Threats

Coinminer

Delivers and executes cryptocurrency miners without the user's knowledge or consent. Coinminers can negatively impact system performance and employee productivity. As coinminers have increased in popularity, they may be used to deliver malicious payloads. Examples of common coinminer threats include XMRig and Smominru.

Credential Theft

Executes malicious code or binaries designed to capture user credentials, tokens, or other methods of authentication. This includes local and domain credentials as well as usernames and passwords to sites and resources (internal or external). Examples of common tools include Mimikatz, PowerSploit, PWDump, and NTDSUtil.

Dropper/Downloader

Introduces malicious payloads to the target computer. The payload is either included within the original file (dropper) or is retrieved from a remote resource (downloader).

Lateral Movement

Produces activity consistent with signs of lateral movement in the environment, such as accessing and controlling remote systems on the network. Adversaries may install their own remote access tools to traverse through the network or use legitimate credentials with native network and system tools, such as SMB shares, RDP, etc.

Post-Exploitation Tool

Executes malicious code or commands in a pseudo-standard fashion, and often uses playbooks and automation. Examples of common post-exploitation tools include Metasploit, Cobalt Strike, Armitage, and PowerSploit.

Ransomware

Prevents access to and use of computers and files by using encryption, threats of infection, or other forms of extortion in order to get the victim to pay a fee. The victim is informed, typically via popup message or ransom note, that once the victim complies, the encryption will be removed, files returned, and any immediate threat of extortion disabled.

Web shell

Includes activity related to a malicious, shell-like interface that allows a web server to be accessed and managed remotely by allowing arbitrary commands to be executed. A web shell can be uploaded to a web server to enable remote access to the server and its file system. Examples of common web shells include C99 and China Chopper.

Adversary Emulation

Uses adversary emulation tools to test telemetry and detection coverage in enterprise environments.

Account

Includes the creation or modification of an individual or service account, or of a security group. Also includes activity to modify or elevate permissions. Examples include the creation of new user accounts with non-standard naming conventions or slight deviations from existing account or group names using intentional misspellings.

Dual-use

Includes activity consistent with utilities that are used for both internal testing and malicious activity. The use of these applications may indicate a security risk if they aren't executed by approved users. Examples include Active Directory configuration, account management, network discovery, and security audits.

Network

Includes abnormal patterns of network activity, connections to services or hosts in non-standard ways, and activity related to suspicious IP addresses or hosts. Examples include connections to unusual outside geographic destinations, dynamic DNS domains, and "paste" or other content-sharing sites.

Process

Includes activity from a process exhibiting suspicious behaviors that are not directly attributable to malware or known threat profiles. The binary or process may be legitimate, but exhibits abnormal behavior. Examples include unusual process parent chain executions, or unexpected process command arguments.

Reconnaissance

Includes activity from a process exhibiting behaviors indicative of host, user, or network reconnaissance, and includes port scans, account queries, and network packet captures. The binary or process may be legitimate, but exhibits abnormal behavior.

Remote Access

Includes the presence or use of remote access tools, including console and terminal-based utilities, under unusual circumstances.

Security Product Tampering

Includes activity related to the tampering of security products. Examples include  service manipulation via an interactive session, a process being forcibly stopped, and data being removed from the data store.

Adware

Performs actions such as changing browser settings and home pages, redirecting search results, and displaying advertisements. These applications use deceptive installation techniques that include masquerading as or bundling legitimate software.

Peer-to-Peer (P2P)

Shares digital content or computing resources in a decentralized manner. P2P software increases the risk of exposure to malware or illegal material, consumes network and computing resources, and may perform unauthorized sharing of controlled data.

Riskware

Circumvents security policy or controls, including but not limited to: license or policy bypass, host-based proxies, and anonymization services. Riskware may have legitimate uses, but does introduce unique risk due to the functionality that this class of software provides.