Detections Reference Guide
This guide lists the detection types that Cisco XDR can generate from native telemetry.
Each detection includes:
- the detection name
- a brief description, and why this may indicate malicious behavior
- required activity source
- severity of the detection defined by Cisco Threat Research
- associated MITRE ATT&CK Tactics
- associated MITRE ATT&CK Techniques
- the number of days of data collection required before the detection can trigger
| Name | Description | Activity Source | Severity | MITRE Tactics | MITRE Techniques | Baseline Time |
|---|---|---|---|---|---|---|
| Cloud Instance Metadata Service Request | A request to one of the public cloud Instance Metadata Service endpoints that provide credentials was made from an endpoint. | | Low | Credential Access | Cloud Instance Metadata API | 0 days |
| macOS Browser Spawned Script With External Network Connection | A web browser on a macOS device initiated a script execution or command line interpreter process that made a network connection to a public IP address. | | Low | Execution | Command and Scripting Interpreter | 0 days |
| macOS Device Connected to TOR Exit Node | A macOS device made a network connection to a destination IP address identified as a TOR exit node. | | Medium | Command and Control, Defense Evasion | Multi-hop Proxy | 0 days |
| macOS File Download Observed on Process Arguments | A URL pattern indicating a file download was observed on a process command line. This behavior occurred on a macOS device. | | Low | Command and Control | Ingress Tool Transfer | 0 days |
| macOS Network Connection made by NetCat | NetCat was executed on a macOS device and made an internet connection. | | Low | Command and Control | Non-Application Layer Protocol | 0 days |
| macOS Network Discovery Utility Executed | A network discovery tool was utilized on a macOS device and initiated a network connection. | | Low | Discovery | Account Discovery | 0 days |
| macOS Process curl Transferred Data Outbound | An outbound transfer of at least 1 Megabyte (MB) of data was made using the curl utility on macOS, with an unusual command line argument and outbound data exceeding inbound data. | | Medium | Exfiltration | Exfiltration Over Alternative Protocol, Exfiltration Over Web Service | 0 days |
| macOS Terminal Command Included Base64 Encoded String | A base64 encoded command was executed on a macOS device and that process made a network connection. | | Low | Defense Evasion | Command Obfuscation, Unix Shell, Python | 0 days |
| macOS Utility AnyDesk Executed | AnyDesk was utilized on a macOS device by a non-system user with process arguments indicating setup or silent execution. | | Low | Command and Control | Remote Desktop Software | 0 days |
| macOS Utility NSCurl Download Activity | NSCurl was utilized to download data on a macOS device. Binaries downloaded using nscurl do not have the quarantine flag set. | | Low | Command and Control, Defense Evasion | Ingress Tool Transfer, Gatekeeper Bypass | 0 days |
| Windows Active Directory Hidden User Added | A hidden user account with a name ending in a '$', a naming pattern sometimes used for system service accounts, was added to an Active Directory Domain. This occurred on a Windows device. | | Low | Persistence | Domain Account, Hidden Users | 0 days |
| Windows Application AdFind Executed | The utility AdFind was executed on a Windows device and made a network connection. | | Low | Discovery | Domain Account, Domain Trust Discovery | 0 days |
| Windows Application GoodSync Utilized for Outbound File Transfer | The file synchronization application GoodSync was utilized to transfer data outbound on a Windows device. | | Low | Exfiltration | Automated Exfiltration, Exfiltration Over Web Service | 0 days |
| Windows Application Infatica Control Channel Network Connection | A known Infatica agent connected to a control server from a Windows device. This was not traffic generated due to a remote user. | | Low | – | Proxy | 0 days |
| Windows Application Infatica Internal Network Connection | A known Infatica process running on a Windows device connected to a private IP address. | | Medium | – | Proxy | 0 days |
| Windows Application other than Telegram Connected to Telegram | An attempt was made to communicate with the Telegram chat service or the Telegraph blog service using a tool other than the Telegram desktop application or a web browser. | | Low | Command and Control | One-Way Communication | 0 days |
| Windows Application PuTTY Secure Copy Client Transferred Data | The PuTTY Secure Copy Client (pscp.exe) initiated a network connection to a public IP address on a Windows device. | | Low | Exfiltration | Exfiltration Over Alternative Protocol | 0 days |
| Windows Application Rclone Transferred Data Outbound | The data sync tool Rclone on Windows (rclone.exe) sent over 200,000,000 bytes of data outbound to a public IP address. | | Medium | Exfiltration | Automated Exfiltration | 0 days |
| Windows Browser Spawned Script With External Network Connection | A web browser on a Windows device initiated a script execution or command line interpreter process that made a network connection to a public IP address. | | Low | Execution | Command and Scripting Interpreter | 0 days |
| Windows Command Line Interpreter Connected on Port 445 | A Windows device connected on the standard defined port for Server Message Block (SMB). The parent process was a command line or script interpreter, the process was not executed by a system user, and more data was sent than received. | | Low | Credential Access | Command and Scripting Interpreter | 0 days |
| Windows Command Prompt Renamed | A utility not named cmd.exe but with command line arguments specific to the Windows Command Processor was executed on Windows and made a network connection. | | Low | Defense Evasion, Execution | Rename Legitimate Utilities, Windows Command Shell | 0 days |
| Windows Command-Line Arguments Associated with AdFind | An executable with command-line arguments specific to AdFind was executed on a Windows device and made a network connection. | | Medium | Discovery | Domain Account, Domain Trust Discovery | 0 days |
| Windows Device Communicated on LDAP Port | A utility on a Windows device sent a small amount of data on one of the standard defined ports for Lightweight Directory Access Protocol (LDAP). This process had not connected via LDAP in the last week, and was not a known system process or running from a common program files directory. | | Low | Credential Access | Password Guessing | 0 days |
| Windows Device Connected to Temporary Sharing Site | Windows Device Connected to Temporary Sharing Site | | Low | Command and Control, Exfiltration | Dead Drop Resolver, Exfiltration to Cloud Storage | 0 days |
| Windows Device Connected to TOR Exit Node | A Windows device made a network connection to a destination IP address identified as a TOR exit node. | | Medium | Command and Control, Defense Evasion | Multi-hop Proxy | 0 days |
| Windows Device Connected via WinRM | A connection was made by a non-system user on a Windows device to TCP ports 5985 or 5986, the standard ports for Windows Remote Management (WinRM). This connection was not made by a Windows utility that typically makes connections on port 5985 or 5986. | | Low | – | Windows Remote Management | 0 days |
| Windows Device Requested an Active Directory Certificate | A request was made for an Active Directory Certificate Services (AD CS) Public Key Infrastructure (PKI) certificate from a Windows device. | | Medium | Execution | Steal or Forge Kerberos Tickets, Steal or Forge Authentication Certificates | 0 days |
| Windows Device Transferred Data to Azure Storage | A network connection was made from a Windows device by one of the first-party Microsoft Azure utilities (Storage Explorer or AzCopy). More than 1MB of data was transferred, with more data moving outbound than inbound. | | Low | Execution | Exfiltration to Cloud Storage | 0 days |
| Windows Device Used to Transfer Data to Amazon S3 | The Amazon Web Services (AWS) Command Line Interface (CLI) was utilized to transfer more than 1 Megabyte (MB) of data outbound to Amazon Simple Storage Service (S3). This occurred on a Windows device. | | Low | Exfiltration | Transfer Data to Cloud Account | 0 days |
| Windows Download of Executable Files using WebDAV | An executable file was downloaded from an external source utilizing the WebDAV protocol on a Windows device. | | Medium | Command and Control | Ingress Tool Transfer | 0 days |
| Windows Email Attachment Tool Transfer | A desktop email client spawned a Microsoft Office application that made a network connection. The connection was not to a common Microsoft domain name and more data was transferred inbound than outbound. | | Low | Command and Control | Ingress Tool Transfer | 0 days |
| Windows Endpoint Amazon Web Services Credential Access | AWS credentials were accessed by a process that made a network connection. | | High | Credential Access | Credentials In Files | 0 days |
| Windows File Download Observed on Process Arguments | A URL pattern indicating a file download was observed on a process command line. This behavior occurred on a Windows device. | | Low | Command and Control | Ingress Tool Transfer | 0 days |
| Windows Interactive Shell Spawned Via NinjaRMM | The Remote Monitoring and Management (RMM) tool NinjaRMM can be abused by adversaries to launch an interactive shell. It enables them to execute commands and gain unauthorized remote control over target systems. | | Medium | Command and Control, Execution | Command and Scripting Interpreter, Remote Desktop Software | 0 days |
| Windows Kerberos Relay Attempt Using KrbRelayUp | A process on a Windows device made a connection to one of the standard ports for Kerberos connections, with command line arguments indicative of the KrbRelayUp utility. | | Medium | Credential Access | Steal or Forge Kerberos Tickets, Steal or Forge Authentication Certificates | 0 days |
| Windows Long Lasting Network Connection from a System Binary | A system binary on a Windows device initiated a network connection that was open for 1 hour or more. | | Low | Command and Control | Application Layer Protocol, Non-Application Layer Protocol | 0 days |
| Windows Management Instrumentation Command-line Initiated Connection | The utility Windows Management Instrumentation Command-line (WMIC.exe) was executed on a Windows device and made a network connection to another device. | | Low | Execution, Lateral Movement | Direct Cloud VM Connections, Windows Management Instrumentation | 0 days |
| Windows Management Instrumentation Spawned a Process | A process that made a network connection was spawned by wmiprvse.exe, indicating it was initiated via WMI. | | Low | Execution, Lateral Movement | Direct Cloud VM Connections, Windows Management Instrumentation | 0 days |
| Windows MSI Package Used to Install NinjaRMM | The Remote Monitoring and Management (RMM) tool NinjaRMM was installed via the utility msiexec.exe. This occurred on a Windows device. | | Medium | Command and Control, Defense Evasion | Msiexec, Remote Desktop Software | 0 days |
| Windows Network Connection Initiated by Group3r | A network connection was made by the tool Group3r on a Windows device. | | Medium | Discovery | Remote System Discovery, Domain Account | 0 days |
| Windows Network Connection Initiated by Inveigh | A network connection was made by the tool Inveigh.exe on a Windows device. | | High | Command and Control, Execution | Proxy, Adversary-in-the-Middle | 0 days |
| Windows Network Connection Initiated by Rubeus | A network connection was made by the tool Rubeus on a Windows device. | | Medium | Credential Access | Golden Ticket, Silver Ticket, Kerberoasting | 0 days |
| Windows Network Connection Initiated by Seatbelt | Windows Network Connection Initiated by Seatbelt | | Medium | Discovery | Remote System Discovery, Domain Account, Network Share Discovery | 0 days |
| Windows Network Connection Initiated by SharpShares | A network connection was made by the tool SharpShares on a Windows device. | | Medium | Discovery | Remote System Discovery, Domain Account, Network Share Discovery | 0 days |
| Windows Network Connection Initiated by SharpSniper | A network connection was made by SharpSniper on a Windows device to find the IP address of domain users. | | Medium | Discovery | Remote System Discovery, Log Enumeration | 0 days |
| Windows Network Connection Initiated by SharpSpray | A network connection was made by the tool SharpSpray on a Windows device. It was executed either as a compiled binary or as a PowerShell module. | | Medium | Discovery | Domain Account, Password Spraying | 0 days |
| Windows Network Connection Initiated by SharpView | A network connection was made by the tool SharpView, executed as a compiled binary, on a Windows device. | | Medium | Discovery | Remote System Discovery, Domain Account, Network Share Discovery | 0 days |
| Windows Network Discovery Utility Executed | A network discovery tool was utilized on a Windows device and initiated a network connection. | | Low | Discovery | Account Discovery | 0 days |
| Windows Network Traffic Observed from Service Host Child Process | Service Host (svchost.exe) was run from a non-standard location and spawned a child process that initiated a network connection on a Windows device. | | Low | Defense Evasion, Execution | Parent PID Spoofing, Service Execution | 0 days |
| Windows Network Traffic via Active Directory Web Services Port | Network traffic on the standard defined port for Active Directory Web Services (ADWS), 9389, or initiated by the ADWS system utility was identified. | | Low | Discovery | Domain Account | 0 days |
| Windows PowerShell Arguments Contained Base64 Encoded String | A base64 encoded string was provided as a command line argument to PowerShell, and a network connection was made. This occurred on a Windows device. | | Low | Defense Evasion | Command Obfuscation | 0 days |
| Windows PowerShell Commands Executed in Non-PowerShell Parent Process | A parent process not named powershell.exe or pwsh.exe spawned a child process that made a network connection, and the parent process had command line arguments typically associated with PowerShell. | | Medium | Defense Evasion, Execution | Rename Legitimate Utilities | 0 days |
| Windows PowerShell Commands Executed in Non-PowerShell Process | A process not named powershell.exe or pwsh.exe had command line arguments typically associated with PowerShell. | | Medium | Defense Evasion, Execution | Rename Legitimate Utilities | 0 days |
| Windows PowerShell Environment Variable Utilized | An environment variable was utilized in the command line arguments of a PowerShell process that made a network connection. This occurred on a Windows device. | | Low | Defense Evasion, Persistence | Path Interception by PATH Environment Variable | 0 days |
| Windows PowerShell RDP Connection | The system utility PowerShell made a connection over the standard defined port for Remote Desktop Protocol (RDP) on a Windows device. | | Low | Lateral Movement | Remote Desktop Protocol | 0 days |
| Windows PowerShell Used To Download and Execute File | PowerShell was run without an execution policy while having any number of automated/hidden command line arguments together with commands that download or import a new module. | | Low | Execution | PowerShell | 0 days |
| Windows PowerShell WinRM Connection | The system utility PowerShell was seen making connections over the standard defined port for Windows Remote Management (WinRM). This occurred on a Windows device. | | Low | Lateral Movement | Windows Remote Management | 0 days |
| Windows Process Connected to Discord | A process other than the official Discord desktop application, a web browser, or a recognized gaming platform interacted with a domain name known to be owned by Discord. This behavior occurred on a Windows device. | | Low | Command and Control | One-Way Communication | 0 days |
| Windows Process curl Transferred Data Outbound | The built-in utility curl.exe was utilized to transfer more than 1MB of data outbound from a Windows device. The parent process was not one known to be related to crash or error reports, the destination hostname was not a known legitimate site, and the destination IP address was not private. | | Low | Exfiltration | Exfiltration Over Alternative Protocol, Exfiltration to Cloud Storage | 0 days |
| Windows Process Executed in Non-Executable Directory | A process was executed on an endpoint from a directory that doesn't typically contain executables and made a network connection with outbound data transfer. | | Low | Defense Evasion, Execution | Masquerading | 0 days |
| Windows Process Executing a DLL File Connected to a Raw IP Address | A process on a Windows device made a network connection to a raw public IP address, and had a .dll file in its process arguments. | | Low | Exfiltration | Ingress Tool Transfer | 0 days |
| Windows Process S3Browser Transferred Data Outbound | The third-party utility S3Browser was utilized to transfer more than 1MB of data outbound from a Windows device. | | Low | Exfiltration | Command and Scripting Interpreter, Exfiltration to Cloud Storage | 0 days |
| Windows Quick Assist Executed via Uniform Resource Identifier | Microsoft Quick Assist, a Remote Management Tool that is built in on Windows, was executed via a Uniform Resource Identifier (URI) from another application. | | Low | Execution | Remote Desktop Software | 0 days |
| Windows Security Tool Uninstalled using Silent Command Line Arguments | A security tool was uninstalled using silent or quiet command line arguments. | | Low | Defense Evasion | Disable or Modify Tools | 0 days |
| Windows Service RunAs Spawned a Process with a Different User | The built-in utility RunAs spawned a child process that initiated a network connection and had a different process account than the RunAs process. This happened on a Windows device. | | Low | Execution | Access Token Manipulation | 0 days |
| Windows Shared Library Executed Outside Standard Locations | A shared library file was executed by a built-in system utility from a location other than the folders where shared library files should be stored. This occurred on a Windows device, and the utility initiated a network connection. | | Low | Execution | Rundll32 | 0 days |
| Windows Shell Executed via SAP NetWeaver Web Paths | A system command line interpreter or shell application was spawned by a parent process with an SAP NetWeaver file path in its process arguments. | | Low | Command and Control, Defense Evasion | Msiexec, Remote Desktop Software | 0 days |
| Windows SSH Remote Port Forwarding | A Secure Shell (SSH) connection established remote port forwarding with an external remote host. This occurred on a Windows device. | | Medium | Command and Control, Lateral Movement | SSH, Protocol Tunneling | 0 days |
| Windows Sysinternals Utility Active Directory Explorer Network Connection | A network connection was made by Active Directory Explorer, a Microsoft Sysinternals utility, on a Windows device. | | Low | Execution | Domain Account | 0 days |
| Windows Sysinternals Utility PsExec Network Connection | A network connection was made by PsExec, a Microsoft Sysinternals utility, on a Windows device. | | Low | Execution | SMB/Windows Admin Shares | 0 days |
| Windows System Text Editor Initiated a Network Connection | A process named notepad.exe ran an executable file and made a network connection on a Windows device. | | Low | Defense Evasion, Execution | Rename Legitimate Utilities, Windows Command Shell | 0 days |
| Windows System Utility Transferred Data Inbound | A built-in Windows system utility transferred more data inbound than outbound, with command line arguments indicative of a network connection or file download. | | Medium | Command and Control | Ingress Tool Transfer | 0 days |
| Windows Technique DC Sync Executed | Suspicious behaviors were detected on a Windows device that are known to be part of the DC Sync behavior. | | High | Credential Access | DCSync | 0 days |
| Windows Third Party Tool Metasploit Executed | Metasploit was executed on a Windows device and made a network connection. | | Medium | Credential Access | User Execution | 0 days |
| Windows Unusual Client Communicated with Slack API | An application that does not typically connect to the Slack Application Programming Interface (API) did so on a Windows device. | | Low | Command and Control | One-Way Communication | 0 days |
| Windows Unusual Client Communicated with Webex API | A process that does not typically communicate with WebEx connected to the WebEx Application Programming Interface (API). | | Low | Command and Control | One-Way Communication | 0 days |
| Windows Utility AnyDesk Executed | AnyDesk was utilized on a Windows device by a non-system user with process arguments indicating setup or silent execution. | | Low | Command and Control | Remote Desktop Software | 0 days |
| Windows Utility Certify Executed | The Active Directory Certificate Services (AD CS) tool Certify.exe was executed on a Windows device and made a network connection. | | Medium | Credential Access, Discovery | Domain Account, Steal or Forge Authentication Certificates | 0 days |
| Windows Utility Impacket Command Line Parameters Executed | A process was executed and made an internet connection on a Windows device with process arguments known to be associated with Pass the Hash attempts using Impacket. | | Medium | Lateral Movement | Credentials in Registry | 0 days |
| Windows Utility Microsoft Management Console Remotely Spawned | The Microsoft Management Console (MMC) was spawned using Distributed COM (DCOM). This occurred on a Windows device. | | Low | Lateral Movement | Distributed Component Object Model | 0 days |
| Windows Utility MSHTA Executed Interactively | The built-in Windows application MSHTA.exe was executed interactively and utilized to make a network connection. | | Medium | Command and Control, Defense Evasion | Ingress Tool Transfer, Mshta | 0 days |
| Windows Utility Msiexec Ran Quiet Install from Remote Host | The utility msiexec.exe performed a quiet install from a remote source. An installation flag and a quiet or reduced UI flag were both specified in the command line arguments. | | Low | Defense Evasion | Msiexec | 0 days |
| Windows Utility NetCat Initiated a Network Connection | NetCat was executed on a Windows device and made an internet connection. | | Low | Command and Control | Non-Application Layer Protocol | 0 days |
| Windows Utility Not Named RClone Executed with RClone Arguments | A process not named RClone or RSync was executed with command-line arguments known to be associated with RClone on a Windows device. This process made a network connection, transferred more data outbound than inbound, and transferred more than 1MB of data. | | Low | Exfiltration | Right-to-Left Override, Exfiltration to Cloud Storage | 0 days |
| Windows Utility PowerShell Hidden Connection to Public IP | A connection was made by PowerShell on a Windows device to a public IP address using the hidden flag. No destination hostname was specified. | | Low | Execution | PowerShell | 0 days |
| Windows VBS Script Connected to Public IP Address | A connection was made by a Visual Basic Script (VBS) file on a Windows device to a public IP address. No destination hostname was provided. | | Low | Execution | Visual Basic | 0 days |