Malop Types and Components

The Cybereason platform has various categories of MalOps to help you understand where a MalOp was detected and what type of activity occurred.

Basic Malop types

The Malops management screen displays MalOp type icons to easily determine what type of activity occurred.

Icon

MalOp type

Description

Active AH Malop

AI Hunting MalOps

MalOps that represent threats that the Cybereason Cross Machine Correlation (CMC) engine or private and global threat intelligence sources identifies.

Active EP Malop

Endpoint Protection MalOps

MalOps that were triggered by threats detected or prevented on the endpoint, including known malware, unknown malware, and ransomware.

Note

Some MalOps detected by the Cybereason platform’s Anti-Ransomware or Predictive Ransomware Protection engines are identified as AI Hunting MalOps, not Endpoint Protection MalOps.

The Cybereason platform generates Endpoint Protection MalOps for multiple types of malware, including:

  • Known: MalOps are generated from known malware detected by signature-based detection.

  • Unknown: MalOps are generated from previously unknown malware detected by artificial intelligence.

  • Fileless: MalOps are generated from malware not based on a file, such as PowerShell-based attacks.

  • App Control MalOps are generated based on the prevention of applications/processes marked for prevention in the Reputation screen (see Manage Reputations).

MalOp states

When the Cybereason platform etects a MalOp, the Cybereason platform immediately assigns a state to the MalOp. The MalOp State represents how the MalOp is currently behaving in your environment, and helps inform what response actions an analyst should take. MalOps can have the following states in the Malops management screen.

Icon

State

Description

Active AH Malop Active EP Malop

(Red)

Active

Active MalOps are red and require urgent response. A MalOp is active if the malicious behavior is currently active. This could mean that a malicious file is open, or a malicious process is running.

For malware, the Cybereason platform cannot know if the malicious item was accessed, so the alert is considered Active as long as it hasn’t been addressed.

Inactive AH Malop Inactive EP Malop

(Yellow)

Inactive

Inactive Malops are yellow and indicate further response is recommended. A MalOp is inactive if the associated processes are not active, but a risk still exists. For example, if a file is not currently executing but could be malicious, an analyst might want to at it to the blocklist.

Resolved AH Malop Resolved EP Malop

(Green)

Resolved

Resolved MalOps are green and indicate no further action is required. A MalOp is considered resolved if one of the following occurs:

  • The Cybereason platform automatically prevents, disinfects, or quarantines a malicious item.

  • An analyst manually resolves the MalOp using the Mark as remediated/resolved button in the Malops management or Malop details screen.

Excluded Malop Excluded Malop

(Grey)

Excluded

Excluded MalOps are grey and indicate that the MalOp was addressed and the ‘Malop is benign - Exclude’ option was chosen during remediation. Excluding a MalOp means the specific behaviors in the MalOps will not trigger a MalOp in the future.

If you are using the Malop inbox to manage MalOps, see the Respond to Malops section in the version 19.2 documentation. We recommend transitioning to the Malops management screen to better view and respond to all threats in your environment.

MalOp components

MalOps contain the complete story of a cyber attack, including affected machines, users, files, and more. These associated items help the analyst not only understand what happened, but where and to whom the malicious activity occurred.

Analysts can see a timeline of all associated activity for the MalOp. The timeline includes all activity that the Cybereason platform has associated with the MalOp, such as processes and files.

The MalOp contains a list of suspicions that led to the MalOp generation, and evidences that led to the creation of the suspicion.

In addition, the Cybereason platform adds the following information about a MalOp:

  • Triggering item: The process that caused the Cybereason platform to create a MalOp.

  • Detection type: Category of activity that the Cybereason platform recognized as the malicious behavior.

  • Root cause: The underlying reason why an activity is considered malicious.

Within the MalOp, you can learn more about the associated machines, users, files, processes, and so forth. You can view collected details about these items and investigate specific items in the Investigation screen.

In the Malops management screen, you can view all these details:

Malop Example

Note

A single MalOp may have multiple root causes. The root cause listed in the Malops management screen is the primary root cause, or the one that requires the most attention.

MalOp certainty levels

To help you better understand malicious behavior, the Cybereason platform further classifies MalOps by certainty levels. Certainty levels indicate the degree to which the Cybereason platform is confident the behavior is a threat. Cybereason identifies the following certainty levels, each of which contain different detection types.

The following tables list the Cybereason MalOp detection types and root causes organized by certainty level. The Investigation column recommends properties to focus on when you investigate a MalOp that has a certain detection type and root cause. For more details about investigating these properties, see Analyze MalOps and Determine Threat Level.

Verified MalOps

Verified MalOps are verified by the Cybereason Security Research team, meaning they demonstrate malicious activity and are likely a threat to your system.

Detection type

Root cause

Malop triggered when…

Investigate

Blocklist

Application Control blocked application on blocklist

Application Control blocks the execution of a process that was added to the blocklist

Process

Blocklist

Blocklist file hash

The image file of this process appears on the blocklist

Image file of the process

Blocklist

Blocklist module

Process loads a module that appears on the blocklist

Loaded module and process

Blocklist

Connection to blocklist IP address

Process connects to an IP address that appears on the blocklist

Process, domain and connections

Command and Control (CNC)

Accessing address used by malware

Process connects to an address that was identified as being used by malware

Network and process

Command and Control (CNC)

Connection to malicious address

Process connects to an address known to be malicious

Network and process

Command and Control (CNC)

Connection to a malicious domain

Process creates a DNS query or a direct connection to a domain classified as malicious by Cybereason Threat Intelligence

Network and process

Command and Control (CNC)

Download from malicious domain

Process downloads a payload from a domain classified as malicious

Process and connections

Command and Control (CNC)

Malicious use of a Domain Generation Algorithm

Process uses a Domain Generation Algorithm to communicate with its Command & Control server

Network and process

Command and Control (CNC)

Malicious rclone.exe process masqueradied as another process to perform copy operations

The rclone.exe process was renamed to another process and then performed copy operations

Process

Command and Control (CNC)

Malicious use of PowerShell

PowerShell process was identified trying to download malicious payload, or executed an obfuscated command

Network, process, and process hierarchy

Command and Control (CNC)

Malicious use of NetSupport tool

Process used the NetSupport remote access tool for malicious activity

Process

Command and Control (CNC)

Malicious execution of PsExec process was launched by the ScreenConnect process

Attacker used the ScreenConnect process to launch a malicious PsExec process

Process

Command and Control (CNC)

Malicious file in temporary folder run by ScreenConnect

Attacker used the ScreenConnect process to run malicious files in a temporary folder

Process, Files

Command and Control (CNC)

ScreenConnect ran malicious unsigned file

Attacker used the ScreenConnect process to run malicious unsigned files

Process, Files

Command and Control (CNC)

Download from malicious domain

Process used Download and Execute

Process and connections

Credential theft

Attempted credential theft

Process attempts to access OS resources that store user’s credentials

Process and file

Credential theft

Malicious access to the NTDS.dit file

Process attempts to access the NTDS.dts file where the operating system stores user credentials

Process and file

Credential theft

Malicious access to ntds.dit or SAM resources

Process uses the esenutil utility to access credential information

Process

Elevated access

Malicious Privilege Escalation

An app or user has tried to elevate their privileges on the device

Process hierarchy and file

Extension manipulation

Malicious by Obscured Extension

File is determined to be malicious because it obscures the real file extension by using multiple file extensions

Process and file

Known malware

BlackCat Ransomware

The BlackCat ransomware program ran on a machine

All components for all known malware

Known malware

Cybereason Threat Intelligence identified a malicious executable

Process’s image file hash was identified as malicious by Cybereason Threat Intelligence

All components for all known malware

Known malware

Cybereason Threat Intelligence identified a loaded module as a malicious tool

Process instance loads a module identified as a malicious tool by Cybereason Threat Intelligence

All components for all known malware

Known malware

Cybereason Threat Intelligence identified a loaded module as malicious

Process instance loads a module identified as malware by Cybereason Threat Intelligence

All components for all known malware

Known malware

Cybereason Threat Intelligence identified a malicious tool

Process is identified as a malicious tool by its behavior or file characteristics

All components for all known malware

Known malware

IcedID MainBot malware execution

A process loaded the IcedID MainBot malware tool

Process

Known malware

Known malware detected by Cybereason Anti-Malware

Cybereason Anti-Malware detects the presence of known malware

All components for all known malware

CVE_2020_06_01 Attempted exploitation

CVE-2020-0601 - attempted exploitation

A process attempts to exploit the vulnerability noted in CVE_2020_06_01

Process

Malicious process

Attempt to stop or disable the Cybereason service

Any process performed operations to stop or disable the Cybereason Sensor services

Process

Malicious process

File-less malware

Process executes malicious payload that exists exclusively in memory.

Process and process hierarchy

Malicious process

Java-based Malware

Process exhibits Java-based RAT (Remote Access Trojan) behaviors

Process hierarchy

Malicious process

Malicious use of an OS process

Process exhibits unusual behavior related to regsvr, rundll32, etc.

Process hierarchy and file

Malicious process

Malicious By Floating Code

Cybereason NGAV detects the presence of a floating module classified as malicious

Process and module

Malicious process

Process was initiated by a malicious packed binary

Process runs from a DLL file that was packed using a special packer process

Process

Malicious process

Process opened a malicious file

Process opens a file that has been identified as malicious by Cybereason Threat Intelligence

Process hierarchy and file

Malicious process

Process ran malicious command

A PowerShell process runs a known malicious command

Process

Malicious process

Process has loaded Cobalt Strike Beacon

A process loads the Cobalt Strike Beacon tool on a machine.

Process

Malicious process

Process has loaded PowerShell Empire

A process loads the PowerShell Empire agent on a machine

Process

Malicious process

Process has loaded a Meterpreter agent

A process loads the Meterpreter agent on a machine

Process

Malicious process

Process has loaded Mimikatz

A process loads the Mimikatz framework on a machine

Process

Malicious process

Process has loaded a PeddleCheap agent

A process loads the PeddleCheap agent on a machine

Process

Malicious process

Process has loaded a malicious tool

A process loads a malicious tool on a machine

Process

Malicious process

Remote Access Trojan

Process exhibits RAT (Remote Access Trojan) behavior

Process and process hierarchy

Malicious process

Shellcode Execution

Process contains injected shellcode

Module and process

Malicious process

Sliver Shell tool execution

Process runs the Sliver Shell tool

Process

Malicious process

Web shell execution

Cybereason detects anomalous behavior of web server process execution

Process hierarchy

Malicious process

Malicious InstallUtil process execution

Process uses the InstallUtil utility program to make external connections

Process

Malicious process

Msmpeng.exe process mismatch

Msmpeng.exe process was renamed

Process

Malicious process

Malicious execution of MSBuild process by MS Office process

An MS Office process ran the MSBuild utility

Process

Malicious process

Malicious .NET process compilation

An process opened a .NET compiler that performed malicious activities

Process

Malicious process

Malicious MSBuild process execution with outgoing connections

MSBuild process was run and made connections with external addresses

Process

Persistence

Malicious fake module

Process loads a malicious fake module (one with the correct name, but different metadata)

Modules

Persistence

Masquerading as a Windows accessibility feature

Process contains an identified method of bypassing Windows accessibility features and executing shell processes

Process hierarchy

Process injection

Malicious Code Injection

Remote process identified injecting code into different process. For example, floating code or DLL

All components for injecting and host processes. If injected dll, investigate file for dll

Ransomware

Cybereason Threat Intelligence identified an executable as ransomware

Cybereason Threat Intelligence identified a loaded module as ransomware

All components

Ransomware

Process’s image file hash is identified as a ransomware by Cybereason Threat Intelligence

Cybereason Threat Intelligence identified an executable as Ransomware

All components

Ransomware

Ransomware behavior

Process exhibits ransomware behavior, such as encrypting files and attempting to delete backups

All components

Mobile

Abnormal Process Activity Malop

A mobile device app is performing abnormal activity

Device

Mobile

Android Device possible tampering

Android device shows evidence of having device security restrictions removed

Device

Mobile

App tampering

Attacker has removed security restrictions from an app

Device

Mobile

Device configurations that may put corporate and personal data at risk

Some device configurations may expose corporate and personal data

Device

Mobile

Device jailbroken/rooted

Device configurations have changed to enable root or administrative access to the device

Device

Mobile

Elevation of Privileges

Detection of an app or user escalating their privilege levels on the device

Device

Mobile

Malicious application

The device has a malicious app

Device

Mobile

A malware that aggressively displays ads, negatively affecting user productivity and device performance

Malware on the device is running ads aggressively

Device

Mobile

A malware that attempts to obtain escalated system privileges

Malware on the device is trying to escalate app privileges

Device

Mobile

A malware that blocks access to a device until a ransom is paid

Malware is trying to lock and encrypt the device in a ransomware attack

Device

Mobile

MITM attack

A network attack is using the Man-in-the-Middle technique to intercept device traffic

Device

Mobile

MITM attack via ARP

A network attack is using the Man-in-the-Middle technique via ARP to intercept device traffic

Device

Mobile

MITM - Fake SSL Certificate

A network attack is using the Man-in-the-Middle technique with a fake SSL certificate to intercept device traffic

Device

Mobile

MITM attack through SSL Strip

A network attack is using the Man-in-the-Middle technique by downgrading SSL communication from HTTPS to HTTP to intercept device traffic

Device

Mobile

MITM attack via ICMP redirect

A network attack is using using the Man-in-the-Middle technique by ICMP redirect to intercept device traffic

Device

Mobile

Persistent modifications to devices file systems

Attacker has modified the device file system to allow the attacker persistent access

Device

Mobile

Rogue Access Point

Device has connected to a potentially malicious WiFi hotspot

Device

Mobile

Sideloaded apps

The device installed an app from an unusual and potentially untrusted source

Device

Mobile

A site designed to deceive the end user into submitting sensitive personal or corporate information through a seemingly trusted web form

Device visits a site with a web form to trick a user into submitting personal information

Device

Mobile

Suspicious iOS App

A suspicious app is running on an iOS device

Device

Mobile

System Tampering

Security precautions have been removed

Device

Mobile

Third party application stores

The device has installed a third-party application store

Device

Mobile

Untrusted profile

The device has at least one unknown and untrusted profile

Device

Research MalOps

Research MalOps are based on experimental rules that examine new threat detection logic and which Cybereason evaluates over time. Detections for these types of MalOps are turned off by default because they have the potential to cause false positives and have a certainty level that is dramatically lower than MalOps classified as Verified. If you think you are not catching all the potentially malicious activity you want, or you have a strict environment, contact customer support to turn on this feature and see MalOps classified as Research.

Detection type

Root cause

MalOp triggered when…

Investigate

Data transmission volume

High volume of transmitted data by injected process

Injected process transmits high volume of data

Network and process

Malicious process

Malicious creation of a child process by Microsoft Office process

Microsoft Office process created a child process that performed malicious activities

Process

Malicious process

The process attempted to exploit a known CVE

Process attempts to exploit a known vulnerability

Process

Malicious process

Covert process execution

Process attempts to hide its activities

Process

Malicious process

Zerologon CVE 2020-1472 exploit attempt

Process attempts to use the ZeroLogon vulnerability

Process

Phishing

Malicious execution of shell process

Process is a shell process that was executed in a non-standard way and might be used for malicious operations

Process hierarchy

Phishing

Malicious document detected

Use of a malicious document is detected

Process hierarchy and file

Reconnaissance

Process is performing suspicious scanning activities

Process performs network scanning actions while running injected code

Processes and network

Reconnaissance

Suspicious scanning activity by an elevated process

Process performs network scans while running with high privileges or escalating a child process to run with high privileges

Processes and network

Credential Theft

Abnormal process invocation using DCOM

Process uses DCOM to start another process

Process

Credential Theft

Active Directory Abuse

Process uses an MS-RPC request to retrieve or update Active Directory information on a machine

Process

Credential Theft

The process performed a malicious read/write memory access to a sensitive process

Process attempts to access memory resources for LSASS.exe process

Process and file

Persistence

Async Rat malware detected

Process performs suspicious actions using MSHTA and opens PowerShell downloaders

Process, Connections

Persistence

User login/logout hook detected

Process created a hook on a macOS machine to enable the process to persist when a user logs in or logs out

Process

Elevated access

Attempt to disable macOS Gatekeeper

Process attempts to disable the macOS Gatekeeper functionality to elevate the process privileges

Process

Low Priority MalOps

The Low Priority MalOps classification is used for MalOps that detect potentially unwanted programs (PUPs). Low priority MalOps demonstrate less malicious activity than other MalOps in your organization. Additionally, certain organizations do not classify PUPs as malicious. To view Low Priority MalOps, check the Include PUPs box on the top right of the Malop Inbox.

Detection type

Root cause

MalOp triggered when…

Investigate

Potentially Unwanted Program (PUP)

Cybereason Threat Intelligence identified an Unwanted Executable

Process image file hash is identified as a Potentially Unwanted Program by Cybereason Threat Intelligence

Image file of the process

Potentially Unwanted Program (PUP)

Cybereason Threat Intelligence identified an Unwanted Module

Process loads a module identified as a Potentially Unwanted Program by Cybereason Threat Intelligence

Loaded module