Commit f8b456b

Removing references to crash dump analysis feature
This feature is being deprecated
1 parent 8dc4821 commit f8b456b

3 files changed, +4 -13 lines changed


articles/security-center/alerts-reference.md

Lines changed: 3 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -37,7 +37,6 @@ Below the alerts tables is a table describing the Azure Security Center kill cha
3737
|**A logon from a malicious IP has been detected. [seen multiple times]**|A successful remote authentication for the account 'IUSR_10001' and process 'Advapi' occurred, however the logon IP address [IP address] has previously been reported as malicious or highly unusual. A successful attack has probably occurred. Files with the .scr extensions are screen saver files and are normally reside and execute from the Windows system directory.|-|High|
3838
|**Addition of Guest account to Local Administrators group**|Analysis of host data has detected the addition of the built in Guest account to the Local Administrators group on %{Compromised Host}, which is strongly associated with attacker activity.|-|Medium|
3939
|**An event log was cleared**|Machine logs indicate a suspicious event log clearing operation by user: '%{user name}' in Machine: '%{CompromisedEntity}'. The %{log channel} log was cleared.|-|Informational|
40-
|**Code injection discovered**|Code injection is the insertion of executable modules into running processes or threads. This technique is used by malware to access data, while successfully hiding itself to prevent being found and removed.<br>This alert indicates that an injected module is present in the crash dump. To differentiate between malicious and non-malicious injected modules, Security Center checks whether the injected module conforms to a profile of suspicious behavior.|-|Medium|
4140
|**Detected Petya ransomware indicators**|Analysis of host data on %{Compromised Host} detected indicators associated with Petya ransomware. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for more information. Review the commandline associated in this alert and escalate this alert to your security team.|-|High|
4241
|**Detected actions indicative of disabling and deleting IIS log files**|Analysis of host data detected actions that show IIS log files being disabled and/or deleted.|-|Medium|
4342
|**Detected anomalous mix of upper and lower case characters in command-line**|Analysis of host data on %{Compromised Host} detected a command line with anomalous mix of upper and lower case characters. This kind of pattern, while possibly benign, is also typical of attackers trying to hide from case-sensitive or hash-based rule matching when performing administrative tasks on a compromised host.|-|Medium|
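Review bot: Dropping the "Code injection discovered" row outright leaves that alert undocumented during the deprecation window the commit message describes ("This feature is being deprecated", not removed); a customer who still receives it will no longer find it in this reference. Consider keeping the row with a deprecation note until the detection stops firing, or pointing readers to the "Fileless attack technique detected" alert, whose description also covers an "Executable image injected into the process". While touching this table, the unchanged "A logon from a malicious IP has been detected" row carries a stray, ungrammatical sentence ("Files with the .scr extensions are screen saver files and are normally reside and execute from the Windows system directory.") that clearly belongs to a different alert and should be moved or dropped.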
@@ -70,20 +69,20 @@ Below the alerts tables is a table describing the Azure Security Center kill cha
7069
|**Digital currency mining related behavior detected**|Analysis of host data on %{Compromised Host} detected the execution of a process or command normally associated with digital currency mining.|-|High|
7170
|**Dynamic PS script construction**|Analysis of host data on %{Compromised Host} detected a PowerShell script being constructed dynamically. Attackers sometimes use this approach of progressively building up a script in order to evade IDS systems. This could be legitimate activity, or an indication that one of your machines has been compromised.|-|Medium|
7271
|**Executable found running from a suspicious location**|Analysis of host data detected an executable file on %{Compromised Host} that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.|-|High|
73-
|**Fileless attack technique detected**|The memory of the process specified contains a fileless attack toolkit: [toolkit name]. Fileless attack toolkits typically don't have a presence on the file system, making detection by traditional antivirus software difficult.|DefenseEvasion / Execution|High|
72+
|**Fileless attack technique detected**|The memory of the process specified below contains evidence of a fileless attack technique. Fileless attacks are used by attackers to execute code while evading detection by security software. Specific behaviors include:<br>1) Shellcode, which is a small piece of code typically used as the payload in the exploitation of a software vulnerability.<br>2) Executable image injected into the process, such as in a code injection attack.<br>3) Active network connections. See NetworkConnections below for details.<br>4) Function calls to security sensitive operating system interfaces. See Capabilities below for referenced OS capabilities.<br>5) Process hollowing, which is a technique used by malware in which a legitimate process is loaded on the system to act as a container for hostile code.<br>6) Contains a thread that was started in a dynamically allocated code segment. This is a common pattern for process injection attacks.|DefenseEvasion / Execution|High|
73+
|**Fileless attack behavior detected**|The memory of the process specified contains behaviors commonly used by fileless attacks. Specific behaviors include:<br>1) Shellcode, which is a small piece of code typically used as the payload in the exploitation of a software vulnerability.<br>2) Active network connections. See NetworkConnections below for details.<br>3) Function calls to security sensitive operating system interfaces. See Capabilities below for referenced OS capabilities.<br>4) Contains a thread that was started in a dynamically allocated code segment. This is a common pattern for process injection attacks.|DefenseEvasion|Low|
74+
|**Fileless attack toolkit detected**|The memory of the process specified contains a fileless attack toolkit: [toolkit name]]. Fileless attack toolkits use techniques that minimize or eliminate traces of malware on disk, and greatly reduce the chances of detection by disk-based malware scanning solutions. Specific behaviors include:<br>1) Shellcode, which is a small piece of code typically used as the payload in the exploitation of a software vulnerability.<br>2) Executable image injected into the process, such as in a code injection attack.<br>3) Function calls to security sensitive operating system interfaces. See Capabilities below for referenced OS capabilities.<br>4) Contains a thread that was started in a dynamically allocated code segment. This is a common pattern for process injection attacks.|DefenseEvasion|High|
7475
|**High risk software detected**|Analysis of host data from %{Compromised Host} detected the usage of software that has been associated with the installation of malware in the past. A common technique utilized in the distribution of malicious software is to package it within otherwise benign tools such as the one seen in this alert. Upon using these tools, the malware can be silently installed in the background.|-|Medium|
7576
|**Local Administrators group members were enumerated**|Machine logs indicate a successful enumeration on group %{Enumerated Group Domain Name}\%{Enumerated Group Name}. Specifically, %{Enumerating User Domain Name}\%{Enumerating User Name} remotely enumerated the members of the %{Enumerated Group Domain Name}\%{Enumerated Group Name} group. This activity could either be legitimate activity, or an indication that a machine in your organization has been compromised and used to reconnaissance %{vmname}.|-|Informational|
7677
|**Malicious SQL activity**|Machine logs indicate that '%{process name}' was executed by account: %{user name}. This activity is considered malicious.|-|High|
7778
|**Malicious firewall rule created by ZINC server implant [seen multiple times]**|A firewall rule was created using techniques that match a known actor, ZINC. The rule was possibly used to open a port on %{Compromised Host} to allow for Command & Control communications. This behavior was seen [x] times today on the following machines: [Machine names]|-|High|
78-
|**Masquerading Windows Module Detected**|Crash dump analysis detected the presence of a 3rd party module impersonating a Windows module within a crash dump from the process identified in this alert. This occurrence may indicate a system compromise.|-|Medium|
7979
|**Multiple Domain Accounts Queried**|Analysis of host data has determined that an unusual number of distinct domain accounts are being queried within a short time period from %{Compromised Host}. This kind of activity could be legitimate, but can also be an indication of compromise.|-|Medium|
8080
|**Possible credential dumping detected [seen multiple times]**|Analysis of host data has detected use of native windows tool( e.g. sqldumper.exe) being used in a way that allows to extract credentials from memory. Often times attackers use these techniques to extract credentials that they then further use for lateral movement and privilege escalation. This behavior was seen [x] times today on the following machines: [Machine names]|-|Medium|
8181
|**Potential attempt to bypass AppLocker detected**|Analysis of host data on %{Compromised Host} detected a potential attempt to bypass AppLocker restrictions. AppLocker can be configured to implement a policy that limits what executables are allowed to run on a Windows system. The command line pattern similar to that identified in this alert has been previously associated with attacker attempts to circumvent AppLocker policy by using trusted executables (allowed by AppLocker policy) to execute untrusted code. This could be legitimate activity, or an indication of a compromised host.|-|High|
8282
|**PsExec execution detected**|Analysis of host data indicates that the process %{Process Name} was executed by PsExec utility. PsExec can be used for running processes remotely. This technique might be used for malicious purposes.|-|Informational|
8383
|**Ransomware indicators detected [seen multiple times]**|Analysis of host data indicates suspicious activity traditionally associated with lock-screen and encryption ransomware. Lock screen ransomware displays a full-screen message preventing interactive use of the host and access to its files. Encryption ransomware prevents access by encrypting data files. In both cases a ransom message is typically displayed, requesting payment in order to restore file access. This behavior was seen [x] times today on the following machines: [Machine names]|-|High|
8484
|**Ransomware indicators detected**|Analysis of host data indicates suspicious activity traditionally associated with lock-screen and encryption ransomware. Lock screen ransomware displays a full-screen message preventing interactive use of the host and access to its files. Encryption ransomware prevents access by encrypting data files. In both cases a ransom message is typically displayed, requesting payment in order to restore file access.|-|High|
8585
|**Rare SVCHOST service group executed**|The system process SVCHOST was observed running a rare service group. Malware often use SVCHOST to masquerade its malicious activity.|-|Informational|
86-
|**Shellcode discovered**|Shellcode is the payload that is run after malware exploits a software vulnerability.<br>This alert indicates that crash dump analysis has detected executable code that exhibits behavior commonly performed by malicious payloads. Although non-malicious software can also perform this behavior, it isn't typical of normal software development practices.|-|Medium|
8786
|**Sticky keys attack detected**|Analysis of host data indicates that an attacker may be subverting an accessibility binary (for example sticky keys, onscreen keyboard, narrator) in order to provide backdoor access to the host %{Compromised Host}.|-|Medium|
8887
|**Successful brute force attack**|Multiple failed authentication attempts originating from the same source were detected across multiple hosts in Azure subscriptions . This resembles a password spray attack, in which an attacker performs numerous authentication attempts spread across multiple hosts. Some of the authentication attempts successfully signed in to a host in this subscription.|-|High|
8988
|**Suspect integrity level indicative of RDP hijacking**|Analysis of host data has detected the tscon.exe running with SYSTEM privileges - this can be indicative of an attacker abusing this binary in order to switch context to any other logged on user on this host; it is a known attacker technique to compromise additional user accounts and move laterally across a network.|-|Medium|
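Review bot: The new "Fileless attack toolkit detected" row has a doubled closing bracket in its placeholder ("[toolkit name]]"); the row it replaces used "[toolkit name]". Two smaller points in the same block: the rewritten "Fileless attack technique detected" description says "the process specified below", which reads oddly in a reference table (the other "below" references, NetworkConnections and Capabilities, describe fields of the alert itself, so either say that or drop "below"); and the table is otherwise alphabetical, so "Fileless attack behavior detected" belongs before "Fileless attack technique detected", with "toolkit" last. Removing "Masquerading Windows Module Detected" and "Shellcode discovered" is consistent with retiring crash dump analysis (both descriptions say the finding comes from a crash dump), and shellcode is now item 1 of every fileless row, but nothing in the new rows covers a third-party module impersonating a Windows module; if that detection survives in the runtime memory scanner it needs its own row.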

articles/security-center/security-center-alerts-overview.md

Lines changed: 1 addition & 1 deletion
@@ -49,7 +49,7 @@ Security Center employs advanced security analytics, which go far beyond signatu
4949

5050
* **Integrated threat intelligence**: Microsoft has an immense amount of global threat intelligence. Telemetry flows in from multiple sources, such as Azure, Office 365, Microsoft CRM online, Microsoft Dynamics AX, outlook.com, MSN.com, the Microsoft Digital Crimes Unit (DCU), and Microsoft Security Response Center (MSRC). Researchers also receive threat intelligence information that is shared among major cloud service providers and feeds from other third parties. Azure Security Center can use this information to alert you to threats from known bad actors.
5151

52-
* **Behavioral analytics**: Behavioral analytics is a technique that analyzes and compares data to a collection of known patterns. However, these patterns are not simple signatures. They are determined through complex machine learning algorithms that are applied to massive datasets. They are also determined through careful analysis of malicious behaviors by expert analysts. Azure Security Center can use behavioral analytics to identify compromised resources based on analysis of virtual machine logs, virtual network device logs, fabric logs, crash dumps, and other sources.
52+
* **Behavioral analytics**: Behavioral analytics is a technique that analyzes and compares data to a collection of known patterns. However, these patterns are not simple signatures. They are determined through complex machine learning algorithms that are applied to massive datasets. They are also determined through careful analysis of malicious behaviors by expert analysts. Azure Security Center can use behavioral analytics to identify compromised resources based on analysis of virtual machine logs, virtual network device logs, fabric logs, and other sources.
5353

5454
* **Anomaly detection**: Azure Security Center also uses anomaly detection to identify threats. In contrast to behavioral analytics (which depends on known patterns derived from large data sets), anomaly detection is more "personalized" and focuses on baselines that are specific to your deployments. Machine learning is applied to determine normal activity for your deployments and then rules are generated to define outlier conditions that could represent a security event.
5555

articles/security-center/threat-protection.md

Lines changed: 0 additions & 8 deletions
@@ -49,14 +49,6 @@ Azure Security Center integrates with Azure services to monitor and protect your
4949
5050
When Microsoft Defender ATP detects a threat, it triggers an alert. The alert is shown on the Security Center dashboard. From the dashboard, you can pivot to the Microsoft Defender ATP console, and perform a detailed investigation to uncover the scope of the attack. For more information about Microsoft Defender ATP, see [Onboard servers to the Microsoft Defender ATP service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints).
5151

52-
* **Crash dump analysis** <a name="windows-dump"></a> - When software crashes, a crash dump captures a portion of memory at the time of the crash.
53-
54-
A crash might have been caused by malware or contain malware. To avoid being detected by security products, various forms of malware use a fileless attack, which avoids writing to disk or encrypting software components written to disk. This type of attack is difficult to detect by using traditional disk-based approaches.
55-
56-
However, by using memory analysis, you can detect this kind of attack. By analyzing the memory in the crash dump, Security Center can detect the techniques the attack is using. For example, the attack might be attempting to exploit vulnerabilities in the software, access confidential data, and surreptitiously persist within a compromised machine. Security Center does this work with minimal performance impact to hosts.
57-
58-
For details of the crash dump analysis alerts, see the [Reference table of alerts](alerts-reference.md#alerts-windows).
59-
6052
* **Fileless attack detection** <a name="windows-fileless"></a> - Fileless attacks targeting your endpoints are common. To avoid detection, fileless attacks inject malicious payloads into memory. Attacker payloads persist within the memory of compromised processes, and perform a wide range of malicious activities.
6153

6254
With fileless attack detection, automated memory forensic techniques identify fileless attack toolkits, techniques, and behaviors. This solution periodically scans your machine at runtime, and extracts insights directly from the memory of security-critical processes.
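Review bot: Removing this bullet also removes the named anchor `<a name="windows-dump"></a>`, so any inbound link to `threat-protection.md#windows-dump` (from other articles or external bookmarks) now lands at the top of the page with no sign the section is gone. Search the repo for `windows-dump` before merging, and either leave a one-line deprecation stub under that anchor or redirect to the "Fileless attack detection" bullet (`#windows-fileless`), which now carries the memory-analysis explanation. The surviving bullet says the scanner "periodically scans your machine at runtime"; that difference from the retired crash-triggered analysis is worth a sentence so readers do not assume memory analysis was dropped altogether.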
