Malop Types and Components
The Cybereason platform has various categories of MalOps to help you understand where a MalOp was detected and what type of activity occurred.
Basic Malop types
The Malops management screen displays MalOp type icons to easily determine what type of activity occurred.
MalOp type | Description
---|---
AI Hunting MalOps | MalOps that represent threats identified by the Cybereason Cross Machine Correlation (CMC) engine or by private and global threat intelligence sources.
Endpoint Protection MalOps | MalOps that were triggered by threats detected or prevented on the endpoint, including known malware, unknown malware, and ransomware. Note: Some MalOps detected by the Cybereason platform's Anti-Ransomware or Predictive Ransomware Protection engines are identified as AI Hunting MalOps, not Endpoint Protection MalOps. The Cybereason platform generates Endpoint Protection MalOps for multiple types of malware, including:
MalOp states
When the Cybereason platform detects a MalOp, it immediately assigns a state to the MalOp. The MalOp state represents how the MalOp is currently behaving in your environment, and helps inform what response actions an analyst should take. MalOps can have the following states in the Malops management screen.
Icon | State | Description
---|---|---
(Red) | Active | Active MalOps are red and require urgent response. A MalOp is active if the malicious behavior is currently active. This could mean that a malicious file is open, or a malicious process is running. For malware, the Cybereason platform cannot know if the malicious item was accessed, so the alert is considered Active as long as it hasn't been addressed.
(Yellow) | Inactive | Inactive MalOps are yellow and indicate that further response is recommended. A MalOp is inactive if the associated processes are not active, but a risk still exists. For example, if a file is not currently executing but could be malicious, an analyst might want to add it to the blocklist.
(Green) | Resolved | Resolved MalOps are green and indicate no further action is required. A MalOp is considered resolved if one of the following occurs:
(Grey) | Excluded | Excluded MalOps are grey and indicate that the MalOp was addressed and the 'Malop is benign - Exclude' option was chosen during remediation. Excluding a MalOp means the specific behaviors in the MalOp will not trigger a MalOp in the future.
If you are using the Malop inbox to manage MalOps, see the Respond to Malops section in the version 19.2 documentation. We recommend transitioning to the Malops management screen to better view and respond to all threats in your environment.
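The state rules above are the kind of thing a SOC team ends up re-implementing when it builds its own triage queue on top of exported alerts, because the precedence matters: an excluded MalOp outranks everything, a resolved one needs no work, and a malware MalOp stays Active even with nothing running. The following is an added example, not Cybereason's code; the record layout (the `MalOp` fields), the `"malware"` / `"behavioral"` type labels and the `remediated` flag standing in for the page's unspecified resolution conditions are all assumptions made for this example.

```python
"""Assign the documented MalOp state to an alert record and order a triage queue.

Added example; the MalOp record layout below is an assumption, not the
Cybereason platform's own data model.
"""
from dataclasses import dataclass
from typing import Dict, List

# Analyst priority: Active first (urgent), then Inactive (response recommended),
# then Resolved and Excluded (no further action).
STATE_ORDER = {"Active": 0, "Inactive": 1, "Resolved": 2, "Excluded": 3}


@dataclass
class MalOp:
    malop_id: str
    malop_type: str          # assumed labels: "malware" or "behavioral"
    processes_running: bool  # a malicious process is currently running
    files_open: bool         # a malicious file is currently open
    remediated: bool         # assumption: stands in for the page's resolution conditions
    excluded: bool           # "Malop is benign - Exclude" was chosen


def malop_state(m: MalOp) -> str:
    """Return Active, Inactive, Resolved or Excluded following the page's rules."""
    # Excluded takes precedence: the behavior will not raise a MalOp again.
    if m.excluded:
        return "Excluded"
    if m.remediated:
        return "Resolved"
    # Malware: the platform cannot know whether the item was accessed, so the
    # alert stays Active until it has been addressed, even with nothing running.
    if m.malop_type == "malware":
        return "Active"
    # Behavioral MalOps are Active only while the malicious activity is live.
    if m.processes_running or m.files_open:
        return "Active"
    return "Inactive"


def triage_queue(malops: List[MalOp]) -> List[MalOp]:
    """Order MalOps for an analyst, most urgent first (stable within a state)."""
    return sorted(malops, key=lambda m: STATE_ORDER[malop_state(m)])


def state_counts(malops: List[MalOp]) -> Dict[str, int]:
    """Count MalOps per state, e.g. for a dashboard tile."""
    counts = {state: 0 for state in STATE_ORDER}
    for m in malops:
        counts[malop_state(m)] += 1
    return counts


# Constructed sample records (not real alerts), deliberately out of priority order.
SAMPLE_MALOPS = [
    MalOp("m2", "behavioral", False, False, False, False),  # nothing live -> Inactive
    MalOp("m5", "behavioral", True, True, False, True),     # excluded despite activity
    MalOp("m1", "behavioral", True, False, False, False),   # process running -> Active
    MalOp("m3", "malware", False, False, False, False),     # malware, unaddressed -> Active
    MalOp("m4", "malware", False, False, True, False),      # remediated -> Resolved
]

if __name__ == "__main__":
    for m in triage_queue(SAMPLE_MALOPS):
        print(f"{m.malop_id}: {malop_state(m)}")
    print(state_counts(SAMPLE_MALOPS))
```

Running the block prints the queue as m1, m3, m2, m4, m5: the two Active MalOps come first, and the malware MalOp m3 is Active even though no process is running, which is the caveat from the table that automation most often gets wrong.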
MalOp components
MalOps contain the complete story of a cyber attack, including affected machines, users, files, and more. These associated items help the analyst not only understand what happened, but where and to whom the malicious activity occurred.
Analysts can see a timeline of all associated activity for the MalOp. The timeline includes all activity that the Cybereason platform has associated with the MalOp, such as processes and files.
The MalOp contains a list of the suspicions that led to the MalOp's generation, and the evidence that led to the creation of each suspicion.
In addition, the Cybereason platform adds the following information about a MalOp:
Triggering item: The process that caused the Cybereason platform to create a MalOp.
Detection type: Category of activity that the Cybereason platform recognized as the malicious behavior.
Root cause: The underlying reason why an activity is considered malicious.
Within the MalOp, you can learn more about the associated machines, users, files, processes, and so forth. You can view collected details about these items and investigate specific items in the Investigation screen.
In the Malops management screen, you can view all of these details.
Note: A single MalOp may have multiple root causes. The root cause listed in the Malops management screen is the primary root cause, or the one that requires the most attention.
MalOp certainty levels
To help you better understand malicious behavior, the Cybereason platform further classifies MalOps by certainty level. Certainty levels indicate the degree to which the Cybereason platform is confident that the behavior is a threat. Cybereason identifies the following certainty levels, each of which contains different detection types.
The following tables list the Cybereason MalOp detection types and root causes organized by certainty level. The Investigation column recommends properties to focus on when you investigate a MalOp that has a certain detection type and root cause. For more details about investigating these properties, see Analyze MalOps and Determine Threat Level.
Verified MalOps
Verified MalOps are verified by the Cybereason Security Research team, meaning they demonstrate malicious activity and are likely a threat to your system.
Detection type / Root cause | MalOp triggered when… | Investigate
---|---|---
Application Control blocked application on blocklist | Application Control blocks the execution of a process that was added to the blocklist | Process
Blocklist file hash | The image file of this process appears on the blocklist | Image file of the process
Blocklist module | Process loads a module that appears on the blocklist | Loaded module and process
Connection to blocklist IP address | Process connects to an IP address that appears on the blocklist | Process, domain and connections
Accessing address used by malware | Process connects to an address that was identified as being used by malware | Network and process
Connection to malicious address | Process connects to an address known to be malicious | Network and process
Connection to a malicious domain | Process creates a DNS query or a direct connection to a domain classified as malicious by Cybereason Threat Intelligence | Network and process
Download from malicious domain | Process downloads a payload from a domain classified as malicious | Process and connections
Malicious use of a Domain Generation Algorithm | Process uses a Domain Generation Algorithm to communicate with its Command & Control server | Network and process
Malicious rclone.exe process masqueraded as another process to perform copy operations | The rclone.exe process was renamed to another process and then performed copy operations | Process
Malicious use of PowerShell | PowerShell process was identified trying to download a malicious payload, or executed an obfuscated command | Network, process, and process hierarchy
Malicious use of NetSupport tool | Process used the NetSupport remote access tool for malicious activity | Process
Malicious execution of PsExec process was launched by the ScreenConnect process | Attacker used the ScreenConnect process to launch a malicious PsExec process | Process
Malicious file in temporary folder run by ScreenConnect | Attacker used the ScreenConnect process to run malicious files in a temporary folder | Process, Files
ScreenConnect ran malicious unsigned file | Attacker used the ScreenConnect process to run malicious unsigned files | Process, Files
Download from malicious domain | Process used Download and Execute | Process and connections
Attempted credential theft | Process attempts to access OS resources that store users' credentials | Process and file
Malicious access to the NTDS.dit file | Process attempts to access the NTDS.dit file where the operating system stores user credentials | Process and file
Malicious access to ntds.dit or SAM resources | Process uses the esentutl utility to access credential information | Process
Malicious Privilege Escalation | An app or user has tried to elevate their privileges on the device | Process hierarchy and file
Malicious by Obscured Extension | File is determined to be malicious because it obscures the real file extension by using multiple file extensions | Process and file
BlackCat Ransomware | The BlackCat ransomware program ran on a machine | All components for all known malware
Cybereason Threat Intelligence identified a malicious executable | Process's image file hash was identified as malicious by Cybereason Threat Intelligence | All components for all known malware
Cybereason Threat Intelligence identified a loaded module as a malicious tool | Process instance loads a module identified as a malicious tool by Cybereason Threat Intelligence | All components for all known malware
Cybereason Threat Intelligence identified a loaded module as malicious | Process instance loads a module identified as malware by Cybereason Threat Intelligence | All components for all known malware
Cybereason Threat Intelligence identified a malicious tool | Process is identified as a malicious tool by its behavior or file characteristics | All components for all known malware
IcedID MainBot malware execution | A process loaded the IcedID MainBot malware tool | Process
Known malware detected by Cybereason Anti-Malware | Cybereason Anti-Malware detects the presence of known malware | All components for all known malware
CVE-2020-0601 - attempted exploitation | A process attempts to exploit the vulnerability noted in CVE-2020-0601 | Process
Attempt to stop or disable the Cybereason service | Any process performed operations to stop or disable the Cybereason Sensor services | Process
File-less malware | Process executes a malicious payload that exists exclusively in memory | Process and process hierarchy
Java-based Malware | Process exhibits Java-based RAT (Remote Access Trojan) behaviors | Process hierarchy
Malicious use of an OS process | Process exhibits unusual behavior related to regsvr, rundll32, etc. | Process hierarchy and file
Malicious By Floating Code | Cybereason NGAV detects the presence of a floating module classified as malicious | Process and module
Process was initiated by a malicious packed binary | Process runs from a DLL file that was packed using a special packer process | Process
Process opened a malicious file | Process opens a file that has been identified as malicious by Cybereason Threat Intelligence | Process hierarchy and file
Process ran malicious command | A PowerShell process runs a known malicious command | Process
Process has loaded Cobalt Strike Beacon | A process loads the Cobalt Strike Beacon tool on a machine | Process
Process has loaded PowerShell Empire | A process loads the PowerShell Empire agent on a machine | Process
Process has loaded a Meterpreter agent | A process loads the Meterpreter agent on a machine | Process
Process has loaded Mimikatz | A process loads the Mimikatz framework on a machine | Process
Process has loaded a PeddleCheap agent | A process loads the PeddleCheap agent on a machine | Process
Process has loaded a malicious tool | A process loads a malicious tool on a machine | Process
Remote Access Trojan | Process exhibits RAT (Remote Access Trojan) behavior | Process and process hierarchy
Shellcode Execution | Process contains injected shellcode | Module and process
Sliver Shell tool execution | Process runs the Sliver Shell tool | Process
Web shell execution | Cybereason detects anomalous behavior of web server process execution | Process hierarchy
Malicious InstallUtil process execution | Process uses the InstallUtil utility program to make external connections | Process
Msmpeng.exe process mismatch | Msmpeng.exe process was renamed | Process
Malicious execution of MSBuild process by MS Office process | An MS Office process ran the MSBuild utility | Process
Malicious .NET process compilation | A process opened a .NET compiler that performed malicious activities | Process
Malicious MSBuild process execution with outgoing connections | MSBuild process was run and made connections with external addresses | Process
Malicious fake module | Process loads a malicious fake module (one with the correct name, but different metadata) | Modules
Masquerading as a Windows accessibility feature | Process contains an identified method of bypassing Windows accessibility features and executing shell processes | Process hierarchy
Malicious Code Injection | Remote process identified injecting code into a different process, for example floating code or a DLL | All components for the injecting and host processes. If a DLL was injected, investigate the DLL file
Cybereason Threat Intelligence identified an executable as ransomware | Process's image file hash is identified as ransomware by Cybereason Threat Intelligence | All components
Cybereason Threat Intelligence identified a loaded module as ransomware | | All components
Ransomware behavior | Process exhibits ransomware behavior, such as encrypting files and attempting to delete backups | All components
Abnormal Process Activity Malop | A mobile device app is performing abnormal activity | Device
Android Device possible tampering | Android device shows evidence of having device security restrictions removed | Device
App tampering | Attacker has removed security restrictions from an app | Device
Device configurations that may put corporate and personal data at risk | Some device configurations may expose corporate and personal data | Device
Device jailbroken/rooted | Device configurations have changed to enable root or administrative access to the device | Device
Elevation of Privileges | Detection of an app or user escalating their privilege levels on the device | Device
Malicious application | The device has a malicious app | Device
A malware that aggressively displays ads, negatively affecting user productivity and device performance | Malware on the device is running ads aggressively | Device
A malware that attempts to obtain escalated system privileges | Malware on the device is trying to escalate app privileges | Device
A malware that blocks access to a device until a ransom is paid | Malware is trying to lock and encrypt the device in a ransomware attack | Device
MITM attack | A network attack is using the Man-in-the-Middle technique to intercept device traffic | Device
MITM attack via ARP | A network attack is using the Man-in-the-Middle technique via ARP to intercept device traffic | Device
MITM - Fake SSL Certificate | A network attack is using the Man-in-the-Middle technique with a fake SSL certificate to intercept device traffic | Device
MITM attack through SSL Strip | A network attack is using the Man-in-the-Middle technique by downgrading SSL communication from HTTPS to HTTP to intercept device traffic | Device
MITM attack via ICMP redirect | A network attack is using the Man-in-the-Middle technique via ICMP redirect to intercept device traffic | Device
Persistent modifications to device file systems | Attacker has modified the device file system to allow the attacker persistent access | Device
Rogue Access Point | Device has connected to a potentially malicious WiFi hotspot | Device
Sideloaded apps | The device installed an app from an unusual and potentially untrusted source | Device
A site designed to deceive the end user into submitting sensitive personal or corporate information through a seemingly trusted web form | Device visits a site with a web form that tricks a user into submitting personal information | Device
Suspicious iOS App | A suspicious app is running on an iOS device | Device
System Tampering | Security precautions have been removed | Device
Third party application stores | The device has installed a third-party application store | Device
Untrusted profile | The device has at least one unknown and untrusted profile | Device
Research MalOps
Research MalOps are based on experimental rules that exercise new threat detection logic, which Cybereason evaluates over time. Detections for these types of MalOps are turned off by default because they have the potential to cause false positives and have a certainty level that is dramatically lower than MalOps classified as Verified. If you think you are not catching all the potentially malicious activity you want to see, or you have a strict environment, contact customer support to turn on this feature and see MalOps classified as Research.
Detection type / Root cause | MalOp triggered when… | Investigate
---|---|---
High volume of transmitted data by injected process | Injected process transmits a high volume of data | Network and process
Malicious creation of a child process by Microsoft Office process | Microsoft Office process created a child process that performed malicious activities | Process
The process attempted to exploit a known CVE | Process attempts to exploit a known vulnerability | Process
Covert process execution | Process attempts to hide its activities | Process
Zerologon CVE 2020-1472 exploit attempt | Process attempts to use the Zerologon vulnerability | Process
Malicious execution of shell process | Process is a shell process that was executed in a non-standard way and might be used for malicious operations | Process hierarchy
Malicious document detected | Use of a malicious document is detected | Process hierarchy and file
Process is performing suspicious scanning activities | Process performs network scanning actions while running injected code | Processes and network
Suspicious scanning activity by an elevated process | Process performs network scans while running with high privileges or escalating a child process to run with high privileges | Processes and network
Abnormal process invocation using DCOM | Process uses DCOM to start another process | Process
Active Directory Abuse | Process uses an MS-RPC request to retrieve or update Active Directory information on a machine | Process
The process performed a malicious read/write memory access to a sensitive process | Process attempts to access memory resources of the LSASS.exe process | Process and file
Async Rat malware detected | Process performs suspicious actions using MSHTA and opens PowerShell downloaders | Process, Connections
User login/logout hook detected | Process created a hook on a macOS machine to enable the process to persist when a user logs in or logs out | Process
Attempt to disable macOS Gatekeeper | Process attempts to disable the macOS Gatekeeper functionality to elevate the process privileges | Process
Low Priority MalOps
The Low Priority MalOps classification is used for MalOps that detect potentially unwanted programs (PUPs). Low priority MalOps demonstrate less malicious activity than other MalOps in your organization. Additionally, certain organizations do not classify PUPs as malicious. To view Low Priority MalOps, check the Include PUPs box on the top right of the Malop Inbox.
Detection type / Root cause | MalOp triggered when… | Investigate
---|---|---
Cybereason Threat Intelligence identified an Unwanted Executable | Process image file hash is identified as a Potentially Unwanted Program by Cybereason Threat Intelligence | Image file of the process
Cybereason Threat Intelligence identified an Unwanted Module | Process loads a module identified as a Potentially Unwanted Program by Cybereason Threat Intelligence | Loaded module