An Indicator Set is a group of related ATIs (detection rules) for the platform specified by its name.
To view and manage Indicator Sets, a console user must have Manage indicator sets permission enabled. This permission is enabled by default for Administrators and Power Users. See User Role Permissions for details on enabling user permissions
The following list describes default Indicator Sets provided with the initial release of v8.0.0 and the types of ATIs they contain. Note that Indicator sets may be added, removed, or modified in cloud-based updates or future versions of Carbon Black App Control. See Updates to Indicator Sets.
- Windows Admin Tool Tracking – The ATIs in this group are designed to track legitimate admin tools that attackers commonly abused. A good example of this is psexec activity. While psexec activity is normally used legitimately, its use in attacks is also prevalent and tracking of this activity is so helpful in forensics investigations that alerting on this activity was included in advanced detection. However, unlike other groupings, the rules contained here are likely to generate events that are not indicative of malicious activity. Therefore, consider disabling this updater in certain environments.
- Windows Application Behavior – The ATIs in this group detect behavior that is not normally expected from the type of application performing it. For example, one ATI in this group called “Possible exploit of document handling application” reports an event if an application such as Microsoft Excel creates an unknown executable.
- Windows POS Indicators – The ATIs in this group are specific to file and registry artifacts created during attacks on point-of-sale (POS) style systems. They are based on publicly released information about these types of attacks.
- Windows Process Injection – The ATIs in this group detect injection of suspicious code into specific system processes. For example, one ATI in this group, “Possible password hash tool execution”, reports an event if a process tries to harvest cached password hashes on a system. In general, this indicator set reports issues involving memory rules.
- Windows Ransomware Indicators – The ATIs in this group are designed to identify signs of ransomware-type malware such as cryptolocker/cryptoblocker and associated variants. Both registry- and file-based activities are included. Indicators are based both on malware analysis and published reports.
- Windows Startup Configuration – The ATIs in this group detect suspicious changes to the Windows startup configuration.
- Windows Suspicious Based on File Name – The ATIs in this group detect files whose names indicate that they are suspicious or malicious. For example, if a file has a name or file extension that is similar to a legitimate file but is modified slightly, an ATI in this group reports it. Files with the names of known malware or suspicious extensions are also reported.
- Windows Suspicious Based on Parent – The ATIs in this group detect suspicious activity based on the parent process of an executable.
- Windows Suspicious Based on Path – The ATIs in this group detect file activity in suspicious location, such as file execution in the Recycle Bin or System Volume.
- Windows Suspicious Based on Path and File Name – The ATIs in this group detect suspicious activity based on both file path and file name. For example, one ATI reports System files executing outside the System folder. Another indicator in this group reports execution of rarely used system utilities.
- Windows System Configuration – The ATIs in this group detect suspicious system configuration activity, such as firewall or name resolution tampering, or installation of a language pack.
- Mac Application Behavior – The ATIs in this group detect behavior that is not normally expected from the type of application performing it. For example, one ATI in this group reports an event if an application such as Microsoft Excel creates an unknown executable. Another ATI in this group detects shells being spawned from a browser.
- Mac Shell Activity – The ATIs in this group detect suspicious use of a command shell.
- Mac Suspicious Based on Path – The ATIs in this group detect activities that are suspicious because of where they are attempted, such as execution attempts from the Trash folder.
- Mac Suspicious Based on Path and File Name – The ATIs in this group detect unusual behaviors from a known path. For example, one indicator in this group reports an event if a file is created that is indicative of a known backdoor.
- Mac System Configuration – The ATIs in this group detect suspicious changes to system configuration, such as attempts to escalate privileges.
- Linux Possible Backdoor – The ATIs in this group detect files associated with backdoors to the Linux secure shell.
- Linux Startup Configuration – The ATIs in this group detect suspicious changes to the Linux startup configuration.