||<aname="alerts-crashdump"></a><h3>Crash dump analysis (Windows)</h3> [Further details and notes](security-center-alerts-iaas.md#windows-)||
32
+
||<aname="alerts-windows"></a><h3>Windows machines</h3> [Further details and notes](security-center-alerts-iaas.md#windows-)||
33
33
|**Code injection discovered**|Code injection is the insertion of executable modules into running processes or threads. This technique is used by malware to access data, while successfully hiding itself to prevent being found and removed.<br>This alert indicates that an injected module is present in the crash dump. To differentiate between malicious and non-malicious injected modules, Security Center checks whether the injected module conforms to a profile of suspicious behavior.|-|
34
34
|**Suspicious code segment detected**|Indicates that a code segment has been allocated by using non-standard methods, such as reflective injection and process hollowing. The alert provides additional characteristics of the code segment that have been processed to provide context for the capabilities and behaviors of the reported code segment.|-|
35
35
|**Shellcode discovered**|Shellcode is the payload that is run after malware exploits a software vulnerability.<br>This alert indicates that crash dump analysis has detected executable code that exhibits behavior commonly performed by malicious payloads. Although non-malicious software can also perform this behavior, it isn't typical of normal software development practices.|-|
36
-
||<aname="alerts-filelessattackdetect"></a><h3>Fileless attack detection (Windows)</h3> [Further details and notes](security-center-alerts-iaas.md#windows-)||
37
36
|**Fileless attack technique detected**|The memory of the process specified contains a fileless attack toolkit: Meterpreter. Fileless attack toolkits typically don't have a presence on the file system, making detection by traditional antivirus software difficult.|DefenseEvasion / Execution|
38
-
||<aname="alerts-linux"></a><h3>Linux machines alerts</h3> [Further details and notes](security-center-alerts-iaas.md#linux-)||
37
+
||<aname="alerts-linux"></a><h3>Linux machines</h3> [Further details and notes](security-center-alerts-iaas.md#linux-)||
39
38
|**Process seen accessing the SSH authorized keys file in an unusual way**|An SSH authorized keys file has been accessed in a method similar to known malware campaigns. This access can indicate that an attacker is attempting to gain persistent access to a machine.|-|
40
39
|**Detected Persistence Attempt**|Host data analysis has detected that a startup script for single-user mode has been installed.<br>Because it's rare that any legitimate process would be required to run in that mode, this might indicate that an attacker has added a malicious process to every run-level to guarantee persistence. |Persistence|
41
40
|**Manipulation of scheduled tasks detected**|Host data analysis has detected possible manipulation of scheduled tasks. Attackers often add scheduled tasks to machines they've compromised to gain persistence.|Persistence|
42
41
|**Suspicious file timestamp modification**|Host data analysis detected a suspicious timestamp modification. Attackers often copy timestamps from existing, legitimate files to new tools to avoid detection of these newly dropped files.|Persistence / DefenseEvasion|
43
42
|**A new user was added to the sudoers group**|Host data analysis detected that a user was added to the sudoers group, which enables its members to run commands with high privileges.|PrivilegeEscalation|
44
-
|**Likely exploit of DynoRoot vulnerability in dhcp client**|Host data analysis detected the execution of an unusual command, with a parent process of dhclient script.|-|
45
-
|**Suspicious kernel module detected**|Host data analysis detected a shared object file being loaded as a kernel module. This might be legitimate activity, or an indication that one of your machines has been compromised.|Persistence / DefenseEvasion|
46
43
|**Process associated with digital currency mining detected**|Host data analysis detected the execution of a process that is normally associated with digital currency mining.|Exploitation / Execution|
47
44
|**Potential port forwarding to external IP address**|Host data analysis detected the initiation of port forwarding to an external IP address.|Exfiltration / CommandAndControl|
48
45
||<aname="alerts-azureappserv"></a><h3>Azure App Service</h3> [Further details and notes](security-center-alerts-compute.md#azure-app-service-)||
49
46
|**Suspicious WordPress theme invocation detected**|The App Service activity log indicates a possible code injection activity on your App Service resource.<br>This suspicious activity resembles activity that manipulates a WordPress theme to support server-side execution of code, followed by a direct web request to invoke the manipulated theme file. This type of activity can be part of an attack campaign over WordPress.|-|
50
-
|**Connection to web page from anomalous IP address detected**|The App Service activity log indicates a connection to a sensitive web page from a source address that never connected to it before. This connection might indicate that someone is attempting a brute force attack into your web app administration pages. It might also be the result of a legitimate user using a new IP address.|-|
51
47
|**An IP that connected to your Azure App Service FTP Interface was found in Threat Intelligence**|App Service FTP logs analysis has detected a connection from a source address that was found in the threat intelligence feed. During this connection, a user accessed the pages listed.|-|
52
48
|**Web fingerprinting detected**|The App Service activity log indicates a possible web fingerprinting activity on your App Service resource.<br>This suspicious activity is associated with a tool called Blind Elephant. The tool fingerprints web servers and tries to detect the installed applications and their versions. Attackers often use this tool for probing the web applications to find vulnerabilities. |-|
53
49
|**Suspicious access to possibly vulnerable web page detected**|The App Service activity log indicates that a web page that seems to be sensitive was accessed.<br>This suspicious activity originated from a source address whose access pattern resembles that of a web scanner. This kind of activity is often associated with an attempt by an attacker to scan your network to try to gain access to sensitive or vulnerable web pages. |-|
54
-
|**PHP file in upload folder**|The App Service activity log indicates something has accessed a suspicious PHP page located in the upload folder.<br>This type of folder doesn't usually contain PHP files. The existence of this type of file might indicate an exploitation taking advantage of arbitrary file upload vulnerabilities. |LateralMovement|
55
50
|**An attempt to run Linux commands on a Windows App Service**|Analysis of App Service processes detected an attempt to run a Linux command on a Windows App Service. This action was running by the web application. This behavior is often seen during campaigns that exploit a vulnerability in a common web application.|-|
56
51
|**Suspicious PHP execution detected**|Machine logs indicate that a suspicious PHP process is running. The action included an attempt to run operating system commands or PHP code from the command line, by using the PHP process. While this behavior can be legitimate, in web applications this behavior might indicate malicious activities, such as attempts to infect websites with web shells.|Execution|
57
52
|**Process execution from temporary folder**|App Service processes analysis has detected an execution of a process from the app's temporary folder. While this behavior can be legitimate, in web applications this behavior might indicate malicious activities.|-|
58
53
|**Attempt to run high privilege command detected**|Analysis of App Service processes has detected an attempt to run a command that requires high privileges. The command ran in the web application context. While this behavior can be legitimate, in web applications this behavior might indicate malicious activities.|-|
59
-
||<aname="alerts-akscluster"></a><h3>AKS cluster level alerts</h3> [Further details and notes](security-center-alerts-compute.md#azure-containers-)||
54
+
||<aname="alerts-akscluster"></a><h3>AKS cluster level</h3> [Further details and notes](security-center-alerts-compute.md#azure-containers-)||
60
55
|**PREVIEW - Role binding to the cluster-admin role detected**|Kubernetes audit log analysis detected a new binding to the cluster-admin role resulting in administrator privileges. Unnecessarily providing administrator privileges might result in privilege escalation issues in the cluster.|Persistence|
61
56
|**PREVIEW - Exposed Kubernetes dashboard detected**|Kubernetes audit log analysis detected exposure of the Kubernetes Dashboard by a LoadBalancer service. Exposed dashboards allow unauthenticated access to the cluster management and pose a security threat.|Persistence|
62
57
|**PREVIEW - New high privileges role detected**|Kubernetes audit log analysis detected a new role with high privileges. A binding to a role with high privileges gives the user/group elevated privileges in the cluster. Unnecessarily providing elevated privileges might result in privilege escalation issues in the cluster.|Persistence|
63
58
|**PREVIEW - New container in the kube-system namespace detected**|Kubernetes audit log analysis detected a new container in the kube-system namespace that isn’t among the containers that normally run in this namespace. The kube-system namespaces shouldn't contain user resources. Attackers can use this namespace to hide malicious components.|Persistence|
64
59
|**PREVIEW - Digital currency mining container detected**|Kubernetes audit log analysis detected a container that has an image associated with a digital currency mining tool.|Execution|
65
60
|**PREVIEW - Privileged container detected**|Kubernetes audit log analysis detected a new privileged container. A privileged container has access to the node’s resources and breaks the isolation between containers. If compromised, an attacker can use the privileged container to gain access to the node.|PrivilegeEscalation|
66
61
|**PREVIEW - Container with a sensitive volume mount detected**|Kubernetes audit log analysis detected a new container with a sensitive volume mount. The volume that was detected is a hostPath type that mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount to gain access to the node.|PrivilegeEscalation|
67
-
||<aname="alerts-containerhost"></a><h3>Container host level alerts</h3> [Further details and notes](security-center-alerts-compute.md#azure-containers-)||
62
+
||<aname="alerts-containerhost"></a><h3>Container host level</h3> [Further details and notes](security-center-alerts-compute.md#azure-containers-)||
68
63
|**Privileged Container Detected**|Machine logs indicate that a privileged Docker container is running. A privileged container has full access to the host's resources. If compromised, an attacker can use the privileged container to gain access to the host machine.|PrivilegeEscalation / Execution|
69
64
|**Privileged command run in container**|Machine logs indicate that a privileged command was run in a Docker container. A privileged command has extended privileges on the host machine.|PrivilegeEscalation|
70
65
|**Exposed Docker daemon detected**|Machine logs indicate that your Docker daemon (dockerd) exposes a TCP socket. By default, Docker configuration doesn't use encryption or authentication when a TCP socket is enabled. Anyone with access to the relevant port can then get full access to the Docker daemon.|Exploitation / Execution|
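Review bot: dropping the `alerts-crashdump` and `alerts-filelessattackdetect` anchors (the two `-` header lines at the top of this hunk) breaks every existing deep link to them; the iaas.md hunk in this commit repoints two of those links, but any other page or bookmark that targets `alerts-reference.md#alerts-crashdump` will now land at the top of the page with no error. Keep the old `<a name>` tags alongside the new one, e.g. `<a name="alerts-crashdump"></a><a name="alerts-filelessattackdetect"></a><a name="alerts-windows"></a>`, so the merge into "Windows machines" stays backward compatible. Separately, four rows are removed outright (Likely exploit of DynoRoot vulnerability in dhcp client, Suspicious kernel module detected, Connection to web page from anomalous IP address detected, PHP file in upload folder) with nothing in the diff saying whether those alerts are retired; if they can still fire, the reference table is now incomplete, so the commit should state why they were dropped.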
@@ -98,6 +93,7 @@ Below the alerts table is a table describing the Azure Security Center kill chai
98
93
|**Access from an unusual location to a Cosmos DB account**|Indicates that there was a change in the access pattern to an Azure Cosmos DB account. Someone has accessed this account from an unfamiliar IP address, compared to recent activity. Either an attacker has accessed the account, or a legitimate user has accessed it from a new and unusual geographical location. An example of the latter is remote maintenance from a new application or developer.|Exploitation|
99
94
|**Unusual amount of data extracted from a Cosmos DB account**|Indicates that there was a change in the data extraction pattern from an Azure Cosmos DB account. Someone has extracted an unusual amount of data compared to recent activity. An attacker might have extracted a large amount of data from an Azure Cosmos DB database (for example, data exfiltration or leakage, or an unauthorized transfer of data). Or, a legitimate user or application might have extracted an unusual amount of data from a container (for example, for maintenance backup activity).|Exfiltration|
100
95
||<aname="alerts-azurenetlayer"></a><h3>Azure network layer</h3> [Further details and notes](security-center-alerts-service-layer.md#azure-network-layer)||
96
+
|**Traffic detected from IP addresses recommended for blocking**|Azure Security Center detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center's threat intelligence sources.|Probing|
101
97
|**Suspicious outgoing RDP network activity**|Sampled network traffic analysis detected anomalous outgoing Remote Desktop Protocol (RDP) communication, originating from a resource in your deployment. This activity is considered abnormal for this environment. It might indicate that your resource has been compromised, and is now being used to brute force attack an external RDP endpoint. This type of activity might cause your IP to be flagged as malicious by external entities.|-|
102
98
|**Suspicious outgoing RDP network activity to multiple destinations**|Sampled network traffic analysis detected anomalous outgoing RDP communication, originating from a resource in your deployment to multiple destinations. This activity is considered abnormal for this environment. It might indicate that your resource has been compromised, and is now being used to brute force attack external RDP endpoints. This type of activity might cause your IP to be flagged as malicious by external entities.|-|
103
99
|**Suspicious outgoing SSH network activity**|Sampled network traffic analysis detected anomalous outgoing Secure Shell (SSH) communication, originating from a resource in your deployment. This activity is considered abnormal for this environment. It might indicate that your resource has been compromised, and is now being used to brute force attack an external SSH endpoint. This type of activity might cause your IP to be flagged as malicious by external entities.|-|
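Review bot: the description in the added row (`+` line, "Traffic detected from IP addresses recommended for blocking") is circular and does not say who does the recommending: "inbound traffic from IP addresses that are recommended to be blocked" is immediately explained by "This typically occurs when this IP address doesn't communicate regularly with this resource." Name the Security Center recommendation or data source that produces the block list, and present the two triggers as distinct conditions (a source that has not previously communicated with the resource, versus a source flagged by Security Center's threat intelligence) so someone triaging the alert can tell which one fired. Note also that this is the only row in the Azure network layer section with an intent other than `-`; confirm that `Probing` is the intended mapping rather than an artifact of the new row.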
@@ -139,7 +135,7 @@ Understanding the intention of an attack can help you investigate and report the
139
135
140
136
The series of steps that describe the progression of a cyberattack from reconnaissance to data exfiltration is often referred to as a "kill chain".
Security Center's supported kill chain intents are based on the [MITRE ATT&CK™ framework](https://attack.mitre.org/matrices/enterprise/eh) and described in the table below.
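Review bot: the MITRE link in the context line ends in `/matrices/enterprise/eh`, which does not look like a valid matrix path; since this hunk already touches these lines, fix the URL to `https://attack.mitre.org/matrices/enterprise/` while here. The changed lines of this hunk are not shown on the page, so the change itself could not be reviewed.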
articles/security-center/security-center-alerts-iaas.md
2 additions & 2 deletions
@@ -36,15 +36,15 @@ Azure Security Center integrates with Azure services to monitor and protect your
36
36
37
37
However, by using memory analysis, you can detect this kind of attack. By analyzing the memory in the crash dump, Security Center can detect the techniques the attack is using. For example, the attack might be attempting to exploit vulnerabilities in the software, access confidential data, and surreptitiously persist within a compromised machine. Security Center does this work with minimal performance impact to hosts.
38
38
39
-
For a list of the crash dump analysis alerts, see the [Reference table of alerts](alerts-reference.md#alerts-crashdump).
39
+
For details of the crash dump analysis alerts, see the [Reference table of alerts](alerts-reference.md#alerts-windows).
40
40
41
41
***Fileless attack detection** <aname="windows-fileless"></a> - Fileless attacks targeting your endpoints are common. To avoid detection, fileless attacks inject malicious payloads into memory. Attacker payloads persist within the memory of compromised processes, and perform a wide range of malicious activities.
42
42
43
43
With fileless attack detection, automated memory forensic techniques identify fileless attack toolkits, techniques, and behaviors. This solution periodically scans your machine at runtime, and extracts insights directly from the memory of security-critical processes.
44
44
45
45
It finds evidence of exploitation, code injection, and execution of malicious payloads. Fileless attack detection generates detailed security alerts to accelerate alert triage, correlation, and downstream response time. This approach complements event-based EDR solutions, providing greater detection coverage.
46
46
47
-
For a list of the fileless attack detection alerts, see the [Reference table of alerts](alerts-reference.md#alerts-filelessattackdetect).
47
+
For details of the fileless attack detection alerts, see the [Reference table of alerts](alerts-reference.md#alerts-windows).
48
48
49
49
> [!NOTE]
50
50
> You can simulate Windows alerts by downloading [Azure Security Center Playbook: Security Alerts](https://gallery.technet.microsoft.com/Azure-Security-Center-f621a046).
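Review bot: both retargeted links (the two `+` lines) now resolve to the same `#alerts-windows` anchor, so the crash dump analysis and fileless attack detection paragraphs no longer jump to their own rows in the reference table; either keep per-feature anchors on the reference page and link to those, or have the link text name the rows a reader should look for (`Code injection discovered`, `Suspicious code segment detected`, `Shellcode discovered`, `Fileless attack technique detected`). Before merging, grep the rest of the docs for `#alerts-crashdump` and `#alerts-filelessattackdetect`, since this hunk fixes only the two references in this file.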