articles/security-center/alerts-reference.md
2 additions & 2 deletions
@@ -64,7 +64,7 @@ Types of alerts included in this table:
64
64
|**Detected suspicious combination of HTA and PowerShell**|mshta.exe (Microsoft HTML Application Host) which is a signed Microsoft binary is being used by the attackers to launch malicious PowerShell commands. Attackers often resort to having a HTA file with inline VBScript. When a victim browses to the HTA file and chooses to run it, the PowerShell commands and scripts that it contains are executed. Analysis of host data on %{Compromised Host} detected mshta.exe launching PowerShell commands.|-|
65
65
|**Detected suspicious commandline arguments**|Analysis of host data on %{Compromised Host} detected suspicious commandline arguments that have been used in conjunction with a reverse shell used by activity group HYDROGEN.|-|
66
66
|**Detected suspicious commandline used to start all executables in a directory**|Analysis of host data has detected a suspicious process running on %{Compromised Host}. The commandline indicates an attempt to start all executables (*.exe) that may reside in a directory. This could be an indication of a compromised host.|-|
67
-
|**Detected suspicious credentials in commandline**|Analysis of host data on %{Compromised Host} detected a supicious password being used to execute a file by activity group BORON. This activity group has been known to use this password to execute Pirpi malware on a victim host.|-|
67
+
|**Detected suspicious credentials in commandline**|Analysis of host data on %{Compromised Host} detected a suspicious password being used to execute a file by activity group BORON. This activity group has been known to use this password to execute Pirpi malware on a victim host.|-|
68
68
|**Detected suspicious document credentials**|Analysis of host data on %{Compromised Host} detected a suspicious, common precomputed password hash used by malware being used to execute a file. Activity group HYDROGEN has been known to use this password to execute malware on a victim host.|-|
69
69
|**Detected suspicious execution of VBScript.Encode command**|Analysis of host data on %{Compromised Host} detected the execution of VBScript.Encode command. This encodes the scripts into unreadable text, making it more difficult for users to examine the code. Microsoft threat research shows that attackers often use encoded VBscript files as part of their attack to evade detection systems. This could be legitimate activity, or an indication of a compromised host.|-|
70
70
|**Detected suspicious execution via rundll32.exe**|Analysis of host data on %{Compromised Host} detected rundll32.exe being used to execute a process with an uncommon name, consistent with the process naming scheme previously seen used by activity group GOLD when installing their first stage implant on a compromised host.|-|
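Review bot: The "supicious" to "suspicious" fix on line 67 is correct, but two neighbouring rows in this hunk still carry small copy errors that could be fixed in the same pass: line 64 says "a HTA file" where "an HTA file" is expected, and line 69 uses "VBscript" while the alert title on the same row uses "VBScript". Since these descriptions are what an analyst reads in the alert, consistent product and script-host names help when searching or matching on alert text.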
@@ -338,4 +338,4 @@ To learn more about alerts, see the following:
338
338
339
339
*[Security alerts in Azure Security Center](security-center-alerts-overview.md)
340
340
*[Manage and respond to security alerts in Azure Security Center](security-center-managing-and-responding-alerts.md)
341
-
*[Export security alerts and recommendations (Preview)](continuous-export.md)
341
+
*[Export security alerts and recommendations (Preview)](continuous-export.md)
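Review bot: The removed and added versions of line 341 read identically here, so this is presumably a whitespace or end-of-file newline change. Please confirm that is intended and note it in the commit message, since the visible diff gives a reviewer nothing to verify for this line.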