Cognitive Intelligence - List of Activities with Descriptions

List of the Activity types that, when observed in telemetry, lead to the creation of an Incident in Cognitive Intelligence.

Activities related to Confirmed Threat Categories (both on StealthWatch and ProxyLogs)

Note that each category covers up to dozens of different Confirmed Threat types.

| Activity | Extended Description in Incident Detail Page | Risks |
|---|---|---|
| Exfiltration | Botnet infection with exfiltration capability and larger uploads observed | Critical |
| Information stealer | Botnet infection with exfiltration capability | Critical, High, Mid, Low |
| Ransomware | Infection with disk encrypting ransomware | Critical, High, Mid |
| Banking trojan | Botnet infection with exfiltration capability that targets banking credentials | High |
| Click fraud | Botnet infection with click fraud capability | High, Mid |
| Trojan | Malicious software executed by user | High, Low |
| Exploit kit | Execution of browser-based exploit kit | High |
| Cryptocurrency miner | Software that uses your computing resources to mine cryptocurrencies | High, Low |
| Malware dropper | Infection that can download additional malware such as droppers | High, Mid, Low |
| Malware distribution | Web site that distributes malware | High, Low |
| Spam botnet | Botnet infection that is capable of sending spam e-mail | High |
| Ad injector | Web browser plugin that injects advertisements into visited pages | Mid, Low |
| PUA | Potentially unwanted application | Mid, Low |
| Malicious advertising | Advertisements that contain malicious code or lead to malicious pages | Low |
| Money scam | Fraudulent web site tricking user into spending money | Low |
| Scareware | Fraudulent web site tricking user into installing fake antivirus or product updates | Low |
| Anonymization software | Free or paid software for enabling anonymous communication | Low |
| Spam tracking | Visit of tracking back-link from spam e-mail | Low |

Activities related to specific Confirmed Threats (both on StealthWatch and ProxyLogs)

| Activity | Extended Description in Incident Detail Page | Confirmed Threat ID | Risk |
|---|---|---|---|
| WannaCry ransomware | Encrypting ransomware exploiting the ETERNALBLUE SMB vulnerability | CWNC01 | Critical |
| DNS changer | Trojan capable of stealing user and system information | CDCH01 | High |
| InstallCapital malware installer | Malware family that profits from spyware and adware distribution | CADW26 | High |
| Adups Android firmware | Mobile firmware which transmits sensitive, personal information without disclosure or the user's consent | CAEX01 | Mid |
| Rig exploit kit malware delivery | Web site distributing malware associated with Rig exploit kit | CMCD06 | Low |
| HotSpot Shield VPN | Software for enabling anonymous communication | CMPV01 | Low |
| In-browser cryptocurrency miner | JavaScript scriptlets that use your computing resources to mine cryptocurrencies | CCMM03 | Low |
| ArcadeYum / GameVance | Applications displaying malicious advertising that tricks user into installing other malware | CAYM01 | Mid |

Activities related to StealthWatch-specific Detections (Unconfirmed)

| Activity | Extended Description in Incident Detail Page | Risk |
|---|---|---|
| Unknown botnet | Unknown communication to many external nodes, likely caused by botnet | High |
| Unknown threat - C&C channel | Unknown communication - likely command and control (C&C) channel | High |
| SMB infecting malware | Discovery of external SMB servers, e.g. as used by WannaCry malware | High |
| Malware download | File download with name and other characteristics typical for malware | High |
| Disproportionately high DNS usage | Likely caused by C&C search (DGA) or exfiltration (DNS tunneling) | Mid |
| Phishing | HTTP request with characteristics typical of phishing | Mid |
| Unknown threat - ICMP burst | Surge of ICMP packets, sent to many external nodes | Low |
| Torrent | Distributed protocol used for file sharing | Low |
| Vulnerability scanning tool | Communication characteristic of vulnerability scanning tools such as Qualys or Nessus | Low |
| TOR | Free software for enabling anonymous communication | Low |

Activities related to ProxyLog-specific Detections (Unconfirmed)

| Activity | Extended Description in Incident Detail Page | Risk |
|---|---|---|
| Cryptowall C&C | Command and control scheme used by Cryptowall ransomware and other malware | Critical |
| Remote Access Trojan | Malicious software for remote control of a system | Critical |
| Ramnit malware | Ramnit malware with remote access capability | High |
| Sality malware | File infecting modular malware | High |
| Miuref malware | Modular malware with exfiltration capability | High |
| Exploit kit | Execution of browser-based exploit kit | High |
| Unknown threat | Unknown high severity malware identified by machine learning classifier | High |
| Malware download | Malicious file download | High |
| Unknown threat | Unknown high severity threat identified by machine learning classifier | High |
| Brute-forcing botnet | Botnet infection with observed brute-forcing of web password | Mid |
| Unknown threat - generated domain name | Random domains used by advertisements or malware C&C channel | Mid |
| Unknown threat - data in URL | Data encoded in URL used by advertisements or malware C&C channel | Mid |
| Cryptocurrency miner | Software that uses your computing resources to mine cryptocurrencies | Mid |
| Click fraud | Botnet infection with click fraud capability | Mid |
| E-mail infection | Malware infection through an e-mail | Mid |
| Unknown threat - sinkholed domain | Communication with domain sinkholed by Anubis Networks | Mid |
| Unknown threat | Unknown threat identified by machine learning classifier | Mid |
| Unknown threat | Hostnames flagged by sandbox | Mid |
| Unknown threat - bad reputation | Bad reputation hostnames and IP addresses | Mid |
| Unknown encrypted threat | Unknown malware using HTTPS identified by machine learning classifier | Mid |
| Phishing | HTTP request with characteristics typical of phishing | Mid |
| Service login brute-forcing | High number of consecutive login attempts to external or internal service | Mid |
| Service data leak | Data leak from external or internal service | Mid |
| Adware | Software displaying unwanted advertisements | Low |
| Supercookie tracking | Visit to sites known to collect supercookie/evercookie tracking data | Low |
| Vulnerability scanning tool | Communication characteristic of vulnerability-scanning tools such as Qualys or Nessus | Low |
| Hola VPN | Software for enabling anonymous communication | Low |
| Ultrasurf | Software for enabling anonymous communication | Low |
| TOR | Free software for enabling anonymous communication | Low |
| Spam tracking | Visit of tracking back-link from spam e-mail | Low |