This topic describes all the alerts that Security Center can generate. The alerts are classified by operating system, detection item, and attack method.

On the Alerts page of the Security Center console, you can view all types of alerts. For more information, see Alert types. Based on the threat intelligence of Alibaba Cloud and the latest disclosed vulnerabilities, Security Center analyzes the threats on your server by using an intrusion prevention system (IPS) and generates different types of alerts. The following tables describe each alert and the type to which it belongs.

Alerts for Linux operating systems

| Alert type | Alert name | Description |
|---|---|---|
| Persistence | Tampering of the kernel configuration file | The threat detection model detected that the configuration file of the kernel module on your server was tampered with. In most cases, the modification is detected when a rootkit program modifies the configuration file to achieve self-starting. |
| Persistence | Malicious startup item script | The threat detection model detected files of suspicious self-starting items on your server. The files may be scheduled tasks or self-starting scripts that are implanted by malware or attackers to achieve persistence. |
| Persistence | Backdoor process | The threat detection model detected a suspicious backdoor process on your server. The backdoor process may be persistent behavior that is left by attackers who attempt to maintain permissions. |
| Persistence | Abnormal code in memory | The threat detection model detected malicious instructions in the memory of a process on your server. The process may be malware that is left by attackers or a process into which malicious code is injected. |
| Persistence | Abnormal process | The threat detection model detected that abnormal processes exist among the running programs on your server. The processes may be malicious processes or processes that have loaded malicious code. |
| Persistence | Abnormal self-starting item | The threat detection model detected abnormal self-starting items on your server. The self-starting items may be added by attackers or malware to achieve persistence. |
| Persistence | Hidden kernel module | The threat detection model detected hidden kernel modules on your server. The kernel modules may be rootkit backdoors that are implanted by attackers or malware and are used to maintain system permissions and hide other malicious behavior. |
| Persistence | Suspicious scheduled task in Linux | The threat detection model detected a suspicious scheduled task on your server. The task may be persistent behavior that is left by attackers on your server. |
| Persistence | SSH public key backdoor | The threat detection model detected an abnormal SSH public key for logon on your server. The SSH public key was added to the compromised server by a worm or attacker to maintain permissions. |
| Malicious Scripts | Execution of malicious script code | The threat detection model detected that malicious script code, such as Bash, PowerShell, or Python code, was executed on your server. |
| Malicious Scripts | Detection of a malicious script file | The threat detection model detected a malicious script file on your server. The file may be implanted by attackers who intruded into your server. We recommend that you perform the following operations: Check whether the file content is legitimate based on the tag of the malicious script. Then, handle the file. |
| Malicious Process | Tainted basic software | The threat detection model detected tainted basic software on your server. In most cases, tainted basic software is a system program into which malicious code is injected. Although the tainted basic software still offers its basic features, it covertly conducts malicious behavior. |
| Malicious Process | Malicious program | The threat detection model detected that a malicious program was running on your server. A malicious program is a program that has a variety of malicious behavior characteristics, or a third-party program that causes disruption or damage. |
| Malicious Process | Access to a malicious IP address | The threat detection model detected that a process on your server is attempting to connect to a malicious IP address. This IP address may be the IP address of a command and control (C&C) server or the IP address of a mining pool that is exploited by attackers, which poses high risks. The process may be a malicious file that is implanted by attackers. |
| Malicious Process | Infectious virus | The threat detection model detected that an infectious virus was running on your server. An infectious virus is a type of advanced malicious program. The virus writes malicious code into normal program files for execution. Therefore, a large number of normal programs are often infected and detected as virus hosts. |
| Malicious Process | Attacker tool | The threat detection model detected attacker tools on your server. Attacker tools are tools that attackers use to escalate privileges and steal sensitive data during an intrusion, programs that are used to uninstall security software, or backdoor programs that are implanted in the system after attackers intrude into your server. |
| Malicious Process | Backdoor program | The threat detection model detected that a backdoor program was running on your server. A backdoor program is a persistent program that is implanted in the system and exploited by attackers to continuously intrude into the server. |
| Malicious Process | Suspicious program | The threat detection model detected that a suspicious program was running on your server. In most cases, a suspicious program has characteristics of malicious code, or is highly suspicious and must be classified by the user based on the details of the program. |
| Malicious Process | Ransomware | The threat detection model detected that ransomware was running on your server. Ransomware is a malicious program that encrypts and locks all key data files on the server for ransom. |
| Malicious Process | Exploit | The threat detection model detected that an exploit was running on your server. An exploit is used to attack or attempt to attack known vulnerabilities in the operating system and applications. Attackers use an exploit to implement privilege escalation, escapes, and arbitrary code execution. |
| Malicious Process | Trojan | The threat detection model detected a trojan on your server. A trojan is a special program that is used to intrude into your server. After a trojan is implanted in disguise in the system, it downloads and releases other malicious programs. |
| Malicious Process | Worm | The threat detection model detected that a worm was running on your server. A worm is a type of program that replicates itself to spread from a compromised server to other servers. A worm can exploit vulnerabilities and launch brute-force attacks. |
| Malicious Process | Mining program | The threat detection model detected that a mining program is running on your server. A mining program is a type of program that consumes the computing resources of the server to mine cryptocurrency. This type of program causes extremely high CPU utilization and introduces other malicious programs. |
| Malicious Process | Self-mutating trojan | The threat detection model detected that a self-mutating trojan was running on your server. A self-mutating trojan changes its own hash or creates a large number of copies of itself in different paths and runs in the background. This way, it evades being cleaned from the system. |
| Malicious Process | DDoS trojan | The threat detection model detected that a distributed denial of service (DDoS) trojan was running on your server. A DDoS trojan is a malicious program that is used to receive instructions from the compromised server to launch DDoS attacks against a specific server. |
| Malicious Process | Rootkit | The threat detection model detected a rootkit on your server. A rootkit is a malicious module that is implanted in the underlying system. A rootkit is used to hide traces of itself or other malicious programs. |
| Malicious Process | Rootkit kernel module | The threat detection model detected a rootkit kernel module on your server. A rootkit is a malicious module that is implanted in the underlying system. A rootkit is used to hide traces of itself or other malicious programs. |
| Suspicious Process | Tampering of file time | The threat detection model detected that a process on your server attempted to modify the file time. Attackers may have run the process to forge the creation, access, or modification time of abnormal files so that the files resemble legitimate files and evade detection. |
| Suspicious Process | Call of risk tools | The threat detection model detected a suspicious call of risk tools on your server. Risk tools include proxies, tunnels, and scanning tools that attackers exploit to intrude into the server. |
| Suspicious Process | Reverse shell | The threat detection model detected that your server has run a reverse shell command. This way, attackers establish a reverse network connection between your server and the server of the attackers. Over this connection, arbitrary commands can be run on your server. |
| Suspicious Process | Connection to a malicious download source | The threat detection model detected that your server was attempting to connect to a malicious download source. A potential cause is that attackers have exploited weak passwords or command execution vulnerabilities to download malicious files from a remote server. |
| Suspicious Process | Access to sensitive files | The threat detection model automatically analyzed the historical behavior of a process on your server and detected that the process suspiciously read or modified important system files. |
| Suspicious Process | Suspicious command run by a process | The threat detection model automatically analyzed the historical behavior of a process on your server and detected that the process ran a suspicious command. A potential cause is that attackers have exploited a remote code execution (RCE) vulnerability in the service to run the command. |
| Suspicious Process | Suspicious command run by a high-risk application | The threat detection model detected that a high-risk application on your server ran a suspicious command. A high-risk application can be a web service, database service, script, scheduled task, or self-starting item. Such an application may have been compromised and used by attackers to run malicious commands. |
| Suspicious Process | Suspicious encoded command | The threat detection model detected that the command line data of a process on your server is highly suspicious. This may be associated with trojans, viruses, or attackers. |
| Suspicious Process | Suspicious port listening | The threat detection model detected suspicious port listening on your server. After attackers intrude into a server, they use software such as netcat (nc) to listen on a port. This way, attackers establish a hidden communication channel to steal information from the server. |
| Suspicious Process | Suspicious path | The threat detection model detected a suspicious file name extension on your server. The file is executable, and the format of the file does not match the format that the extension represents. A potential cause is that attackers have changed the file name extension of an executable file during the intrusion to evade detection. |
| Suspicious Process | Execution of suspicious files | The threat detection model detected that a file on your server was written and executed in a suspicious manner. The file may be a malicious tool that attackers downloaded from external sources and executed. |
| Suspicious Process | Suspicious behavior | The threat detection model automatically analyzed the historical behavior of a process on your server and detected a suspicious command. |
| Suspicious Process | Potential data breach by using HTTP tunnels | The threat detection model detected that a command execution result was sent from your server to an external server over an HTTP channel. A potential cause is that attackers have exploited RCE vulnerabilities to send the command execution result to their servers. |
| Suspicious Process | Suspicious SSH tunneling | The threat detection model detected that your server was attempting to establish a suspicious SSH tunnel. |
| Suspicious Process | Suspicious webshell injection | The threat detection model detected that a suspicious process was attempting to inject a webshell file into your server. |
| Suspicious Process | Suspicious privilege escalation | The threat detection model detected that some processes on your server were exploiting system vulnerabilities and application vulnerabilities to obtain higher system permissions. A potential cause is that attackers have escalated privileges during the intrusion. |
| Suspicious Process | Suspicious rootkit behavior | The threat detection model detected that a rootkit backdoor on your server was running suspicious commands. A potential cause is that attackers have implanted a rootkit backdoor and have sent malicious instructions to the backdoor to achieve remote control. |
| Suspicious Process | Suspicious call of database export tools | The threat detection model analyzed the historical behavior of a process on your server and detected suspicious calls of database export tools. A potential cause is that attackers have stolen data from your server after the server was compromised. |
| Suspicious Process | Sequence of abnormal behavior | The threat detection model detected multiple abnormal behavior sequences on your server. This combination is usually caused by the spread of a worm family. Your services may also have been infected by worms. |
| Suspicious Process | Suspicious command run by Apache CouchDB | The threat detection model detected that Apache CouchDB on your server ran a suspicious command. |
| Suspicious Process | Suspicious command run by FTP applications | The threat detection model detected that FTP applications on your server ran a suspicious command. A potential cause is that attackers have exploited weak passwords in FTP applications and used FTP to run batch files. |
| Suspicious Process | Suspicious command run by Java applications | The threat detection model detected that the Java process on your server performed high-risk behavior, such as downloading malicious programs or adding backdoors. A potential cause is that you have used vulnerable web frameworks or middleware. |
| Suspicious Process | Linux crontab file tampering | The threat detection model detected that a process on your server was attempting to modify the files for scheduled tasks on a Linux server. A potential cause is that malicious programs or rootkit programs were attempting to write persistent backdoor code to your server. |
| Suspicious Process | Suspicious command run by scheduled tasks in Linux | The threat detection model detected that a scheduled task on your server ran a suspicious command. A potential cause is that attackers have written malicious commands into the scheduled tasks to maintain permissions after the server was compromised. |
| Suspicious Process | Suspicious command sequence in Linux | The threat detection model detected that a sequence of suspicious commands was run by a process on your server. These commands closely resemble the sequence of commands that attackers usually run after a server has been compromised. We recommend that you check the parent process of the suspicious commands. The parent process may be a remote control trojan, a vulnerable web service, or a process into which malicious code is injected. |
| Suspicious Process | Execution of suspicious commands in Linux | The threat detection model detected that the command line data of a process on your server is highly suspicious. This may be associated with trojans, viruses, or attackers. |
| Suspicious Process | Suspicious file writing by using the MySQL EXPORT function | The threat detection model detected that the MySQL application on your server was attempting to write files to sensitive directories. A potential cause is that attackers have executed malicious SQL statements by using weak passwords or web applications. |
| Suspicious Process | Suspicious command run by MySQL | The threat detection model detected that the MySQL service on your server ran a suspicious command. Potential causes include weak passwords in the MySQL service and web services into which SQL statements have been injected. |
| Suspicious Process | Suspicious command run by Oracle | The threat detection model detected that the Oracle database on your server ran a suspicious command. A potential cause is that attackers have run remote commands after the password of the Oracle database was leaked. |
| Suspicious Process | Suspicious UDF library file writing by using the Postgres EXPORT function | The threat detection model detected that the Postgres application on your server was attempting to write a suspicious .so file to disk. A potential cause is that attackers have cracked the weak password of the Postgres application, logged on to it, and executed malicious SQL statements. Attackers may have used the .so file to obtain control permissions on your server. |
| Suspicious Process | Suspicious command run by PostgreSQL applications | The threat detection model detected that PostgreSQL applications on your server ran a suspicious command. Potential causes include weak passwords in PostgreSQL applications and web services into which malicious SQL statements have been injected. |
| Suspicious Process | Suspicious command run by Python applications | The threat detection model detected that Python applications on your server ran a suspicious command. A potential cause is that the Python-based web application on your server has RCE vulnerabilities and has been compromised. |
| Suspicious Process | Crontab file modified by Redis | The threat detection model detected that the Redis application on your server wrote a suspicious file to disk. A potential cause is that attackers have used a blank password or have cracked the weak password of the Redis application to execute malicious SQL statements and obtain system permissions. |
| Suspicious Process | Suspicious command run by Tomcat | The threat detection model detected that the Tomcat container on your server ran a suspicious command. A potential cause is that attackers have exploited webshells or RCE vulnerabilities in the Java applications of Tomcat containers to run malicious commands. |
| Sensitive File Tampering | System file tampering | The threat detection model detected that a process on your server was attempting to modify or replace system files. A potential cause is that attackers were attempting to replace system files to evade detection and hide backdoors. We recommend that you check whether the system files for which the alerts are generated are genuine system files. |
| Sensitive File Tampering | System file moving | The threat detection model detected that an upstream process was attempting to move system files on your server. A potential cause is that attackers have moved system files that are monitored by security software during the intrusion to evade detection. |
| Sensitive File Tampering | Tampering of configuration files used to preload Linux shared library files | The threat detection model detected that the configuration files used to preload Linux shared library files were being tampered with. |
| Other | Abnormal disconnection of the Security Center agent | The threat detection model detected that the main process AliYunDun of the Security Center agent on your server stopped unexpectedly and the agent was disconnected from Alibaba Cloud. The disconnection may be caused by network instability and last for a short period. Another potential cause is that the Security Center agent was uninstalled from your server after the server was compromised. In this case, you must log on to your server and check whether the Security Center agent is running. If the agent is not running, start the agent. |
| Webshell | Webshell file | The threat detection model detected a suspicious webshell file on your server. A webshell file may be a backdoor file that is implanted and used by attackers to maintain permissions after they intrude into a website. |
| Unusual Logon | Logon by using a malicious IP address | The threat detection model detected that a malicious IP address was used to log on to your server. The IP address was used to initiate attacks. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to your ECS instance. |
| Unusual Logon | FTP logon by using a malicious IP address | The threat detection model detected that a malicious IP address was used to log on to the FTP application on your server. The IP address was used to initiate attacks. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to the FTP application. |
| Unusual Logon | MySQL logon by using a malicious IP address | The threat detection model detected that a malicious IP address was used to log on to the MySQL application on your server. The IP address was used to initiate attacks. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to the MySQL application. |
| Unusual Logon | Server logon by using a backdoor account | The threat detection model detected that an attacker implanted a backdoor account into your server and logged on to your server by using the backdoor account. If you did not perform this operation, we recommend that you immediately delete the backdoor account. |
| Unusual Logon | Server logon by using an account with a weak password | The threat detection model detected that an account with a weak password was used to log on to your server. This logon may have been performed by you or by attackers. In most cases, attackers crack weak passwords to intrude into a server. We recommend that you immediately configure a strong password. |
| Unusual Logon | Suspicious external logon scanning | The threat detection model detected that your server frequently initiated brute-force attacks on protocols such as SSH, RDP, and SMB. A potential cause is that your server has been compromised and is being used by attackers to attack other servers. |
| Unusual Logon | Logon from an unusual location | The threat detection model detected that your server was logged on to from two locations that are far from each other within a short period of time. One of the locations is your usual logon location, which indicates that the other logon request was initiated from an unusual location. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to the server. |
| Unusual Logon | Logon by using an unusual account | The threat detection model detected that an unusual account was added to the administrator group and was used to log on to your server. If you did not perform this operation, we recommend that you immediately delete the user account. |
| Unusual Logon | ECS instance compromised due to brute-force attacks initiated by multiple invalid users | The threat detection model detected that multiple invalid users logged on to your server from the same IP address. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to your ECS instance. |
| Unusual Logon | ECS instance compromised due to brute-force attacks on RDP | The threat detection model detected that your server was under brute-force attacks on RDP. Attackers cracked the RDP service password and logged on to the server after several attempts. |
| Unusual Logon | Suspicious command sequence executed after ECS logons over SSH | The threat detection model detected that malicious commands were run on your server after an IP address was used to log on to the server. A potential cause is that the password used to log on to your server is weak or has been leaked. |
| Unusual Logon | Logon to an ECS instance within an unusual time range | The time at which the server was logged on to is not within the logon time range that you specified. We recommend that you check whether the logon is valid. |
| Unusual Logon | Logon to an ECS instance by using an unusual account | The account that was used to log on to the server does not match the conditions of a legitimate account. We recommend that you check whether the logon is valid. |
| Unusual Logon | Logon to an ECS instance by using an unusual IP address | The IP address that was used to log on to the server is not among the IP addresses that you specified. We recommend that you check whether the logon is valid. |
| Unusual Logon | Logon to an ECS instance from an unusual location | The location from which the server was logged on to is not among the logon locations that you specified. We recommend that you check whether the logon is valid. |
| Unusual Network Connection | Port forwarding | The threat detection model detected that a process on your server was attempting to establish port forwarding. A potential cause is that attackers have used your compromised server to attack other servers that are deployed on the same internal network. |
| Unusual Network Connection | Access to a malicious domain name | The threat detection model analyzed DNS traffic and detected that your server resolved a high-risk domain name. The domain name may be malicious, such as the domain name of a remote control server, a botnet, or a mining pool. In this case, attackers may have intruded into your server and exploited the server. |
| Unusual Network Connection | Suspicious outbound connection | The threat detection model detected that your server was attempting to access a website. The website may be related to a mining pool address, a C&C backdoor, or the domain name of a botnet. |
| Unusual Network Connection | Reverse shell connection by using Meterpreter | The threat detection model detected a suspicious process on your server. The process was attempting to establish a reverse shell connection to the server of the attacker so that the attacker can perform more operations on your server by using Meterpreter. |
| Unusual Network Connection | Communication with mining pools | The threat detection model detected that your server communicated with the IP addresses of mining pools. A potential cause is that your server has been compromised by an attacker and is used for mining. |
| Unusual Network Connection | Internal network scan | The threat detection model detected that a process on your server initiated scans against specific ports of multiple internal IP addresses within a short period of time. A potential cause is that attackers have attempted lateral movement after the server was compromised. |
| Unusual Network Connection | Suspicious lateral movement attack on an internal network | The threat detection model detected an abnormal internal network connection on your server. A potential cause is that attackers have launched lateral movement attacks on the internal network after the server was compromised. |
| Unusual Network Connection | Abnormal traffic | The threat detection model analyzed the traffic on your server and detected abnormal traffic. Abnormal traffic can be caused by exploits, malware communications, sensitive data breaches, and suspicious proxies and tunnels. We recommend that you handle the traffic based on the details of the alert. |
| Unusual Network Connection | Proactive connection to malicious download sources | The threat detection model detected that your server was attempting to connect to a malicious download source over HTTP. A potential cause is that attackers have exploited weak passwords or command execution vulnerabilities to download malicious files from a remote server. |
| Unusual Network Connection | Suspicious command run by Redis | The threat detection model detected that the Redis service on your server executed malicious SQL statements after attackers connected to the Redis service. In this case, the attackers may have taken control of your server. |
| Suspicious Account | System logon by using a suspicious account | The threat detection model detected that a user was attempting to log on to the system by using an unauthorized account, a system built-in account, or an attacker account. The logon may have been performed by an attacker. |

Alerts for Windows operating systems

| Alert type | Alert name | Description |
|---|---|---|
| Persistence | Suspicious self-starting item | The threat detection model detected suspicious self-starting items on your server. The items may have been added by malware or attackers to achieve persistence. |
| Persistence | Suspicious backdoor | The threat detection model detected a Windows Management Instrumentation (WMI) or bitsadmin backdoor on your server. Such a backdoor may have been left by attackers to maintain system permissions after your server was compromised. |
| Persistence | Abnormal code in memory | The threat detection model detected malicious instructions in the memory of a process on your server. The process may be malware that is left by attackers or a process into which malicious code is injected. |
| Persistence | Abnormal process | The threat detection model detected that abnormal processes exist among the running programs on your server. The processes may be malicious processes or processes that have loaded malicious code. |
| Persistence | Abnormal registry configuration | The threat detection model detected a suspicious registry configuration on your server. In most cases, key registry configurations are modified by malware to achieve persistence or to conduct sabotage. |
| Persistence | Abnormal self-starting item | The threat detection model detected abnormal self-starting items on your server. The self-starting items may be added by attackers or malware to achieve persistence. |
| Persistence | Cobalt Strike RAT | The threat detection model detected malicious code of the Cobalt Strike RAT in the memory of a process on your server. The process may be a malicious process or a process into which malicious code has been injected. |
| Malicious Scripts | Execution of malicious script code | The threat detection model detected that malicious script code, such as Bash, PowerShell, or Python code, was executed on your server. |
| Malicious Scripts | Detection of a malicious script file | The threat detection model detected a malicious script file on your server. The file may be implanted by attackers who intruded into your server. We recommend that you perform the following operations: Check whether the file content is legitimate based on the tag of the malicious script. Then, handle the file. |
| Malicious Process | Malicious program | The threat detection model detected that a malicious program was running on your server. A malicious program is a program that has a variety of malicious behavior characteristics, or a third-party program that causes disruption or damage. |
| Malicious Process | Access to a malicious IP address | The threat detection model detected that a process on your server is attempting to connect to a malicious IP address. This IP address may be the IP address of a command and control (C&C) server or the IP address of a mining pool that is exploited by attackers, which poses high risks. The process may be a malicious file that is implanted by attackers. |
| Malicious Process | Infectious virus | The threat detection model detected that an infectious virus was running on your server. An infectious virus is a type of advanced malicious program. The virus writes malicious code into normal program files for execution. Therefore, a large number of normal programs are often infected and detected as virus hosts. |
| Malicious Process | Attacker tool | The threat detection model detected attacker tools on your server. Attacker tools are tools that attackers use to escalate privileges and steal sensitive data during an intrusion, programs that are used to uninstall security software, or backdoor programs that are implanted in the system after attackers intrude into your server. |
| Malicious Process | Backdoor program | The threat detection model detected that a backdoor program was running on your server. A backdoor program is a persistent program that is implanted in the system and exploited by attackers to continuously intrude into the server. |
| Malicious Process | Suspicious program | The threat detection model detected that a suspicious program was running on your server. In most cases, a suspicious program has characteristics of malicious code, or is highly suspicious and must be classified by the user based on the details of the program. |
| Malicious Process | Ransomware | The threat detection model detected that ransomware was running on your server. Ransomware is a malicious program that encrypts and locks all key data files on the server for ransom. |
| Malicious Process | Exploit | The threat detection model detected that an exploit was running on your server. An exploit is used to attack or attempt to attack known vulnerabilities in the operating system and applications. Attackers use an exploit to implement privilege escalation, escapes, and arbitrary code execution. |
| Malicious Process | Trojan | The threat detection model detected a trojan on your server. A trojan is a special program that is used to intrude into your server. After a trojan is implanted in disguise in the system, it downloads and releases other malicious programs. |
| Malicious Process | Worm | The threat detection model detected that a worm was running on your server. A worm is a type of program that replicates itself to spread from a compromised server to other servers. A worm can exploit vulnerabilities and launch brute-force attacks. |
| Malicious Process | Mining program | The threat detection model detected that a mining program is running on your server. A mining program is a type of program that consumes the computing resources of the server to mine cryptocurrency. This type of program causes extremely high CPU utilization and introduces other malicious programs. |
Malicious Process Self-mutating trojan The threat detection model detected that a self-mutating trojan was running on your server. A self-mutating trojan changes its own hash or copies itself to a large number of different paths and runs in the background. This way, it avoids being cleaned from the system.
Malicious Process DDoS trojan The threat detection model detected that a distributed denial of service (DDoS) trojan was running on your server. A DDoS trojan is a malicious program that is used to receive instructions from the compromised server to launch DDoS attacks against a specific server.
Malicious Process Hashdump running The threat detection model detected that malware, such as Windows Credentials Editor (WCE) and Mimikatz, was running on your server. Such malware can steal the hash values of system accounts, which causes password leaks.
Suspicious Process Creation of suspicious scheduled tasks in Windows The threat detection model detected that a suspicious scheduled task was created on your server. A potential cause is that malware or attackers have created such tasks to maintain permissions during the intrusion process.
Suspicious Process Call of risk tools The threat detection model detected a suspicious call of risk tools on your server. The risk tools can be used as proxies, tunnels, and scanning tools that are exploited by attackers to intrude into the server.
Suspicious Process Suspicious process running by using WMIC The threat detection model detected that your server was attempting to use WMIC to create and run programs. A potential cause is that attackers have created such tasks to maintain system permissions after the server has been compromised.
Suspicious Process Connection to a malicious download source The threat detection model detected that your server was attempting to connect to a malicious download source. A potential cause is that attackers have exploited weak passwords or command execution vulnerabilities to download malicious files from a remote server.
Suspicious Process Suspicious command run by a high-risk application The threat detection model detected that a high-risk application on your server ran a suspicious command. A high-risk application can be a web service, database service, script, scheduled task, or self-starting item. Such an application may have been compromised and used by attackers to run malicious commands.
Suspicious Process Creation of suspicious files in high-risk applications The threat detection model detected that sensitive services, such as web services, created suspicious files or scripts that can be executed on your server. A potential cause is that attackers have exploited vulnerabilities to inject viruses or trojans into your server.
Suspicious Process Suspicious script operation The threat detection model detected that some script-related commands running on your server were highly suspicious. The detected threat may be caused by malware or attackers.
Suspicious Process Suspicious process path The threat detection model detected that a process on your server was started from an unusual path in which normal software is not installed. The process may have been added by viruses, trojans, or attackers during the intrusion process.
Suspicious Process Process with a suspicious file name The threat detection model detected that the file of a process on your server had a suspicious file name extension or the file name imitated the name of the system file. The process may have been added by viruses, trojans, and attackers during the intrusion process.
Suspicious Process Suspicious port listening The threat detection model detected suspicious port listening on your server. After attackers intrude into a server, attackers use software, such as netcat (nc), for port listening. This way, attackers establish a hidden communication channel to steal information from the server.
Suspicious Process Suspicious command The threat detection model detected that the information collection command on your server was suspicious or the calls among running processes were suspicious. This may be associated with trojans, viruses, or attackers.
Suspicious Process Execution of suspicious files The threat detection model detected that a file on your server was written and executed in a suspicious manner. The file may be a malicious tool downloaded from external sources and executed by attackers.
Suspicious Process Suspicious modification of registry configurations The threat detection model detected that a process was attempting to modify the registry configurations on your server. A potential cause is that attackers have written backdoor code into your server or have modified the sensitive configurations after attackers have obtained system permissions.
Suspicious Process Suspicious commands The threat detection model detected that a sequence of suspicious commands was run by a process on your server. These commands are very similar to the sequence of commands that attackers usually run after a server has been compromised. We recommend that you check the parent process of the suspicious commands. The parent process may be a remote control trojan, a vulnerable web service, or a process into which malicious code has been injected.
Suspicious Process ProcDump for data dumps The threat detection model detected that the ProcDump process was saving sensitive data that is stored in the process memory to the disks on your server. This saving operation may cause data breaches.
Suspicious Process Suspicious process startup by using BITSAdmin The threat detection model detected that the BITSAdmin tool was being used to start a suspicious process on your server. A potential cause is that attackers have used the BITSAdmin tool to implant malicious programs into your server and run malicious commands.
Suspicious Process Malicious code loading by using Windows system files The threat detection model detected that a malicious command was running on your server. A potential cause is that attackers have used Windows system files to execute malicious code and evade the detection of security software.
Suspicious Process Suspicious modification of self-starting items The threat detection model detected that a process was attempting to modify a self-starting item on your server. The modification may be performed by attackers or trojans to maintain system permissions.
Suspicious Process Modification of read-only and hidden attributes of files by using attrib.exe The threat detection model detected that a process was attempting to use attrib.exe to modify the read-only and hidden attributes of the files on your server.
Suspicious Process Self-starting item adding in the system registry The threat detection model detected that a program was adding self-starting items to the registry on your server. The program may be malware, promotion software into which backdoors have been injected, or a persistent task that was implanted by attackers after the server was compromised. The self-starting item may also have been added by normal software to start automatically. We recommend that you check whether the program is a trusted program.
Suspicious Process Suspicious file download from a remote server to a disk by using FTP The threat detection model detected that a process was attempting to download suspicious files from a remote server by using FTP on your server.
Suspicious Process Suspicious file copy to a disk by using RDP The threat detection model detected that an attacker was attempting to copy suspicious files to your server by using RDP. A potential cause is that attackers have stolen or cracked the RDP password that is used to log on to your server.
Suspicious Process Abnormal deletion of system backup files The threat detection model detected that a process was attempting to delete the system backup files on your server. A potential cause is that ransomware has deleted the backup files of your system to prevent file restoration and extort ransom.
Suspicious Process Abnormal deletion of system logs The threat detection model detected that a process was attempting to delete the system logs. A potential cause is that malware or attackers have deleted the system logs to evade detection.
Suspicious Process Suspicious attacker tool The threat detection model detected that some commands running on your server were very similar to the tools that attackers usually use. The commands may have been run by attackers during the intrusion process.
Suspicious Process Suspicious privilege escalation in Windows The threat detection model detected that commands that were running on your server were very suspicious. A potential cause is that attackers have exploited the Windows system vulnerabilities or application vulnerabilities to escalate privileges.
Suspicious Process Abnormal registry operation The threat detection model detected that some commands that were running on your server operated the Windows registry in a highly suspicious manner. A potential cause is that malware or attackers have modified some registry configurations after the server has been compromised.
Suspicious Process Suspicious call of database export tools The threat detection model analyzed the historical behavior of a process on your server and detected suspicious calls of database export tools. A potential cause is that attackers have stolen data from your server after the server has been compromised.
Suspicious Process Suspicious calls of system tools The threat detection model detected that a process on your server was calling system tools in a suspicious manner. A potential cause is that trojans or attackers have called the tools to perform some malicious operations, such as malicious file download, malicious code execution, encryption, and decryption, to evade the detection of common security software.
Suspicious Process Abnormal modification of system security configurations The threat detection model detected that a process on your server was modifying security configurations of the system. A potential cause is that malware or attackers have modified the configurations of the firewall and antivirus software to evade detection.
Suspicious Process Execution of malicious commands The threat detection model detected that the command line data of a process on your server is highly suspicious. This may be associated with trojans, viruses, or attackers.
Suspicious Process Malicious commands run by Cobalt Strike The threat detection model detected that a Cobalt Strike agent was installed on your server and the Cobalt Strike agent was running malicious commands.
Suspicious Process Suspicious command run by FTP applications The threat detection model detected that FTP applications on your server ran a suspicious command. A potential cause is that attackers have exploited weak passwords in FTP applications and used FTP to run batch files.
Suspicious Process Suspicious command run by Java applications The threat detection model detected that the Java process on your server performed high-risk behavior, such as malicious program download and backdoor adding. A potential cause is that you have used vulnerable web frameworks or middleware.
Suspicious Process Suspicious process run by LSASS The threat detection model detected that the lsass.exe process ran a suspicious command on your server. The lsass.exe process is the security authorization process of the Windows operating system. The process authenticates users and generates tokens. Attackers exploit many system vulnerabilities to initiate buffer overflow attacks against this process so that they can obtain complete control over the target process.
Suspicious Process Suspicious command run by MySQL The threat detection model detected that the MySQL service on your server ran a suspicious command. Potential causes include weak passwords in the MySQL service and web services into which the SQL statements have been injected.
Suspicious Process Suspicious command run by PostgreSQL applications The threat detection model detected that PostgreSQL applications on your server ran a suspicious command. Potential causes include weak passwords in PostgreSQL applications and web services into which malicious SQL statements have been injected.
Suspicious Process Suspicious command run by Python applications The threat detection model detected that Python applications on your server ran a suspicious command. A potential cause is that the Python-based web application on your server has RCE vulnerabilities and has been compromised.
Suspicious Process Suspicious command run by regsvr32 The threat detection model detected that regsvr32.exe was running suspicious commands on your server. A potential cause is that attackers have injected malicious code into the OCX files to evade detection and have used regsvr32.exe to execute the code in the memory of your server.
Suspicious Process Suspicious command run by rundll32 The threat detection model detected that rundll32.exe was running suspicious commands on your server. A potential cause is that attackers have injected the malicious code into the DLL files to evade detection and have used rundll32.exe to execute the code in the memory of your server.
Suspicious Process Suspicious file writing in disks The threat detection model detected that the Redis application on your server was attempting to write a suspicious file to a disk. A potential cause is that attackers have cracked the weak password of the Redis application to execute malicious SQL statements in the SQL Server application.
Suspicious Process Suspicious command run by SQL Server applications The threat detection model detected that the SQL Server application on your server ran suspicious commands. A potential cause is that attackers have cracked the weak password of the SQL Server application and have used the command execution component of the SQL Server application to run malicious commands.
Suspicious Process Suspicious command run by Tomcat The threat detection model detected that your Tomcat container on your server ran a suspicious command. A potential cause is that attackers have exploited webshells or RCE vulnerabilities in Java applications of Tomcat containers to run malicious commands.
Suspicious Process Modification of Windows Defender configurations The threat detection model detected that your server was modifying the registry to disable some features of Windows Defender. The modification operation may have been performed by attackers who have attempted to evade detection and prevention after the server has been compromised.
Suspicious Process Modification of the RDP configuration in Windows The threat detection model detected that the RDP configuration of your server was being modified. A potential cause is that attackers have modified the RDP configuration to maintain permissions after the server has been compromised.
Suspicious Process Creation of scheduled tasks in Windows The threat detection model detected that suspicious scheduled tasks were being created on your server. A potential cause is that attackers have implanted backdoors into your server to maintain permissions after the server has been compromised.
Suspicious Process Creation of suspicious service startup items in Windows The threat detection model detected that an upstream process was attempting to create suspicious service startup items on your server. A potential cause is that attackers have implanted malicious programs into your server. If a malicious program is running, service startup items will be created to maintain permissions.
Suspicious Process Logon credential breaches in Windows The threat detection model detected that some programs on your server modified the WDigest item in the registry. A potential cause is that attackers have changed the value of UseLogonCredential to allow logon credentials to be stored in plaintext. This way, attackers can steal the logon credentials from the memory of the server.
Suspicious Process Execution of HTML scripts by using mshta on Windows The threat detection model detected that a process on your server was attempting to call mshta to execute scripts embedded in HTML pages. This way, attackers can implant malicious programs into the server.
Suspicious Process Suspicious port forwarding in Windows The threat detection model detected that a command was running for port forwarding on an internal network. A potential cause is that attackers were launching lateral movement attacks on the internal network.
Suspicious Process Modification of firewall configurations in Windows The threat detection model detected that a process was attempting to modify the configurations of Windows Firewall.
Suspicious Process Self-starting item adding in Windows The threat detection model detected that abnormal self-starting items were added to your server. A potential cause is that attackers have added malicious programs to the start-up items to maintain permissions after the server has been compromised.
Suspicious Process Abnormal operation on a Windows account The threat detection model detected that the Windows account was used to perform operations on your server and the command that was running was suspicious. A potential cause is that malware or attackers have used the Windows account to perform operations on the server.
Other Abnormal disconnection of the Security Center agent The threat detection model detected that AliYunDun, the main process of the Security Center agent on your server, stopped unexpectedly and the agent was disconnected from Alibaba Cloud. The disconnection may be caused by network instability and last only for a short period. Another potential cause is that the Security Center agent was uninstalled from your server after the server was compromised. In this case, you must log on to your server and check whether the Security Center agent is running. If the agent is not running, start the agent.
Webshell Webshell file The threat detection model detected a suspicious webshell file on your server. A webshell file may be a backdoor file that is implanted and used by attackers to maintain permissions after attackers intrude into a website.
Unusual Logon Logon by using a malicious IP address The threat detection model detected that a malicious IP address was used to log on to your server. The IP address was used to initiate attacks. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to your ECS instance.
Unusual Logon FTP logon by using a malicious IP address The threat detection model detected that a malicious IP address was used to log on to the FTP application on your server. The IP address was used to initiate attacks. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to the FTP application.
Unusual Logon MySQL logon by using a malicious IP address The threat detection model detected that a malicious IP address was used to log on to the MySQL application on your server. The IP address was used to initiate attacks. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to the MySQL application.
Unusual Logon SQL Server logon by using a malicious IP address The threat detection model detected that a malicious IP address was used to log on to the SQL Server application on your server. The IP address was used to initiate attacks. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to the SQL Server application.
Unusual Logon Server logon by using a backdoor account The threat detection model detected that an attacker implanted a backdoor account into your server and logged on to your server by using the backdoor account. If you did not perform this operation, we recommend that you immediately delete the backdoor account.
Unusual Logon Server logon by using an account with a weak password The threat detection model detected that an account with a weak password was used to log on to your server. This logon may be performed by yourself or attackers. In most cases, attackers crack weak passwords to intrude into a server. We recommend that you immediately configure a strong password.
Unusual Logon Suspicious external logon scanning The threat detection model detected that your server frequently initiated brute-force attacks on protocols, such as SSH, RDP, and SMB. A potential cause is that your server has been attacked and has been used by attackers to attack other servers.
Unusual Logon Logon from an unusual location The threat detection model detected that your server was logged on to from two locations that are far from each other within a short period of time. One of the locations is your usual logon location, so the other logon request must have been initiated from an unusual location. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to the server.
Unusual Logon Logon by using an unusual account The threat detection model detected that you added an unusual account to the administrator group and the account was used to log on to your server. If you did not perform this operation, we recommend that you immediately delete the user account.
Unusual Logon ECS instance compromised due to brute-force attacks initiated by multiple invalid users The threat detection model detected that multiple invalid users logged on to your server by using the same IP address. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to your ECS instance.
Unusual Logon ECS instance compromised due to brute-force attacks on SSH The threat detection model detected that your server was under brute-force attacks on SSH. Attackers cracked the SSH service password and logged on to the server after several attempts.
Unusual Logon Suspicious command sequence executed after ECS logons over SSH The threat detection model detected that some malicious commands were run on your server after an IP address was used to log on to the server. A potential cause is that the password used to log on to your server is weak or is leaked.
Unusual Logon Logon to an ECS instance within an unusual time range The time when the server is logged on is not within the logon time range that you specify. We recommend that you check whether the logon is valid.
Unusual Logon Logon to an ECS instance by using an unusual account The account that is used to log on to the server does not match the condition of a legitimate account. We recommend that you check whether the logon is valid.
Unusual Logon Logon to an ECS instance by using an unusual IP address The IP address that is used to log on to the server is not within the IP addresses that you specify. We recommend that you check whether the logon is valid.
Unusual Logon Logon to an ECS instance from an unusual location The location from which the server is logged on is not within the logon locations that you specify. We recommend that you check whether the logon is valid.
Unusual Network Connection Port forwarding The threat detection model detected that a process on your server was attempting to establish port forwarding. A potential cause is that attackers have used your compromised server to attack other servers that are deployed on the same internal network.
Unusual Network Connection Access to a malicious domain name The threat detection model analyzed DNS traffic and detected that your server resolved a high-risk domain name. The domain name may be malicious, such as the domain name of a remote control server, of a botnet, or of a mining pool. In this case, attackers may have intruded into your server and exploited the server.
Unusual Network Connection Reverse shell connection by using Meterpreter The threat detection model detected a suspicious process on your server. The process was attempting to establish a reverse shell connection for the server of the attacker to perform more operations on your server by using Meterpreter.
Unusual Network Connection Communication with mining pools The threat detection model detected that your server communicated with the IP addresses of mining pools. A potential cause is that your server has been compromised by an attacker and used for mining.
Unusual Network Connection Internal network scan The threat detection model detected that a process on your server initiated scans against the specified ports of multiple internal IP addresses in a short period of time. A potential cause is that attackers have attempted to launch lateral movement attacks after the server has been compromised.
Unusual Network Connection Suspicious sensitive port scanning The threat detection model detected that a process on your server sent too many network requests to sensitive ports in a short period of time. The behavior may be a port scanning behavior.
Unusual Network Connection Abnormal traffic The threat detection model analyzed the traffic on your server and detected abnormal traffic. Abnormal traffic can be caused by exploits, malware communications, sensitive data breaches, and suspicious proxies and tunnels. We recommend that you handle the traffic based on the details of the alert.
Unusual Network Connection Proactive connection to malicious download sources The threat detection model detected that your server was attempting to connect to a malicious download source by using HTTP. A potential cause is that attackers have exploited weak passwords or command execution vulnerabilities to download malicious files from a remote server.
Unusual Network Connection Abnormal network connections in Windows The threat detection model detected that the connection of a process on your server was unusual. This may be associated with trojans, viruses, or attackers.
Suspicious Account System logon by using a suspicious account The threat detection model detected that a user was attempting to log on to the system by using an unauthorized account, a system built-in account, or an attacker account. The logon may be performed by an attacker.
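Two of the Windows alerts above point at specific registry locations: the WDigest UseLogonCredential value (logon credential breaches) and the self-starting items that malware adds to the registry. The following PowerShell script is an added example written for this page, not Security Center or Alibaba Cloud code; it reads those locations on the local host so that an administrator can compare what the registry holds with the details shown in an alert. The registry paths are the standard Windows locations; the path pattern it flags as unusual and the output wording are the example's own assumptions.

```powershell
# Added example (not Security Center code): read-only audit of the registry
# locations referenced by the WDigest and self-starting item alerts.
# Run in an elevated PowerShell session on the Windows host being investigated.

# 1. WDigest plaintext credential caching. A value of 1 lets LSASS keep logon
#    credentials in a recoverable form in memory, which is what the alert describes.
$wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$wdigest = Get-ItemProperty -Path $wdigestKey -Name 'UseLogonCredential' -ErrorAction SilentlyContinue

if ($null -eq $wdigest) {
    Write-Output 'WDigest UseLogonCredential: not set (OS default applies; disabled on current Windows versions)'
}
elseif ($wdigest.UseLogonCredential -eq 1) {
    Write-Output 'WDigest UseLogonCredential: 1 -> plaintext credential caching ENABLED; find out which process set it'
}
else {
    Write-Output "WDigest UseLogonCredential: $($wdigest.UseLogonCredential) (plaintext caching disabled)"
}

# 2. Autostart entries in the Run/RunOnce keys. Each value name maps to a command
#    line; compare each command with the program's expected installation path.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $entries = Get-ItemProperty -Path $key
    # Get-ItemProperty adds PSPath/PSParentPath/... metadata properties; skip those.
    foreach ($prop in $entries.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }
        $cmd = [string]$prop.Value
        # Assumed heuristic: commands started from temporary or user-writable folders
        # are the "unusual path" the suspicious process path alert refers to.
        $flag = if ($cmd -match '(?i)\\(Temp|AppData\\Local\\Temp|Downloads|Public)\\') { '  <-- unusual path' } else { '' }
        Write-Output ("{0}\{1} = {2}{3}" -f $key, $prop.Name, $cmd, $flag)
    }
}
```

The script only reads the registry; it does not change the WDigest value or remove any autostart entry. An entry flagged as an unusual path is a candidate for review against the alert details, not proof of compromise, because some legitimate installers also place updaters in user profile folders.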

Alerts for containers

Alert type Alert name Description
Malicious Process Malicious program The threat detection model detected that a malicious program was running on your server. A malicious program is a program that has a variety of malicious behavior characteristics, or a third-party program that causes disruption or damage.
Malicious Process Access to a malicious IP address The threat detection model detected that a process on your server was attempting to connect to a malicious IP address. The IP address may belong to a command and control (C&C) server or to a mining pool that is used by attackers, and poses a high risk. The process may be a malicious file that was implanted by attackers.
Malicious Process Infectious virus The threat detection model detected that an infectious virus was running on your server. An infectious virus is a type of advanced malicious program. The virus itself writes malicious code into normal program files for execution. Therefore, a large number of normal programs are often infected and detected as virus hosts.
Malicious Process Attacker tool The threat detection model detected attacker tools on your server. Attacker tools are tools that are exploited by attackers to escalate privileges and steal sensitive data during the intrusion process, programs that are used to uninstall security software, or backdoor programs that are implanted in the system after the attackers intrude into your server.
Malicious Process Backdoor program The threat detection model detected that a backdoor program was running on your server. A backdoor program is a persistent program that is implanted in the system and exploited by attackers to continuously intrude into the server.
Malicious Process Suspicious program The threat detection model detected that a suspicious program was running on your server. In most cases, a suspicious program has the characteristics of malicious code, or has the characteristics of programs that are highly suspicious and need to be classified by users based on the details of the programs.
Malicious Process Ransomware The threat detection model detected that ransomware was running on your server. Ransomware is a malicious program that encrypts and locks all key data files on the server for ransom.
Malicious Process Trojan The threat detection model detected a trojan on your server. A trojan is a special program that is used to intrude into your server. After a trojan is implanted in disguise in the system, it downloads and releases other malicious programs.
Malicious Process Worm The threat detection model detected that a worm was running on your server. A worm is a type of program that replicates itself to spread from a compromised server to another server. A worm can exploit vulnerabilities and launch brute-force attacks.
Malicious Process Mining program The threat detection model detected that a mining program is running on your server. A mining program is a type of program that consumes the computing resources of the server and mines cryptocurrency. This type of program causes extremely high CPU utilization and brings other malicious programs.
Malicious Process Self-mutating trojan The threat detection model detected that a self-mutating trojan was running on your server. A self-mutating trojan changes its own hash or copies itself to a large number of different paths and runs in the background. This way, it avoids being cleaned from the system.
Malicious Process DDoS trojan The threat detection model detected that a distributed denial of service (DDoS) trojan was running on your server. A DDoS trojan is a malicious program that is used to receive instructions from the compromised server to launch DDoS attacks against a specific server.
Suspicious Process Tampering of file time The threat detection model detected that a process on your server attempted to modify the file time. The process may be triggered by attackers who imitate the actual file time to forge the actual creation, access, or modification time of abnormal files to evade detection.
Suspicious Process Remote API debugging in Docker that may pose security risks The threat detection model detected that the Docker remote debugging interface was open to 0.0.0.0 on your server. The Docker remote debugging interface exposed on the Internet will be quickly invaded by worms. Make sure that the API is exposed only on a trusted network.
Suspicious Process Connection to a malicious download source The threat detection model detected that your server was attempting to connect to a malicious download source. A potential cause is that attackers have exploited weak passwords or command execution vulnerabilities to download malicious files from a remote server.
Suspicious Process Suspicious command run by a process The threat detection model automatically analyzed the historical behavior of a process on your server and detected that the process ran a suspicious command. A potential cause is that attackers have exploited Remote Code Execution (RCE) vulnerability of the service to run the command.
Suspicious Process Suspicious encoded command The threat detection model detected that the command line data of a process on your server is highly suspicious. This may be associated with trojans, viruses, or attackers.
Suspicious Process Suspicious starting of a privileged container The threat detection model detected that a suspicious privileged container was started on your server, which affected container security. If the container is compromised, containers and assets on the server will be affected. Make sure that the privileged container uses trusted image sources and the service that is running in the container is protected against intrusion.
Suspicious Process Execution of suspicious files The threat detection model detected that a file on your server was written and executed in a suspicious manner. The file may be a malicious tool downloaded from external sources and executed by attackers.
Suspicious Process Suspicious behavior The threat detection model automatically analyzed the historical behavior of a process on your server and detected a suspicious command.
Suspicious Process Container network scanning behavior The threat detection model detected that a container on your server was proactively performing a suspicious network scan. The scan may be performed by attackers to compromise your server and move from the compromised server to other servers.
Suspicious Process High-risk container-related operation The threat detection model detected that high-risk container-related operations were being performed on your server. The high-risk operations include container startup by using high-risk permissions and mapping of sensitive directories, files, and ports to containers.
Suspicious Process Execution of suspicious commands inside a container The threat detection model detected that abnormal commands were being executed inside your container, which indicates potential intrusion.
Suspicious Process Collection of credentials inside containers The threat detection model detected access to sensitive information and files within a container. The information and files include configuration files of Docker/Swarm/Kubernets, database connection configurations, logon credentials, AccessKey pairs, certificates, and private key files. We recommend that you check whether the container has been compromised and data has been leaked.
Suspicious Process Privilege escalation in containers or container escapes The threat detection model detected suspicious scripts or instructions that were used to escalate privileges or vulnerabilities in your containers. A potential cause is that your containers have been compromised.
Suspicious Process Collection of container information The threat detection model detected that suspicious commands were run inside the containers on your server. Such commands are usually used by attackers to collect information inside a container after the container is compromised. If the operation is not a trusted operation, we recommend that you immediately reset the container. Trusted operations include operations triggered by security software and O&M behavior performed by an administrator.
Suspicious Process Running of malicious container images The threat detection model detected that a malicious container image was running on your server. This image may contain backdoors, mining programs, viruses, or known severe vulnerabilities. We recommend that you perform troubleshooting and use trusted image resources.
Suspicious Process Abnormal operation on files of Docker The threat detection model detected that the Docker process on your server was modifying the core service configuration or sensitive files of the system. A potential cause is that attackers have exploited the vulnerabilities in the Docker services to hijack some Docker services and have used the services to initiate container escape attacks, such as CVE-2019-5736 Docker runC and CVE-2019-14271 Docker CP. We recommend that you check whether the Docker container of the current version has such vulnerabilities.
Suspicious Process Suspicious command run by FTP applications The threat detection model detected that FTP applications on your server ran a suspicious command. A potential cause is that attackers have exploited the weak passwords in FTP applications and use FTP to run batch files.
Suspicious Process Suspicious command run by Java applications The threat detection model detected that the Java process on your server performed high-risk behavior, such as malicious program download and backdoor adding. A potential cause is that you have used vulnerable web frameworks or middleware.
Suspicious Process Abnormal behavior of Kubernetes service accounts The threat detection model detected an abnormal instruction inside your container. The instruction attempted to connect to the Kubernetes API server by using a Kubernetes service account. We recommend that you check whether the operation is a trusted operation. Trusted operations include operations triggered by security software and O&M behavior performed by an administrator. Make sure that the account is granted permissions based on the principle of least privilege. This avoids an attacker moving from a compromised container to other containers by using the Kubernetes API after the container is compromised.
Suspicious Process Suspicious command sequence in Linux The threat detection model detected that detected that a sequence of suspicious commands were run by a process on your server. These commands are very similar to the sequence of commands that are usually run by attackers after a server has been compromised. We recommend that you check the parent process of the suspicious commands. The parent process may be a remote control trojan, vulnerable web service, or process into which malicious code is injected.
Suspicious Process Execution of suspicious commands in Linux The threat detection model detected that the command line data of a process on your server is highly suspicious. This may be associated with trojans, viruses, or attackers.
Suspicious Process Suspicious command run by Oracle The threat detection model detected that the Oracle database on your server ran a suspicious command. A potential cause is that attackers have run remote commands after the password of the Oracle database is leaked.
Suspicious Process Suspicious command run by Tomcat The threat detection model detected that your Tomcat container on your server ran a suspicious command. A potential cause is that attackers have exploited webshells or RCE vulnerabilities in Java applications of Tomcat containers to run malicious commands.
K8s Abnormal Behavior Startup of a pod that contains a malicious image The threat detection model detected that a pod that contains a malicious image was started in your Kubernetes cluster. We recommend that you check whether the image is from a trusted image source and the process inside the pod has malicious programs, such as backdoors and mining programs.
K8s Abnormal Behavior Suspicious instruction run on a Kubernetes API server The threat detection model detected that suspicious instructions were run on your Kubernetes API server. A potential cause is that attackers have obtained and used the credentials of your API server. We recommend that you check whether the server has been compromised.
K8s Abnormal Behavior Abnormal access to AccessKey secrets in a Kubernetes cluster The threat detection model detected that Secret objects were being enumerated inside your Kubernetes cluster. A potential cause is that attackers were stealing sensitive information of the Secret objects in the Kubernetes cluster after the cluster has been compromised. We recommend that you check whether the operation was performed by a trusted program or the administrator.
K8s Abnormal Behavior Lateral movement among Kubernetes service accounts The threat detection model detected that one of your service accounts requested permissions outside of the historical baseline or failed authentication several times. A potential cause is that attackers have intruded into a pod and have used the credentials of the service account that was obtained from your server to attack an API server. We recommend that you immediately perform troubleshooting.
K8s Abnormal Behavior Successful authentication of an anonymous user in Kubernetes API logs The threat detection model analyzed your Kubernetes API logs and detected that an anonymous user logged on to your Kubernetes cluster. In most cases, anonymous users cannot be used for Kubernetes cluster O&M. If an anonymous user logs on to a cluster and the cluster is exposed to the Internet, the cluster is at high risks. We recommend that you check whether the operation is performed by a trusted administrator and immediately revoke the access permissions of the anonymous user.
K8s Abnormal Behavior Mounting of sensitive node directories The threat detection model detected that sensitive directories or files were mounted when your pod was starting. A potential cause is that attackers have mounted sensitive files to escape from the pod layer to the node layer, which achieves persistence. We recommend that you check whether the operation is trusted.
Webshell Webshell file The threat detection model detected a suspicious webshell file on your server. A webshell file may be a backdoor file that is implanted and used by attackers to maintain permissions after attackers intrude into a website.
Unusual Network Connection Suspicious outbound connection The threat detection model detected that your server was attempting to access a website. The website may be related to a mining pool address, a C&C backdoor, and the domain name of a botnet organization.
Unusual Network Connection Communication with mining pools The threat detection model detected that your server communicated with IP addresses of mining pools. A potential cause is that your server has been intruded by an attacker and used for mining.
Unusual Network Connection Internal network scan The threat detection model detected that a process on your server initiated scans against the specified ports of multiple internal IP addresses in a short period of time. A potential cause is that attackers have attempted to launch lateral movement attacks after the server has been compromised.
Unusual Network Connection Suspicious command run by Redis The threat detection model detected that the Redis service on your server executed malicious SQL statements after attackers connected to the Redis service. In this case, the attackers may have controlled your server.

Alerts for the Alibaba Cloud platform

Alert type | Alert name | Description
Cloud threat detection | Suspicious changing of user passwords | The threat detection model detected that your Alibaba Cloud account changed the password of a specific user by using APIs, which is not a high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations.
Cloud threat detection | Suspicious enumeration of security group rules | The threat detection model detected that your Alibaba Cloud account enumerated security group policies by using APIs, which is not a high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations.
Cloud threat detection | Suspicious enumeration of users | The threat detection model detected that your Alibaba Cloud account enumerated all users by using APIs, which is not a high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations.
Cloud threat detection | Suspicious enumeration of specific roles | The threat detection model detected that your Alibaba Cloud account enumerated specific roles by using APIs, which is not a high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations.
Cloud threat detection | Suspicious deletion of security group rules | The threat detection model detected that your Alibaba Cloud account deleted security group rules by using APIs, which is not a high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations.
Cloud threat detection | Suspicious modification of security group rules | The threat detection model detected that your Alibaba Cloud account modified security group rules by using APIs, which is not a high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations.
Cloud threat detection | Suspicious behavior of changing an ECS password | The threat detection model detected that your Alibaba Cloud account changed the logon password of your ECS instance by using APIs, which is not a high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations.
Cloud threat detection | Suspicious addition of security group rules | The threat detection model detected that your Alibaba Cloud account added security group rules by using APIs, which is not a high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations.
Cloud threat detection | Suspicious addition of SSH keys to an ECS instance | The threat detection model detected that your Alibaba Cloud account added SSH keys by using APIs, which is not a high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations.
Cloud threat detection | Abnormal commands by using OpenAPI | The threat detection model detected that your Alibaba Cloud account ran malicious commands by using APIs, which is not a high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations.
Cloud threat detection | ActionTrail disabled | The threat detection model detected that your Alibaba Cloud account disabled ActionTrail by using APIs. A potential cause is that attackers have disabled ActionTrail to prevent their malicious behavior from being recorded. We recommend that you keep ActionTrail enabled for security reasons.
Cloud threat detection | Log delivery from ActionTrail to OSS disabled | The threat detection model detected that your Alibaba Cloud account disabled log delivery from ActionTrail to OSS by using APIs. A potential cause is that attackers have disabled the delivery to prevent their malicious behavior from being recorded. We recommend that you keep log delivery from ActionTrail to OSS enabled for security reasons.
Cloud threat detection | Log delivery from ActionTrail to Log Service disabled | The threat detection model detected that your Alibaba Cloud account disabled log delivery from ActionTrail to Log Service by using APIs. A potential cause is that attackers have disabled the delivery to prevent their malicious behavior from being recorded. We recommend that you keep log delivery from ActionTrail to Log Service enabled for security reasons.

Alerts generated by analyzing traffic

Alert type | Alert name | Description
Unusual Network Connection | Access to a malicious domain name | The threat detection model analyzed DNS traffic and detected that your server resolved a high-risk domain name. The domain name may be a malicious domain name, such as the domain name of a remote control server, the domain name of a botnet organization, or a mining pool address. In this case, attackers may have intruded into your server and exploited it.
Unusual Network Connection | Reverse shell connection by using Meterpreter | The threat detection model detected a suspicious process on your server. The process was attempting to establish a reverse shell connection by using Meterpreter so that the attacker's server can perform more operations on your server.
Unusual Network Connection | Communication with mining pools | The threat detection model detected that your server communicated with IP addresses of mining pools. A potential cause is that your server has been intruded by an attacker and used for mining.
Unusual Network Connection | Abnormal traffic | The threat detection model analyzed the traffic on your server and detected abnormal traffic. Abnormal traffic can be caused by exploits, malware communications, sensitive data breaches, and suspicious proxies and tunnels. We recommend that you handle the traffic based on the details of the alert.
Unusual Network Connection | Proactive connection to malicious download sources | The threat detection model detected that your server was attempting to connect to a malicious download source by using HTTP. A potential cause is that attackers have exploited weak passwords or command execution vulnerabilities to download malicious files from a remote server.
Unusual Network Connection | Suspicious command run by Redis | The threat detection model detected that the Redis service on your server executed malicious SQL statements after attackers connected to the Redis service. In this case, the attackers may have taken control of your server.
Web Application Threat Detection | SQL injection | The threat detection model analyzed HTTP traffic and detected that the web service on your server is suspected of having SQL injection vulnerabilities that have been exploited by attackers.
Web Application Threat Detection | Successful exploitation of high-risk vulnerabilities | The threat detection model analyzed HTTP traffic and detected that your server has high-risk web vulnerabilities that have been successfully exploited by attackers.
Web Application Threat Detection | Sensitive file leaks | The threat detection model analyzed HTTP traffic and detected that sensitive files on your server were accessed by external IP addresses over HTTP. This may cause data breaches.
Web Application Threat Detection | Suspected attacks against web services | The threat detection model detected that the HTTP request logs generated on your server included command lines and the HTTP response logs included command outputs. A potential cause is that command execution vulnerabilities exist in your web services and have been exploited by attackers.

Alerts generated by analyzing file content

Alert type | Alert name | Description
Persistence | Suspicious scheduled task in Linux | The threat detection model detected a suspicious scheduled task on your server. The task may be persistent behavior that attackers left on your server.
Malicious scripts | Detection of a malicious script file | The threat detection model detected a malicious script file on your server. The file may have been implanted by attackers who intruded into your server. We recommend that you check whether the file content is legitimate based on the tag of the malicious script, and then handle the file.
Malicious Process | Tainted basic software | The threat detection model detected tainted basic software on your server. In most cases, tainted basic software is a system program into which malicious code has been injected. Although the tainted basic software still offers its basic features, it covertly conducts malicious behavior.
Malicious Process | Malicious program | The threat detection model detected that a malicious program was running on your server. A malicious program is a program that has a variety of malicious behavior characteristics, or a third-party program that causes disruption or damage.
Malicious Process | Infectious virus | The threat detection model detected that an infectious virus was running on your server. An infectious virus is a type of advanced malicious program. The virus writes malicious code into normal program files so that the code is executed with them. As a result, a large number of normal programs are often infected and detected as virus hosts.
Malicious Process | Attacker tool | The threat detection model detected attacker tools on your server. Attacker tools are tools that attackers use to escalate privileges and steal sensitive data during an intrusion, programs that are used to uninstall security software, or backdoor programs that are implanted in the system after the attackers intrude into your server.
Malicious Process | Backdoor program | The threat detection model detected that a backdoor program was running on your server. A backdoor program is a persistent program that is implanted in the system and exploited by attackers to continuously intrude into the server.
Malicious Process | Suspicious program | The threat detection model detected that a suspicious program was running on your server. In most cases, a suspicious program has the characteristics of malicious code, or has characteristics that are highly suspicious and need to be classified by users based on the details of the program.
Malicious Process | Ransomware | The threat detection model detected that ransomware was running on your server. Ransomware is a malicious program that encrypts and locks all key data files on the server for ransom.
Malicious Process | Trojan | The threat detection model detected a trojan on your server. A trojan is a special program that is used to intrude into your server. After a trojan is implanted in the system in disguise, it downloads and releases other malicious programs.
Malicious Process | Worm | The threat detection model detected that a worm was running on your server. A worm is a type of program that replicates itself to spread from a compromised server to other servers. A worm can exploit vulnerabilities and launch brute-force attacks.
Malicious Process | Mining program | The threat detection model detected that a mining program was running on your server. A mining program is a type of program that consumes the computing resources of the server to mine cryptocurrency. This type of program causes extremely high CPU utilization and often brings in other malicious programs.
Malicious Process | Self-mutating trojan | The threat detection model detected that a self-mutating trojan was running on your server. A self-mutating trojan changes its own hash or copies a large number of its files to different paths and runs in the background. This way, it avoids being cleaned up by the system.
Malicious Process | DDoS trojan | The threat detection model detected that a distributed denial of service (DDoS) trojan was running on your server. A DDoS trojan is a malicious program that receives instructions and uses the compromised server to launch DDoS attacks against a specific target.
Malicious Process | Rootkit | The threat detection model detected a rootkit on your server. A rootkit is a malicious module that is implanted in the underlying system. A rootkit is used to hide traces of itself or of other malicious programs.
Webshell | Webshell file | The threat detection model detected a suspicious webshell file on your server. A webshell file may be a backdoor file that is implanted and used by attackers to maintain permissions after they intrude into a website.

Alerts related to fileless malware

Alert type | Alert name | Description
Persistence | Suspicious backdoor | The threat detection model detected a Windows Management Instrumentation (WMI) or bitsadmin backdoor on your server. Such a backdoor may have been left by attackers to maintain system permissions after your server was compromised.
Persistence | Abnormal code in memory | The threat detection model detected malicious instructions in the memory of a process on your server. The process may be malware that was left by attackers or a process into which malicious code has been injected.
Persistence | Abnormal registry configuration | The threat detection model detected a suspicious registry configuration on your server. In most cases, key registry configurations are modified by malware to achieve persistence or to conduct sabotage.
Persistence | Cobalt Strike RAT | The threat detection model detected malicious code of the Cobalt Strike RAT in the memory of a process on your server. The process may be a malicious process or a process into which malicious code has been injected.
Malicious scripts | Execution of malicious script code | The threat detection model detected that malicious script code, such as Bash, PowerShell, or Python code, was executed on your server.
Suspicious Process | Suspicious command run by a process | The threat detection model automatically analyzed the historical behavior of a process on your server and detected that the process ran a suspicious command. A potential cause is that attackers have exploited a Remote Code Execution (RCE) vulnerability in the service to run the command.
Suspicious Process | Suspicious modification of registry configurations | The threat detection model detected that a process was attempting to modify the registry configurations on your server. A potential cause is that attackers have written backdoor code into your server or have modified sensitive configurations after obtaining system permissions.
Suspicious Process | Suspicious command run by Java applications | The threat detection model detected that the Java process on your server performed high-risk behavior, such as downloading malicious programs and adding backdoors. A potential cause is that you have used vulnerable web frameworks or middleware.
Suspicious Process | Suspicious command run by scheduled tasks in Linux | The threat detection model detected that a scheduled task on your server ran a suspicious command. A potential cause is that attackers have written malicious commands into the scheduled tasks to maintain permissions after the server was compromised.
Suspicious Process | Suspicious command run by Python applications | The threat detection model detected that Python applications on your server ran a suspicious command. A potential cause is that the Python-based web application on your server has RCE vulnerabilities and has been compromised.
Suspicious Process | Suspicious command run by Tomcat | The threat detection model detected that the Tomcat container on your server ran a suspicious command. A potential cause is that attackers have exploited webshells or RCE vulnerabilities in Java applications of Tomcat containers to run malicious commands.