Supported Operating Systems for MalOps
Different MalOps are supported on different versions of supported operating systems. The tables below detail the supported OS for each MalOp.
In this topic:
Blocklist MalOps
MalOp Name |
Windows |
Mac OS |
Linux |
|---|---|---|---|
Application Control blocked application on blocklist |
✓ |
||
Blocklist File hash |
✓ |
✓ |
✓ |
Blocklist module |
✓ |
✓ |
✓ |
Connection to blocklist IP address |
✓ |
✓ |
✓ |
Command and Control MalOps
MalOp Name |
Windows |
Mac OS |
Linux |
|---|---|---|---|
Accessing address used by malware |
✓ |
✓ |
✓ |
Connection to malicious address |
✓ |
✓ |
✓ |
Connection to a malicious domain |
✓ |
✓ |
✓ |
Download from malicious domain |
✓ |
||
Malicious use of Domain Generation Algorithm |
✓ |
✓ |
✓ |
Malicious rclone.exe process masqueradied as another process to perform copy operations |
✓ |
||
Malicious use of PowerShell |
✓ |
||
Malicious use of NetSupport tool |
✓ |
||
Malicious execution of PsExec process was launched by the ScreenConnect process |
✓ |
||
Malicious file in temporary folder run by ScreenConnect |
✓ |
||
ScreenConnect ran malicious unsigned file |
✓ |
||
Process used Download and Execute |
✓ |
Credential Theft MalOps
MalOp Name |
Windows |
Mac OS |
Linux |
|---|---|---|---|
Attempted credential theft |
✓ |
||
Malicious access to the NTDS.dit file |
✓ |
||
Malicious access to ntds.dit or SAM resources |
✓ |
Elevated Access MalOps
MalOp Name |
Windows |
Mac OS |
Linux |
|---|---|---|---|
Malicious privilege escalation |
✓ |
Extension Manipulation MalOps
MalOp Name |
Windows |
Mac OS |
Linux |
|---|---|---|---|
Malicious by Obscured Extension |
✓ |
✓ |
Known Malware MalOps
MalOp Name |
Windows |
Mac OS |
Linux |
|---|---|---|---|
BlackCat Ransomware |
✓ |
✓ |
|
Cybereason Threat Intelligence identified a malicious executable |
✓ |
✓ |
✓ |
Cybereason Threat Intelligence identified a loaded module as a malicious tool |
✓ |
✓ |
✓ |
Cybereason Threat Intelligence identified a loaded module as malicious |
✓ |
✓ |
✓ |
Cybereason Threat Intelligence identified a malicious tool |
✓ |
✓ |
✓ |
IcedID MainBot malware execution |
✓ |
||
Known malware detected by Cybereason Anti-Malware |
✓ |
✓ |
✓ |
Malicious Process MalOps
MalOp Name |
Windows |
Mac OS |
Linux |
|---|---|---|---|
Attempt to stop or disable the Cybereason service |
✓ |
||
Fileless malware |
✓ |
||
Java-based Malware |
✓ |
||
Malicious use of an OS process |
✓ |
||
Malicious exploit attempt |
✓ |
||
Malicious InstallUtil process execution |
✓ |
||
MSMPeng.exe process mismatch |
✓ |
||
Malicious execution of MSBuild process by MS Office process |
✓ |
||
Malicious .NET process compilation |
✓ |
||
Malicious MSBuild process execution with outgoing connections |
✓ |
||
Process was initiated by a malicious packed binary |
✓ |
||
Process opened a malicious file |
✓ |
||
Process has loaded Cobalt Strike Beacon |
✓ |
||
Process has loaded PowerShell Empire |
✓ |
||
Process has loaded a Meterpreter agent |
✓ |
||
Process has loaded Mimikatz |
✓ |
||
Process has loaded a PeddleCheap agent |
✓ |
||
Process has loaded a malicious tool |
✓ |
||
Remote Access Trojan |
✓ |
✓ |
✓ |
Shellcode execution |
✓ |
||
Sliver Shell tool execution |
✓ |
||
Web shell execution |
✓ |
✓ |
✓ |
Persistence MalOps
MalOp Name |
Windows |
Mac OS |
Linux |
|---|---|---|---|
Malicious fake module |
✓ |
||
Masquerading as a Windows accessibility feature |
✓ |
Persistence MalOps (Research)
MalOp Name |
Windows |
Mac OS |
Linux |
|---|---|---|---|
Async Rat malware detected |
✓ |
||
User login/logout hook detected |
✓ |
Process Injection MalOps
MalOp Name |
Windows |
Mac OS |
Linux |
|---|---|---|---|
Malicious Code Injection |
✓ |
Ransomware MalOps
MalOp Name |
Windows |
Mac OS |
Linux |
|---|---|---|---|
Cybereason Threat Intelligence identified a loaded module as ransomware |
✓ |
✓ |
✓ |
Cybereason Threat Intelligence identified an executable as Ransomware |
✓ |
✓ |
✓ |
Ransomware behavior |
✓ |
Data Transmission MalOps (Research)
MalOp Name |
Windows |
Mac OS |
Linux |
|---|---|---|---|
Cybereason Threat Intelligence identified a loaded module as ransomware |
✓ |
✓ |
✓ |
Cybereason Threat Intelligence identified an executable as Ransomware |
✓ |
✓ |
✓ |
Ransomware behavior |
✓ |
Note
This MalOp is not enabled by default. Contact Technical Support to enable the MalOps for your environment.
Malicious Process MalOps (Research)
MalOp Name |
Windows |
Mac OS |
Linux |
|---|---|---|---|
Malicious creation of a child process by Microsoft Office process |
✓ |
||
Process attempted to exploit a known CVE |
✓ (Windows 10 and higher) |
||
Covert process execution |
✓ |
||
Zerologon CVE 2020-1472 Exploit Attempt |
✓ |
Credential Theft MalOps (Research)
MalOp Name |
Windows |
Mac OS |
Linux |
|---|---|---|---|
Abnormal process invocation using DCOM |
✓ |
||
Active Directory Abuse |
✓ |
||
Process performed a malicious read/write memory access to a sensitive process |
✓ |
Elevated Access MalOps (Research)
MalOp Name |
Windows |
Mac OS |
Linux |
|---|---|---|---|
Attempt to disable macOS Gatekeeper |
✓ |
Phishing MalOps
MalOp Name |
Windows |
Mac OS |
Linux |
|---|---|---|---|
Malicious execution of a shell process |
✓ |
Reconnaissance MalOps
MalOp Name |
Windows |
Mac OS |
Linux |
|---|---|---|---|
Process is performing suspicious scanning activities |
✓ |
||
Suspicious scanning activity by an elevated process |
✓ |
Potentially Unwanted Program (PUP) MalOps
MalOp Name |
Windows |
Mac OS |
Linux |
|---|---|---|---|
Cybereason Threat Intelligence identified an Unwanted Executable |
✓ |
✓ |
✓ |
Cybereason Threat Intelligence identified an Unwanted Module |
✓ |
✓ |
✓ |