Tactics, Techniques, and Procedures (TTPs) are behaviors, methods, or patterns of activity used by a threat actor, or group of threat actors.
Events and alerts are tagged with TTPs to provide context around attacks and behaviors leading up to attacks that are detected and prevented by policy actions. Events and alerts may also be tagged with MITRE Techniques. See the MITRE Techniques Reference for a full list of MITRE techniques in the Carbon Black Cloud console.
Important: Carbon Black is replacing the terms
blacklist and
whitelist with
banned list and
approved list. Notice will be provided in advance of terminology updates to APIs, TTPs, and Reputations.
| Tag | Where It's Detected | Category | How It's Set | Description |
|---|---|---|---|---|
| ACCESS_CALENDAR (Severity: Medium) | Sensor | Data at Risk | A filesystem filter driver is set to identify a read access based on target file extension. | Access the calendar application data files. For example Outlook. |
| ACCESS_CLIPBOARD (Severity: Medium) | Sensor | Data at Risk | The Win32 API GetClipboardData() is called. | Access clipboard application data. |
| ACCESS_CONTACTS (Severity: Medium) | Sensor | Data at Risk | A filesystem filter driver is set to identify a read access based on target file extension. | Access contact list/phone list application data. |
| ACCESS_DATA_FILES (Severity: Medium) | Sensor | Data at Risk | A filesystem filter driver is set to identify a read access based on target file extension. | Access data files. |
| ACCESS_EMAIL_DATA (Severity: Medium) | Sensor | Data at Risk | A filesystem filter driver is set to identify a read access based on target file extension. | Access email contents. |
| ACTIVE_CLIENT (Severity: Low) | Sensor | Network Threat | A network filter driver is set to identify the successful initiation of IPv4 or IPv6 connections. | Application successfully initiated a network connection. |
| ACTIVE_SERVER (Severity: Medium) | Sensor | Network Threat | A network filter driver is set to identify accepted IPv4 or IPv6 connections. | Application successfully accepted a network connection. |
| ADAPTIVE_WHITE_APP (Severity: None) | Analytics | Malware & Application Abuse | A hash lookup has identified an executable with reputation: ADAPTIVE_WHITE_APP. App is also (not signed) and (new i.e. age < 30 days). | An unknown application that scanned clean. |
| ATTEMPTED_CLIENT (Severity: Low) | Sensor | Network Threat | A network filter driver is set to identify the unsuccessful initiation of IPV4 or IPv6 connections. | Application attempted to initiate a network connection (and failed). |
| ATTEMPTED_SERVER (Severity: None) | Sensor | Network Threat | A network filter driver is set to identify the unsuccessful acceptance of IPV4 or IPv6 connections. | Application attempted to accept a network connection (and failed). |
| BEACON (Severity: Medium) | Analytics | Network Threat | A failed network socket connection was enforced at the network filter driver, including the use of userland hooks. | Low Reputation application (ADAPTIVE_WHITE or worse) running for the first time attempted to beacon over http/s to a server, unsuccessfully. |
| BUFFER_OVERFLOW_CALL (Severity: Medium) | Sensor | Emerging Threats | Userland hooks are set to identify API calls from writeable memory. | Application attempted a system call from a buffer overflow. |
| BYPASS_POLICY (Severity: High) | Sensor | Emerging Threats | Identified a driver callback that includes specially crafted command line arguments. | Application attempted to bypass the device's default security policy. |
| CODE_DROP (Severity: Medium) | Sensor | Malware & Application Abuse | A filesystem filter driver is set to identify the creation of a new binary or script, based on target file extension. | Application dropped an executable or script. |
| COMPANY_BANNED (Severity: High) | Sensor | Malware & Application Abuse | The hash of a binary has been banned from executing, placed on the COMPANY_BANNEDLIST. | Application is on the company banned list. |
| COMPANY_BLACKLIST (Severity: High) | Sensor | Malware & Application Abuse | The hash of a binary has been banned from executing, placed on the COMPANY_BLACKLIST. | Application is on the company banned list. |
| COMPROMISED_PARENT (Severity: None) | Sensor | Process Manipulation | Userland hooks are set to identify processes that complete buffer overflow, process hollowing or code injection by compromised app such as, email, office, or browsers apps. | Parent process has been compromised due to process modifications such as buffer overflow, code injection, or process hollowing. |
| COMPROMISED_PROCESS (Severity: Medium) | Sensor | Process Manipulation | Userland hooks are set to identify processes that complete buffer overflow, process hollowing or code injection by compromised app such as, email, office, or browsers apps. | Process has been compromised due to process modifications such as buffer overflow, code injection, or process hollowing. |
| CONNECT_AFTER_SCAN (Severity: None) | Analytics | Network Threat | Analytics checks to see if a connection has been made after an initial port scan. | A connection has been made after an initial port scan. |
| COPY_PROCESS_MEMORY (Severity: High) | Sensor | Data at Risk | Userland hooks are set to identify an application that took a memory snapshot of another process. | Application took a memory snapshot of another process |
| DATA_TO_ENCRYPTION (Severity: None) | Sensor | Data at Risk | A process attempts to modify a ransomware canary file. | An application tried to modify one of the special ransomware canary files that the Carbon Black Cloud placed in the file system. These files are sensor-controlled and should never be modified by any application other than the Carbon Black Cloud. |
| DETECTED_BLACKLIST_APP (Severity: High) | Sensor & Analytics | Malware & Application Abuse | Hash of discovered executable has reputation: COMPANY_BLACKLIST. | A Blacklisted application has been detected on the filesystem. |
| DETECTED_MALWARE_APP (Severity: High) | Sensor & Analytics | Malware & Application Abuse | Hash or local scan of discovered executable has reputation: KNOWN_MALWARE | Malware application has been detected on the filesystem. |
| DETECTED_PUP_APP (Severity: High) | Sensor & Analytics | Malware & Application Abuse | Hash or local scan of discovered executable has reputation: PUP | Potentially Unwanted Application (PUP) has been detected on the filesystem. |
| DETECTED_SUSPECT_APP (Severity: High) | Sensor & Analytics | Malware & Application Abuse | Hash or local scan of discovered executable has reputation: SUSPECT_MALWARE | Suspect Application has been detected on the filesystem. |
| DUMP_PROCESS_MEMORY (Severity: Medium) | Sensor | Data at Risk | Userland API hooks are set to detect a process memory dump. | Application created a memory dump of another process on the filesystem |
| EMAIL_CLIENT (Severity: Low) | Sensor | Network Threat | A network filter driver is set to identify client connections that use an email protocol (e.g.SMTP, SMTPS, POP3, POP3S. IMAP, IMAP2, IMAPS). | Non-Email application (i.e. unknown) is acting like an email client and sending data on an email port. |
| ENUMERATE_PROCESSES (Severity: Medium) | Sensor | Generic Suspect | Userland API hooks are set to detect process enumeration. | Process is attempting to obtain a list of other processes executing on the host. |
| FAKE_APP (Severity: High) | Analytics | Malware & Application Abuse | A filesystem driver is set to identify "well known" windows applications by path (e.g. explorer, winlogin, lsass, etc) which are executed from the wrong directory. | Application that is potentially impersonating a well-known application. |
| FILE_TRANSFER (Severity: High) | Sensor | Network Threat | A network filter driver is set to identify successfully established, connected or rejected IPV4 or IPv6 connections on FTP. | Application is attempting to transfer a file over the network. |
| FILE_UPLOAD (Severity: Medium) | Analytics | Network Threat | Userland hooks, network filter driver and file system filter driver are set to identify processes that perform memory scraping followed by a network connection. | Application is potentially uploading stolen data over the network. |
| FILELESS (Severity: Critical) | Analytics | Emerging Threats | A driver callback is identified that includes command line arguments to execute a script from command line or registry | A script interpreter is acting on a script that is not present on disk. |
| FIXED_PORT_LISTEN (Severity: Low) | Sensor | Network Threat | An IPv4 or IPv6 network filter driver has been set to listen for connections on a fixed port | Application is listening on a fixed port. |
| HAS_BUFFER_OVERFLOW (Severity: Low) | Sensor | Emerging Threats | Userland hooks are set to identify API calls from writeable memory | This process has exhibited a buffer overflow. |
| HAS_COMPROMISED_CODE (Severity: High) | Sensor | Process Manipulation | A COMPROMISED_PROCESS has called one of a large variety of high risk functions. | A compromised process had called one of multiple functions |
| HAS_INJECTED_CODE (Severity: None) | Analytics | Process Manipulation | The analytics keeps track if a process has been compromised and then injects code into another process. | The process is running injected code. |
| HAS_MALWARE_CODE (Severity: High) | Sensor | Process Manipulation | A MALWARE_APP has performed a process injection using one of a variety of high risk techniques. | Process has been injected into by known malware. |
| HAS_PACKED_CODE (Severity: Low) | Sensor | Process Manipulation | Userland hooks have identified an API call from writeable memory. | Application contains dynamic code (i.e. writable memory & not buffer overflow). |
| HAS_PUP_CODE (Severity: High) | Sensor | Process Manipulation | A PUP_APP has performed a process injection using one of a variety of techniques. | Process has been injected into by a PUP. |
| HAS_SCRIPT_DLL (Severity: Low) | Sensor | Generic Suspect | A driver routine is set to identify processes that load an in-memory script interpreter. | Process loads an in-memory script interpreter. |
| HAS_SUSPECT_CODE (Severity: High) | Sensor | Process Manipulation | A SUSPECT_APP has performed a process injection using one of a variety of techniques. | Process has been injected into by suspect malware. |
| HIDDEN_PROCESS (Severity: High) | Sensor | Generic Suspect | Events attributed to a process which is not visible to periodic user level process calls. | Sensor has detected a hidden process. |
| HOLLOW_PROCESS (Severity: None) | Sensor | Process Manipulation | Multiple user level hooks are set to identify a specific sequence of calls that indicate a process is being replaced with another. | A technique used to hide the presence of a process, typically performed by creating a suspended process, replacing it with a malicious one. |
| IMPERSONATE_SYSTEM (Severity: None) | Analytics | Process Manipulation | Is set when the username that is associated with a process changes during the course of execution to NT AUTHORITY\SYSTEM. | Tracks the username that is associated with a process and watches for change of associated username to system/root. |
| IMPERSONATE_USER (Severity: None) | Analytics | Process Manipulation | Is set when the username that is associated with a process changes during the course of execution to something other than NT AUTHORITY\SYSTEM. | Tracks the username that is associated with a process and watches for change of associated username from system/root to that of another user. |
| INDIRECT_COMMAND_EXECUTION (Severity: Low) | Sensor | Malware & Application Abuse | Various system utilities may have been used to execute commands, possibly without invoking cmd. | System utility used to indirectly execute another command. |
| INJECT_CODE (Severity: Medium) | Sensor | Process Manipulation | Multiple kernel, OS and User level techniques are set to identify applications attempting to inject code into another process space | Application is attempting to inject code into another process. |
| INJECT_INPUT (Severity: Medium) | Sensor | Generic Suspect | Userland hooks are set to identify an attempt to inject input into process | Application is attempting to inject input into process. |
| INSTALL (Severity: Low) | Sensor | Generic Suspect | A filesystem filter driver is set to identify the creation of new binaries or scripts based on target file extension by installer executable | Install process is running. |
| INTERNATIONAL_SITE (Severity: Low) | Analytics | Network Threat | Geographic IP is set to identify the source or destination of IPv4 and IPv6 connections. | Application attempt to communicate with a peer IP address located in another country (excluding into US) |
| IRC (Severity: Medium) | Sensor | Network Threat | An IPv4 or IPv6 network filter driver is set to identify connections using common IRC ports | Application attempt to communicate over Internet Relay Chat port. |
| KERNEL_ACCESS (Severity: None) | Sensor | Malware & Application Abuse | A process attempts to modify the system's master boot record (MBR). | An application attempts to directly access the system's hard drive to write data into the MBR portion of the disk. Malware uses this tactic to alter system behavior on startup. |
| KNOWN_APT (Severity: Critical) | Sensor & Analytics | Malware & Application Abuse | A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: APT | Application is Advanced Persistent Threat. |
| KNOWN_BACKDOOR (Severity: Critical) | Sensor & Analytics | Malware & Application Abuse | A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: backdoor | Application is a known backdoor into the system. |
| KNOWN_DOWNLOADER (Severity: Critical) | Sensor & Analytics | Malware & Application Abuse | A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: downloader | Application is a known malicious downloader. |
| KNOWN_DROPPER (Severity: Critical) | Sensor & Analytics | Malware & Application Abuse | A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: dropper | Application is a known dropper of executables |
| KNOWN_KEYLOGGER (Severity: Critical) | Sensor & Analytics | Malware & Application Abuse | A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: keylogger | Application known to monitor keyboard input. |
| KNOWN_PASSWORD_STEALER (Severity: Critical) | Sensor & Analytics | Malware & Application Abuse | A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: password stealer | Application known to steal passwords. |
| KNOWN_RANSOMWARE (Severity: Critical) | Sensor & Analytics | Malware & Application Abuse | A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: ransomware | Application is known Ransomware. |
| KNOWN_ROGUE (Severity: Critical) | Sensor & Analytics | Malware & Application Abuse | A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: rogue | Application is known as a rogue application. |
| KNOWN_ROOTKIT (Severity: None) | Sensor & Analytics | Malware & Application Abuse | A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: rootkit | Application is a known root kit. |
| KNOWN_WORM (Severity: Critical) | Sensor & Analytics | Malware & Application Abuse | A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: worm | Application is a known worm. |
| LEVERAGES_SYSTEM_UTILITY (Severity: High) | Analytics | Emerging Threats | Various system utilities may have been used to perform malicious activity. | A system utility was used for potentially malicious purposes. |
| LOW_REPUTATION_SITE (Severity: Medium) | Analytics | Network Threat | A network filter driver is set to identify connections to a peer IP address or Domain that has a low site reputation score | Application made a network connection to a peer with low reputation. |
| MALWARE_APP (Severity: Critical) | Analytics | Malware & Application Abuse | A hash lookup or local scanner has identified a running executable that has reputation: MALWARE | Application is a known Malware application. |
| MALWARE_DROP (Severity: High) | Sensor | Malware & Application Abuse | A CODE_DROP has been detected where the dropped application has the reputation: KNOWN_MALWARE : SUSPECT_MALWARE | Application dropped a malware application. |
| MALWARE_SERVICE_DISABLED (Severity: Not applicable) | Sensor | Policy Action | The analytics receives this info from the sensor and sets this value accordingly. | Malware service detected and disabled by a policy. |
| MALWARE_SERVICE_FOUND (Severity: Not applicable) | Sensor | Policy Action | The analytics receives this info from the sensor and sets this value accordingly. | Malware service detected by a policy. |
| MODIFY_KERNEL (Severity: Critical) | Sensor | Process Manipulation | A userland hook has identified a process that modified kernel space | Application modified system kernel.via NullPage Allocation |
| MODIFY_MEMORY_PROTECTION (Severity: Medium) | Sensor | Process Manipulation | A userland hook is set to detect a process modifying the memory permissions of a secondary process | Application modify memory protection settings for the process. |
| MODIFY_OWN_PROCESS (Severity: Medium) | Sensor | Process Manipulation | A userland hook is set to detect a process that opens a handle to itself. | Application attempted to open its own process with permissions to modify itself. |
| MODIFY_PROCESS_EXECUTION (Severity: None) | Sensor | Process Manipulation | A userland hook is set to identify attempts to modify the execution context in another process thread. | Application attempted to modify the execution context in another process thread (either EAX or EIP) |
| MODIFY_PROCESS (Severity: Medium) | Sensor | Process Manipulation | A userland hook is set to identify applications attempting to open another process | Application attempted to open another process with permissions to modify the target. |
| MODIFY_SENSOR (Severity: Critical) | Sensor | Emerging Threats | A userland hook is set to identify an attempt to modify or disable the Carbon Black Cloud Sensor | Tamper Protection - Application attempted to modify Carbon Black Cloud Sensor. |
| MODIFY_SERVICE (Severity: High) | Sensor | Process Manipulation | A userland hook is set to identify applications that attempt to control, create or delete a windows service | Application attempted to control, create or delete a windows service. |
| MONITOR_MICROPHONE (Severity: Medium) | Sensor | Data at Risk | A userland hook is set to identify applications attempting to monitor the microphone | Application attempted to monitor the microphone. |
| MONITOR_USER_INPUT (Severity: Medium) | Sensor | Data at Risk | A userland hook is set to identify applications attempting to monitor user input | Application attempted to monitor user input (keyboard or mouse). |
| MONITOR_WEBCAM (Severity: Medium) | Sensor | Data at Risk | A userland hook is set to identify applications attempting to monitor the onboard camera | Application attempted to monitor web camera. |
| NETWORK_ACCESS (Severity: Low) | Sensor | Network Threat | An IPv4 or IPv6 network filter driver has successfully initiated or accepted a network connection | Application successfully initiated or accepted a network connection |
| NON_STANDARD_PORT (Severity: None) | Sensor | Network Threat | Network filter driver verifies ports for common protocols. Identifies non-trusted applications from making non-http requests. | The process of passing network traffic on an alternative port to which it was assigned by the IANA Internet Assigned Numbers Authority (IANA); for example, passing FTP on port 8081 when it is normally configured to listen on port 21. |
| OS_DENY (Severity: None) | Sensor | Operating System Action | Analytics receives this info from the sensor and sets this value accordingly. | The attempted action was denied by the operating system. |
| PACKED_CALL (Severity: Medium) | Sensor | Emerging Threats | A userland hook is set to identify API calls from writeable memory | Application attempted a system call from dynamic code (i.e. writable memory & not buffer overflow) |
| PACKED_CODE (Severity: None) | Analytics | Process Manipulation | Depending on the arguments to script interpreters and applications, this is set when the arguments are related to encoding, obfuscating, file-less execution, etc. | The process contains unpacked code. |
| PERSIST (Severity: None) | Sensor | Generic Suspect | A file system driver is set to identify registry modifications that enable persistence upon reboot or application removal also known as auto-start extensibility points (ASEP) | Persistent application. |
| PHISHING (Severity: None) | Sensor | Generic Suspect | A driver callback is identified where an email application launches a web browser. | Email client launching a browser. |
| PHONE_HOME (Severity: Medium) | Sensor | Network Threat | An IPv4 or IPv6 network filter driver is set to identify client connections to a host that had performed a port scan against a Sensor | Application attempt to connect back to a scanning host. |
| POLICY_DENY (Severity: Not applicable) | Sensor | Policy Action | The analytics receives this info from the sensor and sets this value accordingly. | The attempted action was denied due to policy. |
| POLICY_TERMINATE (Severity: Not applicable) | Sensor | Policy Action | The analytics receives this info from the sensor and sets this value accordingly. | The process was terminated due to policy. |
| PORTSCAN (Severity: None) | Sensor | Network Threat | N consecutive scans on different ports from the same host are detected. | A port scan is conducted. |
| PRIVILEGE_ESCALATE (Severity: None) | Analytics | Process Manipulation | Is set when the username that is associated with a process changes during the course of execution to "NT AUTHORITY\SYSTEM" or the process has gained the admin privilege. | Checks to see whether the actual SYSTEM privilege is associated with the process (not just the username context). |
| PROCESS_IMAGE_REPLACED (Severity: None) | Sensor | Process Manipulation | Userland hooks watch for specific APIs being invoked that involve overwriting of the main executable section of a process, and other related manipulations such as suspending and unmapping sections. | Application has had its primary executable code replaced with other code. |
| PUP_APP (Severity: High) | Analytics | Malware & Application Abuse | A hash lookup or local scanner has identified a running executable that has reputation: PUP | Application is a Potentially Unwanted Program. |
| RAM_SCRAPING (Severity: Medium) | Sensor & Analytics | Data at Risk | User land hook is set to detect an application's attempt to read process memory. | When a process tries to scrape the memory utilized by another process. |
| READ_PROCESS_MEMORY (Severity: Medium) | Sensor | Data at Risk | A userland hook is set to detect applications attempting to read process memory. | Application is attempting to read process memory. |
| READ_SECURITY_DATA (Severity: High) | Sensor | Data at Risk | A userland hook is set to detect an application attempting to read privileged security information. | Application is attempting to read privileged security information (for example, lsass.exe). |
| REVERSE_SHELL (Severity: High) | Sensor & Analytics | Emerging Threats | A userland hook is set to identify a process that reads from or writes to console via a network connection | Command shell (e.g. cmd.exe) interactively receiving commands from a network parent |
| RUN_ANOTHER_APP (Severity: Low) | Sensor | Malware & Application Abuse | A userland hook is set to identify applications that attempt to execute another application. | Application attempted to execute another application. |
| RUN_BLACKLIST_APP (Severity: High) | Sensor | Malware & Application Abuse | A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP and child_proc is COMPANY_BLACKLIST | Application attempted to execute a blacklisted application. |
| RUN_BROWSER (Severity: Low) | Sensor | Malware & Application Abuse | A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP & child_proc is a common browser executable | Application attempted to execute a browser. |
| RUN_CMD_SHELL (Severity: Low) | Sensor | Malware & Application Abuse | A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP and child_proc is a windows shell | Application attempted to execute a command shell. |
| RUN_MALWARE_APP (Severity: Critical) | Sensor | Malware & Application Abuse | A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP and child process is MALWARE_APP | Application attempted to execute a malware application. |
| RUN_NET_UTILITY (Severity: High) | Sensor | Malware & Application Abuse | A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP and child target process is a common network utility such as "netsh.exe" | Application attempted to execute a network utility application. |
| RUN_PUP_APP (Severity: High) | Sensor | Malware & Application Abuse | A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP and child process is PUP_APP | Application attempted to execute a PUP application. |
| RUN_SUSPECT_APP (Severity: High) | Sensor | Malware & Application Abuse | A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP and child_proc is SUSPECT_APP. | Application attempted to execute a application with a suspect reputation. |
| RUN_SYSTEM_APP (Severity: Low) | Sensor | Malware & Application Abuse | A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP &and child process is a system app (application or dll located in the "windows", "windows\system32", "windows\sysWOW64", "\windows\WinSxS\**" directories ). | Application attempted to execute a systems application. |
| RUN_SYSTEM_UTILITY (Severity: Medium) | Sensor | Malware & Application Abuse | A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP and child_proc is a system utility such as regedit. | Application attempted to run a system utility (for example, regedit) |
| RUN_UNKNOWN_APP (Severity: None) | Sensor | Malware & Application Abuse | A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP and child process is UNKNOWN_APP. | Application tried to execute an application with unknown reputation. |
| SCREEN_SHOT (Severity: None) | Sensor | Data at Risk | Win32 API SendInput() is used to synthesize a PrintScreen key press or Win32 API CreateCompatibleBitmap() is called. | A screenshot is taken on the machine. |
| SECURITY_CONFIG_DOWNGRADE (Severity: High) | Analytics | Emerging Threats | Windows Firewall or other system security configurations have been changed or downgraded, lowering its security posture. | A Windows security configuration has been downgraded. |
| SET_APP_CONFIG (Severity: Medium) | Sensor | Generic Suspect | A userland hook is set to identify apps that modify the registry (Microsoft Office Security keys) or set system application configuration parameters | Application set system application configuration parameters. |
| SET_APP_LAUNCH (Severity: Medium) | Sensor | Generic Suspect | A userland hook is set to identify apps that attempt to modify registry to effect when or how another application may be launched (Autoruns key, Run, RunOnce, Load, Shell and Open Commands) | Application attempted to modify keys to effect when/how another application may be launched |
| SET_BROWSER_CONFIG (Severity: Low) | Sensor | Generic Suspect | A userland hook is set to identify apps that attempt to modify registry (Install ActiveX controls, Internet Settings, System Certificates, Internet Explorer keys, browser helper objects, COM InProcServer) | Application attempted to modify the browser settings. |
| SET_LOGIN_OPS (Severity: Medium) | Analytics | Emerging Threats | Set by monitoring registry modifications to keys related to Win log on process. | Application attempted to modify process associated with Win log on or user name. |
| SET_REBOOT_OPS (Severity: Low) | Sensor | Generic Suspect | A userland hook is set to identify apps that attempt to modify registry ( BootExecute, Session Manager File Operations) | Application attempted to set reboot configuration operations. |
| SET_REMOTE_ACCESS (Severity: Medium) | Sensor | Emerging Threats | A userland hook is set to identify apps that attempt to modify registry (SecurePipeServers winreg settings, lanman parameters, etc) | Application attempted to set remote access configuration. |
| SET_SYSTEM_AUDIT (Severity: High) | Sensor | Generic Suspect | A userland hook is set to identify apps that attempt to modify registry (TaskManager keys, DisableRegistryTools) | Application attempted to set the system audit parameters. |
| SET_SYSTEM_CONFIG (Severity: Medium) | Sensor | Generic Suspect | A userland hook is set to identify applications that attempt to modify registry such as Uninstall keys or wallpaper, as well as attempt to modify system configuration data files | Application attempted to set system config parameters. |
| SET_SYSTEM_FILE (Severity: None) | Sensor | Malware & Application Abuse | A process attempts to modify the system's master boot record (MBR). | An application attempts to directly access the system's hard drive to write data into the MBR portion of the disk. Malware uses this tactic to alter system behavior on startup. |
| SET_SYSTEM_SECURITY (Severity: Medium) | Sensor | Generic Suspect | A userland hook is set to identify apps that attempt to modify registry (Autoruns key, UserInit, Run, RunOnce, Load, BootExecute, AppInit_DLLs, Shell and Open Commands, Uninstall Keys, COM InProcServer, Install ActiveX controls etc.) | Application attempts to set or change system security operations. |
| SUSPECT_APP (Severity: High) | Sensor & Analytics | Malware & Application Abuse | A hash lookup or local scanner has identified a running executable that has reputation: SUSPECT. App is also (not signed) | Application is suspected malicious by AV. |
| SUSPENDED_PROCESS (Severity: Medium) | Sensor | Process Manipulation | A userland hook is set to identify a process that was created in the suspended state | A process created in a suspended state is being modified (pre-execution). |
| SUSPICIOUS_BEHAVIOR (Severity: Medium) | Analytics | Generic Suspect | A userland hook is set to identify applications executing code from dynamic memory (e.g. from a Buffer Overflow or unpacked code) and are making calls to applications which typically do not communicate on the network (e.g. "calc.exe") making network connections, etc. | Application unusual behavior warrants attention. |
| SUSPICIOUS_DOMAIN (Severity: High) | Sensor & Analytics | Network Threat | Network filter driver is set to identify when INTERNATIONAL_SITE is an ISO 3166-1 Country Code (e.g. CU, IR, SD, SY, IQ, LY, KP, YE, etc) | Application is connecting to a suspicious network domain.(based upon ISO 3166-1 country codes). |
| SUSPICIOUS_SITE (Severity: Medium) | Sensor & Analytics | Network Threat | An IPv4 or IPv6 network filter driver is set to identify accepted connections from a suspicious INTERNATIONAL_SITE (e.g. domains in RU, CN) | Application accepts an inbound network connection from a suspicious international site. |
| UNKNOWN_APP (Severity: None) | Sensor & Analytics | Malware & Application Abuse | A hash lookup has identified a running executable that has reputation: not_listed (i.e. unknown). App is also (not signed) | Application is unknown reputation. |
