Security alerts - a reference guide

Article
03/17/2024

This article lists the security alerts you might get from Microsoft Defender for Cloud and any Microsoft Defender plans you enabled. The alerts shown in your environment depend on the resources and services you're protecting, and your customized configuration.

At the bottom of this page, there's a table describing the Microsoft Defender for Cloud kill chain aligned with version 9 of the MITRE ATT&CK matrix.

Learn how to respond to these alerts.

Learn how to export alerts.

Note

Alerts from different sources might take different amounts of time to appear. For example, alerts that require analysis of network traffic might take longer to appear than alerts related to suspicious processes running on virtual machines.

Alerts for Windows machines

Microsoft Defender for Servers Plan 2 provides unique detections and alerts, in addition to the ones provided by Microsoft Defender for Endpoint. The alerts provided for Windows machines are:

Further details and notes

A logon from a malicious IP has been detected. [seen multiple times]

Description: A successful remote authentication for the account [account] and process [process] occurred, however the logon IP address (x.x.x.x) has previously been reported as malicious or highly unusual. A successful attack has probably occurred. Files with the .scr extensions are screen saver files and are normally reside and execute from the Windows system directory.

MITRE tactics: -

Severity: High

Adaptive application control policy violation was audited

VM_AdaptiveApplicationControlWindowsViolationAudited

Description: The below users ran applications that are violating the application control policy of your organization on this machine. It can possibly expose the machine to malware or application vulnerabilities.

MITRE tactics: Execution

Severity: Informational

Addition of Guest account to Local Administrators group

Description: Analysis of host data has detected the addition of the built-in Guest account to the Local Administrators group on %{Compromised Host}, which is strongly associated with attacker activity.

MITRE tactics: -

Severity: Medium

An event log was cleared

Description: Machine logs indicate a suspicious event log clearing operation by user: '%{user name}' in Machine: '%{CompromisedEntity}'. The %{log channel} log was cleared.

MITRE tactics: -

Severity: Informational

Antimalware Action Failed

Description: Microsoft Antimalware has encountered an error when taking an action on malware or other potentially unwanted software.

MITRE tactics: -

Severity: Medium

Antimalware Action Taken

MITRE tactics: Defense Evasion

Severity: Medium

Antimalware temporarily disabled in your virtual machine

(VM_AmTemporarilyDisablement)

Description: Antimalware temporarily disabled in your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription. Attackers might disable the antimalware on your virtual machine to prevent detection.

MITRE tactics: -

Severity: Medium

Antimalware unusual file exclusion in your virtual machine

(VM_UnusualAmFileExclusion)

Description: Unusual file exclusion from antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware.

MITRE tactics: Defense Evasion

Severity: Medium

Communication with suspicious domain identified by threat intelligence

Description: The analysis of host data on %{Compromised Host} detected execution of "net.exe stop" command being used to stop critical services like SharedAccess or the Windows Security app. The stopping of either of these services can be indication of a malicious behavior.

MITRE tactics: -

Severity: Medium

Description: Analysis of host data on %{Compromised Host} detected the execution of a process or command normally associated with digital currency mining.

MITRE tactics: -

Severity: High

Dynamic PS script construction

Description: Analysis of host data on %{Compromised Host} detected a PowerShell script being constructed dynamically. Attackers sometimes use this approach of progressively building up a script in order to evade IDS systems. This could be legitimate activity, or an indication that one of your machines has been compromised.

MITRE tactics: -

Severity: Medium

Executable found running from a suspicious location

Description: Analysis of host data detected an executable file on %{Compromised Host} that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.

MITRE tactics: -

Severity: High

Fileless attack behavior detected

(VM_FilelessAttackBehavior.Windows)

Description: The memory of the process specified contains behaviors commonly used by fileless attacks. Specific behaviors include:

Shellcode, which is a small piece of code typically used as the payload in the exploitation of a software vulnerability.
Active network connections. See NetworkConnections below for details.
Function calls to security sensitive operating system interfaces. See Capabilities below for referenced OS capabilities.
Contains a thread that was started in a dynamically allocated code segment. This is a common pattern for process injection attacks.

MITRE tactics: Defense Evasion

Severity: Low

Fileless attack technique detected

(VM_FilelessAttackTechnique.Windows)

Description: The memory of the process specified below contains evidence of a fileless attack technique. Fileless attacks are used by attackers to execute code while evading detection by security software. Specific behaviors include:

Shellcode, which is a small piece of code typically used as the payload in the exploitation of a software vulnerability.
Executable image injected into the process, such as in a code injection attack.
Active network connections. See NetworkConnections below for details.
Function calls to security sensitive operating system interfaces. See Capabilities below for referenced OS capabilities.
Process hollowing, which is a technique used by malware in which a legitimate process is loaded on the system to act as a container for hostile code.
Contains a thread that was started in a dynamically allocated code segment. This is a common pattern for process injection attacks.

MITRE tactics: Defense Evasion, Execution

Severity: High

Fileless attack toolkit detected

(VM_FilelessAttackToolkit.Windows)

Description: The memory of the process specified contains a fileless attack toolkit: [toolkit name]. Fileless attack toolkits use techniques that minimize or eliminate traces of malware on disk, and greatly reduce the chances of detection by disk-based malware scanning solutions. Specific behaviors include:

Well-known toolkits and crypto mining software.
Shellcode, which is a small piece of code typically used as the payload in the exploitation of a software vulnerability.
Injected malicious executable in process memory.

Description: The system process SVCHOST was observed running a rare service group. Malware often uses SVCHOST to masquerade its malicious activity.

MITRE tactics: Defense Evasion, Execution

Severity: Informational

Sticky keys attack detected

Description: Analysis of host data indicates that an attacker might be subverting an accessibility binary (for example sticky keys, onscreen keyboard, narrator) in order to provide backdoor access to the host %{Compromised Host}.

MITRE tactics: -

Severity: Medium

Successful brute force attack

(VM_LoginBruteForceSuccess)

Description: Several sign in attempts were detected from the same source. Some successfully authenticated to the host. This resembles a burst attack, in which an attacker performs numerous authentication attempts to find valid account credentials.

MITRE tactics: Exploitation

Severity: Medium/High

Suspect integrity level indicative of RDP hijacking

Description: Analysis of host data has detected the tscon.exe running with SYSTEM privileges - this can be indicative of an attacker abusing this binary in order to switch context to any other logged on user on this host; it's a known attacker technique to compromise more user accounts and move laterally across a network.

MITRE tactics: -

Severity: Medium

Suspect service installation

Description: Analysis of host data has detected the installation of tscon.exe as a service: this binary being started as a service potentially allows an attacker to trivially switch to any other logged on user on this host by hijacking RDP connections; it's a known attacker technique to compromise more user accounts and move laterally across a network.

MITRE tactics: -

Severity: Medium

Suspected Kerberos Golden Ticket attack parameters observed

Description: Analysis of host data detected commandline parameters consistent with a Kerberos Golden Ticket attack.

MITRE tactics: -

Severity: Medium

Description: Indicates that a code segment has been allocated by using non-standard methods, such as reflective injection and process hollowing. The alert provides more characteristics of the code segment that have been processed to provide context for the capabilities and behaviors of the reported code segment.

MITRE tactics: -

Severity: Medium

Suspicious double extension file executed

Description: Analysis of host data indicates an execution of a process with a suspicious double extension. This extension might trick users into thinking files are safe to be opened and might indicate the presence of malware on the system.

MITRE tactics: -

Severity: High

Suspicious download using Certutil detected [seen multiple times]

Description: Analysis of host data on %{Compromised Host} detected the use of certutil.exe, a built-in administrator utility, for the download of a binary instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using certutil.exe to download and decode a malicious executable that will then be subsequently executed. This behavior was seen [x] times today on the following machines: [Machine names]

MITRE tactics: -

Severity: Medium

MITRE tactics: -

Severity: Medium

Unusual user SSH key reset in your virtual machine

(VM_VMAccessUnusualSSHReset)

Description: An unusual user SSH key reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. While this action might be legitimate, attackers can try utilizing VM Access extension to reset SSH key of a user account in your virtual machine and compromise it.

MITRE tactics: Credential Access

Severity: Medium

VBScript HTTP object allocation detected

Description: Creation of a VBScript file using Command Prompt has been detected. The following script contains HTTP object allocation command. This action can be used to download malicious files.

Suspicious installation of GPU extension in your virtual machine (Preview)

(VM_GPUDriverExtensionUnusualExecution)

Description: Suspicious installation of a GPU extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use the GPU driver extension to install GPU drivers on your virtual machine via the Azure Resource Manager to perform cryptojacking.

MITRE tactics: Impact

Severity: Low

(VM_AmTempRealtimeProtectionDisablement)

MITRE tactics: Defense Evasion

Severity: Medium

Antimalware real-time protection was disabled temporarily while code was executed in your virtual machine

(VM_AmRealtimeProtectionDisablementAndCodeExec)

MITRE tactics: -

Severity: High

MITRE tactics: -

Severity: Low

Description: Analysis of host data on %{Compromised Host} detected the execution of a process or command normally associated with digital currency mining.

MITRE tactics: -

Severity: High

Disabling of auditd logging [seen multiple times]

Description: The Linux Audit system provides a way to track security-relevant information on the system. It records as much information about the events that are happening on your system as possible. Disabling auditd logging could hamper discovering violations of security policies used on the system. This behavior was seen [x] times today on the following machines: [Machine names]

MITRE tactics: -

Severity: Low

Exploitation of Xorg vulnerability [seen multiple times]

Description: Analysis of host data on %{Compromised Host} detected the user of Xorg with suspicious arguments. Attackers might use this technique in privilege escalation attempts. This behavior was seen [x] times today on the following machines: [Machine names]

MITRE tactics: -

Severity: Medium

Failed SSH brute force attack

(VM_SshBruteForceFailed)

Description: Failed brute force attacks were detected from the following attackers: %{Attackers}. Attackers were trying to access the host with the following user names: %{Accounts used on failed sign in to host attempts}.

MITRE tactics: Probing

Severity: Medium

Fileless Attack Behavior Detected

(VM_FilelessAttackBehavior.Linux)

Description: The memory of the process specified below contains behaviors commonly used by fileless attacks. Specific behaviors include: {list of observed behaviors}

MITRE tactics: Execution

Severity: Low

Fileless Attack Technique Detected

(VM_FilelessAttackTechnique.Linux)

MITRE tactics: Execution

Severity: High

Fileless Attack Toolkit Detected

(VM_FilelessAttackToolkit.Linux)

Description: The memory of the process specified below contains a fileless attack toolkit: {ToolKitName}. Fileless attack toolkits typically don't have a presence on the filesystem, making detection by traditional anti-virus software difficult. Specific behaviors include: {list of observed behaviors}

MITRE tactics: Defense Evasion, Execution

Severity: High

Hidden file execution detected

Description: Analysis of host data indicates that a hidden file was executed by %{user name}. This activity could either be legitimate activity, or an indication of a compromised host.

MITRE tactics: -

Severity: Informational

New SSH key added [seen multiple times]

(VM_SshKeyAddition)

Description: A new SSH key was added to the authorized keys file. This behavior was seen [x] times today on the following machines: [Machine names]

MITRE tactics: Persistence

Severity: Low

New SSH key added

Description: A new SSH key was added to the authorized keys file.

MITRE tactics: -

Severity: Low

Possible backdoor detected [seen multiple times]

Description: Analysis of host data has detected a suspicious file being downloaded then run on %{Compromised Host} in your subscription. This activity has previously been associated with installation of a backdoor. This behavior was seen [x] times today on the following machines: [Machine names]

MITRE tactics: -

Severity: Medium

Possible exploitation of the mailserver detected

(VM_MailserverExploitation )

Description: Analysis of host data on %{Compromised Host} detected an unusual execution under the mail server account

MITRE tactics: Exploitation

Severity: Medium

Possible malicious web shell detected

(VM_KubernetesDashboard)

(AzureDNS_ProtocolAnomaly)

Description: Analysis of DNS transactions from %{CompromisedEntity} detected anomalous protocol usage. Such traffic, while possibly benign, might indicate abuse of this common protocol to bypass network traffic filtering. Typical related attacker activity includes copying remote administration tools to a compromised host and exfiltrating user data from it.

MITRE tactics: Exfiltration

Severity: -

Anonymity network activity

(AzureDNS_DarkWeb)

Description: Analysis of DNS transactions from %{CompromisedEntity} detected anonymity network activity. Such activity, while possibly legitimate user behavior, is frequently employed by attackers to evade tracking and fingerprinting of network communications. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.

MITRE tactics: Exfiltration

Severity: Low

Anonymity network activity using web proxy

(AzureDNS_DarkWebProxy)

MITRE tactics: Exfiltration

Severity: Low

Attempted communication with suspicious sinkholed domain

(AzureDNS_SinkholedDomain)

Description: Analysis of DNS transactions from %{CompromisedEntity} detected request for sinkholed domain. Such activity, while possibly legitimate user behavior, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.

MITRE tactics: Exfiltration

Severity: Medium

Communication with possible phishing domain

(AzureDNS_PhishingDomain)

Description: Analysis of DNS transactions from %{CompromisedEntity} detected a request for a possible phishing domain. Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service.

MITRE tactics: Exfiltration

Severity: Informational

Communication with suspicious algorithmically generated domain

(AzureDNS_DomainGenerationAlgorithm)

Description: Analysis of DNS transactions from %{CompromisedEntity} detected possible usage of a domain generation algorithm. Such activity, while possibly benign, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.

MITRE tactics: Exfiltration

Severity: Informational

Communication with suspicious domain identified by threat intelligence

(AzureDNS_ThreatIntelSuspectDomain)

MITRE tactics: Initial Access

Severity: Medium

Communication with suspicious random domain name

(AzureDNS_RandomizedDomain)

Description: Analysis of DNS transactions from %{CompromisedEntity} detected usage of a suspicious randomly generated domain name. Such activity, while possibly benign, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.

MITRE tactics: Exfiltration

Severity: Informational

Digital currency mining activity

(AzureDNS_CurrencyMining)

Description: Analysis of DNS transactions from %{CompromisedEntity} detected digital currency mining activity. Such activity, while possibly legitimate user behavior, is frequently performed by attackers following compromise of resources. Typical related attacker activity is likely to include the download and execution of common mining tools.

MITRE tactics: Exfiltration

Severity: Low

Network intrusion detection signature activation

(AzureDNS_SuspiciousDomain)

Description: Analysis of DNS transactions from %{CompromisedEntity} detected a known malicious network signature. Such activity, while possibly legitimate user behavior, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.

MITRE tactics: Exfiltration

Severity: Medium

Possible data download via DNS tunnel

(AzureDNS_DataInfiltration)

Description: Analysis of DNS transactions from %{CompromisedEntity} detected a possible DNS tunnel. Such activity, while possibly legitimate user behavior, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.

MITRE tactics: Exfiltration

Severity: Low

Possible data exfiltration via DNS tunnel

(AzureDNS_DataExfiltration)

MITRE tactics: Exfiltration

Severity: Low

Possible data transfer via DNS tunnel

(AzureDNS_DataObfuscation)

MITRE tactics: Exfiltration

Severity: Low

Alerts for Azure VM extensions

These alerts focus on detecting suspicious activities of Azure virtual machine extensions and provides insights into attackers' attempts to compromise and perform malicious activities on your virtual machines.

Azure virtual machine extensions are small applications that run post-deployment on virtual machines and provide capabilities such as configuration, automation, monitoring, security, and more. While extensions are a powerful tool, they can be used by threat actors for various malicious intents, for example:

Data collection and monitoring
Code execution and configuration deployment with high privileges
Resetting credentials and creating administrative users
Encrypting disks

Severity: High

Executable decoded using certutil

(AppServices_ExecutableDecodedUsingCertutil)

Description: Analysis of host data on [Compromised entity] detected that certutil.exe, a built-in administrator utility, was being used to decode an executable instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using a tool such as certutil.exe to decode a malicious executable that will then be subsequently executed. (Applies to: App Service on Windows)

MITRE tactics: Defense Evasion, Execution

Severity: High

Fileless Attack Behavior Detected

(AppServices_FilelessAttackBehaviorDetection)

Description: The memory of the process specified below contains behaviors commonly used by fileless attacks. Specific behaviors include: {list of observed behaviors} (Applies to: App Service on Windows and App Service on Linux)

MITRE tactics: Execution

Severity: Medium

Fileless Attack Technique Detected

(AppServices_FilelessAttackTechniqueDetection)

MITRE tactics: Execution

Severity: High

Fileless Attack Toolkit Detected

(AppServices_FilelessAttackToolkitDetection)

Description: The memory of the process specified below contains a fileless attack toolkit: {ToolKitName}. Fileless attack toolkits typically do not have a presence on the filesystem, making detection by traditional anti-virus software difficult. Specific behaviors include: {list of observed behaviors} (Applies to: App Service on Windows and App Service on Linux)

MITRE tactics: Defense Evasion, Execution

Severity: High

Microsoft Defender for Cloud test alert for App Service (not a threat)

(AppServices_EICAR)

Description: This is a test alert generated by Microsoft Defender for Cloud. No further action is needed. (Applies to: App Service on Windows and App Service on Linux)

MITRE tactics: -

Severity: High

NMap scanning detected

(AppServices_Nmap)

Description: Azure App Service activity log indicates a possible web fingerprinting activity on your App Service resource. The suspicious activity detected is associated with NMAP. Attackers often use this tool for probing the web application to find vulnerabilities. (Applies to: App Service on Windows and App Service on Linux)

MITRE tactics: PreAttack

Severity: Informational

Phishing content hosted on Azure Webapps

(AppServices_PhishingContent)

Description: URL used for phishing attack found on the Azure AppServices website. This URL was part of a phishing attack sent to Microsoft 365 customers. The content typically lures visitors into entering their corporate credentials or financial information into a legitimate looking website. (Applies to: App Service on Windows and App Service on Linux)

MITRE tactics: Collection

Severity: High

PHP file in upload folder

(AppServices_PhpInUploadFolder)

Description: Azure App Service activity log indicates an access to a suspicious PHP page located in the upload folder. This type of folder doesn't usually contain PHP files. The existence of this type of file might indicate an exploitation taking advantage of arbitrary file upload vulnerabilities. (Applies to: App Service on Windows and App Service on Linux)

MITRE tactics: Execution

Severity: Medium

Possible Cryptocoinminer download detected

(AppServices_CryptoCoinMinerDownload)

Description: Analysis of host data has detected the download of a file normally associated with digital currency mining. (Applies to: App Service on Linux)

MITRE tactics: Defense Evasion, Command and Control, Exploitation

Severity: Medium

Possible data exfiltration detected

(AppServices_DataEgressArtifacts)

Description: Analysis of host/device data detected a possible data egress condition. Attackers will often egress data from machines they have compromised. (Applies to: App Service on Linux)

MITRE tactics: Collection, Exfiltration

Severity: Medium

Potential dangling DNS record for an App Service resource detected

(AppServices_PotentialDanglingDomain)

Description: A DNS record that points to a recently deleted App Service resource (also known as "dangling DNS" entry) has been detected. This might leave you susceptible to a subdomain takeover. Subdomain takeovers enable malicious actors to redirect traffic intended for an organization's domain to a site performing malicious activity. In this case, a text record with the Domain Verification ID was found. Such text records prevent subdomain takeover but we still recommend removing the dangling domain. If you leave the DNS record pointing at the subdomain you're at risk if anyone in your organization deletes the TXT file or record in the future. (Applies to: App Service on Windows and App Service on Linux)

MITRE tactics: -

Severity: Low

Potential reverse shell detected

(AppServices_ReverseShell)

Description: Analysis of host data detected a potential reverse shell. These are used to get a compromised machine to call back into a machine an attacker owns. (Applies to: App Service on Linux)

MITRE tactics: Exfiltration, Exploitation

Severity: Medium

Raw data download detected

(AppServices_DownloadCodeFromWebsite)

Description: Analysis of App Service processes detected an attempt to download code from raw-data websites such as Pastebin. This action was run by a PHP process. This behavior is associated with attempts to download web shells or other malicious components to the App Service. (Applies to: App Service on Windows)

MITRE tactics: Execution

Severity: Medium

Saving curl output to disk detected

(AppServices_CurlToDisk)

Description: Analysis of App Service processes detected the running of a curl command in which the output was saved to the disk. While this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells. (Applies to: App Service on Windows)

MITRE tactics: -

Severity: Low

Spam folder referrer detected

(AppServices_SpamReferrer)

Description: Azure App Service activity log indicates web activity that was identified as originating from a web site associated with spam activity. This can occur if your website is compromised and used for spam activity. (Applies to: App Service on Windows and App Service on Linux)

MITRE tactics: -

Severity: Low

Suspicious access to possibly vulnerable web page detected

(AppServices_ScanSensitivePage)

Description: Azure App Service activity log indicates a web page that seems to be sensitive was accessed. This suspicious activity originated from a source IP address whose access pattern resembles that of a web scanner. This activity is often associated with an attempt by an attacker to scan your network to try to gain access to sensitive or vulnerable web pages. (Applies to: App Service on Windows and App Service on Linux)

MITRE tactics: -

Severity: Low

Suspicious domain name reference

(AppServices_CommandlineSuspectDomain)

Description: Analysis of host data detected reference to suspicious domain name. Such activity, while possibly legitimate user behavior, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools. (Applies to: App Service on Linux)

MITRE tactics: Exfiltration

Severity: Low

Suspicious download using Certutil detected

(AppServices_DownloadUsingCertutil)

Description: Analysis of host data on {NAME} detected the use of certutil.exe, a built-in administrator utility, for the download of a binary instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using certutil.exe to download and decode a malicious executable that will then be subsequently executed. (Applies to: App Service on Windows)

MITRE tactics: Execution

Severity: Medium

Suspicious PHP execution detected

(AppServices_SuspectPhp)

Description: Machine logs indicate that a suspicious PHP process is running. The action included an attempt to run operating system commands or PHP code from the command line, by using the PHP process. While this behavior can be legitimate, in web applications this behavior might indicate malicious activities, such as attempts to infect websites with web shells. (Applies to: App Service on Windows and App Service on Linux)

MITRE tactics: Execution

Severity: Medium

Suspicious PowerShell cmdlets executed

(AppServices_PowerShellPowerSploitScriptExecution)

Description: Analysis of host data indicates execution of known malicious PowerShell PowerSploit cmdlets. (Applies to: App Service on Windows)

MITRE tactics: Execution

Severity: Medium

Suspicious process executed

(AppServices_KnownCredential AccessTools)

Description: Machine logs indicate that the suspicious process: '%{process path}' was running on the machine, often associated with attacker attempts to access credentials. (Applies to: App Service on Windows)

MITRE tactics: Credential Access

Severity: High

Suspicious process name detected

(AppServices_ProcessWithKnownSuspiciousExtension)

Description: Analysis of host data on {NAME} detected a process whose name is suspicious, for example corresponding to a known attacker tool or named in a way that is suggestive of attacker tools that try to hide in plain sight. This process could be legitimate activity, or an indication that one of your machines has been compromised. (Applies to: App Service on Windows)

MITRE tactics: Persistence, Defense Evasion

Severity: Medium

Suspicious SVCHOST process executed

(AppServices_SVCHostFromInvalidPath)

Description: The system process SVCHOST was observed running in an abnormal context. Malware often uses SVCHOST to mask its malicious activity. (Applies to: App Service on Windows)

MITRE tactics: Defense Evasion, Execution

Severity: High

Suspicious User Agent detected

(AppServices_UserAgentInjection)

Description: Azure App Service activity log indicates requests with suspicious user agent. This behavior can indicate on attempts to exploit a vulnerability in your App Service application. (Applies to: App Service on Windows and App Service on Linux)

MITRE tactics: Initial Access

Severity: Informational

Suspicious WordPress theme invocation detected

(AppServices_WpThemeInjection)

Description: Azure App Service activity log indicates a possible code injection activity on your App Service resource. The suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file. This type of activity was seen in the past as part of an attack campaign over WordPress. If your App Service resource isn't hosting a WordPress site, it isn't vulnerable to this specific code injection exploit and you can safely suppress this alert for the resource. To learn how to suppress security alerts, see Suppress alerts from Microsoft Defender for Cloud. (Applies to: App Service on Windows and App Service on Linux)

MITRE tactics: Execution

Severity: High

Vulnerability scanner detected

(AppServices_DrupalScanner)

Description: Azure App Service activity log indicates that a possible vulnerability scanner was used on your App Service resource. The suspicious activity detected resembles that of tools targeting a content management system (CMS). If your App Service resource isn't hosting a Drupal site, it isn't vulnerable to this specific code injection exploit and you can safely suppress this alert for the resource. To learn how to suppress security alerts, see Suppress alerts from Microsoft Defender for Cloud. (Applies to: App Service on Windows)

MITRE tactics: PreAttack

Severity: Low

Vulnerability scanner detected

(AppServices_JoomlaScanner)

Description: Azure App Service activity log indicates that a possible vulnerability scanner was used on your App Service resource. The suspicious activity detected resembles that of tools targeting Joomla applications. If your App Service resource isn't hosting a Joomla site, it isn't vulnerable to this specific code injection exploit and you can safely suppress this alert for the resource. To learn how to suppress security alerts, see Suppress alerts from Microsoft Defender for Cloud. (Applies to: App Service on Windows and App Service on Linux)

MITRE tactics: PreAttack

Severity: Low

Vulnerability scanner detected

(AppServices_WpScanner)

Description: Azure App Service activity log indicates that a possible vulnerability scanner was used on your App Service resource. The suspicious activity detected resembles that of tools targeting WordPress applications. If your App Service resource isn't hosting a WordPress site, it isn't vulnerable to this specific code injection exploit and you can safely suppress this alert for the resource. To learn how to suppress security alerts, see Suppress alerts from Microsoft Defender for Cloud. (Applies to: App Service on Windows and App Service on Linux)

MITRE tactics: PreAttack

Severity: Low

Web fingerprinting detected

(AppServices_WebFingerprinting)

Description: Azure App Service activity log indicates a possible web fingerprinting activity on your App Service resource. The suspicious activity detected is associated with a tool called Blind Elephant. The tool fingerprint web servers and tries to detect the installed applications and version. Attackers often use this tool for probing the web application to find vulnerabilities. (Applies to: App Service on Windows and App Service on Linux)

MITRE tactics: PreAttack

Severity: Medium

Website is tagged as malicious in threat intelligence feed

(AppServices_SmartScreen)

Description: Your website as described below is marked as a malicious site by Windows SmartScreen. If you think this is a false positive, contact Windows SmartScreen via report feedback link provided. (Applies to: App Service on Windows and App Service on Linux)

MITRE tactics: Collection

Severity: Medium

Alerts for containers - Kubernetes clusters

¹: Preview for non-AKS clusters: This alert is generally available for AKS clusters, but it is in preview for other environments, such as Azure Arc, EKS, and GKE.

²: Limitations on GKE clusters: GKE uses a Kubernetes audit policy that doesn't support all alert types. As a result, this security alert, which is based on Kubernetes audit events, is not supported for GKE clusters.

³: This alert is supported on Windows nodes/containers.

Alerts for SQL Database and Azure Synapse Analytics

Further details and notes

A possible vulnerability to SQL Injection

(SQL.DB_VulnerabilityToSqlInjection SQL.VM_VulnerabilityToSqlInjection SQL.MI_VulnerabilityToSqlInjection SQL.DW_VulnerabilityToSqlInjection Synapse.SQLPool_VulnerabilityToSqlInjection)

Description: An application has generated a faulty SQL statement in the database. This can indicate a possible vulnerability to SQL injection attacks. There are two possible reasons for a faulty statement. A defect in application code might have constructed the faulty SQL statement. Or, application code or stored procedures didn't sanitize user input when constructing the faulty SQL statement, which can be exploited for SQL injection.

MITRE tactics: PreAttack

Severity: Medium

Attempted logon by a potentially harmful application

(SQL.DB_HarmfulApplication SQL.VM_HarmfulApplication SQL.MI_HarmfulApplication SQL.DW_HarmfulApplication Synapse.SQLPool_HarmfulApplication)

Description: A potentially harmful application attempted to access your resource.

MITRE tactics: PreAttack

Severity: High

Log on from an unusual Azure Data Center

(SQL.DB_DataCenterAnomaly SQL.VM_DataCenterAnomaly SQL.DW_DataCenterAnomaly SQL.MI_DataCenterAnomaly Synapse.SQLPool_DataCenterAnomaly)

Description: There has been a change in the access pattern to an SQL Server, where someone has signed in to the server from an unusual Azure Data Center. In some cases, the alert detects a legitimate action (a new application or Azure service). In other cases, the alert detects a malicious action (attacker operating from breached resource in Azure).

MITRE tactics: Probing

Severity: Low

Log on from an unusual location

(SQL.DB_GeoAnomaly SQL.VM_GeoAnomaly SQL.DW_GeoAnomaly SQL.MI_GeoAnomaly Synapse.SQLPool_GeoAnomaly)

Description: There has been a change in the access pattern to SQL Server, where someone has signed in to the server from an unusual geographical location. In some cases, the alert detects a legitimate action (a new application or developer maintenance). In other cases, the alert detects a malicious action (a former employee or external attacker).

MITRE tactics: Exploitation

Severity: Medium

(SQL.DB_PrincipalAnomaly SQL.VM_PrincipalAnomaly SQL.DW_PrincipalAnomaly SQL.MI_PrincipalAnomaly Synapse.SQLPool_PrincipalAnomaly)

Description: A principal user not seen in the last 60 days has logged into your database. If this database is new or this is expected behavior caused by recent changes in the users accessing the database, Defender for Cloud will identify significant changes to the access patterns and attempt to prevent future false positives.

MITRE tactics: Exploitation

Severity: Medium

(SQL.DB_DomainAnomaly SQL.VM_DomainAnomaly SQL.DW_DomainAnomaly SQL.MI_DomainAnomaly Synapse.SQLPool_DomainAnomaly)

Description: A user has logged in to your resource from a domain no other users have connected from in the last 60 days. If this resource is new or this is expected behavior caused by recent changes in the users accessing the resource, Defender for Cloud will identify significant changes to the access patterns and attempt to prevent future false positives.

MITRE tactics: Exploitation

Severity: Medium

(SQL.VM_PotentialSqlInjection)

Description: Someone has initiated a new payload utilizing the layer in SQL Server that communicates with the operating system while concealing the command in the SQL query. Attackers commonly hide impactful commands which are popularly monitored like xp_cmdshell, sp_add_job and others. Obfuscation techniques abuse legitimate commands like string concatenation, casting, base changing, and others, to avoid regex detection and hurt the readability of the logs.

(SQL.PostgreSQL_HarmfulApplication SQL.MariaDB_HarmfulApplication SQL.MySQL_HarmfulApplication)

Description: A potentially harmful application attempted to access your resource.

MITRE tactics: PreAttack

Severity: High

(SQL.PostgreSQL_PrincipalAnomaly SQL.MariaDB_PrincipalAnomaly SQL.MySQL_PrincipalAnomaly)

MITRE tactics: Exploitation

Severity: Medium

(SQL.MariaDB_DomainAnomaly SQL.PostgreSQL_DomainAnomaly SQL.MySQL_DomainAnomaly)

MITRE tactics: Exploitation

Severity: Medium

Log on from an unusual Azure Data Center

(SQL.PostgreSQL_DataCenterAnomaly SQL.MariaDB_DataCenterAnomaly SQL.MySQL_DataCenterAnomaly)

(ARM_OperationFromSuspiciousProxyIP)

Description: Microsoft Defender for Resource Manager detected a resource management operation from an IP address that is associated with proxy services, such as TOR. While this behavior can be legitimate, it's often seen in malicious activities, when threat actors try to hide their source IP.

MITRE tactics: Defense Evasion

Severity: Medium

MicroBurst exploitation toolkit used to enumerate resources in your subscriptions

(ARM_MicroBurst.AzDomainInfo)

Description: A PowerShell script was run in your subscription and performed suspicious pattern of executing an information gathering operations to discover resources, permissions, and network structures. Threat actors use automated scripts, like MicroBurst, to gather information for malicious activities. This was detected by analyzing Azure Resource Manager operations in your subscription. This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise your environment for malicious intentions.

MITRE tactics: -

Severity: Low

(Storage.Blob_SuspiciousApp)

Description: Indicates that a suspicious application has successfully accessed a container of a storage account with authentication. This might indicate that an attacker has obtained the credentials necessary to access the account, and is exploiting it. This could also be an indication of a penetration test carried out in your organization. Applies to: Azure Blob Storage, Azure Data Lake Storage Gen2

MITRE tactics: Initial Access

Severity: High/Medium

Access from a suspicious IP address

(Storage.Blob_SuspiciousIp Storage.Files_SuspiciousIp)

Description: Indicates that this storage account has been successfully accessed from an IP address that is considered suspicious. This alert is powered by Microsoft Threat Intelligence. Learn more about Microsoft's threat intelligence capabilities. Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2

MITRE tactics: Pre Attack

Severity: High/Medium/Low

Phishing content hosted on a storage account

(Storage.Blob_PhishingContent Storage.Files_PhishingContent)

Description: A URL used in a phishing attack points to your Azure Storage account. This URL was part of a phishing attack affecting users of Microsoft 365. Typically, content hosted on such pages is designed to trick visitors into entering their corporate credentials or financial information into a web form that looks legitimate. This alert is powered by Microsoft Threat Intelligence. Learn more about Microsoft's threat intelligence capabilities. Applies to: Azure Blob Storage, Azure Files

MITRE tactics: Collection

Severity: High

Storage account identified as source for distribution of malware

(Storage.Files_WidespreadeAm)

Description: Antimalware alerts indicate that an infected file(s) is stored in an Azure file share that is mounted to multiple VMs. If attackers gain access to a VM with a mounted Azure file share, they can use it to spread malware to other VMs that mount the same share. Applies to: Azure Files

MITRE tactics: Execution

Severity: Medium

The access level of a potentially sensitive storage blob container was changed to allow unauthenticated public access

(Storage.Blob_OpenACL)

Description: The alert indicates that someone has changed the access level of a blob container in the storage account, which might contain sensitive data, to the 'Container' level, to allow unauthenticated (anonymous) public access. The change was made through the Azure portal. Based on statistical analysis, the blob container is flagged as possibly containing sensitive data. This analysis suggests that blob containers or storage accounts with similar names are typically not exposed to public access. Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2, or premium block blobs) storage accounts.

MITRE tactics: Collection

Severity: Medium

Authenticated access from a Tor exit node

(Storage.Blob_TorAnomaly Storage.Files_TorAnomaly)

Description: One or more storage container(s) / file share(s) in your storage account were successfully accessed from an IP address known to be an active exit node of Tor (an anonymizing proxy). Threat actors use Tor to make it difficult to trace the activity back to them. Authenticated access from a Tor exit node is a likely indication that a threat actor is trying to hide their identity. Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2

MITRE tactics: Initial Access / Pre Attack

Severity: High/Medium

Access from an unusual location to a storage account

(Storage.Blob_GeoAnomaly Storage.Files_GeoAnomaly)

Description: Indicates that there was a change in the access pattern to an Azure Storage account. Someone has accessed this account from an IP address considered unfamiliar when compared with recent activity. Either an attacker has gained access to the account, or a legitimate user has connected from a new or unusual geographic location. An example of the latter is remote maintenance from a new application or developer. Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2

MITRE tactics: Initial Access

Severity: High/Medium/Low

Unusual unauthenticated access to a storage container

(Storage.Blob_AnonymousAccessAnomaly)

Description: This storage account was accessed without authentication, which is a change in the common access pattern. Read access to this container is usually authenticated. This might indicate that a threat actor was able to exploit public read access to storage container(s) in this storage account(s). Applies to: Azure Blob Storage

MITRE tactics: Initial Access

Severity: High/Low

Potential malware uploaded to a storage account

(Storage.Blob_MalwareHashReputation Storage.Files_MalwareHashReputation)

Description: Indicates that a blob containing potential malware has been uploaded to a blob container or a file share in a storage account. This alert is based on hash reputation analysis leveraging the power of Microsoft threat intelligence, which includes hashes for viruses, trojans, spyware and ransomware. Potential causes might include an intentional malware upload by an attacker, or an unintentional upload of a potentially malicious blob by a legitimate user. Applies to: Azure Blob Storage, Azure Files (Only for transactions over REST API) Learn more about Microsoft's threat intelligence capabilities.

MITRE tactics: Lateral Movement

Severity: High

Publicly accessible storage containers successfully discovered

(Storage.Blob_OpenContainersScanning.SuccessfulDiscovery)

Description: A successful discovery of publicly open storage container(s) in your storage account was performed in the last hour by a scanning script or tool.

This usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storage containers with sensitive data in them.

The threat actor might use their own script or use known scanning tools like Microburst to scan for publicly open containers.

✔ Azure Blob Storage ✖ Azure Files ✖ Azure Data Lake Storage Gen2

MITRE tactics: Collection

Severity: High/Medium

Publicly accessible storage containers unsuccessfully scanned

(Storage.Blob_OpenContainersScanning.FailedAttempt)

Description: A series of failed attempts to scan for publicly open storage containers were performed in the last hour.

Description: The alert indicates that a malicious blob was downloaded from a storage account. Potential causes might include malware that was uploaded to the storage account and not removed or quarantined, thereby enabling a threat actor to download it, or an unintentional download of the malware by legitimate users or applications. Applies to: Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts with the new Defender for Storage plan with the Malware Scanning feature enabled.

MITRE tactics: Lateral Movement

Severity: High, if Eicar - low

Alerts for Azure Cosmos DB

Further details and notes

Access from a Tor exit node

(CosmosDB_TorAnomaly)

Description: This Azure Cosmos DB account was successfully accessed from an IP address known to be an active exit node of Tor, an anonymizing proxy. Authenticated access from a Tor exit node is a likely indication that a threat actor is trying to hide their identity.

MITRE tactics: Initial Access

Severity: High/Medium

Access from a suspicious IP

(CosmosDB_SuspiciousIp)

Description: This Azure Cosmos DB account was successfully accessed from an IP address that was identified as a threat by Microsoft Threat Intelligence.

MITRE tactics: Initial Access

Severity: Medium

Access from an unusual location

(CosmosDB_GeoAnomaly)

Description: This Azure Cosmos DB account was accessed from a location considered unfamiliar, based on the usual access pattern.

Either a threat actor has gained access to the account, or a legitimate user has connected from a new or unusual geographic location

MITRE tactics: Initial Access

Severity: Low

Unusual volume of data extracted

(CosmosDB_DataExfiltrationAnomaly)

Description: An unusually large volume of data has been extracted from this Azure Cosmos DB account. This might indicate that a threat actor exfiltrated data.

MITRE tactics: Exfiltration

Severity: Medium

Extraction of Azure Cosmos DB accounts keys via a potentially malicious script

(CosmosDB_SuspiciousListKeys.MaliciousScript)

Description: A PowerShell script was run in your subscription and performed a suspicious pattern of key-listing operations to get the keys of Azure Cosmos DB accounts in your subscription. Threat actors use automated scripts, like Microburst, to list keys and find Azure Cosmos DB accounts they can access.

This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise Azure Cosmos DB accounts in your environment for malicious intentions.

Alternatively, a malicious insider could be trying to access sensitive data and perform lateral movement.

MITRE tactics: Collection

Severity: Medium

Suspicious extraction of Azure Cosmos DB account keys (AzureCosmosDB_SuspiciousListKeys.SuspiciousPrincipal)

Description: A suspicious source extracted Azure Cosmos DB account access keys from your subscription. If this source is not a legitimate source, this might be a high impact issue. The access key that was extracted provides full control over the associated databases and the data stored within. See the details of each specific alert to understand why the source was flagged as suspicious.

MITRE tactics: Credential Access

Severity: high

SQL injection: potential data exfiltration

(CosmosDB_SqlInjection.DataExfiltration)

Description: A suspicious SQL statement was used to query a container in this Azure Cosmos DB account.

The injected statement might have succeeded in exfiltrating data that the threat actor isn't authorized to access.

Due to the structure and capabilities of Azure Cosmos DB queries, many known SQL injection attacks on Azure Cosmos DB accounts can't work. However, the variation used in this attack might work and threat actors can exfiltrate data.

MITRE tactics: Exfiltration

Severity: Medium

SQL injection: fuzzing attempt

(CosmosDB_SqlInjection.FailedFuzzingAttempt)

Description: A suspicious SQL statement was used to query a container in this Azure Cosmos DB account.

Like other well-known SQL injection attacks, this attack won't succeed in compromising the Azure Cosmos DB account.

Nevertheless, it's an indication that a threat actor is trying to attack the resources in this account, and your application might be compromised.

Some SQL injection attacks can succeed and be used to exfiltrate data. This means that if the attacker continues performing SQL injection attempts, they might be able to compromise your Azure Cosmos DB account and exfiltrate data.

You can prevent this threat by using parameterized queries.

Severity: Medium

Alerts for Azure DDoS Protection

Further details and notes

DDoS Attack detected for Public IP

(NETWORK_DDOS_DETECTED)

Description: DDoS Attack detected for Public IP (IP address) and being mitigated.

MITRE tactics: Probing

Severity: High

DDoS Attack mitigated for Public IP

(NETWORK_DDOS_MITIGATED)

The following lists include the Defender for Containers security alerts which were deprecated.

Manipulation of host firewall detected

(K8S.NODE_FirewallDisabled)

Description: Analysis of processes running within a container or directly on a Kubernetes node, has detected a possible manipulation of the on-host firewall. Attackers will often disable this to exfiltrate data.

MITRE tactics: DefenseEvasion, Exfiltration

Severity: Medium

Suspicious use of DNS over HTTPS

(K8S.NODE_SuspiciousDNSOverHttps)

Description: Analysis of processes running within a container or directly on a Kubernetes node, has detected the use of a DNS call over HTTPS in an uncommon fashion. This technique is used by attackers to hide calls out to suspect or malicious sites.

MITRE tactics: DefenseEvasion, Exfiltration

Severity: Medium

A possible connection to malicious location has been detected.

(K8S.NODE_ThreatIntelCommandLineSuspectDomain)

Description: Analysis of processes running within a container or directly on a Kubernetes node, has detected a connection to a location that has been reported to be malicious or unusual. This is an indicator that a compromise might have occurred.

MITRE tactics: InitialAccess

Severity: Medium

Digital currency mining activity

(K8S.NODE_CurrencyMining)

Description: Analysis of DNS transactions detected digital currency mining activity. Such activity, while possibly legitimate user behavior, is frequently performed by attackers following compromise of resources. Typical related attacker activity is likely to include the download and execution of common mining tools.

MITRE tactics: Exfiltration

Alert Display Name: Possible malicious web shell detected

Alert Display Name: Detected the disabling of critical services

Severity: Medium

Defender for Cloud's supported kill chain intents are based on version 9 of the MITRE ATT&CK matrix and described in the table below.

Tactic	ATT&CK Version	Description
PreAttack		PreAttack could be either an attempt to access a certain resource regardless of a malicious intent, or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt, originating from outside the network, to scan the target system and identify an entry point.
Initial Access	V7, V9	Initial Access is the stage where an attacker manages to get a foothold on the attacked resource. This stage is relevant for compute hosts and resources such as user accounts, certificates etc. Threat actors will often be able to control the resource after this stage.
Persistence	V7, V9	Persistence is any access, action, or configuration change to a system that gives a threat actor a persistent presence on that system. Threat actors will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or provide an alternate backdoor for them to regain access.
Privilege Escalation	V7, V9	Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective might also be considered an escalation of privilege.
Defense Evasion	V7, V9	Defense evasion consists of techniques an adversary might use to evade detection or avoid other defenses. Sometimes these actions are the same as (or variations of) techniques in other categories that have the added benefit of subverting a particular defense or mitigation.
Credential Access	V7, V9	Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. With sufficient access within a network, an adversary can create accounts for later use within the environment.
Discovery	V7, V9	Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.
LateralMovement	V7, V9	Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing more tools, such as a remote access tool. An adversary can use lateral movement for many purposes, including remote Execution of tools, pivoting to more systems, access to specific information or files, access to more credentials, or to cause an effect.
Execution	V7, V9	The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network.
Collection	V7, V9	Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary might look for information to exfiltrate.
Command and Control	V7, V9	The command and control tactic represents how adversaries communicate with systems under their control within a target network.
Exfiltration	V7, V9	Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary might look for information to exfiltrate.
Impact	V7, V9	Impact events primarily try to directly reduce the availability or integrity of a system, service, or network; including manipulation of data to impact a business or operational process. This would often refer to techniques such as ransomware, defacement, data manipulation, and others.

Note

For alerts that are in preview: The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Security alerts - a reference guide

Alerts for Windows machines

A logon from a malicious IP has been detected. [seen multiple times]

Adaptive application control policy violation was audited

Addition of Guest account to Local Administrators group

An event log was cleared

Antimalware Action Failed

Antimalware Action Taken

Antimalware broad files exclusion in your virtual machine

Antimalware disabled and code execution in your virtual machine

Antimalware disabled in your virtual machine

Antimalware file exclusion and code execution in your virtual machine

Antimalware file exclusion and code execution in your virtual machine

Antimalware file exclusion in your virtual machine

Antimalware real-time protection was disabled in your virtual machine

Antimalware real-time protection was disabled temporarily in your virtual machine

Antimalware real-time protection was disabled temporarily while code was executed in your virtual machine

Antimalware scans blocked for files potentially related to malware campaigns on your virtual machine (Preview)

Antimalware temporarily disabled in your virtual machine

Antimalware unusual file exclusion in your virtual machine

Communication with suspicious domain identified by threat intelligence

Detected actions indicative of disabling and deleting IIS log files

Detected anomalous mix of upper and lower case characters in command-line

Detected change to a registry key that can be abused to bypass UAC

Detected decoding of an executable using built-in certutil.exe tool

Detected enabling of the WDigest UseLogonCredential registry key

Detected encoded executable in command line data

Detected obfuscated command line

Detected possible execution of keygen executable

Detected possible execution of malware dropper

Detected possible local reconnaissance activity

Detected potentially suspicious use of Telegram tool

Detected suppression of legal notice displayed to users at logon

Detected suspicious combination of HTA and PowerShell

Detected suspicious commandline arguments

Detected suspicious commandline used to start all executables in a directory

Detected suspicious credentials in commandline

Detected suspicious document credentials

Detected suspicious execution of VBScript.Encode command

Detected suspicious execution via rundll32.exe

Detected suspicious file cleanup commands

Detected suspicious file creation

Detected suspicious named pipe communications

Detected suspicious network activity

Detected suspicious new firewall rule

Detected suspicious use of Cacls to lower the security state of the system

Detected suspicious use of FTP -s Switch

Detected suspicious use of Pcalua.exe to launch executable code

Detected the disabling of critical services

Digital currency mining related behavior detected

Dynamic PS script construction

Executable found running from a suspicious location

Fileless attack behavior detected

Fileless attack technique detected

Fileless attack toolkit detected

High risk software detected

Local Administrators group members were enumerated

Malicious firewall rule created by ZINC server implant [seen multiple times]

Malicious SQL activity

Multiple Domain Accounts Queried

Possible credential dumping detected [seen multiple times]

Potential attempt to bypass AppLocker detected

Rare SVCHOST service group executed

Sticky keys attack detected

Successful brute force attack

Suspect integrity level indicative of RDP hijacking

Suspect service installation

Suspected Kerberos Golden Ticket attack parameters observed

Suspicious Account Creation Detected

Suspicious Activity Detected

Suspicious authentication activity

Suspicious code segment detected

Suspicious double extension file executed

Suspicious download using Certutil detected [seen multiple times]

Suspicious download using Certutil detected

Suspicious PowerShell Activity Detected

Suspicious PowerShell cmdlets executed

Suspicious process executed [seen multiple times]

Suspicious process executed

Suspicious process name detected [seen multiple times]