Tactics, Techniques, and Procedures (TTPs) are behaviors, methods, or patterns of activity used by a threat actor, or group of threat actors.

Events and alerts are tagged with TTPs to provide context around attacks and behaviors leading up to attacks that are detected and prevented by policy actions. Events and alerts may also be tagged with MITRE Techniques. See the MITRE Techniques Reference for a full list of MITRE techniques in the Carbon Black Cloud console.

Important: VMware Carbon Black is replacing the terms blacklist and whitelist with banned list and approved list. Notice will be provided in advance of terminology updates to APIs, TTPs, and Reputations.
Tag Where It's Detected Category How It's Set Description
ACCESS_CALENDAR (Severity: Medium) Sensor Data at Risk A filesystem filter driver is set to identify a read access based on target file extension. Access the calendar application data files. For example Outlook.
ACCESS_CLIPBOARD (Severity: Medium) Sensor Data at Risk The Win32 API GetClipboardData() is called. Access clipboard application data.
ACCESS_CONTACTS (Severity: Medium) Sensor Data at Risk A filesystem filter driver is set to identify a read access based on target file extension. Access contact list/phone list application data.
ACCESS_DATA_FILES (Severity: Medium) Sensor Data at Risk A filesystem filter driver is set to identify a read access based on target file extension. Access data files.
ACCESS_EMAIL_DATA (Severity: Medium) Sensor Data at Risk A filesystem filter driver is set to identify a read access based on target file extension. Access email contents.
ACTIVE_CLIENT (Severity: Low) Sensor Network Threat A network filter driver is set to identify the successful initiation of IPv4 or IPv6 connections. Application successfully initiated a network connection.
ACTIVE_SERVER (Severity: Medium) Sensor Network Threat A network filter driver is set to identify accepted IPv4 or IPv6 connections. Application successfully accepted a network connection.
ADAPTIVE_WHITE_APP (Severity: None) Analytics Malware & Application Abuse A hash lookup has identified an executable with reputation: ADAPTIVE_WHITE_APP. App is also (not signed) and (new i.e. age < 30 days). An unknown application that scanned clean.
ATTEMPTED_CLIENT (Severity: Low) Sensor Network Threat A network filter driver is set to identify the unsuccessful initiation of IPV4 or IPv6 connections. Application attempted to initiate a network connection (and failed).
ATTEMPTED_SERVER (Severity: None) Sensor Network Threat A network filter driver is set to identify the unsuccessful acceptance of IPV4 or IPv6 connections. Application attempted to accept a network connection (and failed).
BEACON (Severity: Medium) Analytics Network Threat A failed network socket connection was enforced at the network filter driver, including the use of userland hooks. Low Reputation application (ADAPTIVE_WHITE or worse) running for the first time attempted to beacon over http/s to a server, unsuccessfully.
BUFFER_OVERFLOW_CALL (Severity: Medium) Sensor Emerging Threats Userland hooks are set to identify API calls from writeable memory. Application attempted a system call from a buffer overflow.
BYPASS_POLICY (Severity: High) Sensor Emerging Threats Identified a driver callback that includes specially crafted command line arguments. Application attempted to bypass the device's default security policy.
CODE_DROP (Severity: Medium) Sensor Malware & Application Abuse A filesystem filter driver is set to identify the creation of a new binary or script, based on target file extension. Application dropped an executable or script.
COMPANY_BANNED (Severity: High) Sensor Malware & Application Abuse The hash of an binary has been banned from executing, placed on the COMPANY_BANNEDLIST. Application is on the company banned list.
COMPANY_BLACKLIST (Severity: High) Sensor Malware & Application Abuse The hash of an binary has been banned from executing, placed on the COMPANY_BLACKLIST. Application is on the company banned list.
COMPROMISED_PARENT (Severity: None) Sensor Process Manipulation Userland hooks are set to identify processes that complete buffer overflow, process hollowing or code injection by compromised app such as, email, office, or browsers apps. Parent process has been compromised due to process modifications such as buffer overflow, code injection, or process hollowing.
COMPROMISED_PROCESS (Severity: Medium) Sensor Process Manipulation Userland hooks are set to identify processes that complete buffer overflow, process hollowing or code injection by compromised app such as, email, office, or browsers apps. Process has been compromised due to process modifications such as buffer overflow, code injection, or process hollowing.
CONNECT_AFTER_SCAN (Severity: None) Analytics Network Threat Analytics checks to see if a connection has been made after an initial port scan. A connection has been made after an initial port scan.
COPY_PROCESS_MEMORY (Severity: High) Sensor Data at Risk Userland hooks are set to identify an application that took a memory snapshot of another process. Application took a memory snapshot of another process
DATA_TO_ENCRYPTION (Severity: None) Sensor Data at Risk A process attempts to modify a ransomware canary file. An application tried to modify one of the special ransomware canary files that the Carbon Black Cloud placed in the file system. These files are sensor-controlled and should never be modified by any application other than the Carbon Black Cloud.
DETECTED_BLACKLIST_APP (Severity: High) Sensor & Analytics Malware & Application Abuse Hash of discovered executable has reputation: COMPANY_BLACKLIST. A Blacklisted application has been detected on the filesystem.
DETECTED_MALWARE_APP (Severity: High) Sensor & Analytics Malware & Application Abuse Hash or local scan of discovered executable has reputation: KNOWN_MALWARE Malware application has been detected on the filesystem.
DETECTED_PUP_APP (Severity: High) Sensor & Analytics Malware & Application Abuse Hash or local scan of discovered executable has reputation: PUP Potentially Unwanted Application (PUP) has been detected on the filesystem.
DETECTED_SUSPECT_APP (Severity: High) Sensor & Analytics Malware & Application Abuse Hash or local scan of discovered executable has reputation: SUSPECT_MALWARE Suspect Application has been detected on the filesystem.
DUMP_PROCESS_MEMORY (Severity: Medium) Sensor Data at Risk Userland API hooks are set to detect a process memory dump. Application created a memory dump of another process on the filesystem
EMAIL_CLIENT (Severity: Low) Sensor Network Threat A network filter driver is set to identify client connections that use an email protocol (e.g.SMTP, SMTPS, POP3, POP3S. IMAP, IMAP2, IMAPS). Non-Email application (i.e. unknown) is acting like an email client and sending data on an email port.
ENUMERATE_PROCESSES (Severity: Medium) Sensor Generic Suspect Userland API hooks are set to detect process enumeration. Process is attempting to obtain a list of other processes executing on the host.
FAKE_APP (Severity: High) Analytics Malware & Application Abuse A filesystem driver is set to identify "well known" windows applications by path (e.g. explorer, winlogin, lsass, etc) which are executed from the wrong directory. Application that is potentially impersonating a well-known application.
FILE_TRANSFER (Severity: High) Sensor Network Threat A network filter driver is set to identify successfully established, connected or rejected IPV4 or IPv6 connections on FTP. Application is attempting to transfer a file over the network.
FILE_UPLOAD (Severity: Medium) Analytics Network Threat Userland hooks, network filter driver and file system filter driver are set to identify processes that perform memory scraping followed by a network connection. Application is potentially uploading stolen data over the network.
FILELESS (Severity: Critical) Analytics Emerging Threats A driver callback is identified that includes command line arguments to execute a script from command line or registry A script interpreter is acting on a script that is not present on disk.
FIXED_PORT_LISTEN (Severity: Low) Sensor Network Threat An IPv4 or IPv6 network filter driver has been set to listen for connections on a fixed port Application is listening on a fixed port.
HAS_BUFFER_OVERFLOW (Severity: Low) Sensor Emerging Threats Userland hooks are set to identify API calls from writeable memory This process has exhibited a buffer overflow.
HAS_COMPROMISED_CODE (Severity: High) Sensor Process Manipulation A COMPROMISED_PROCESS has called one of a large variety of high risk functions. A compromised process had called one of multiple functions
HAS_INJECTED_CODE (Severity: None) Analytics Process Manipulation The analytics keeps track if a process has been compromised and then injects code into another process. The process is running injected code.
HAS_MALWARE_CODE (Severity: High) Sensor Process Manipulation A MALWARE_APP has performed a process injection using one of a variety of high risk techniques. Process has been injected into by known malware.
HAS_PACKED_CODE (Severity: Low) Sensor Process Manipulation Userland hooks have identified an API call from writeable memory. Application contains dynamic code (i.e. writable memory & not buffer overflow).
HAS_PUP_CODE (Severity: High) Sensor Process Manipulation A PUP_APP has performed a process injection using one of a variety of techniques. Process has been injected into by a PUP.
HAS_SCRIPT_DLL (Severity: Low) Sensor Generic Suspect A driver routine is set to identify processes that load an in-memory script interpreter. Process loads an in-memory script interpreter.
HAS_SUSPECT_CODE (Severity: High) Sensor Process Manipulation A SUSPECT_APP has performed a process injection using one of a variety of techniques. Process has been injected into by suspect malware.
HIDDEN_PROCESS (Severity: High) Sensor Generic Suspect Events attributed to a process which is not visible to periodic user level process calls. Sensor has detected a hidden process.
HOLLOW_PROCESS (Severity: None) Sensor Process Manipulation Multiple user level hooks are set to identify a specific sequence of calls that indicate a process is being replaced with another. A technique used to hide the presence of a process, typically performed by creating a suspended process, replacing it with a malicious one.
IMPERSONATE_SYSTEM (Severity: None) Analytics Process Manipulation Is set when the username that is associated with a process changes during the course of execution to NT AUTHORITY\SYSTEM. Tracks the username that is associated with a process and watches for change of associated username to system/root.
IMPERSONATE_USER (Severity: None) Analytics Process Manipulation Is set when the username that is associated with a process changes during the course of execution to something other than NT AUTHORITY\SYSTEM. Tracks the username that is associated with a process and watches for change of associated username from system/root to that of another user.
INDIRECT_COMMAND_EXECUTION (Severity: Low) Sensor Malware & Application Abuse Various system utilities may have been used to execute commands, possibly without invoking cmd. System utility used to indirectly execute another command.
INJECT_CODE (Severity: Medium) Sensor Process Manipulation Multiple kernel, OS and User level techniques are set to identify applications attempting to inject code into another process space Application is attempting to inject code into another process.
INJECT_INPUT (Severity: Medium) Sensor Generic Suspect Userland hooks are set to identify an attempt to inject input into process Application is attempting to inject input into process.
INSTALL (Severity: Low) Sensor Generic Suspect A filesystem filter driver is set to identify the creation of new binaries or scripts based on target file extension by installer executable Install process is running.
INTERNATIONAL_SITE (Severity: Low) Analytics Network Threat Geographic IP is set to identify the source or destination of IPv4 and IPv6 connections. Application attempt to communicate with a peer IP address located in another country (excluding into US)
IRC (Severity: Medium) Sensor Network Threat An IPv4 or IPv6 network filter driver is set to identify connections using common IRC ports Application attempt to communicate over Internet Relay Chat port.
KERNEL_ACCESS (Severity: None) Sensor Malware & Application Abuse A process attempts to modify the system's master boot record (MBR). An application attempts to directly access the system's hard drive to write data into the MBR portion of the disk. Malware uses this tactic to alter system behavior on startup.
KNOWN_APT (Severity: Critical) Sensor & Analytics Malware & Application Abuse A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: APT Application is Advanced Persistent Threat.
KNOWN_BACKDOOR (Severity: Critical) Sensor & Analytics Malware & Application Abuse A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: backdoor Application is a known backdoor into the system.
KNOWN_DOWNLOADER (Severity: Critical) Sensor & Analytics Malware & Application Abuse A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: downloader Application is a known malicious downloader.
KNOWN_DROPPER (Severity: Critical) Sensor & Analytics Malware & Application Abuse A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: dropper Application is a known dropper of executables
KNOWN_KEYLOGGER (Severity: Critical) Sensor & Analytics Malware & Application Abuse A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: keylogger Application known to monitor keyboard input.
KNOWN_PASSWORD_STEALER (Severity: Critical) Sensor & Analytics Malware & Application Abuse A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: password stealer Application known to steal passwords.
KNOWN_RANSOMWARE (Severity: Critical) Sensor & Analytics Malware & Application Abuse A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: ransomware Application is known Ransomware.
KNOWN_ROGUE (Severity: Critical) Sensor & Analytics Malware & Application Abuse A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: rogue Application is known as a rogue application.
KNOWN_ROOTKIT (Severity: None) Sensor & Analytics Malware & Application Abuse A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: rootkit Application is a known root kit.
KNOWN_WORM (Severity: Critical) Sensor & Analytics Malware & Application Abuse A hash lookup has identified a running executable that has reputation: KNOWN_MALWARE, category: worm Application is a known worm.
LEVERAGES_SYSTEM_UTILITY (Severity: High) Analytics Emerging Threats Various system utilities may have been used to perform malicious activity. A system utility was used for potentially malicious purposes.
LOW_REPUTATION_SITE (Severity: Medium) Analytics Network Threat A network filter driver is set to identify connections to a peer IP address or Domain that has a low site reputation score Application made a network connection to a peer with low reputation.
MALWARE_APP (Severity: Critical) Analytics Malware & Application Abuse A hash lookup or local scanner has identified a running executable that has reputation: MALWARE Application is a known Malware application.
MALWARE_DROP (Severity: High) Sensor Malware & Application Abuse A CODE_DROP has been detected where the dropped application has the reputation: KNOWN_MALWARE : SUSPECT_MALWARE Application dropped a malware application.
MALWARE_SERVICE_DISABLED (Severity: Not applicable) Sensor Policy Action The analytics receives this info from the sensor and sets this value accordingly. Malware service detected and disabled by a policy.
MALWARE_SERVICE_FOUND (Severity: Not applicable) Sensor Policy Action The analytics receives this info from the sensor and sets this value accordingly. Malware service detected by a policy.
MODIFY_KERNEL (Severity: Critical) Sensor Process Manipulation A userland hook has identified a process that modified kernel space Application modified system kernel.via NullPage Allocation
MODIFY_MEMORY_PROTECTION (Severity: Medium) Sensor Process Manipulation A userland hook is set to detect a process modifying the memory permissions of a secondary process Application modify memory protection settings for the process.
MODIFY_OWN_PROCESS (Severity: Medium) Sensor Process Manipulation A userland hook is set to detect a process that opens a handle to itself. Application attempted to open its own process with permissions to modify itself.
MODIFY_PROCESS_EXECUTION (Severity: None) Sensor Process Manipulation A userland hook is set to identify attempts to modify the execution context in another process thread. Application attempted to modify the execution context in another process thread (either EAX or EIP)
MODIFY_PROCESS (Severity: Medium) Sensor Process Manipulation A userland hook is set to identify applications attempting to open another process Application attempted to open another process with permissions to modify the target.
MODIFY_SENSOR (Severity: Critical) Sensor Emerging Threats A userland hook is set to identify an attempt to modify or disable the Carbon Black Cloud Sensor Tamper Protection - Application attempted to modify Carbon Black Cloud Sensor.
MODIFY_SERVICE (Severity: High) Sensor Process Manipulation A userland hook is set to identify applications that attempt to control, create or delete a windows service Application attempted to control, create or delete a windows service.
MONITOR_MICROPHONE (Severity: Medium) Sensor Data at Risk A userland hook is set to identify applications attempting to monitor the microphone Application attempted to monitor the microphone.
MONITOR_USER_INPUT (Severity: Medium) Sensor Data at Risk A userland hook is set to identify applications attempting to monitor user input Application attempted to monitor user input (keyboard or mouse).
MONITOR_WEBCAM (Severity: Medium) Sensor Data at Risk A userland hook is set to identify applications attempting to monitor the onboard camera Application attempted to monitor web camera.
NETWORK_ACCESS (Severity: Low) Sensor Network Threat An IPv4 or IPv6 network filter driver has successfully initiated or accepted a network connection Application successfully initiated or accepted a network connection
NON_STANDARD_PORT (Severity: None) Sensor Network Threat Network filter driver verifies ports for common protocols. Identifies non-trusted applications from making non-http requests. The process of passing network traffic on an alternative port to which it was assigned by the IANA Internet Assigned Numbers Authority (IANA); for example, passing FTP on port 8081 when it is normally configured to listen on port 21.
OS_DENY (Severity: None) Sensor Operating System Action Analytics receives this info from the sensor and sets this value accordingly. The attempted action was denied by the operating system.
PACKED_CALL (Severity: Medium) Sensor Emerging Threats A userland hook is set to identify API calls from writeable memory Application attempted a system call from dynamic code (i.e. writable memory & not buffer overflow)
PACKED_CODE (Severity: None) Analytics Process Manipulation Depending on the arguments to script interpreters and applications, this is set when the arguments are related to encoding, obfuscating, file-less execution, etc. The process contains unpacked code.
PERSIST (Severity: None) Sensor Generic Suspect A file system driver is set to identify registry modifications that enable persistence upon reboot or application removal also known as auto-start extensibility points (ASEP) Persistent application.
PHISHING (Severity: None) Sensor Generic Suspect A driver callback is identified where an email application launches a web browser. Email client launching a browser.
PHONE_HOME (Severity: Medium) Sensor Network Threat An IPv4 or IPv6 network filter driver is set to identify client connections to a host that had performed a port scan against a Sensor Application attempt to connect back to a scanning host.
POLICY_DENY (Severity: Not applicable) Sensor Policy Action The analytics receives this info from the sensor and sets this value accordingly. The attempted action was denied due to policy.
POLICY_TERMINATE (Severity: Not applicable) Sensor Policy Action The analytics receives this info from the sensor and sets this value accordingly. The process was terminated due to policy.
PORTSCAN (Severity: None) Sensor Network Threat N consecutive scans on different ports from the same host are detected. A port scan is conducted.
PRIVILEGE_ESCALATE (Severity: None) Analytics Process Manipulation Is set when the username that is associated with a process changes during the course of execution to "NT AUTHORITY\SYSTEM" or the process has gained the admin privilege. Checks to see whether the actual SYSTEM privilege is associated with the process (not just the username context).
PROCESS_IMAGE_REPLACED (Severity: None) Sensor Process Manipulation Userland hooks watch for specific APIs being invoked that involve overwriting of the main executable section of a process, and other related manipulations such as suspending and unmapping sections. Application has had its primary executable code replaced with other code.
PUP_APP (Severity: High) Analytics Malware & Application Abuse A hash lookup or local scanner has identified a running executable that has reputation: PUP Application is a Potentially Unwanted Program.
RAM_SCRAPING (Severity: Medium) Sensor & Analytics Data at Risk User land hook is set to detect an application's attempt to read process memory. When a process tries to scrape the memory utilized by another process.
READ_PROCESS_MEMORY (Severity: Medium) Sensor Data at Risk A userland hook is set to detect applications attempting to read process memory. Application is attempting to read process memory.
READ_SECURITY_DATA (Severity: High) Sensor Data at Risk A userland hook is set to detect an application attempting to read privileged security information. Application is attempting to read privileged security information (for example, lsass.exe).
REVERSE_SHELL (Severity: High) Sensor & Analytics Emerging Threats A userland hook is set to identify a process that reads from or writes to console via a network connection Command shell (e.g. cmd.exe) interactively receiving commands from a network parent
RUN_ANOTHER_APP (Severity: Low) Sensor Malware & Application Abuse A userland hook is set to identify applications that attempt to execute another application. Application attempted to execute another application.
RUN_BLACKLIST_APP (Severity: High) Sensor Malware & Application Abuse A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP and child_proc is COMPANY_BLACKLIST Application attempted to execute a blacklisted application.
RUN_BROWSER (Severity: Low) Sensor Malware & Application Abuse A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP & child_proc is a common browser executable Application attempted to execute a browser.
RUN_CMD_SHELL (Severity: Low) Sensor Malware & Application Abuse A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP and child_proc is a windows shell Application attempted to execute a command shell.
RUN_MALWARE_APP (Severity: Critical) Sensor Malware & Application Abuse A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP and child process is MALWARE_APP Application attempted to execute a malware application.
RUN_NET_UTILITY (Severity: High) Sensor Malware & Application Abuse A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP and child target process is a common network utility such as "netsh.exe" Application attempted to execute a network utility application.
RUN_PUP_APP (Severity: High) Sensor Malware & Application Abuse A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP and child process is PUP_APP Application attempted to execute a PUP application.
RUN_SUSPECT_APP (Severity: High) Sensor Malware & Application Abuse A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP and child_proc is SUSPECT_APP. Application attempted to execute a application with a suspect reputation.
RUN_SYSTEM_APP (Severity: Low) Sensor Malware & Application Abuse A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP &and child process is a system app (application or dll located in the "windows", "windows\system32", "windows\sysWOW64", "\windows\WinSxS\**" directories ). Application attempted to execute a systems application.
RUN_SYSTEM_UTILITY (Severity: Medium) Sensor Malware & Application Abuse A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP and child_proc is a system utility such as regedit. Application attempted to run a system utility (for example, regedit)
RUN_UNKNOWN_APP (Severity: None) Sensor Malware & Application Abuse A userland hook is set to identify applications that attempt to execute RUN_ANOTHER_APP and child process is UNKNOWN_APP. Application tried to execute an application with unknown reputation.
SCREEN_SHOT (Severity: None) Sensor Data at Risk Win32 API SendInput() is used to synthesize a PrintScreen key press or Win32 API CreateCompatibleBitmap() is called. A screenshot is taken on the machine.
SECURITY_CONFIG_DOWNGRADE (Severity: High) Analytics Emerging Threats Windows Firewall or other system security configurations have been changed or downgraded, lowering its security posture. A Windows security configuration has been downgraded.
SET_APP_CONFIG (Severity: Medium) Sensor Generic Suspect A userland hook is set to identify apps that modify the registry (Microsoft Office Security keys) or set system application configuration parameters Application set system application configuration parameters.
SET_APP_LAUNCH (Severity: Medium) Sensor Generic Suspect A userland hook is set to identify apps that attempt to modify registry to effect when or how another application may be launched (Autoruns key, Run, RunOnce, Load, Shell and Open Commands) Application attempted to modify keys to effect when/how another application may be launched
SET_BROWSER_CONFIG (Severity: Low) Sensor Generic Suspect A userland hook is set to identify apps that attempt to modify registry (Install ActiveX controls, Internet Settings, System Certificates, Internet Explorer keys, browser helper objects, COM InProcServer) Application attempted to modify the browser settings.
SET_LOGIN_OPS (Severity: Medium) Analytics Emerging Threats Set by monitoring registry modifications to keys related to Win log on process. Application attempted to modify process associated with Win log on or user name.
SET_REBOOT_OPS (Severity: Low) Sensor Generic Suspect A userland hook is set to identify apps that attempt to modify registry ( BootExecute, Session Manager File Operations) Application attempted to set reboot configuration operations.
SET_REMOTE_ACCESS (Severity: Medium) Sensor Emerging Threats A userland hook is set to identify apps that attempt to modify registry (SecurePipeServers winreg settings, lanman parameters, etc) Application attempted to set remote access configuration.
SET_SYSTEM_AUDIT (Severity: High) Sensor Generic Suspect A userland hook is set to identify apps that attempt to modify registry (TaskManager keys, DisableRegistryTools) Application attempted to set the system audit parameters.
SET_SYSTEM_CONFIG (Severity: Medium) Sensor Generic Suspect A userland hook is set to identify applications that attempt to modify registry such as Uninstall keys or wallpaper, as well as attempt to modify system configuration data files Application attempted to set system config parameters.
SET_SYSTEM_FILE (Severity: None) Sensor Malware & Application Abuse A process attempts to modify the system's master boot record (MBR). An application attempts to directly access the system's hard drive to write data into the MBR portion of the disk. Malware uses this tactic to alter system behavior on startup.
SET_SYSTEM_SECURITY (Severity: Medium) Sensor Generic Suspect A userland hook is set to identify apps that attempt to modify registry (Autoruns key, UserInit, Run, RunOnce, Load, BootExecute, AppInit_DLLs, Shell and Open Commands, Uninstall Keys, COM InProcServer, Install ActiveX controls etc.) Application attempts to set or change system security operations.
SUSPECT_APP (Severity: High) Sensor & Analytics Malware & Application Abuse A hash lookup or local scanner has identified a running executable that has reputation: SUSPECT. App is also (not signed) Application is suspected malicious by AV.
SUSPENDED_PROCESS (Severity: Medium) Sensor Process Manipulation A userland hook is set to identify a process that was created in the suspended state A process created in a suspended state is being modified (pre-execution).
SUSPICIOUS_BEHAVIOR (Severity: Medium) Analytics Generic Suspect A userland hook is set to identify applications executing code from dynamic memory (e.g. from a Buffer Overflow or unpacked code) and are making calls to applications which typically do not communicate on the network (e.g. "calc.exe") making network connections, etc. Application unusual behavior warrants attention.
SUSPICIOUS_DOMAIN (Severity: High) Sensor & Analytics Network Threat Network filter driver is set to identify when INTERNATIONAL_SITE is an ISO 3166-1 Country Code (e.g. CU, IR, SD, SY, IQ, LY, KP, YE, etc) Application is connecting to a suspicious network domain.(based upon ISO 3166-1 country codes).
SUSPICIOUS_SITE (Severity: Medium) Sensor & Analytics Network Threat An IPv4 or IPv6 network filter driver is set to identify accepted connections from a suspicious INTERNATIONAL_SITE (e.g. domains in RU, CN) Application accepts an inbound network connection from a suspicious international site.
UNKNOWN_APP (Severity: None) Sensor & Analytics Malware & Application Abuse A hash lookup has identified a running executable that has reputation: not_listed (i.e. unknown). App is also (not signed) Application is unknown reputation.