Cyberleaf Alert Codes

Alert Type | Details
---------- | -------
Access - Access App Tracker - Lookup Gen | Maintains a list of Authentication app values and the first and last time each was seen.
Access - Authentication Tracker - Lookup Gen | Maintains a list of users that have authenticated to each system and the first, second-to-last, and last time each was seen.
Access - First Time Account Access | Identifies a user account and the service it is connecting to the first time that combination is observed.
Abnormally High Number of Endpoint Changes By User | Detects an abnormally high number of endpoint changes by a user account, covering restarts, audit, filesystem, user, and registry modifications.
Account Deleted | Detects user and computer account deletion.
Anomalous New Process | Alerts when an anomalous number of hosts are detected with a new process.
Anomalous New Service | Alerts when an anomalous number of hosts are detected with a new service.
Audit - Active Risk Factors Usage - Telemetry Gen | Sends anonymous usage statistics on the use of risk_factors.
Audit - Active Users - Telemetry Gen | Sends anonymous usage statistics on the number of unique active users.
AWS IAM AccessDenied Discovery Events | Identifies an excessive number of AccessDenied events within a one-hour window. A stolen AWS access key may be in use for discovery; when the key does not carry the permissions being probed, each attempt generates an AccessDenied event.
Allow Network Discovery In Firewall - Rule | 
Brute Force Access Behavior Detected | Detects an excessive number of failed login attempts followed by a successful attempt (this could indicate a successful brute-force attack).
Brute Force Access Behavior Detected Over One Day | Detects an excessive number of failed login attempts followed by a successful attempt over a one-day period (this could indicate a successful brute-force attack).
Concurrent App Accesses | Detects the same resource or app in use by duplicate concurrent sessions.
Concurrent Login Attempts Detected | 
Endpoint - Local Processes Tracker - Lookup Gen | Maintains a list of all processes on each system and the first and last time they were seen.
Endpoint - Malware Tracker - Lookup Gen | Maintains a list of all malware detections (regardless of status) for each system and the first and last time they were seen.
Endpoint - Services Tracker - Lookup Gen | Maintains a list of all services (and their most recent start mode) for each system and the first and last time they were seen.
Endpoint - Update Signature Reference - Lookup Gen | Maintains a list of all updates by vendor and the first and last time they were seen.
Endpoint - User Account Tracker - Lookup Gen | Maintains a list of all local user accounts on each system and the first and last time they were seen.
ESCU - Abnormally High Number Of Cloud Instances Destroyed - Rule | Counts successfully destroyed cloud instances in each 4-hour block, split between weekdays and weekends, then applies the previously built probability density model and alerts on outliers.
ESCU - Abnormally High Number Of Cloud Instances Launched - Rule | Counts successfully created cloud instances in each 4-hour block, split between weekdays and weekends, then applies the previously built probability density model and alerts on outliers.
ESCU - Allow File And Printing Sharing In Firewall - Rule | Detects a suspicious firewall modification that allows file and printer sharing. Ransomware has used this technique to discover more machines connected to the compromised host and encrypt more files.
ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule | Detects a suspicious modification of the firewall rule registry that allows inbound traffic on a specific port under the public profile. Adversaries use this to grant themselves remote access to a machine.
ESCU - Allow Network Discovery In Firewall - Rule | Detects a suspicious firewall modification that allows network discovery on a machine. This technique was seen in a couple of ransomware families (revil, reddot) to discover other machines connected to the compromised host and encrypt more files.
ESCU - Attacker Tools On Endpoint - Rule | Looks for execution of commonly used attacker tools on an endpoint.
ESCU - Attempted Credential Dump From Registry via Reg exe - Rule | Monitors for execution of reg.exe with parameters that export registry keys containing hashed credentials, which attackers may try to crack offline.
ESCU - AWS Create Policy Version to allow all resources - Rule | Looks for AWS CloudTrail events where a user created a policy version that allows access to any resource in the account.
ESCU - AWS CreateAccessKey - Rule | Looks for AWS CloudTrail events where user A, who already has permission to create access keys, makes an API call to create access keys for another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the original victim (user A).
ESCU - AWS CreateLoginProfile - Rule | Looks for AWS CloudTrail events where user A (victim A) creates a login profile for user B, followed by an AWS Console login event for user B from the same src_ip that user A used. The correlation can indicate privilege escalation, since both events came from the same src_ip.
ESCU - AWS Cross Account Activity From Previously Unseen Account - Rule | Looks for AssumeRole events where an IAM role in a different account is requested for the first time.
ESCU - aws detect permanent key creation - Rule | Detects accounts creating permanent (long-lived) access keys. Permanent keys are not created by default and are only needed for programmatic calls, so their creation is an important event to monitor.
ESCU - aws detect role creation - Rule | Detects role creation by IAM users. Role creation is notable on its own when the user creates a role with a trust policy different from those AWS provides, as such roles can be used for lateral movement and privilege escalation.
ESCU - AWS Detect Users creating keys with encrypt policy without MFA - Rule | Detects KMS keys whose policy makes the kms:Encrypt action accessible to everyone (including principals outside your organization). This is an indicator that your account is compromised and the attacker is using the encryption key against another company.
ESCU - Prohibited Network Traffic Allowed - Rule | Looks for network traffic, defined by port and transport-layer protocol in the Enterprise Security lookup table "lookup_interesting_ports", that is marked as prohibited yet has an associated 'allow' action in the Network_Traffic data model. This could indicate a misconfigured network device.
ESCU - Remote Desktop Network Traffic - Rule | Looks for network traffic on TCP/3389, the default port used by Remote Desktop. While remote desktop traffic is not uncommon on a network, it is usually associated with known hosts. This search ignores common RDP sources and destinations so you can focus on uncommon uses of remote desktop on your network.
ESCU - Suspicious Event Log Service Behavior - Rule | Uses Windows Event ID 1100 to identify when the Windows Event Log service is shut down. This is a voluminous analytic that will require tuning or restriction to specific endpoints based on criticality: the event is generated every time the Event Log service shuts down, including normal system shutdown. During triage, determine from time of day and user whether the shutdown was planned; if not, review parallel alerts and other data sources to determine what else may have occurred.
Excessive Failed Logins | Detects an excessive number of failed login attempts (this is likely a brute-force attack).
Unapproved Port Activity Detected | 
Remote Desktop Process Running On System | Looks for the remote desktop process mstsc.exe running on systems on which it does not typically run, by filtering out all systems noted in the common_rdp_source category of the Assets and Identity framework.
Protocols passing authentication in cleartext | Identifies cleartext protocols at risk of leaking sensitive information. Currently this covers legacy protocols such as telnet (port 23), POP3 (port 110), IMAP (port 143), and non-anonymous FTP (port 21) sessions. While some of these protocols may be used over SSL/TLS, they are then typically found on different assigned ports.
Detect Outbound SMB Traffic | Looks for outbound SMB connections made by hosts within your network to the Internet. SMB is used for Windows file sharing; one technique attackers use is to capture the victim's credential hash through an SMB request to a server controlled by the threat actor.
Detect New Local Admin account | Looks for newly created accounts that have been elevated to local administrators.
Email servers sending high volume traffic to hosts | Looks for an increase in data transfers from your email server to your clients. This could indicate a malicious actor collecting data through your email server.
Malicious PowerShell Process - Execution Policy Bypass | Looks for PowerShell processes started with parameters used to bypass the local execution policy for scripts. These parameters are often observed in attacks that leverage PowerShell scripts, because they override the default execution policy.
Detect New Open S3 buckets | Looks for AWS CloudTrail events where a user has created an open/public S3 bucket.
Detect Exchange Web Shell | Identifies suspicious .aspx files created in three paths identified by Microsoft as known drop locations for Exchange exploitation related to the HAFNIUM group and the disclosed vulnerabilities named ProxyShell and ProxyNotShell.
CMD Echo Pipe | Identifies a common behavior of Cobalt Strike and other frameworks where the adversary escalates privileges, either via jump (Cobalt Strike PTH) or getsystem, using named-pipe impersonation. A suspicious event looks like cmd.exe /c echo 4sgryt3436 > \\.\Pipe\5erg53.
Scheduled Task Deleted Or Created via CMD | Identifies the creation or deletion of a scheduled task using schtasks.exe with the /create or /delete flag passed on the command line. This has been associated with the Dragonfly threat actor and the SUNBURST attack against SolarWinds. This analytic replaces "Scheduled Task used in BadRabbit Ransomware".
Disabling CMD Application | Identifies a registry modification that disables the command prompt. This technique is commonly seen in RATs, Trojans, and worms to prevent analysts from triaging or deleting their samples through cmd, which is one of the tools an analyst uses to traverse directories and files.
Detect Large Outbound ICMP Packets | Looks for outbound ICMP packets larger than 1,000 bytes. Various threat actors are known to use ICMP as a command-and-control channel. Large ICMP packets from an endpoint to a remote host may indicate this activity.
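The brute-force entries in the table ("Brute Force Access Behavior Detected", its one-day variant, and "Excessive Failed Logins") share one piece of logic: count failures per account and source inside a sliding window, and in the brute-force case require a success after them. The following is an added example that reimplements that logic in Python over constructed log lines; it is not Cyberleaf's or Splunk ES's code, and the log format, the field names `user`, `src` and `action`, and the threshold of 5 failures are assumptions made for the example.

```python
"""Brute-force-then-success detection over constructed authentication logs.

Added example, not Cyberleaf's or Splunk ES code. It reproduces the logic of
"Brute Force Access Behavior Detected" (many failures then a success for the
same account and source inside a window) and "Excessive Failed Logins"
(many failures, success or not). Log format, field names and the threshold
are assumptions for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

ONE_HOUR = timedelta(hours=1)
ONE_DAY = timedelta(days=1)
FAIL_THRESHOLD = 5  # assumed tuning value; ES ships its own defaults

# Constructed sample log lines (not real data): key=value after an ISO timestamp.
SAMPLE_LOG = """\
2024-05-01T10:00:00 user=alice src=10.0.0.5 action=failure
2024-05-01T10:00:10 user=alice src=10.0.0.5 action=failure
2024-05-01T10:00:20 user=alice src=10.0.0.5 action=failure
2024-05-01T10:00:30 user=alice src=10.0.0.5 action=failure
2024-05-01T10:00:40 user=alice src=10.0.0.5 action=failure
2024-05-01T10:00:50 user=alice src=10.0.0.5 action=success
2024-05-01T10:01:00 user=bob src=10.0.0.9 action=failure
2024-05-01T10:01:05 user=bob src=10.0.0.9 action=failure
2024-05-01T10:01:10 user=bob src=10.0.0.9 action=success
2024-05-01T11:00:00 user=dave src=198.51.100.4 action=failure
2024-05-01T13:00:00 user=dave src=198.51.100.4 action=failure
2024-05-01T15:00:00 user=dave src=198.51.100.4 action=failure
2024-05-01T17:00:00 user=dave src=198.51.100.4 action=failure
2024-05-01T19:00:00 user=dave src=198.51.100.4 action=failure
2024-05-01T19:30:00 user=dave src=198.51.100.4 action=success
2024-05-01T20:00:00 user=carol src=203.0.113.7 action=failure
2024-05-01T20:00:30 user=carol src=203.0.113.7 action=failure
2024-05-01T20:01:00 user=carol src=203.0.113.7 action=failure
2024-05-01T20:01:30 user=carol src=203.0.113.7 action=failure
2024-05-01T20:02:00 user=carol src=203.0.113.7 action=failure
"""


def parse_log(text):
    """Parse key=value lines into dicts, sorted by timestamp: an ordering-
    dependent detection must not trust the order lines arrive in."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_brute_force(text, threshold=FAIL_THRESHOLD, window=ONE_HOUR):
    """Alert when a success follows >= threshold failures for the same
    (user, src) inside `window`. Pass window=ONE_DAY for the one-day variant."""
    recent = defaultdict(deque)  # (user, src) -> failure timestamps still in window
    alerts = []
    for rec in parse_log(text):
        q = recent[(rec["user"], rec["src"])]
        while q and rec["ts"] - q[0] > window:  # expire failures outside the window
            q.popleft()
        if rec["action"] == "failure":
            q.append(rec["ts"])
        elif rec["action"] == "success":
            if len(q) >= threshold:
                alerts.append({"user": rec["user"], "src": rec["src"],
                               "failures": len(q), "success_at": rec["ts"]})
            q.clear()  # a success ends the streak for this pair
    return alerts


def detect_excessive_failures(text, threshold=FAIL_THRESHOLD, window=ONE_HOUR):
    """Flag (user, src) pairs with >= threshold failures inside `window`,
    whether or not a success followed; returns the peak count per pair."""
    recent = defaultdict(deque)
    flagged = {}
    for rec in parse_log(text):
        if rec["action"] != "failure":
            continue
        key = (rec["user"], rec["src"])
        q = recent[key]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


if __name__ == "__main__":
    for a in detect_brute_force(SAMPLE_LOG):
        print("brute force then success (1 hour):", a)
    for a in detect_brute_force(SAMPLE_LOG, window=ONE_DAY):
        print("brute force then success (1 day):", a)
    print("excessive failures:", detect_excessive_failures(SAMPLE_LOG))
```

On the sample data, only alice trips the one-hour rule; dave's slow spray (one failure every two hours, then a success) is invisible to it and only surfaces when the window is widened to a day, which is exactly the gap the "Over One Day" variant exists to close. carol never succeeds, so she appears only in the excessive-failures output.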
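Three of the AWS entries above are correlations over CloudTrail records rather than single-event matches: "ESCU - AWS CreateAccessKey" (a principal creating a key for a different user), "ESCU - AWS CreateLoginProfile" (a login profile created for user B, then a console login for B from the IP the creator used) and "AWS IAM AccessDenied Discovery Events" (too many AccessDenied results for one principal in an hour). The following added example, which is not Cyberleaf's, Splunk's or AWS's code, implements those three checks over fabricated records; only the field names (`eventName`, `userIdentity.userName`, `sourceIPAddress`, `requestParameters.userName`, `responseElements.ConsoleLogin`, `errorCode`) follow the CloudTrail record format, and the 24-hour correlation window and the threshold of 10 denials are assumptions.

```python
"""CloudTrail correlations over constructed records.

Added example, not Cyberleaf's, Splunk's or AWS's code. The records are
fabricated; only the field names follow the CloudTrail record format.
The correlation window and the AccessDenied threshold are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta


def _event(time, name, actor, ip, **extra):
    """Build a minimal CloudTrail-shaped record for the sample data."""
    rec = {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "userName": actor}}
    rec.update(extra)
    return rec


SAMPLE_CLOUDTRAIL = [
    # ops-admin rotates its own key: requestParameters.userName equals the caller.
    _event("2024-05-01T09:00:00Z", "CreateAccessKey", "ops-admin", "10.1.1.1",
           requestParameters={"userName": "ops-admin"}),
    # dev-user creates a key and a console password for billing-admin ...
    _event("2024-05-01T09:05:00Z", "CreateAccessKey", "dev-user", "198.51.100.23",
           requestParameters={"userName": "billing-admin"}),
    _event("2024-05-01T09:10:00Z", "CreateLoginProfile", "dev-user", "198.51.100.23",
           requestParameters={"userName": "billing-admin"}),
    # ... and then logs in as billing-admin from the same address.
    _event("2024-05-01T09:12:00Z", "ConsoleLogin", "billing-admin", "198.51.100.23",
           responseElements={"ConsoleLogin": "Success"}),
    # Legitimate onboarding: profile created from the office, user logs in from elsewhere.
    _event("2024-05-01T09:20:00Z", "CreateLoginProfile", "ops-admin", "10.1.1.1",
           requestParameters={"userName": "audit-ro"}),
    _event("2024-05-01T09:40:00Z", "ConsoleLogin", "audit-ro", "192.0.2.50",
           responseElements={"ConsoleLogin": "Success"}),
]
# A burst of denied discovery calls from dev-user inside a single hour.
for i in range(12):
    SAMPLE_CLOUDTRAIL.append(_event(f"2024-05-01T10:{i:02d}:00Z", "DescribeInstances",
                                    "dev-user", "198.51.100.23", errorCode="AccessDenied"))


def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _actor(rec):
    ui = rec["userIdentity"]
    return ui.get("userName") or ui.get("arn", "unknown")


def access_keys_for_other_users(records):
    """CreateAccessKey where the target user differs from the caller.
    A CreateAccessKey with no requestParameters.userName targets the caller itself."""
    hits = []
    for r in records:
        if r["eventName"] != "CreateAccessKey" or r.get("errorCode"):
            continue
        target = r.get("requestParameters", {}).get("userName")
        if target and target != _actor(r):
            hits.append((_actor(r), target))
    return hits


def login_profile_then_console_login(records, window=timedelta(hours=24)):
    """CreateLoginProfile by A for B, then a successful ConsoleLogin as B
    from the same source IP within `window` (assumed correlation window)."""
    pending = []  # (ts, creator, target, ip) for each profile creation seen so far
    hits = []
    for r in sorted(records, key=_ts):
        if r["eventName"] == "CreateLoginProfile" and not r.get("errorCode"):
            pending.append((_ts(r), _actor(r), r["requestParameters"]["userName"],
                            r["sourceIPAddress"]))
        elif (r["eventName"] == "ConsoleLogin"
              and r.get("responseElements", {}).get("ConsoleLogin") == "Success"):
            for ts, creator, target, ip in pending:
                if (target == _actor(r) and ip == r["sourceIPAddress"]
                        and timedelta(0) <= _ts(r) - ts <= window):
                    hits.append((creator, target, ip))
    return hits


def excessive_access_denied(records, threshold=10):
    """Count AccessDenied per (actor, clock hour); return buckets at or over threshold."""
    per_hour = Counter()
    for r in records:
        if r.get("errorCode") == "AccessDenied":
            per_hour[(_actor(r), _ts(r).replace(minute=0, second=0))] += 1
    return {k: v for k, v in per_hour.items() if v >= threshold}


if __name__ == "__main__":
    print("keys created for other users:", access_keys_for_other_users(SAMPLE_CLOUDTRAIL))
    print("login profile then console login:", login_profile_then_console_login(SAMPLE_CLOUDTRAIL))
    print("excessive AccessDenied:", excessive_access_denied(SAMPLE_CLOUDTRAIL))
```

The audit-ro onboarding shows why the source-IP match matters: a profile created by an administrator and a login by the new user from a different address is routine, and the rule stays quiet on it. The hourly bucketing in `excessive_access_denied` is a fixed clock-hour bucket, which is simpler than the sliding window used in the brute-force logic and can miss a burst that straddles an hour boundary; a sliding window is the stricter choice if that matters for your environment.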
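Several endpoint entries above are command-line pattern matches on process-creation events: the execution-policy bypass in "Malicious PowerShell Process - Execution Policy Bypass", the registry hive export in "ESCU - Attempted Credential Dump From Registry via Reg exe", the /create and /delete flags in "Scheduled Task Deleted Or Created via CMD", and the named-pipe echo in "CMD Echo Pipe". The following added example runs an approximation of those four patterns over constructed process events. It is not Cyberleaf's code and the regular expressions are this example's own reading of the rule descriptions, not the ESCU searches themselves; the event shape (`host`, `cmdline`) and all sample command lines are made up for the example.

```python
"""Command-line detection rules over constructed process-creation events.

Added example, not Cyberleaf's or Splunk ESCU's code. The regexes are this
example's approximation of four rule descriptions; the event shape and the
sample command lines are constructed, not real telemetry.
"""
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields, invented data).
SAMPLE_PROCESSES = [
    {"host": "ws01", "cmdline": r"powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Users\Public\u.ps1"},
    {"host": "ws01", "cmdline": r"reg.exe save hklm\sam C:\Windows\Temp\sam.hiv"},
    {"host": "srv02", "cmdline": r"schtasks.exe /create /tn Updater /tr C:\ProgramData\u.exe /sc minute /mo 5"},
    {"host": "srv02", "cmdline": r"cmd.exe /c echo 4sgryt3436 > \\.\Pipe\5erg53"},
    # Benign activity that shares the same binaries and must not fire.
    {"host": "ws03", "cmdline": r"powershell.exe -NoProfile -Command Get-Date"},
    {"host": "ws03", "cmdline": r"reg.exe query HKCU\Software\Contoso"},
    {"host": "ws03", "cmdline": r"schtasks.exe /query /tn Updater"},
]

# (rule name from the table, pattern). Patterns are case-insensitive because
# Windows command lines are.
RULES = [
    # -ExecutionPolicy and its accepted abbreviations (-ex, -ep, -exec) set to Bypass/Unrestricted.
    ("Malicious PowerShell Process - Execution Policy Bypass",
     re.compile(r"\bpowershell(\.exe)?\b.*?-(ex|ep|exec|executionpolicy)\s+(bypass|unrestricted)\b", re.I)),
    # reg save/export of the hives that hold hashed credentials (SAM, SECURITY, SYSTEM).
    ("Attempted Credential Dump From Registry via Reg exe",
     re.compile(r"\breg(\.exe)?\s+(save|export)\b.*\b(sam|security|system)\b", re.I)),
    # schtasks with /create or /delete anywhere on the command line.
    ("Scheduled Task Deleted Or Created via CMD",
     re.compile(r"\bschtasks(\.exe)?\b.*\s/(create|delete)\b", re.I)),
    # cmd echoing into \\.\pipe\..., the named-pipe impersonation pattern.
    ("CMD Echo Pipe",
     re.compile(r"\bcmd(\.exe)?\b.*\becho\b.*>\s*\\\\\.\\pipe\\", re.I)),
]


def classify(event):
    """Return the names of every rule whose pattern matches the event's command line."""
    return [name for name, pattern in RULES if pattern.search(event["cmdline"])]


def run_rules(events):
    """Evaluate all rules over all events; one (host, rule, cmdline) tuple per hit."""
    return [(e["host"], name, e["cmdline"]) for e in events for name in classify(e)]


if __name__ == "__main__":
    for host, name, cmdline in run_rules(SAMPLE_PROCESSES):
        print(f"{host}: {name}: {cmdline}")
```

The benign rows are the important half of the sample: `reg.exe query`, `schtasks /query` and a PowerShell one-liner without a policy switch all use the same binaries as the malicious rows, and a rule that keys on the image name alone would page on all of them. Word boundaries in the hive pattern also keep `system32` in a path from matching `SYSTEM`.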
