failed
/ (event_summary.total_failed
+event_summary.total_successful
)weighted_anomaly_score
— net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.srcip_host
— host name of corresponding source IP addresslogin_type
— type of loginsrcip_reputation
— source reputation
Use Case with Data Points
Login failures and successes are calculated periodically for every account (srcip_usersid
). If the number of failures is significantly larger than the number of successes, an alert is triggered. A sample Interflow includes the login type (login_type
), source host (srcip_host
), and source reputation (srcip_reputation
).
Alert Subtype: Office 365 / Entra ID
The Office 365 / Entra ID alert subtype is the same as the External Account Login Failure Anomaly alert type above, with the following differences:
-
The subtype is for data sources from Office 365 and Microsoft Entra ID (formerly Azure AD).
-
The
xdr_event.subtype.name
for this alert subtype in the Interflow data isexternal_cloud_account_login_failure_o365_azure
.
Alert Subtype: Windows Security Events
The Windows Security Events alert subtype is the same as the External Account Login Failure Anomaly alert type above, with the following differences:
-
The subtype is for data sources from all Windows security events.
-
The
xdr_event.subtype.name
for this alert subtype in the Interflow data isexternal_cloud_account_login_failure_windows
.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External Brute-Forced Successful User Login
A successful login was observed from an IP address that had previously seen a large number of login failures, or a successful login to a user account was observed from another IP address or IP addresses that had previously seen a large number of login failures to that account. Check with the user.
This alert type has the following subtypes:
This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [External]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_user_success_brute_forcer
.
Severity
90
Alert Subtype: Source IP Based
The source IP-based alert subtype has the same XDR Kill Chain as the user ID-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points.
The xdr_event.subtype.name
for this alert subtype in the Interflow data is external_user_success_brute_forcer_srcip
.
Key Fields and Relevant Data Points
srcip
— source IP addresssrcip_usersid
— Windows SID associated with the source IP addresssrcip_host
— source host namesrcip_reputation
— source reputationsource_geo.countryName
— source countrydstip_host
— destination host namelogin_type
— type of loginusername
— user namerelated_alert._id
— link to the related External User Login Failure Anomaly
Use Case with Data Points
The login records are checked for every external source IP address (srcip
). An alert is triggered if that IP address:
- Has so many failed login attempts that it triggered the External User Login Failure Anomaly, and
- Had a successful login
A sample Interflow includes the source IP address (srcip
), login type (login_type
), source host (srcip_host
), source reputation (srcip_reputation
), source country (srcip_geo.countryName
), and user name (username
).
The user ID-based alert subtype has the same XDR Kill Chain as the source IP-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points.
The xdr_event.subtype.name
for this alert subtype in the Interflow data is external_user_success_brute_forcer_srcip_usersid
.
Key Fields and Relevant Data Points
srcip_usersid
— Windows SID associated with the source IP addresssrcip
— source IP addresssrcip_host
— source host namesrcip_reputation
— source reputationsource_geo.countryName
— source countrydstip_host
— destination host namelogin_type
— type of loginusername
— user namerelated_alert._id
— link to the related External Account Login Failure Anomaly
Use Case with Data Points
The login records to a user account (srcip_usersid
) are checked for every external source IP address (srcip
). An alert is triggered if that user account:
-
Has so many failed login attempts that it triggered the External Account Login Failure Anomaly, and
-
Had a successful login
A sample Interflow includes the source IP address (srcip
), login type (login_type
), source host (srcip_host
), source reputation (srcip_reputation
), source country (srcip_geo.countryName
), and user name (username
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External Credential Stuffing
An anomalously large amount of username/password testing was observed on AWS, Okta, or Windows. Check the activity after successful logins, and consider blocking the source IP addresses.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [External]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_credential_stuffing
.
Severity
50
Key Fields and Relevant Data Points
msg_class
— name of the service:cloudtrail
for AWS,okta
for Okta,Microsoft-Windows-Security-Auditing
for Windowsservice_id
— specific account ID of a servicelogin_failure_rate
— rate of login failures per minute in the periodunknown_users_rate
— rate of unknown user names per minute in the periodunknown_users_to_login_failures
— ratio of unknown user names to login failures in the periodsuspicious_ips
— suspicious source IP addresses (up to 100)possible_breached_ips
— list of malicious IPs that may have successful breach activities
Use Case with Data Points
External credential stuffing is the constant testing of username/password combinations on the AWS, Okta, or Windows authentication functions. Login activity is monitored and if the number of failed logins is larger than normal for that service, an alert is triggered. The Interflow includes the service (msg_class
), tenant's account ID on that service (service_id
), suspicious source IP address (suspicious_ips
), login failure rate (login_failure_rate
), unknown user rate (unknown_users_rate
), the ratio of unknown users to login failures (unknown_users_to_login_failures
), and a list of source IP addresses that might have suspicious activities and should be investigated (possible_breached_ips
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External Password Spraying
.An anomalously large number of failed logins with unknown user names was observed on external Windows authentication services. Check the activity after successful logins, and consider blocking the source IP addresses.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Sub-technique: Password Spraying (T1110.003 )
-
Tags: [External]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_password_spray
.
Severity
50
Key Fields and Relevant Data Points
srcip
— source IP address generating a failed loginor
event_data.Workstation
— workstation generating a failed loginThe key field for this alert type can be either
srcip
orevent_data.Workstation
, depending on the data feed.srcip_host
— source host nameevent_id
— Windows event ID corresponding to the login failureslogin_type
— type of login protocol; the available values vary byevent_id
actual
— actual number of failed logins with unknown user names in a 5-minute periodtypical
— typical number of failed logins with unknown user names in a 5-minute periodpassword_spray_user_summary
— list of up to 100 unknown user names associated with the failed logins (the first three are shown in the alert description)
Use Case with Data Points
If a potential password spraying attack is observed, an alert is triggered. The Interflow includes a source (srcip
or event_data.Workstation
), timestamp, the type of login (login_type
), the number of failed logins (actual
), the usual number of failed logins (typical
), and a sampling of the user names used in the attack (password_spray_user_summary
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External RDP BlueKeep
Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to BlueKeep (CVE-2019-0708) has been observed. Check the IP address and block if necessary.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [External] Privilege Escalation (TA0004 )
-
Technique: Exploitation for Privilege Escalation (T1068 )
-
Tags: [External; RDP]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_rdp_bluekeep
.
Severity
80
Key Fields and Relevant Data Points
ids.signature
— IDS signaturesrcip_host
— source host namedstip_host
— destination host name
Use Case with Data Points
If the scanner by zerosum0x0 is used, an alert is triggered. A sample Interflow includes the IDS signature (ids.signature
), source host (srcip_host
), and destination host (dstip_host
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External RDP Suspicious Outbound
Non-standard tools connecting to TCP port 3389 were observed. This could indicate lateral movement attempting to establish an RDP connection. Check the IP address and block if necessary.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR NBA (XTA0002)
-
Technique: XDR App Anomaly (XT2003)
-
Tags: [External; RDP]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_rdp_suspicious_outbound
.
Severity
60
Key Fields and Relevant Data Points
srcip
— source IP address of the host that connects to TCP port 3389 with a non-standard toolsrcip_host
— source host nameprocess_name
— process name
Use Case with Data Points
Connections to TCP port 3389 are monitored, and if non-standard tools connect, an alert is triggered. A sample Interflow includes the source IP address (srcip
) and the process name (process_name
). The following are the standard tools:
- mstsc.exe
- RTSApp.exe
- RTS2App.exe
- RDCMan.exe
- ws_TunnelService.exe
- RSSensor.exe
- RemoteDesktopManagerFree.exe
- RemoteDesktopManager.exe
- RemoteDesktopManager64.exe
- mRemoteNG.exe
- mRemote.exe
- Terminals.exe
- spiceworks-finder.exe
- FSDiscovery.exe
- FSAssessment.exe
- MobaRTE.exe
- chrome.exe
- thor.exe
- thor64.exe
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External User Login Failure Anomaly
An anomalous number of login failures was observed for one of the following applications: SSH, SMTP, FTP, RDP, SMB, databases, Active Directory, Office 365, Okta, AWS CloudTrail, or Google Workspace. For Okta, an anomalous number of multi-factor authentication (MFA) failures was observed. Check with the user.
This alert type has the following subtypes:
This alert type has a detection delay for on-time records while maintaining detection coverage for high latency data sources. High latency data will have a detection delay corresponding to their amount of latency.
The expected detection delay is 5-10 minutes, although it could be longer when there is an ingestion delay. Sources without ingestion delays will get their alerts between 5 and 10 minutes after ingestion.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [External]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_user_login_fail
.
Severity
30
Key Fields and Relevant Data Points
srcip
— source IP addressdstip
— destination IP addressdstip_host
— destination host nameevent_summary.total_failed
— number of failed logins in the periodevent_summary.total_successful
— number of successful logins in the periodevent_summary.total_fail_ratio
— percent of failed logins in the period, which is:event_summary.total_failed
/ (event_summary.total_failed
+event_summary.total_successful
)weighted_anomaly_score
— net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.login_type
— type of login, such asssh_traffic
,okta_log
, oraws_cloudtrail
srcip_host
— source host namesrcip_reputation
— source reputation
Use Case with Data Points
Login failures and successes are calculated periodically for every source (srcip
) and destination (dstip
) IP address. If the number of failures is significantly larger than the number of successes, an alert is triggered. The Interflow includes the login type (login_type
), source host (srcip_host
), and source reputation (srcip_reputation
).
Alert Subtype: Office 365 / Entra ID
The Office 365 / Entra ID alert subtype is the same as the External User Login Failure Anomaly alert type above, with the following differences:
-
The subtype is for data sources from Office 365 and Microsoft Entra ID (formerly Azure AD).
-
The
xdr_event.subtype.name
for this alert subtype in the Interflow data isexternal_user_login_fail_o365_azure
.
Alert Subtype: Source IP Based
The Source IP-based alert subtype is the same as the External User Login Failure Anomaly alert type above, with the following differences:
-
The subtype is for data sources from network traffic, system logs, Linux events, and AWS events.
-
The
xdr_event.subtype.name
for this alert subtype in the Interflow data isexternal_user_login_fail_srcip
.
Alert Subtype: Destination IP Based
The Destination IP-based alert subtype is the same as the External User Login Failure Anomaly alert type above, with the following differences:
-
The subtype is for data sources from network traffic, system logs, Linux events, and AWS events.
-
The
xdr_event.subtype.name
for this alert subtype in the Interflow data isexternal_user_login_fail_dstip
.
Alert Subtype: Kerberos Events
The Kerberos Events alert subtype is the same as the External User Login Failure Anomaly alert type above, with the following differences:
-
The subtype is for data sources from Kerberos events.
-
The
xdr_event.subtype.name
for this alert subtype in the Interflow data isexternal_user_login_fail_kerberos
.
Alert Subtype: Source IP Based Windows Logon Events
The Source IP-based Windows Logon Events alert subtype is the same as the External User Login Failure Anomaly alert type above, with the following differences:
-
The subtype is for data sources from Windows logon events.
-
The
xdr_event.subtype.name
for this alert subtype in the Interflow data isexternal_user_login_fail_src_win_logon
.
Alert Subtype: Destination IP Based Windows Logon Events
The Destination IP-based Windows Logon Events alert subtype is the same as the External User Login Failure Anomaly alert type above, with the following differences:
-
The subtype is for data sources from Windows logon events.
-
The
xdr_event.subtype.name
for this alert subtype in the Interflow data isexternal_user_login_fail_dst_win_logon
.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Hydra Password Guessing Hack Tool
A user on a Windows host executed a command-line script that launched either the hydra.exe command or a command using known Hydra style parameters, which may be an inappropriate use of the Hydra password guessing tool.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [Hydra]
Event Name
The xdr_event.name
for this alert type in the Interflow data is hydra_password_guessing_hack_tool
.
Severity
90
Key Fields and Relevant Data Points
hostip
— device internal IP addressevent_data.Image
— process running hydra.exe for password cracking.event_data.CommandLine
— command used to run the toolcomputer_name
— name of the Windows host
Use Case with Data Points
This alert is triggered if a Windows host (hostip
) executes a PowerShell script with a context that includes one or more flags (event_data.Image
or event_data.CommandLine
indicating usage of the Hydra password guessing hack tool. The Interflow includes the IP address of the Windows host (hostip
), the host name (computer_name
), and the script image (event_data.Image
) or script payload (event_data.CommandLine
).
Validation / Remediation
Check the body of the Powershell script that is reported on the Windows host to identify whether the contents of the script are actually malicious. If malicious, consider quarantining the host.
Potential False Positives
The running of any executable named hydra.exe
or a command that has parameters of -u
and -p
or ^user^
and ^pass^
triggers this alert.
Impossible Travel Anomaly
A user logged in from locations that are geographically impossible to travel between in the time frame. Check with the user.
This alert type has a detection delay for on-time records while maintaining detection coverage for high latency data sources. High latency data will have a detection delay corresponding to their amount of latency.
The expected detection delay is 5-10 minutes, although it could be longer when there is an ingestion delay. Sources without ingestion delays will get their alerts between 5 and 10 minutes after ingestion.
For the Impossible Travel Anomaly, there are two chances for ingestion delay, so the slowest of the two records will define the delay. This alert type is also sensitive to the order of user logins.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR UBA (XTA0004)
-
Technique: XDR Location Anomaly (XT2001)
-
Tags: [User Behavior Analytics]
Event Name
The xdr_event.name
for this alert type in the Interflow data is user_impossible_travel
.
Severity
60
Key Fields and Relevant Data Points
srcip_usersid
— key ID for the source usersrcip_username
— source user namesrcip
— source IP addresssrcip_host
— source host namesrcip_geo
— source IP address geo location, including latitude and longitudedistance_deviation
— deviation in distance (miles) between the two login locationstime_deviation
— deviation in time (seconds) between the two login eventstravel_speed
— calculated speed for the user to travel between the two location (miles/hour)appid_name
— application name for the login eventlast_login_time
— time of 2nd login, event 2 (E2)_id2
— ID of E2_index2
— index of E2srcip2
— source IP address of E2srcip_geo2
— source IP address geo location of E2, including latitude and longitudeengid_gateway
— gateway IP address, used to determine geo location when source IP address is private
Use Case with Data Points
Login events (E1 and E2) are examined for a user (srcip_usersid
), to see if the login locations (srcip_geo
and srcip_geo2
), that are at least 100 miles apart, changed faster (travel_speed
= distance_deviation
/time_deviation
) than possible with the typical commercial flight speed of 600 miles/hour.
E1 is the basis for the Interflow. The srcip_usersid
and srcip_username
identify the user, appid_name
identifies the application, and last_login_time
identifies the time when the 2nd login event happened. You can find detailed information about E2 by checking id2
in index2
, source IP (srcip2
), and geo location (srcip_geo2
).
Internal Account Login Failure Anomaly
An anomalously large number of login failures from an internal source IP address to an internal destination IP address was observed for an account. Check with the user.
This alert type has the following subtypes:
This alert type has a detection delay for on-time records while maintaining detection coverage for high latency data sources. High latency data will have a detection delay corresponding to their amount of latency.
The expected detection delay is 5-10 minutes, although it could be longer when there is an ingestion delay. Sources without ingestion delays will get their alerts between 5 and 10 minutes after ingestion.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [Internal]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_cloud_account_login_failure
.
Severity
60
Key Fields and Relevant Data Points
srcip_usersid
— account user IDor
-
srcip_username
— account user name, enriched fromevent_data.targetusername
The key field for this alert type can be either
srcip_usersid
orsrcip_username
, depending on the data feed. event_summary.total_failed
— number of failed logins in the periodevent_summary.total_successful
— number of successful logins in the periodevent_summary.total_fail_ratio
— percent of failed logins in the period, which is:event_summary.total_failed
/ (event_summary.total_failed
+event_summary.total_successful
)weighted_anomaly_score
— net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.srcip_host
— host name of corresponding source IP addresslogin_type
— type of loginsrcip_reputation
— source reputation
Use Case with Data Points
Login failures and successes between any internal IP addresses are calculated periodically for every account (srcip_usersid
). If the number of failures is significantly larger than the number of successes, an alert is triggered. A sample Interflow includes the login type (login_type
), source host (srcip_host
), and source reputation (srcip_reputation
).
Alert Subtype: Windows Logon Events
The Windows Logon Events alert subtype is the same as the Internal Account Login Failure Anomaly alert type above, with the following differences:
-
The subtype is for data sources from Windows logon events.
-
The
xdr_event.subtype.name
for this alert subtype in the Interflow data isinternal_cloud_account_login_failure_win_logon
.
Alert Subtype: Kerberos Events
The Kerberos Events alert subtype is the same as the Internal Account Login Failure Anomaly alert type above, with the following differences:
-
The subtype is for data sources from Kerberos events.
-
The
xdr_event.subtype.name
for this alert subtype in the Interflow data isinternal_cloud_account_login_failure_kerberos
.
The NTLM Events alert subtype is the same as the Internal Account Login Failure Anomaly alert type above, with the following differences:
-
The subtype is for data sources from NTLM events.
-
The
xdr_event.subtype.name
for this alert subtype in the Interflow data isinternal_cloud_account_login_failure_ntlm
.
Alert Subtype: Hibun Security Logs
The Hibun Security Logs alert subtype is the same as the Internal Account Login Failure Anomaly alert type above, with the following differences:
-
The subtype is for data sources from Hibun security logs.
-
The
xdr_event.subtype.name
for this alert subtype in the Interflow data isinternal_cloud_account_login_failure_hibun
.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal Brute-Forced Successful User Login
A successful login was observed from an IP address that had previously seen a large number of login failures, or a successful login to a user account was observed from another IP address or IP addresses that had previously seen a large number of login failures to that account. Check with the user.
This alert type has the following subtypes:
This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [Internal]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_user_success_brute_forcer
.
Severity
95
Alert Subtype: Source IP Based
The source IP-based alert subtype has the same XDR Kill Chain as the user ID-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points.
The xdr_event.subtype.name
for this alert subtype in the Interflow data is internal_user_success_brute_forcer_srcip_usersid
.
Key Fields and Relevant Data Points
srcip
— source IP addresssrcip_usersid
— Windows SID associated with the source IP addresssrcip_host
— source host namesrcip_reputation
— source reputationsource_geo.countryName
— source countrydstip_host
— destination host namelogin_type
— type of loginusername
— user namerelated_alert._id
— link to the related Internal User Login Failure Anomaly
Use Case with Data Points
The login records to an internal IP address (dstip
) are checked for every internal source IP address (srcip
). An alert is triggered if that IP address:
-
Has so many failed login attempts that it triggered the Internal User Login Failure Anomaly, and
-
Had a successful login
A sample Interflow includes the source IP address (srcip
), login type (login_type
), source host name (srcip_host
), source reputation (srcip_reputation
), source country (srcip_geo.countryName
), and user name (username
).
The user ID-based alert subtype has the same XDR Kill Chain as the source IP-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points.
The xdr_event.subtype.name
for this alert subtype in the Interflow data is internal_user_success_brute_forcer_srcip
.
Key Fields and Relevant Data Points
srcip
— source IP addresssrcip_usersid
— Windows SID associated with the source IP addresssrcip_host
— source host namesrcip_reputation
— source reputationsource_geo.countryName
— source countrydstip_host
— destination host namelogin_type
— type of loginusername
— user namerelated_alert._id
— link to the related Internal Account Login Failure Anomaly
Use Case with Data Points
The login records to a user account (srcip_usersid
) are checked for every internal source IP address (srcip
). An alert is triggered if that user account:
-
Has so many failed login attempts that it triggered the Internal Account Login Failure Anomaly, and
-
Had a successful login
A sample Interflow includes the source IP address (srcip
), login type (login_type
), source host name (srcip_host
), source reputation (srcip_reputation
), source country (srcip_geo.countryName
), and user name (username
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal Password Spraying
An anomalously large number of failed logins with unknown user names was observed on internal Windows authentication services. Check the activity after successful logins, and consider blocking the internal source IP addresses.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Sub-technique: Password Spraying (T1110.003 )
-
Tags: [Internal]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_password_spray
.
Severity
75
Key Fields and Relevant Data Points
srcip
— source IP address generating a failed loginor
event_data.Workstation
— workstation generating a failed loginThe key field for this alert type can be either
srcip
orevent_data.Workstation
, depending on the data feed.srcip_host
— source host nameevent_data.WorkstationName
— workstation associated with the alertingsrcip
(when applicable)event_id
— Windows event ID corresponding to the login failureslogin_type
— type of login protocol; the available values vary byevent_id
actual
— actual number of failed logins with unknown user names in a 5-minute periodtypical
— typical number of failed logins with unknown user names in a 5-minute periodpassword_spray_user_summary
— list of up to 100 unknown user names associated with the failed logins (the first three are shown in the alert description)
Use Case with Data Points
If a potential password spraying attack is observed, an alert is triggered. The Interflow includes a source (srcip
or event_data.Workstation
), timestamp, the type of login (login_type
), the number of failed logins (actual
), the usual number of failed logins (typical
), and a sampling of the user names used in the attack (password_spray_user_summary
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal Credential Stuffing
An anomalously large amount of username/password testing was observed on an internal Windows authentication service. Check the activity after successful logins, and consider blocking the internal source IP addresses.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [Internal]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_credential_stuffing
.
Severity
75
Key Fields and Relevant Data Points
msg_class
—Microsoft-Windows-Security-Auditing
for Windowsservice_id
— specific account ID of a servicelogin_failure_rate
— rate of login failures per minute in the periodunknown_users_rate
— rate of unknown user names per minute in the periodunknown_users_to_login_failures
— ratio of unknown user names to login failures in the periodsuspicious_ips
— suspicious source IP addresses (up to 100)possible_breached_ips
— list of malicious IP addresses that may have successful breach activities
Use Case with Data Points
Internal credential stuffing is the constant testing of username/password combinations on the AWS, Okta, or Windows authentication functions. Login activity is monitored and if the number of failed logins is larger than normal for that service, an alert is triggered. The Interflow includes the service (msg_class
), tenant's account ID on that service (service_id
), suspicious source IP address (suspicious_ips
), login failure rate (login_failure_rate
), unknown user rate (unknown_users_rate
), the ratio of unknown users to login failures (unknown_users_to_login_failures
), and a list of source IP addresses that might have suspicious activities and should be investigated (possible_breached_ips
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal RDP BlueKeep
The use of a scanner by zerosum0x0 that discovers targets vulnerable to BlueKeep (CVE-2019-0708) has been observed between internal hosts. Check the IP address and block if necessary.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Privilege Escalation (TA0004 )
-
Technique: Exploitation for Privilege Escalation (T1068 )
-
Tags: [Internal; RDP]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_rdp_bluekeep
.
Severity
90
Key Fields and Relevant Data Points
ids.signature
— IDS signaturesrcip_host
— source host namedstip_host
— destination host name
Use Case with Data Points
If the scanner by zerosum0x0 is used, an alert is triggered. A sample Interflow includes the IDS signature (ids.signature
), source host (srcip_host
), and destination host (dstip_host
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal RDP Suspicious Outbound
Non-standard tools from an internal host connecting to TCP port 3389 in the other internal host were observed. This could indicate lateral movement attempting to establish an RDP connection. Check the IP address and block if necessary.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Lateral Movement (TA0008)
-
Technique: Remote Services (T1021)
-
Tags: [Internal; RDP]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_rdp_suspicious_outbound
.
Severity
50
Key Fields and Relevant Data Points
srcip
— source IP address of the host that connects to TCP port 3389 with a non-standard toolsrcip_host
— source host nameprocess_name
— process name
Use Case with Data Points
Connections to TCP port 3389 are monitored, and if non-standard tools connect, an alert is triggered. A sample Interflow includes the source IP address (srcip
) and the process name (process_name
). The following are the standard tools:
- mstsc.exe
- RTSApp.exe
- RTS2App.exe
- RDCMan.exe
- ws_TunnelService.exe
- RSSensor.exe
- RemoteDesktopManagerFree.exe
- RemoteDesktopManager.exe
- RemoteDesktopManager64.exe
- mRemoteNG.exe
- mRemote.exe
- Terminals.exe
- spiceworks-finder.exe
- FSDiscovery.exe
- FSAssessment.exe
- MobaRTE.exe
- chrome.exe
- thor.exe
- thor64.exe
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal User Login Failure Anomaly
An anomalous number of login failures between internal IP addresses was observed for one of the following applications: SSH, SMTP, FTP, RDP, SMB, databases, Active Directory, Office 365, Okta, AWS CloudTrail, Google Workspace, Salesforce, or Microsoft Entra ID (formerly Azure Active Directory). Check with the user.
This alert type has the following subtypes:
This alert type has a detection delay for on-time records while maintaining detection coverage for high latency data sources. High latency data will have a detection delay corresponding to their amount of latency.
The expected detection delay is 5-10 minutes, although it could be longer when there is an ingestion delay. Sources without ingestion delays will get their alerts between 5 and 10 minutes after ingestion.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [Internal]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_user_login_fail
.
Severity
60
Key Fields and Relevant Data Points
srcip
— source IP addressservice_id
— source domain, workstation, organization, or servicedstip
— destination IP addressdstip_host
— destination host nameevent_summary.total_failed
— number of failed logins in the periodevent_summary.total_successful
— number of successful logins in the periodevent_summary.total_fail_ratio
— percent of failed logins in the period, which is:event_summary.total_failed
/ (event_summary.total_failed
+event_summary.total_successful
)weighted_anomaly_score
— net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.login_type
— type of login, such asssh_traffic
,okta_log
, oraws_cloudtrail
srcip_host
— source host namesrcip_reputation
— source reputation
Use Case with Data Points
Login failures and successes between internal IP addresses are calculated periodically for every source (srcip
) and destination (dstip
) IP address. If the number of failures is significantly larger than the number of successes, an alert is triggered. The Interflow includes the login type (login_type
), source host (srcip_host
), and source reputation (srcip_reputation
).
Alert Subtype: Source IP Based
The Source IP-based alert subtype is the same as the Internal User Login Failure Anomaly alert type above, with the following differences:
-
The subtype is for data sources from network traffic, system logs, Linux events, and AWS events.
-
The
xdr_event.subtype.name
for this alert subtype in the Interflow data isinternal_user_login_fail_srcip
.
Alert Subtype: Destination IP Based
The Destination IP-based alert subtype is the same as the Internal User Login Failure Anomaly alert type above, with the following differences:
-
The subtype is for data sources from network traffic, system logs, Linux events, and AWS events.
-
The
xdr_event.subtype.name
for this alert subtype in the Interflow data isinternal_user_login_fail_dstip
.
The NTLM Events alert subtype is the same as the Internal User Login Failure Anomaly alert type above, with the following differences:
-
The subtype is for data sources from NTLM events.
-
The
xdr_event.subtype.name
for this alert subtype in the Interflow data isinternal_user_login_fail_ntlm
.
Alert Subtype: Kerberos Events
The Kerberos Events alert subtype is the same as the Internal User Login Failure Anomaly alert type above, with the following differences:
-
The subtype is for data sources from Kerberos events.
-
The
xdr_event.subtype.name
for this alert subtype in the Interflow data isinternal_user_login_fail_kerberos
.
Alert Subtype: Windows Logon Events
The Windows Logon Events alert subtype is the same as the Internal User Login Failure Anomaly alert type above, with the following differences:
-
The subtype is for data sources from Windows Logon events.
-
The
xdr_event.subtype.name
for this alert subtype in the Interflow data isinternal_user_login_fail_win_logon
.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Login Time Anomaly
A user logged in at an abnormal time. Check with the user.
This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.
This alert type reads the System Timezone in Global Settings and puts the timezone into the alert descriptions. In Global Settings, set your timezone relative to UTC.
When a Login Time Anomaly occurs, the timezone is bound to the alert description with the following priorities:
-
The timezone inferred from
engid_gateway
takes precedence over the DP timezone, but only when it is present. Ifengid_gateway
is present, the description will use the timezone where the login actually happened. -
If
engid_gateway
is not present, the DP timezone setting is used.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR UBA (XTA0004)
-
Technique: XDR Time Anomaly (XT4005)
-
Tags: [External; User Behavior Analytics]
Event Name
The xdr_event.name
for this alert type in the Interflow data is user_login_time
.
Severity
40
Key Fields and Relevant Data Points
srcip_usersid
— key ID of the source useror
event_data.TargetUserName
— name of the user (Windows event)-
The key field for this alert type can be either
srcip_usersid
orevent_data.TargetUserName
, depending on the data feed. srcip_username
— source user namesrcip_host
— host name of corresponding source IP addresssrcip_geo.countryName
— source countryactual_range
— actual login time rangetypical_range
— typical login time range
Use Case with Data Points
Every user's (srcip_usersid
) login time (actual
) is compared to the typical login times (typical_range
). If it is outside the range, an alert is triggered. The Interflow includes information such as the source user name (srcip_username
), source host name (srcip_host
), and source country (srcip_geo.countryName
), as well as the destination host (dstip_host
).
Malware on Disk
Sophos is deprecated from this alert type as of the 5.2.0 release. It is replaced by Sophos alert integration.
Malicious software or a potentially unwanted application was found on a device and reported as not cleaned. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] XDR Malware (XTA0006)
-
Technique: XDR Miscellaneous Malware (XT6001)
-
Tags: [Internal; Malware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is malware_on_disk
.
Severity
90 (Windows Defender)
80 (Sophos)
Key Fields and Relevant Data Points
hostip
— IP address of the hostfile_path
— file pathcomputer_name
— computer namemalware_engine
— malware engine, can beSophos
orWindows Defender
group
— type of malwaretype
— status of malware
Use Case with Data Points
If either of the following occurs, an alert is triggered:
- Windows Defender indicates a failure or error when taking actions to protect the system
- Sophos engine indicates there is uncleaned malware
A sample Interflow includes the computer name (computer_name
), malware engine (malware_engine
), host IP address (hostip
), path to the file (file_path
), type of malware (group
, for Sophos), and status of the malware (type
, for Sophos).
Microsoft Entra Application Configuration Changes
The Microsoft Entra Application Configuration Changes rules are used to identify suspicious Microsoft Entra application configuration changes. Any one or more of these will trigger the Microsoft Entra Application Configuration Changes alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_application_configuration_changes
.
Key Fields and Relevant Data Points
initiatedBy.user.id
— user ID who initiated the activityinitiatedBy.app.servicePrincipalId
— application and Service Principal ID that initiated the activityuser.name
— user nameactivityDisplayName
— activity display namecategory
— activity categoryresult
— result of the activityresultReason
— result reason of the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra Application Configuration Changes Alert Type
Microsoft Entra Application Permission Changes
The Microsoft Entra Application Permission Changes rules are used to identify suspicious Microsoft Entra application permission changes. Any one or more of these will trigger the Microsoft Entra Application Permission Changes alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_application_permission_changes
.
Key Fields and Relevant Data Points
initiatedBy.user.id
— user ID who initiated the activityinitiatedBy.app.servicePrincipalId
— application and Service Principal ID that initiated the activityuser.name
— user nameactivityDisplayName
— activity display namecategory
— activity categoryresult
— result of the activityresultReason
— result reason of the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra Application Permission Changes Alert Type
Microsoft Entra Apps Modified to Allow Multi-Tenant Access
Microsoft Entra ID (formerly Azure Active Directory) observed an application being modified to allow multi-tenant access. Check with the organization to be sure this was expected.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Persistence (TA0003 )
-
Technique: Account Manipulation (T1098 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_ad_add_app_multitenant
.
Severity
75
Key Fields and Relevant Data Points
srcip_usersid
— user ID that modified the property changeactivityDisplayName
— description of the actiontargetResources.modifiedProperties.displayName
— properties that were changed
Use Case with Data Points
If Microsoft Entra ID detects any user (srcip_usersid
) changing an application to allow multi-tenant access, an alert is triggered. A sample Interflow includes the user ID (srcip_usersid
), activity name (activityDisplayName
), and name of the changed property (targetResources.modifiedProperties.displayName
).
Microsoft Entra Bitlocker Key Retrieval
The Microsoft Entra Bitlocker Key Retrieval rules are used to identify suspicious Microsoft Entra Bitlocker key retrieval activity. Any one or more of these will trigger the Microsoft Entra Bitlocker Key Retrieval alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_bitlocker_key_retrieval
.
Key Fields and Relevant Data Points
initiatedBy.user.id
— user ID who initiated the activityinitiatedBy.app.servicePrincipalId
— application and Service Principal ID that initiated the activityuser.name
— user nameactivityDisplayName
— activity display namecategory
— activity categoryresult
— result of the activityresultReason
— result reason of the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra BitLocker Key Retrieval Alert Type
Microsoft Entra Changes to Conditional Access Policy
The Microsoft Entra Changes to Conditional Access Policy rules are used to identify suspicious Microsoft Entra changes to conditional access policy. Any one or more of these will trigger the Microsoft Entra Changes to Conditional Access Policy alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_suspicious_changes_to_conditional_access_policy
.
Key Fields and Relevant Data Points
initiatedBy.user.id
— user ID who initiated the activityinitiatedBy.app.servicePrincipalId
— application and Service Principal ID that initiated the activityuser.name
— user nameactivityDisplayName
— activity display namecategory
— activity categoryresult
— result of the activityresultReason
— result reason of the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra Changes to Conditional Access Policy Alert Type
Microsoft Entra Changes to Device Registration Policy
The Microsoft Entra Changes to Device Registration Policy rules are used to identify suspicious Microsoft Entra changes to device registration policy. Any one or more of these will trigger the Microsoft Entra Changes to Device Registration Policy alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_changes_to_device_registration_policy
.
Key Fields and Relevant Data Points
initiatedBy.user.id
— user ID who initiated the activityinitiatedBy.app.servicePrincipalId
— application and Service Principal ID that initiated the activityuser.name
— user nameactivityDisplayName
— activity display namecategory
— activity categoryresult
— result of the activityresultReason
— result reason of the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra Changes to Device Registration Policy Alert Type
Microsoft Entra Changes to Privileged Account
The Microsoft Entra Changes to Privileged Account rules are used to identify suspicious Microsoft Entra changes to privileged account. Any one or more of these will trigger the Microsoft Entra Changes to Privileged Account alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_changes_to_privileged_account
.
Key Fields and Relevant Data Points
initiatedBy.user.id
— user ID who initiated the activityinitiatedBy.app.servicePrincipalId
— application and Service Principal ID that initiated the activityuser.name
— user nameactivityDisplayName
— activity display namecategory
— activity categoryresult
— result of the activityresultReason
— result reason of the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra Changes to Privileged Account Alert Type
Microsoft Entra Changes to Privileged Role Assignment
The Microsoft Entra Changes to Privileged Role Assignment rules are used to identify suspicious Microsoft Entra changes to privileged role assignment. Any one or more of these will trigger the Microsoft Entra Changes to Privileged Role Assignment alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_changes_to_privileged_role_assignment
.
Key Fields and Relevant Data Points
initiatedBy.user.id
— user ID who initiated the activityinitiatedBy.app.servicePrincipalId
— application and Service Principal ID that initiated the activityuser.name
— user nameactivityDisplayName
— activity display namecategory
— activity categoryresult
— result of the activityresultReason
— result reason of the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra Changes to Privileged Role Assignment Alert Type
Microsoft Entra Custom Domains Changed
Microsoft Entra ID (formerly Azure Active Directory) observed a custom domain being changed. Check with the organization to be sure this was expected.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Defense Evasion (TA0005 )
-
Technique: Domain Policy Modification (T1484 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_ad_change_domain
.
Severity
75
Key Fields and Relevant Data Points
srcip_usersid
— user account that made the domain changeactivityDisplayName
— activity display nameactivity_name
— action descriptiontargetResources.modifiedProperties
— properties that were changed
Use Case with Data Points
If Microsoft Entra ID detects any user (srcip_usersid
) changing a custom domain, an alert is triggered. A sample Interflow includes the user ID (srcip_usersid
) and activity name (activity_name
).
Microsoft Entra Federation Modified
The Microsoft Entra Federation Modified rules are used to identify suspicious Microsoft Entra federation modified activity. Any one or more of these will trigger the Microsoft Entra Federation Modified alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_federation_modified
.
Key Fields and Relevant Data Points
initiatedBy.user.id
— user ID who initiated the activityinitiatedBy.app.servicePrincipalId
— application and Service Principal ID that initiated the activityuser.name
— user nameactivityDisplayName
— activity display namecategory
— activity categoryresult
— result of the activityresultReason
— result reason of the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra Federation Modified Alert Type
Microsoft Entra Guest User Invited by Non-Approved Inviters
The Microsoft Entra Guest User Invited by Non-Approved Inviters rules are used to identify suspicious Microsoft Entra guest user invited by non-approved inviters. Any one or more of these will trigger the Microsoft Entra Guest User Invited by Non-Approved Inviters alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_guest_user_invited_by_non_approved_inviters
.
Key Fields and Relevant Data Points
initiatedBy.user.id
— user ID who initiated the activityinitiatedBy.app.servicePrincipalId
— application and Service Principal ID that initiated the activityuser.name
— user nameactivityDisplayName
— activity display namecategory
— activity categoryresult
— result of the activityresultReason
— result reason of the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra Guest User Invited by Non-Approved Inviters Alert Type
Microsoft Entra ID Discovery Using AzureHound
The Microsoft Entra ID Discovery using AzureHound rules are used to identify Microsoft Entra ID discovery using Azurehound. Any one or more of these will trigger the Microsoft Entra ID Discovery using Azurehound alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_discovery_using_azurehound
.
Key Fields and Relevant Data Points
srcip_username
— user name of the account involved in the eventsrcip
— IP address of the login clientsrcip_host
— host name of the login clientUserAgent
— user agentstellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra ID Discovery Using Azurehound Alert Type
Microsoft Entra PIM Setting Changed
The Microsoft Entra PIM Setting Changed rules are used to identify suspicious Microsoft Entra PIM setting changed. Any one or more of these will trigger the Microsoft Entra PIM Setting Changed alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_pim_setting_changed
.
Key Fields and Relevant Data Points
initiatedBy.user.id
— user ID who initiated the activityinitiatedBy.app.servicePrincipalId
— application and Service Principal ID that initiated the activityuser.name
— user nameactivityDisplayName
— activity display namecategory
— activity categoryresult
— result of the activityresultReason
— result reason of the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra PIM Setting Changed Alert Type
Microsoft Entra Privileged Account Assignment or Elevation
The Microsoft Entra Privileged Account Assignment or Elevation rules are used to identify suspicious Microsoft Entra privileged account assignment or elevation. Any one or more of these will trigger the Microsoft Entra Privileged Account Assignment or Elevation alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_privileged_account_assignment_or_elevation
.
Key Fields and Relevant Data Points
initiatedBy.user.id
— user ID who initiated the activityinitiatedBy.app.servicePrincipalId
— application and Service Principal ID that initiated the activityuser.name
— user nameactivityDisplayName
— activity display namecategory
— activity categoryresult
— result of the activityresultReason
— result reason of the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra Privileged Account Assignment or Elevation Alert Type
Microsoft Entra Sign-in Failure
The Microsoft Entra Sign-in Failure rules are used to identify suspicious Microsoft Entra sign-in failures. Any one or more of these will trigger the Microsoft Entra Sign-in Failure alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_sign_in_failures
.
Key Fields and Relevant Data Points
srcip_username
— user name of the account involved in the eventsrcip
— IP address of the login clientsrcip_host
— host name of the login clientlogin_result
— login result of user login eventsazure_ad.status.failureReason
— reason for the login failurestellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra Sign-in Failure Alert Type
Microsoft Entra Suspicious Sign-in Activity
The Microsoft Entra Suspicious Sign-in Activity rules are used to identify suspicious Microsoft Entra sign-in activity. Any one or more of these will trigger the Microsoft Entra Suspicious Sign-in Activity alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_suspicious_sign_in_activity
.
Key Fields and Relevant Data Points
srcip_username
— user name of the account involved in the eventsrcip
— IP address of the login clientsrcip_host
— host name of the login clientlogin_result
— login result of user login eventsazure_ad.status.failureReason
— reason for the login failurestellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Microsoft Entra Sign-In Activity Alert Type
Microsoft Entra Unusual Account Creation
The Microsoft Entra Unusual Account Creation rules are used to identify Microsoft Entra unusual account creation activity. Any one or more of these will trigger the Microsoft Entra Unusual Account Creation alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_unusual_account_creation
.
Key Fields and Relevant Data Points
initiatedBy.user.id
— user ID who initiated the activityinitiatedBy.app.servicePrincipalId
— application and Service Principal ID that initiated the activityuser.name
— user nameactivityDisplayName
— activity display namecategory
— activity categoryresult
— result of the activityresultReason
— result reason of the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra Unusual Account Creation Alert Type
Mimikatz Credential Dump
A potential Mimikatz memory dump was observed. Check the process to determine whether the host is compromised. Consider quarantining the host.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Credential Access (TA0006 )
-
Technique: OS Credential Dumping (T1003 )
-
Tags: [Internal]
Event Name
The xdr_event.name
for this alert type in the Interflow data is mimikatz_mem_scan
.
Severity
90
Key Fields and Relevant Data Points
hostip
— host IP addresshostip_host
— host nameaccess_subject
— process attempting access-
access_mask
— mask that the suspicious process used to obtain access privileges (different access masks indicate different capabilities obtained by the suspicious process)
Use Case with Data Points
If a process (access_subject
) on a Windows host (srcip
) tries to access lsass.exe with a special access mask (access_mask
), an alert is triggered. The Interflow includes the IP address of the Windows host (srcip
), the process performing mimikatz activity (access_subject
), and the access mask used to acquire access privilege (access_mask
).
Mimikatz DCSync
An attempt to replicate Active Directory for the first time on a domain controller, or the first time by that account, has occurred. Evaluate whether the replication is intended and, if not, consider disabling the account involved in the replication and investigate for further signs of compromise.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Credential Access (TA0006 )
-
Technique: OS Credential Dumping (T1003 )
-
Tags: [Internal, Active Directory]
Event Name
The xdr_event.name
for this alert type in the Interflow data is mimikatz_dcsync
.
Severity
90
Key Fields and Relevant Data Points
hostip
— IP address of the targeted domain controllerevent_data.SubjectUserSid
— source user ID associated with the account attempting replicationhostip_host
— host name of the targeted domain controllerevent_data.SubjectUserName
— name of the account that attempted the Active Directory replicationevent_data.SubjectDomainName
— domain of the account that attempted the Active Directory replication
Use Case with Data Points
This alert is triggered when replication of an Active Directory domain controller (hostip
) occurs for the first time or is attempted by a user account or computer account (event_data.SubjectUserName
) that has rarely occurred (days_silent
) or never initiated replication on that DC before. The Interflow includes the IP address of the targeted domain controller (hostip
), the account (event_data.SubjectUserName
) attempting the replication and its domain (event_data.SubjectDomainName
), and the replication operation attempted (event_data.Properties
). (For guidance understanding the GUID in the event_data.Properties field, refer to Microsoft Documentation.)
Validation / Remediation
To triage an alert of this type, consider first verifying whether the Active Directory replication event was expected. If the replication is not intended, then the alert has indicated that a DCSync attack is highly likely. This attack can be very severe, because all password hashes stored on the targeted domain controller might have been dumped. Disable the account involved in the replication as soon as possible and further investigate the account for any signs of compromise.
There is no simple remediation for a confirmed DCSync attack. Evaluate the overall risks of credential leakage and apply appropriate corrective actions, including minimizing accounts with permissions to perform Active Directory replication, and forcing a change of credentials for accounts with weak passwords.
Potential False Positives
The following will trigger an alert:
-
Set up of a new DC
-
Replication of a DC for the first time
Office 365 Admin Audit Logging Disabled
Office 365 admin audit logging was disabled. Make sure this change was expected.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Defense Evasion (TA0005 )
-
Technique: Impair Defenses (T1562 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is office365_admin_audit_logging_disabled
.
Severity
60
Key Fields and Relevant Data Points
srcip_usersid
— key ID for the Office 365 accountOrganizationName
— organization with audit logging
Use Case with Data Points
Office 365 monitors each Office 365 account (srcip_usersid
) for admin audit logging status. If admin audit logging is disabled, an alert is triggered. A sample Interflow includes the account ID (srcip_usersid
) and organization name (OrganizationName
).
Office 365 Content Filter Policy Changed
The Microsoft Exchange content policy was changed. An overly permissive content policy can allow spammers to send your organization unwanted email. Make sure this change was expected.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Persistence (TA0003 )
-
Technique: Account Manipulation (T1098 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is office365_content_filter_policy_changed
.
Severity
40
Key Fields and Relevant Data Points
srcip_usersid
— key ID for the Office 365 accountOrganizationId
— ID of the organization with the Microsoft content policy changeOrganizationName
— organization with the Microsoft content policy change
Use Case with Data Points
Office 365 monitors all Office 365 accounts (srcip_usersid
) in each organization (OrganizationId
) for a Microsoft Exchange content policy change. If a change is detected, an alert is triggered. A sample Interflow includes the Office 365 account ID (srcip_usersid
), organization ID (OrganizationId
), and organization name (OrganizationName
).
Office 365 File Sharing with Outside Entities
An Office 365 account shared multiple files with entities outside of the organization. Check with the user to make sure this was expected.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: Exfiltration (TA0010 )
-
Technique: Transfer Data to Cloud Account (T1537 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is office365_outside_entity_file_sharing
.
Severity
50
Key Fields and Relevant Data Points
srcip_usersid
— key ID for the Office 365 accountsrcip
— source IP address of the sharing actionsrcip_host
— source host namesrcip_geo.countryName
— source country
Use Case with Data Points
Office 365 monitors sharing with outside entities for each Office 365 account (srcip_usersid
). If an account shares multiple files with outside entities, an alert is triggered. A sample Interflow includes the user ID (srcip_usersid
), source IP address (srcip
), and source country (srcip_geo.countryName
).
Office 365 Malware Filter Policy Changed
The Microsoft Exchange malware filter policy changed. An overly permissive malware filter policy can allow attackers to send malicious attachments to your organization. Make sure this change was expected.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Defense Evasion (TA0005 )
-
Technique: Impair Defenses (T1562 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is office365_malware_filter_policy_changed
.
Severity
50
Key Fields and Relevant Data Points
srcip_usersid
— key ID for the Office 365 accountOrganizationId
— ID of the organization with the Microsoft Exchange malware policy changeOrganizationName
— organization with the Microsoft Exchange malware policy change
Use Case with Data Points
Office 365 monitors all Office 365 accounts (srcip_usersid
) in every organization (OrganizationId
) for Microsoft Exchange malware policy changes. If a change is discovered, an alert is triggered. A sample Interflow includes the account ID (srcip_usersid
), organization ID (OrganizationId
), and organization name (OrganizationName
).
Office 365 Multiple Files Restored
Office 365 observed that multiple files were restored in a short period. Check with the user.
XDR Kill Chain
Event Name
The xdr_event.name
for this alert type in the Interflow data is office365_multi_file_restore
.
Severity
50
Key Fields and Relevant Data Points
srcip_usersid
— key ID for the Office 365 accountEventSource
— event sourcesrcip
— source IP address that caused the restoresrcip_host
— source host name
Use Case with Data Points
Office 365 periodically checks file restore records. If multiple file restore records are detected within a short period, an alert is triggered. A sample Interflow includes the Office 365 account ID (srcip_usersid
), event source (EventSource
), and source IP address (srcip
).
Office 365 Multiple Users Deleted
Office 365 observed that multiple users were deleted in a short period. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: Impact (TA0040 )
-
Technique: Account Access Removal (T1531 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is office365_multi_user_deleted
.
Severity
50
Key Fields and Relevant Data Points
srcip_usersid
— key ID for the Office 365 accountEventSource
— event sourcesrcip
— source IP address that did the deletionsrcip_host
— source host name
Use Case with Data Points
Office 365 periodically checks user deletion records. If multiple users were deleted within a short period, an alert is triggered. A sample Interflow includes the Office 365 account ID (srcip_usersid
), event source (EventSource
), and source IP address (srcip
).
Office 365 Network Security Configuration Changed
Office 365 identified a change to your organization's network security configuration, which is uncommon. Make sure this was expected.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Persistence (TA0003 )
-
Technique: Account Manipulation (T1098 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is office365_security_conf_changed
.
Severity
70
Key Fields and Relevant Data Points
srcip_usersid
— key ID for ther Office 365 accountOrganizationId
— ID of the organization whose security configuration changedOrganizationName
— name of the organization whose security configuration changed
Use Case with Data Points
Office 365 monitors all Office 365 accounts (srcip_usersid
) in every organization (OrganizationId
) for network security configuration changes. If a change is detected, an alert is triggered. A sample Interflow includes the Office 365 account ID (srcip_usersid
), organization ID (OrganizationId
), and organization name (OrganizationName
).
Office 365 Password Policy Changed
Office 365 identified a change to your organization's password policy, which is uncommon. Make sure this was expected.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Defense Evasion (TA0005 )
-
Technique: Modify Authentication Process (T1556 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is office365_password_policy_changed
.
Severity
40
Key Fields and Relevant Data Points
srcip_usersid
— key ID for the Office 365 accountOrganizationId
— ID of the organization whose password policy changedOrganizationName
— name of the organization whose password policy changed
Use Case with Data Points
Office 365 monitors all Office 365 accounts (srcip_usersid
) in every organization (OrganizationId
) for sharing policy changes. If a change is detected, an alert is triggered. A sample Interflow includes the account ID (srcip_usersid
), organization ID (OrganizationId
), and organization name (OrganizationName
).
Office 365 Sharing Policy Changed
Office 365 identified a change to your organization's sharing policy, which is uncommon. Make sure this was expected.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Persistence (TA0003 )
-
Technique: Account Manipulation (T1098 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is office365_sharing_policy_changed
.
Severity
60
Key Fields and Relevant Data Points
srcip_usersid
— key ID for the Office 365 accountOrganizationId
— ID of the organization whose sharing policy changedOrganizationName
— name of the organization whose sharing policy changed
Use Case with Data Points
Office 365 monitors all Office 365 accounts (srcip_usersid
) in every organization (OrganizationId
) for password policy changes. If a change is detected, an alert is triggered. A sample Interflow includes the Office 365 account ID (srcip_usersid
), organization ID (OrganizationId
), and organization name (OrganizationName
).
Office 365 User Network Admin Changed
The Office 365 account’s network admin information was changed. Make sure this change was expected.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Persistence (TA0003 )
-
Technique: Account Manipulation (T1098 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is office365_user_network_admin_changed
.
Severity
50
Key Fields and Relevant Data Points
srcip_usersid
— key ID for the Office 365 accountOrganizationName
— name of the organization
Use Case with Data Points
Office 365 monitors the network admin information for each Office 365 account (srcip_usersid
). If changes to the network admin are discovered, an alert is triggered. A sample Interflow includes the account ID (srcip_usersid
) and organization name (OrganizationName
).
Password Cracking with Hashcat
A user from a Windows host executed a command-line script that launched either the hashcat.exe command or a command using known Hashcat parameters (-a -m 1000 -r). The Hashcat command is known to use a SAM file from the Windows registry along with a password list to crack passwords.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [Hashcat]
Event Name
The xdr_event.name
for this alert type in the Interflow data is password_cracking_with_hashcat
.
Severity
90
Key Fields and Relevant Data Points
hostip
— device internal IP addressevent_data.Image
— process running the hashcat toolevent_data.CommandLine
— command used to run the toolcomputer_name
— name of the Windows host
Use Case with Data Points
This alert is triggered if a Windows host (hostip
) executes a PowerShell script with a context that includes one or more flags (event_data.Image
or event_data.CommandLine
) indicating usage of the Hashcat password cracking tool. The Interflow includes the IP address of the Windows host (hostip
), the host name (computer_name
), and the script image (event_data.Image
) or script payload (event_data.CommandLine
).
Validation / Remediation
Check the body of the Powershell script that is reported on the Windows host to identify whether the contents are actually malicious. If malicious, consider quarantining the host.
Potential False Positives
The running of any executable named hashcat.exe
or any command that uses the hashcat signature parameter list (-a -m 1000 -r
).
Password Resets Anomaly
An account reset/changed one or more target accounts' passwords an anomalously large number of times. Check the subject account and major target accounts.
This alert type has the following subtype:
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Persistence (TA0003 )
-
Technique: Account Manipulation (T1098 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is password_resets_anomaly
.
Severity
30
Key Fields and Relevant Data Points
event_data.SubjectDomainName
— domain to which theSubjectUserName
belongsevent_data.SubjectUserName
— user name of the account that resets/changes the passwordactual
— actual time of the password resets/changes made by the usertypical
— expected maximum time of password resets/changes made by the user
Use Case with Data Points
The daily number of password reset/change actions of a user (SubjectDomainName
+ SubjectUserName
) are monitored by (actual
), which is compared with a dynamic upper threshold of (typical
). An alert is triggered when the actual number exceeds the threshold.
Validation / Remediation
Validate the alert by checking the account activity on the date. If the number of resets/changes are abnormal, check the target user names that are being reset to verify if the action is expected.
Potential False Positives
False positives can be triggered in the following situations:
-
Traffic pattern change, such as when an account is newly added or has some systematic change from the typical number of resets/changes
-
Resets of usually silent accounts
Alert Subtype: Windows Account Password Reset Anomaly
The xdr_event.subtype.name
for this alert subtype in the Interflow data is windows_account_password_resets_anomaly
.
Password Spraying Attempts Using Dsacls
A user from a Windows host executed a command-line script to launch a command that by name and parameter list indicates an attempt to abuse dsacls.exe for password spraying.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: [Internal] Defense Evasion (TA0005 )
-
Technique: System Binary Proxy Execution (T1218)
-
Tags: [Password Spray;Dsacls]
Event Name
The xdr_event.name
for this alert type in the Interflow data is password_spraying_attempts_using_dsacls
.
Severity
50
Key Fields and Relevant Data Points
hostip
— device internal IP addressevent_data.Image
— process running dsacls for password crackingevent_data.CommandLine
— command used to run the toolevent_data.OriginalFileName
— actual file name that was executedcomputer_name
— name of the Windows host
Use Case with Data Points
This alert is triggered if a Windows host (hostip
) executes a dsacls.exe
with a context that includes one or more flags (event_data.Image
, event_data.CommandLine
, or event_data.OriginalFileName
including /user
and /passwd
as parameters). This indicates possible usage of Dcacls as a password spraying tool. The Interflow includes the IP address of the Windows host (hostip
), the host name (computer_name
), and the script image (event_data.Image
) or the original file name (event_data.OriginalFileName
), and script commandline (event_data.CommandLine
).
Validation / Remediation
Check whether the usage was actually malicious. If so, consider quarantining the Windows host.
Potential False Positives
This alert could be triggered even if the use is a legitimate use of dsacls
to bind to an LDAP session.
Potentially Malicious Windows Event
The Potentially Malicious Windows Event rules are used to identify suspicious activity with Windows events. This is a generic rule name. Any one or more of these will trigger the Potentially Malicious Windows Event alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is windows_security_malicious_event
.
Key Fields and Relevant Data Points
event_id
— Windows event ID associated with the activityhostip
— host IP addresshostip_host
— host namestellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Potentially Malicious Event Alert Type
PowerShell Remote Access
A Windows host executed a PowerShell script interacting with a remote host. Investigate the script and the remote host to determine whether the script is malicious. If so, consider quarantining the host.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Execution (TA0002 )
-
Technique: Command and Scripting Interpreter (T1059 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is powershell_cnc
.
Severity
80
Key Fields and Relevant Data Points
hostip
— IP address of the Windows hosthostip_host
— host nameremote_ip
— IP address of the remote host involved in the scriptevent_data.ScriptBlockText
— contents of the PowerShell script
Use Case with Data Points
If a Windows host (srcip
) executes a PowerShell script that includes potential communication (event_data.ScriptBlockText
) with a remote host (remote_ip
), an alert is triggered. The Interflow includes the IP address of the Windows host (srcip
), the script body (event_data.ScriptBlockText
), and the remote host IP address (remote_ip
).
PowerShell Remote Access
A Windows host executed a PowerShell script interacting with a remote host. Investigate the script and the remote host to determine whether the script is malicious. If so, consider quarantining the host.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Execution (TA0002 )
-
Technique: Command and Scripting Interpreter (T1059 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is powershell_cnc
.
Severity
80
Key Fields and Relevant Data Points
hostip
— IP address of the Windows hosthostip_host
— host nameremote_ip
— IP address of the remote host involved in the scriptevent_data.ScriptBlockText
— contents of the PowerShell script
Use Case with Data Points
If a Windows host (srcip
) executes a PowerShell script that includes potential communication (event_data.ScriptBlockText
) with a remote host (remote_ip
), an alert is triggered. The Interflow includes the IP address of the Windows host (srcip
), the script body (event_data.ScriptBlockText
), and the remote host IP address (remote_ip
).
Process Anomaly
A process has been launched an anomalously large number of times. Investigate the process and the user to see if this is expected.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: XDR EBA (XTA0001)
-
Technique: XDR Process Anomaly (XT1001)
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is bad_process
.
Severity
15
Key Fields and Relevant Data Points
process_name
— name of the processhostip
— host IP addresshostip_host
— host nameactual
— actual number of launches in the periodtypical
— typical number of launches in the period
Use Case with Data Points
The number of times a process (process_name
) has been launched is calculated periodically. If the volume (actual
) is much larger than the typical volume (typical
) of the command or other commands in any period, an alert is triggered. The Interflow includes the (hostip
) who launched the process.
RDP Port Opening
Netsh commands to open TCP port 3389 were observed. This could indicate Sarwent malware attempting to establish an RDP connection. Check the IP address and block if necessary.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Defense Evasion (TA0005 )
-
Technique: Impair Defenses (T1562 )
-
Tags: [RDP]
Event Name
The xdr_event.name
for this alert type in the Interflow data is rdp_port_opening
.
Severity
50
Key Fields and Relevant Data Points
hostip
— source IP address that executes the commandhostip_host
— host nameevent_data.CommandLine
— command that was executedprocess_name
— process name
Use Case with Data Points
Commands that open TCP port 3389 are monitored, and if netsh commands are seen, an alert is triggered. A sample Interflow includes the source IP address (hostip
) and the command used (event_data.CommandLine
).
RDP Registry Modification
Modifications of the property values of fDenyTSConnections
and UserAuthentication
to enable remote desktop connections were observed. Check the IP address and block if necessary.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Defense Evasion (TA0005 )
-
Technique: Modify Registry (T1112 )
-
Tags: [RDP]
Event Name
The xdr_event.name
for this alert type in the Interflow data is rdp_registry_modification
.
Severity
50
Key Fields and Relevant Data Points
hostip
— IP address of the host that made the setting changehostip_host
— host nameevent_data.TargetObject
— name of the registry keyevent_data.Details
— value of the registry
Use Case with Data Points
The property values of fDenyTSConnections
and UserAuthentication
are monitored, and if a possible malicious modification of the settings to enable remote desktop connections is observed, an alert is triggered. A sample Interflow includes the source IP address (hostip
) and the registry name (event_data.TargetObject
).
RDP Reverse Tunnel
An svchost
hosting RDP termsvcs
communicating with the loopback address on TCP port 3389 was observed. Check the IP address and block if necessary.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Command and Control (TA0011 )
-
Technique: Protocol Tunneling (T1572 )
-
Tags: [RDP]
Event Name
The xdr_event.name
for this alert type in the Interflow data is rdp_reverse_tunnel
.
Severity
80
Key Fields and Relevant Data Points
hostip
— host IP addresshostip_host
— host nameevent_data.Image
— process communicating with the loopback address
Use Case with Data Points
If an svchost hosting RDP termsvcs communicating with the loopback address is found on TCP port 3389, an alert is triggered. A sample Interflow includes the host IP address (hostip
) and host name (hostip_host
).
RDP Session Hijacking
A suspicious RDP session using tscon.exe
or MSTSC shadowing was observed. This could indicate a hijacked RDP session. Check the IP address and block if necessary.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: Lateral Movement (TA0008 )
-
Technique: Remote Service Session Hijacking (T1563 )
-
Tags: [RDP]
Event Name
The xdr_event.name
for this alert type in the Interflow data is rdp_session_hijacking
.
Severity
50
Key Fields and Relevant Data Points
hostip
— host IP address that executes the commandhostip_host
— host nameevent_data.CommandLine
— command line usedprocess_name
— process name
Use Case with Data Points
If an RDP session redirect using tscon.exe or MSTSC is detected, an alert is triggered. A sample Interflow includes the host IP address (hostip
), name of the process used (process_name
), and command used (event_data.CommandLine
).
RDP Settings Hijacking
Changes to RDP terminal services settings were observed. Check the IP address and block if necessary.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Defense Evasion (TA0005 )
-
Technique: Modify Registry (T1112 )
-
Tags: [RDP]
Event Name
The xdr_event.name
for this alert type in the Interflow data is rdp_settings_hijack
.
Severity
50
Key Fields and Relevant Data Points
hostip
— IP address of the host that made the setting changehostip_host
— host nameevent_data.TargetObject
— name of the registry key-
event_data.EventType
— event type on the registry key (SetValue, DeleteValue) event_data.Details
— value of the registry
Use Case with Data Points
RDP terminal service settings are monitored, and if changes are found to these settings, an alert is triggered. A sample Interflow includes the source IP address (hostip
) and the registry name (event_data.TargetObject
).
RDP Suspicious Logon
An RDP logon with a local source IP address was observed. This could indicate a tunneled logon. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Command and Control (TA0011 )
-
Technique: Protocol Tunneling (T1572 )
-
Tags: [RDP]
Event Name
The xdr_event.name
for this alert type in the Interflow data is rdp_suspicious_logon
.
Severity
75
Key Fields and Relevant Data Points
hostip
— host IP address of the RDP serverevent_data.TargetDomainName
— domain of the login accountevent_data.TargetUserName
— user name of the login accounthostip_host
— host name
Use Case with Data Points
Remote desktop logins are monitored, and if a local source IP address is seen, an alert is triggered. A sample Interflow includes the source IP address (hostip
) and host name (hostip_host
).
RDP Suspicious Logon Attempt
An authenticated user who is not allowed to log on remotely attempted to connect through RDP. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [Internal; RDP]
Event Name
The xdr_event.name
for this alert type in the Interflow data is rdp_suspicious_logon_attempt
.
Severity
75
Key Fields and Relevant Data Points
hostip
— host IP address of the RDP serverhostip_host
— host nameevent_data.AccountDomain
— account domain of the user who attempts to connectevent_data.AccountName
— account name of the user who attempts to connectevent_data.ClientAddress
— IP address of the user who attempts to connect
Use Case with Data Points
Windows remote desktop logins are monitored, and if a user who is not allowed to remotely log in tries to log in with RDP, an alert is triggered. A sample Interflow includes the source IP address (hostip
) and host name (hostip_host
).
Sensitive Windows Active Directory Attribute Modification
The Sensitive Windows Active Directory Attribute Modification rules are used to identify suspicious activity with sensitive Windows Active Directory attribute modification. Any one or more of these will trigger the Sensitive Windows Active Directory Attribute Modification alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is windows_security_ad_sensitive_attribute_modification
.
Key Fields and Relevant Data Points
event_id
— Windows event ID associated with the activityhostip
— host IP addresshostip_host
— host namestellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Sensitive Windows Active Directory Attribute Modification Alert Type
Sensitive Windows Network Share File or Folder Accessed
The Sensitive Windows Network Share File or Folder Accessed rules are used to identify suspicious activity with Windows network share file or folder access. Any one or more of these will trigger the Sensitive Windows Network Share File or Folder Accessed alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is windows_security_sensitive_networkshare
.
Key Fields and Relevant Data Points
event_id
— Windows event ID associated with the activityhostip
— host IP addresshostip_host
— host namestellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Sensitive Windows Network Share File or Folder Accessed Alert Type
SMB Impacket Lateralization
The execution of wmiexec, dcomexec, atexec, smbexec or PSExec
from the Impacket framework was observed. Check the source host. If malicious, consider blocking the host.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Execution (TA0002 )
-
Technique: Windows Management Instrumentation (T1047 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is smb_impacket_lateralization
.
Severity
80
Key Fields and Relevant Data Points
srcip
— source IP addresshostip
— host IP addresshostip_host
— host nameevent_data.CommandLine
— command line of the command that was executedevent_data.ParentCommandLine
— command line of the parent process
Use Case with Data Points
If a Windows host (srcip
) executes a command (wmiexec, dcomexec, atexec, smbexec
, or PSExec
) from the Impacket framework, an alert is triggered. A sample Interflow includes the source IP address (srcip
), source host (srcip_host
), and the command executed (event_data.CommandLine
).
SMB Specific Service Installation
A specific service installation used by the Impacket tool or Metasploit was observed. Check the source host. If malicious, consider blocking the host.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Execution (TA0002 )
-
Technique: System Services (T1569 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is smb_hack_smbexec
.
Severity
80
Key Fields and Relevant Data Points
srcip
— source IP addressevent_data.ServiceName
— name of the service installedhostip
— host IP addresshostip_host
— host name
Use Case with Data Points
If a Windows host (srcip
) installs a specific service installation that is used by the smbexec.py
tool, an alert is triggered. A sample Interflow includes the source IP address (srcip
), source host (srcip_host
), and the service installed (event_data.ServiceName
).
SMB Suspicious Copy
A suspicious copy command from a remote C$ or ADMIN$ share was observed. Check the source host. If malicious, consider blocking the host.
XDR Kill Chain
-
Kill Chain Stage: Exploration
-
Tactic: Collection (TA0009 )
-
Technique: Data from Network Shared Drive (T1039 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is smb_suspicious_copy
.
Severity
75
Key Fields and Relevant Data Points
srcip
— source IP addresshostip
— host IP addresshostip_host
— host nameevent_data.CommandLine
— command line of the copy command
Use Case with Data Points
If a Windows host (srcip
) uses the copy command to copy files from a remote C$ or ADMIN$ share, an alert is triggered. A sample Interflow includes the source IP address (srcip
), source host (srcip_host
), and the command executed (event_data.CommandLine
).
Steal or Forge Kerberos Tickets
The Steal or Forge Kerberos Tickets rules are used to identify suspicious activity to steal or forge Kerberos tickets. Any one or more of these will trigger the Steal or Forge Kerberos Tickets alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is windows_security_steal_or_forge_kerberos_tickets
.
Key Fields and Relevant Data Points
hostip
— host IP addresshostip_host
— host namewineventlog_user
— Windows user who executed the scriptevent_data.ScriptBlockText
— Powershell script block textevent_id
— Windows event ID associated with the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Steal or Forge Kerberos Tickets Alert Type
Suspicious Access Attempt to Windows Object
The Suspicious Access Attempt to Windows Object rules are used to identify suspicious activity with access attempt to Windows objects. Any one or more of these will trigger the Suspicious Access Attempt to Windows Object alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is windows_security_object_access_suspicious_attempt
.
Key Fields and Relevant Data Points
event_id
— Windows event ID associated with the activityhostip
— host IP addresshostip_host
— host namestellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Access Attempt to Windows Object Alert Type
Suspicious Activity Related to Security-Enabled Group
The Suspicious Activity Related to Security-Enabled Group rules are used to identify suspicious activity related to security-enabled groups. Any one or more of these will trigger the Suspicious Activity Related to Security-Enabled Group alert types.
Event Name
The xdr_event.name
for this alert type in the Interflow data is windows_security_suspicious_activity_related_to_security_enabled_group
.
Key Fields and Relevant Data Points
hostip
— host IP addressevent_id
— Windows event ID associated with the activityhostip_host
— host nameevent_data.SubjectUserName
— subject user name associated with the activityevent_data.SubjectUserSid
— subject user SID associated with the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Activity Related to Security-Enabled Group Alert Type
Suspicious Connection to Another Process
The Suspicious Connection to Another Process rules are used to identify suspicious connection to another process. Any one or more of these will trigger the Suspicious Connection to Another Process alert types.
Event Name
The xdr_event.name
for this alert type in the Interflow data is windows_security_suspicious_connection_process
.
Key Fields and Relevant Data Points
event_id
— Windows event ID associated with the activityhostip
— host IP addresshostip_host
— host namestellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Connection to Another Process Alert Type
Suspicious Handle Request to Sensitive Object
The Suspicious Handle Request to Sensitive Object rules are used to identify suspicious activity with handle requests to sensitive Windows objects. Any one or more of these will trigger the Suspicious Handle Request to Sensitive Object alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is windows_security_suspicious_handle_request
.
Key Fields and Relevant Data Points
event_id
— Windows event ID associated with the activityhostip
— host IP addresshostip_host
— host namestellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Handle Request to Sensitive Object Alert Type
Suspicious LSASS Process Access
The Suspicious LSASS Process Access rules are used to identify suspicious process access to or from the Local Security Authority Subsystem Service (LSASS). Any one or more of these will trigger the Suspicious LSASS Process Access alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is suspicious_process_access_lsass
.
Key Fields and Relevant Data Points
hostip
— host IP addresshostip_host
— host nameevent_data.SourceImage
— source image path associated with the activityevent_data.TargetImage
— target image path associated with the activitywineventlog_user
— user associated with the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious LSASS Process Access Alert Type
Suspicious Powershell Script
The Suspicious Powershell Script rules are used to identify suspicious activity relating to PowerShell scripts. Any one or more of these will trigger the Suspicious PowerShell Script alert types.
Event Name
The xdr_event.name
for this alert type in the Interflow data is suspicious_powershell_script
.
Key Fields and Relevant Data Points
hostip
— host IP addresshostip_host
— host namewineventlog_user
— Windows user who executed the scriptevent_data.ScriptBlockText
— Powershell script block textstellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Powershell Script Alert Type
Suspicious Process Creation Commandline
The Suspicious Process Creation Commandline rules are used to identify suspicious activity relating to command-line process creation. Any one or more of these will trigger the Suspicious Process Creation Commandline alert types.
Event Name
The xdr_event.name
for this alert type in the Interflow data is suspicious_commandline
.
Key Fields and Relevant Data Points
hostip
— host IP addressevent_data.CommandLine
— process creation command linehostip_host
— host namewineventlog_user
— Windows user who executed the commandstellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Process Creation Commandline Alert Type
Suspicious Windows Active Directory Operation
The Suspicious Windows Active Directory Operation rules are used to identify suspicious activity with Windows Active Directory operation. Any one or more of these will trigger the Suspicious Windows Active Directory Operation alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is windows_security_ad_suspicious_operation
.
Key Fields and Relevant Data Points
event_id
— Windows event ID associated with the activityhostip
— host IP addresshostip_host
— host namestellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Windows Active Directory Operation Alert Type
Suspicious Windows Network Connection
The Suspicious Windows Network Connection rules are used to identify suspicious Windows network connection activities. Any one or more of these will trigger the Suspicious Windows Network Connection alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is suspicious_windows_network_connection
.
Key Fields and Relevant Data Points
hostip
— host IP addresshostip_host
— host nameevent_data.Image
— process associated with the activitywineventlog_user
— user associated with the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Windows Network Connection Alert Type
Suspicious Windows Logon Event
The Suspicious Windows Logon Event rules are used to identify suspicious activity with Windows Logons. Any one or more of these will trigger the Suspicious Windows Logon alert types.
Event Name
The xdr_event.name
for this alert type in the Interflow data is windows_security_suspicious_logon_event
.
Key Fields and Relevant Data Points
event_id
— Windows event ID associated with the activityhostip
— host IP addresshostip_host
— host namestellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Windows Logon Event Alert Type
Suspicious Windows Process Creation
The Suspicious Windows Process Creation rules are used to identify suspicious activity associated with process creation. Any one or more of these will trigger the Suspicious Process Creation alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is windows_suspicious_process_creation
.
Key Fields and Relevant Data Points
hostip
— host IP addressprocess_name
— process associated with the activityhostip_host
— host namewineventlog_user
— Windows user associated with the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Windows Suspicious Process Creation Alert Type
Suspicious Windows Registry Event: Impact
The Suspicious Windows Registry Event: Impact rules are used to identify suspicious Windows registry events usually in the impact stage. Any one or more of these will trigger the Suspicious Windows Registry Event: Impact alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is suspicious_windows_registry_event_impact
.
Key Fields and Relevant Data Points
hostip
— host IP addresshostip_host
— host nameevent_data.Image
— process associated with the activityevent_data.TargetObject
— target registryevent_data.Details
— value set to the registrywineventlog_user
— user associated with the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Windows Registry Event: Impact Alert Type
Suspicious Windows Registry Event: Persistence
The Suspicious Windows Registry Event: Persistence rules are used to identify suspicious Windows registry events usually in the persistence stage. Any one or more of these will trigger the Suspicious Windows Registry Event: Persistence alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is suspicious_windows_registry_event_persistence
.
Key Fields and Relevant Data Points
hostip
— host IP addresshostip_host
— host nameevent_data.Image
— process associated with the activityevent_data.TargetObject
— target registryevent_data.Details
— value set to the registrywineventlog_user
— user associated with the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Windows Registry Event: Persistence Alert Type
Suspicious Windows Service Installation
The Suspicious Windows Service Installation rules are used to identify suspicious activity with service installation. Any one or more of these will trigger the Suspicious Windows Service Installation alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is windows_security_suspicious_service_installation
.
Key Fields and Relevant Data Points
event_id
— Windows event ID associated with the activityhostip
— host IP addresshostip_host
— host namestellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Windows Service Installation Alert Type
Uncommon Process Anomaly
An asset launched a process that has never been seen before (or has very rarely been seen). This could indicate a malware attack.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: XDR EBA (XTA0001)
-
Technique: XDR Process Anomaly (XT1001)
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is network_uncommon_process
.
Severity
30
Key Fields and Relevant Data Points
hostip
— IP address of the host running the processhostip_host
— host nameprocess_name
— name of the processwineventlog_user
— user that created the processdays_silent
— number of days since this process was last seen
Use Case with Data Points
If a process (process_name
) has never been observed by Stellar Cyber or been seen very rarely (days_silent
), an alert is triggered. The Interflow includes the user (process_user
) and host (srcip
) that executed the process.
User Asset Access Anomaly
A user who typically uses a small, consistent number of assets logged in to a new asset. Investigate the asset and user to see if this was expected.
This alert type has the following subtype:
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] XDR UBA (XTA0004)
-
Technique: XDR Asset Anomaly (XT4004)
-
Tags: [Internal; User Behavior Analytics]
Event Name
The xdr_event.name
for this alert type in the Interflow data is user_asset_access
.
Severity
30
Key Fields and Relevant Data Points
srcip_usersid
— source user IDdstip_host
— host name of corresponding destination IP addresssrcip_host
— host name of corresponding source IP addresssrcip_username
— source user namestability
— score measuring the time since the last new asset was accesseddays_stable
— time since the last new asset was accesseddiversity
— score measuring the number of assets that the user accessedchild_count
— number of assets that the user accessed
Use Case with Data Points
Users (srcip_usersid
and srcip_username
) with a small number of assets (diversity
, child_count
) who also have not used a new asset (srcip_host
) for a long time (stability
, days_stable
) are examined. If a new asset appears on a host (srcip_host
) with this user, an alert is triggered.
The user is identified with the scrip_userid
and scrip_username
fields. The asset is identified with the scrip_host
field. Active Directory, which is identified from the dstip_host
field, provides the relationship between the user and the asset. Stability is identified with the stability
field and diversity is identified with the diversity
field.
The SMB User Based alert subtype is the same as the User Asset Access Anomaly alert type above, with the following differences:
-
The subtype is more specific to SMB users authenticating to a new asset. It uses network traffic to monitor the network shares the users accessed.
-
The
xdr_event.subtype.name
for this alert subtype in the Interflow data issmb_user_asset_access
. -
It has the following Key Fields and Relevant Data Points.
Key Fields and Relevant Data Points
srcip
— source IP addressdstip
— destination IP addressevent_summary.ueba_smb_username
— SMB user that accessed the assetsstability
— score measuring the time since the last new asset was accesseddays_stable
— time since the last new asset was accesseddiversity
— score measuring the number of assets that the user accessedchild_count
— number of assets that the user accessed
User Login Location Anomaly
A login to a user account occurred from a source IP address that is anomalously distant from the nearest location typically observed for logins to that user account.
This alert type has a detection delay for on-time records while maintaining detection coverage for high latency data sources. High latency data will have a detection delay corresponding to their amount of latency.
The expected detection delay is 5-10 minutes, although it could be longer when there is an ingestion delay. Sources without ingestion delays will get their alerts between 5 and 10 minutes after ingestion.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR UBA (XTA0004)
-
Technique: XDR Location Anomaly (XT2001)
-
Tags: [External; User Behavior Analytics]
Event Name
The xdr_event.name
for this alert type in the Interflow data is user_login_region
.
Severity
50
Key Fields and Relevant Data Points
srcip_usersid
— key ID for the source userdistance_deviation
— deviation in distance between two login locations (miles)srcip_host
— host name of corresponding source IP addresssrcip_reputation
— source reputationsrcip_geo.countryName
— source country namesrcip_geo.region
— source region namesrcip_geo.city
— source city namedstip_host
— host name of corresponding destination IP addresslogin_type
— type of login
Use Case with Data Points
Successful login events for certain login types (login_type
) of a user (srcip_usersid
) from a source host (srcip_host
) and country location (srcip_geo.countryName
are examined. If the detected login location is too far away (distance_deviation
in miles) from that user's typical locations, an alert is triggered. The source host's reputation (srcip_reputation
) is also checked. Map views of the Interflow include data points for the closest typical
login locations for the user.
User Process Usage Anomaly
A user who typically executes a small, consistent number of processes suddenly executed a new process. Investigate the process, to see if it is benign. Check with the user to see if this process was expected.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: XDR EBA (XTA0001)
-
Technique: XDR Process Anomaly (XT1001)
-
Tags: [User Behavior Analytics]
Event Name
The xdr_event.name
for this alert type in the Interflow data is user_uncommon_process
.
Severity
10
Key Fields and Relevant Data Points
srcip_usersid
— non-Windows source user IDor
user.identifier
— Windows source user IDThe key field for this alert type can be either
srcip_usersid
oruser.identifier
, depending on the data feed.process_name
— name of the processhostip
— IP address of the hosthostip_host
— host namesrcip_username
— source user namewineventlog_user.name
— source user name (Windows)user.name
— source user name (Windows)stability
— score measuring the time since the last new process was executeddays_stable
— time since the last new process was executeddiversity
— score measuring the number of processes that the user executedchild_count
— number of processes that the user executed
Use Case with Data Points
Looks for a user (srcip_usersid
or user.identifier
and a srcip_username
) with a small number of processes (diversity
, child_count
) who also has not used a new process for a long time (stability
, days_stable
). If a new process (process_name
) appears on a host (srcip_host
) with this user and connects to another host (dstip_host
), an alert is triggered.
The user is identified with the scrip_userid
or user.identifier
and scrip_username
fields. The process is identified with the process_name
field. The host on which the user is running the process is identified with the srcip_host
field. The destination of the traffic generated by the process is identified with the dstip_host
field. Stability is identified with the stability
field, and diversity is identified with the diversity
field.
Volume Shadow Copy Deletion via WMIC
The wmic.exe
utility was used to delete the Shadow Copy on an endpoint. Ransomware and other malware do this to prevent system recovery. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: Impact (TA0040 )
-
Technique: Inhibit System Recovery (T1490 )
-
Tags: [Malware; Ransomware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is ransomware_volume_shadow_copy_deletion_via_wmicredit
.
Severity
80
Key Fields and Relevant Data Points
hostip
— IP address of the host where the Shadow Copy was deletedhostip_host
— host nameprocess_name
— name of the executed processevent_data.CommandLine
— command that was executed to delete the Shadow Copy
Use Case with Data Points
If wmic.exe
is used to delete the Shadow Copy on an endpoint, an alert is triggered. The Interflow includes the host IP address (hostip
), process name (process_name
), and command line (event_data.CommandLine
).
Volume Shadow Copy Deletion via VssAdmin
The vssadmin.exe
utility was used to delete the Shadow Copy on an endpoint. Ransomware and other malware do this to prevent system recovery. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: Impact (TA0040 )
-
Technique: Inhibit System Recovery (T1490 )
-
Tags: [Malware; Ransomware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is ransomware_volume_shadow_copy_deletion_via_vssadminedit
.
Severity
80
Key Fields and Relevant Data Points
hostip
— IP address of the host where the Shadow Copy was deletedhostip_host
— host nameprocess_name
— name of the executed processevent_data.CommandLine
— command that was executed to delete the Shadow Copy
Use Case with Data Points
If vssadmin.exe
is used to delete the Shadow Copy on an endpoint, an alert is triggered. The Interflow ibncludes the host IP address (hostip
), process name (process_name
), and command line (event_data.CommandLine
).