Security Center generates different types of alerts for your assets in real time. The types of alerts include the alerts for web tampering, suspicious processes, webshells, unusual logons, and malicious processes. Security Center detects threats on your assets based on more than 250 threat detection models. This allows you to monitor the security posture of your assets in real time and take actions at the earliest opportunity.
Background information
Security Center generates alerts when it detects threats on your cloud services or assets. For example, when Security Center detects attacks that are initiated from a malicious IP address or detects exceptions on your assets, Security Center generates alerts. The exceptions include that your server runs a malicious script or accesses a malicious download source after the server is intruded.
To view the alerts that are generated for your assets, you can choose in the left-side navigation pane of the Security Center console.
Note
- By default, all protection features, excluding the web tamper proofing feature, supported by the current Security Center edition are enabled. To enable protection features such as web tamper proofing, you must upgrade Security Center to the Value-added Plan, Anti-virus, Advanced, Enterprise, or Ultimate edition. For more information, see Upgrade and downgrade Security Center.
- The web tamper proofing feature is a value-added feature provided by Security Center. You must separately purchase and enable this feature. Only the Value-added Plan, Anti-virus, Advanced, Enterprise, and Ultimate editions support the web tamper proofing feature. The Basic edition does not support this feature. For more information about how to enable the web tamper proofing feature, see Enable web tamper proofing.
- The cloud threat detection feature is supported by and automatically enabled for the Enterprise and Ultimate editions of Security Center. If you want to use this feature but Security Center runs the Basic, Anti-virus, or Advanced edition, you must upgrade Security Center to the Enterprise or Ultimate edition.
Threat detection limits
When Security Center detects risks, it sends security alerts to you without delay. You can manage security alerts, scan for vulnerabilities, analyze attacks, and perform configuration assessment in the Security Center console. Security Center can also analyze alerts and automatically trace attacks. This reinforces the security of your assets. To protect your assets against attacks, we recommend that you regularly install the latest security patches on your server, and use other security services along with Security Center, such as Cloud Firewall and Web Application Firewall (WAF).
Note Due to the evolution of attacks and viruses, and the variation of workload environments, security breaches may occur. We recommend that you use the alerting, vulnerability detection, baseline check, and configuration assessment features provided by Security Center to protect your assets against attacks.
Threat detection models
Security Center provides more than 250 threat detection models to help you detect threats in a comprehensive manner. In the upper-left corner of the Alerts page, you can click the 
icon to view the threat detection models. The models are used to detect threats during the 10 stages of a network attack. The stages include Attack Portal, Load Delivery, Privilege Escalation, and Escape Detection. This helps you detect threats on your cloud assets from end to end.
Risk levels of alerts
The alerts that are generated by Security Center are classified into the following risk levels.
| Risk level | Description |
|---|---|
| Urgent | Urgent alerts are triggered by behavior that causes damages or imposes persistent impacts on your assets. This type of behavior is similar to common attacks such as reverse shells. Urgent alerts indicate that your assets are probably under attack. We recommend that you view the details of the alerts and handle the alerts at the earliest opportunity. |
| Suspicious | Suspicious alerts are triggered by behavior that causes damages or imposes persistent impacts on your assets. This type of behavior is similar to some O&M behavior such as suspicious addition of users. This type of behavior may also be involved in an attack path but is unnecessary. Your assets can be attacked even if this type of behavior is missing. For example, the deletion of the traces that are left by attacks is unnecessary in an attack path. Suspicious alerts indicate that your assets have a certain probability of being attacked. We recommend that you view the details of the alerts and check whether risks exist. If risks exist, handle the risks. |
| Reminder | Reminder alerts are triggered by behavior that is unnecessary in an attack path. Your assets can be attacked even if this type of behavior is missing. This type of behavior is similar to some O&M behavior such as suspicious port listening. If you have high security requirements for your assets, pay attention to Reminder alerts. |
Alert statistics
Security Center provides statistics based on the alert types that are enabled. This allows you to obtain up-to-date information about the alerts on your assets and on the enabled and disabled alert types. On the Alerts page of the Security Center console, you can view the statistics about alerts and the enabled alert types.
The following table describes the parameters in the upper part of the
Alerts page.
| Parameter | Description | Operation |
|---|---|---|
| Alerting Server(s) | The number of servers for which alerts are generated | Click the number below Alerting Server(s) to go to the Server(s) tab of the Assets page. The Server(s) tab displays the details of servers for which alerts are generated. |
| All Alerts | The total number of unhandled alerts | View the details of all Unhandled alerts on the Alerts page. For more information, see View and handle alert events. |
| Urgent Alerts | The number of unhandled Urgent alerts | Click the number below Urgent Alerts. The system displays the urgent alerts on the Alerts page. You can view and handle the Urgent alerts.
Note We recommend that you handle the
Urgent alerts at the earliest opportunity.
|
| Precise Defense | The number of viruses that are automatically quarantined by the antivirus feature | Click the number below Precise Defense. The system displays the related alerts on the Alerts page. You can view all the viruses that are automatically quarantined by the antivirus feature.
Note You can ignore the viruses that are quarantined by Security Center.
|
| IP blocking / All |
|
Click a number below IP blocking / All. In the IP Policy Library panel, you can view the enabled IP address blocking policies or the IP address blocking policies that are created. For more information about IP address blocking policies, see Configure IP address blocking policies. |
| Number Of Quarantined Files | The number of files that are quarantined by Security Center based on handled alerts | Click the number below Number Of Quarantined Files. In the Quarantine panel, you can view the details of quarantined files. The quarantined files cannot affect your servers. For more information, see Quarantine. |
Alert types
Security Center Basic generates alerts for some types of webshells and for threats that are detected by using the basic logon detection feature. To enable more advanced detection features, you must upgrade Security Center to a paid edition. For more information about the types of alerts that each Security Center edition can generate, see Functions and features.
For more information about the check items of each type of alert in Security Center and the check principles, see Alerts.
The following table describes all the types of alerts that Security Center can generate.
| Alert | Description |
|---|---|
| Web tamper proofing | Security Center monitors web directories in real time and restores tampered files or directories by using the backup files. This protects websites from malicious modifications, trojans, hidden links, and uploads of violent or illicit content. Security Center can detect the following suspicious activities:
Note Web tamper proofing is a value-added feature that is provided by Security Center. To use the feature, you must purchase and enable the feature. Security Center
Anti-virus,
Advanced,
Enterprise, and
Ultimate support web tamper proofing. Security Center Basic does not support web tamper proofing. For more information, see
Use the feature of web tamper proofing.
|
| Suspicious Process | Security Center can detect the following suspicious processes:
|
| Webshell | Security Center uses engines developed by Alibaba Cloud to scan for common webshell files. Security Center supports scheduled scan tasks, provides real-time protection, and quarantines webshell files.
Note Security Center Basic detects only some types of webshells. If you want to detect all types of webshells, we recommend that you upgrade Security Center Basic to the
Anti-virus,
Advanced,
Enterprise, or
Ultimate edition. For more information, see
Upgrade and downgrade Security Center.
|
| Unusual Logon | Security Center detects unusual logons to your servers. You can configure approved logon IP addresses, time periods, and accounts. Logons from unapproved IP addresses, accounts, or time periods trigger alerts. You can manually add approved logon locations or configure the system to automatically update approved logon locations. You can also specify the assets on which alerts are triggered when unusual logon locations are detected. Security Center can detect the following suspicious activities:
|
| Suspicious Event | Security Center detects suspicious activities. |
| Sensitive File Tampering | Security Center checks whether the sensitive files on your servers are tampered with. The sensitive files include pre-loaded configuration files in the shared libraries of Linux. |
| Malicious Process | Security Center uses an agent to scan your servers in real time. If viruses are detected, Security Center generates alerts. You can handle the detected viruses in the Security Center console. Security Center can detect the following suspicious activities:
|
| Unusual Network Connection | Security Center detects unusual network connections and disconnections. Security Center can detect the following suspicious activities:
|
| Other | Security Center detects unusual disconnections of the Security Center agent and network intrusions such as DDoS attacks. |
| Suspicious Account | Security Center detects unapproved accounts that attempt to log on to your assets. |
| Application intrusion event | Security Center detects intrusions that use system application components. |
| Cloud threat detection | Security Center detects whether threats exist in the other Alibaba Cloud services that you have purchased. The threats include suspicious deletion of ECS security group rules. |
| Precise Defense | The antivirus feature provides precise protection against common ransomware, DDoS trojans, mining programs, trojans, malicious processes, webshells, and computer worms. For more information about how to enable the feature, see Use proactive defense. |
| Application Whitelist | You can create a whitelist policy for servers that require reinforced protection. If the suspicious or malicious processes that are identified by the policy are not added to the whitelist, Security Center generates alerts. |
| Persistence | Security Center detects suspicious scheduled tasks on servers. If persistent threats against the servers are detected, Security Center generates alerts. |
| Web Application Threat Detection | Security Center detects intrusions that use web applications. |
| Malicious scripts | Security Center detects whether the system services of your assets are attacked or modified by malicious scripts. If potential script attacks are detected, Security Center generates alerts. Malicious scripts are classified into file-based scripts and fileless scripts. After an attacker gains control over a server, the attacker uses scripts for additional attacks. For example, the attacker may insert mining programs and webshells, and add administrator accounts to your system. Programming languages of malicious scripts include Bash, Python, Perl, PowerShell, Batch, and VBScript. |
| Threat intelligence | Security Center uses the threat intelligence library developed by Alibaba Cloud to perform correlation analysis on access traffic and logs. Security Center also detects threat events, including access to malicious domains, malicious download sources, and malicious IP addresses. |
| Malicious Network Activity | Security Center identifies unusual network behavior based on log data, such as packet content and server behavior. Unusual network behavior includes intrusions into servers by using network services and unusual behavior of compromised servers. |
| K8s Abnormal Behavior | Security Center monitors the security status of running containers in a Kubernetes cluster. This allows you to detect security risks and intrusions in a cluster at the earliest opportunity. To detect threats to a cluster, you must enable the feature of threat detection on Kubernetes containers. For more information, see Enable features on the Container Protection Settings tab. |
| Trusted exception | Security Center detects whether your system processes have been modified and whether exceptions occur when you start the system. |
Alerts
The following list describes all the alerts that Security Center can generate. The alerts are classified based on operating systems, detection items, and attack methods. Based on the threat intelligence of Alibaba Cloud and the latest disclosed vulnerabilities, Security Center analyzes the threats on your server by using an intrusion prevention system (IPS) and generates different types of alerts. This topic describes the alerts that Security Center can generate and the types of the alerts.
Alerts for Linux servers
| Alert type | Alert name | Description |
|---|---|---|
| Persistence | Tampering of the kernel configuration file | The threat detection model detected that the configuration file of the kernel module on your server was tampered with. In most cases, the tampering is detected when a rootkit program modifies the configuration file to achieve self-starting. |
| Persistence | Malicious startup item script | The threat detection model detected that some files of self-starting items on your server were suspicious. The files may be scheduled tasks or self-starting scripts that are inserted by malware or attackers to achieve persistence. |
| Persistence | Backdoor process | The threat detection model detected a suspicious backdoor process on your server. The backdoor process may be persistent behavior that is left by attackers who attempt to maintain permissions. |
| Persistence | Abnormal code in memory | The threat detection model detected malicious instructions in the memory of a process on your server. The process may be malware that is left by attackers or a process into which malicious code is injected. |
| Persistence | Abnormal process | The threat detection model detected that abnormal processes exist in the running programs on your server. The processes may be malicious processes or processes that loaded malicious code. |
| Persistence | Abnormal self-starting item | The threat detection model detected abnormal self-starting items on your server. The self-starting items may be added by attackers or malware to achieve persistence. |
| Persistence | Hidden kernel module | The threat detection model detected hidden kernel modules on your server. The kernel modules may be rootkit backdoors that are inserted by attackers or malware, which are used to maintain system permissions and hide other malicious behavior. |
| Persistence | Suspicious scheduled task in Linux | The threat detection model detected a suspicious scheduled task on your server. The task may be persistent behavior that is left by attackers in your server. |
| Persistence | SSH public key backdoor | The threat detection model detected an abnormal SSH public key for logons on your server. The SSH public key was added to the attacked server by a worm or attacker to maintain permissions. |
| Malicious scripts | Execution of malicious script code | The threat detection model detected that malicious script code, such as Bash, PowerShell, and Python, was executed on your server. |
| Malicious scripts | Detection of a malicious script file | The threat detection model detected a malicious script file on your server. The file may be inserted by attackers who intruded into your server. We recommend that you perform the following operations: Check whether the file content is legitimate based on the tag of the malicious script. Then, handle the file. |
| Malicious Process | Tainted basic software | The threat detection model detected tainted basic software on your server. In most cases, tainted basic software is a system program into which malicious code is injected. Although the tainted basic software offers basic features, it covertly conducts malicious behavior. |
| Malicious Process | Malicious program | The threat detection model detected that a malicious program was running on your server. A malicious program is a program that has a variety of malicious behavior characteristics, or a third-party program that causes disruption or damage. |
| Malicious Process | Access to a malicious IP address | The threat detection model detected that a process on your server was attempting to connect to a malicious IP address. This IP address may be the IP address of a C&C server or the IP address of a mining pool that is exploited by attackers, which has high risks. The process may be a malicious file that is inserted by attackers. |
| Malicious Process | Infectious virus | The threat detection model detected that an infectious virus was running on your server. An infectious virus is a type of advanced malicious program. The virus itself writes malicious code into normal program files for execution. Therefore, a large number of normal programs are often infected and then detected as virus hosts. |
| Malicious Process | Attacker tool | The threat detection model detected attacker tools on your server. Attacker tools are the tools that are exploited by attackers to escalate privileges and steal sensitive data during the intrusion process, the programs that are used to uninstall security software, or the backdoor programs that are inserted in the system after the attackers intrude into your server. |
| Malicious Process | Backdoor program | The threat detection model detected that a backdoor program was running on your server. A backdoor program is a persistent program that is inserted in the system and exploited by attackers to continuously intrude into the server. |
| Malicious Process | Suspicious program | The threat detection model detected that a suspicious program was running on your server. In most cases, a suspicious program has the characteristics of malicious code or has the characteristics of a program that is highly suspicious and needs to be classified. You must determine suspicious programs based on the code or program details. |
| Malicious Process | Ransomware | The threat detection model detected that ransomware was running on your server. Ransomware is a malicious program that encrypts and locks all key data files on the server to gain ransom. |
| Malicious Process | Exploit | The threat detection model detected that an exploit was running on your server. An exploit takes advantage of known vulnerabilities in operating systems and applications to escalate privileges, implement escapes, and execute arbitrary code. |
| Malicious Process | Trojan | The threat detection model detected a trojan on your server. A trojan is a special program that is used to intrude into your server. After a trojan is inserted in the system in disguise, the trojan downloads and releases malicious programs. |
| Malicious Process | Worm | The threat detection model detected that a worm was running on your server. A worm is a type of program that replicates itself to spread from a compromised server to another server. A worm can exploit vulnerabilities and launch brute-force attacks. |
| Malicious Process | Mining program | The threat detection model detected that a mining program was running on your server. A mining program is a type of program that consumes the computing resources of the server and mines cryptocurrency. This type of program causes extremely high CPU utilization and brings malicious programs. |
| Malicious Process | Self-mutating trojan | The threat detection model detected that a self-mutating trojan was running on your server. A self-mutating trojan changes its file hash or replicates itself to a large number of paths and runs in the background. This way, it avoids being cleaned by the system. |
| Malicious Process | DDoS trojan | The threat detection model detected that a DDoS trojan was running on your server. A DDoS trojan is a malicious program that is used to receive instructions from a compromised server to launch DDoS attacks against a specific server. |
| Malicious Process | Rootkit | The threat detection model detected a rootkit on your server. A rootkit is a malicious module that is inserted in the underlying system. A rootkit is used to hide the traces of itself or other malicious programs. |
| Malicious Process | Rootkit kernel module | The threat detection model detected a rootkit on your server. A rootkit is a malicious module that is inserted in the underlying system. A rootkit is used to hide the traces of itself or other malicious programs. |
| Suspicious Process | Tampering of file time | The threat detection model detected that a process on your server attempted to modify the file time. The process may be triggered by attackers who imitate the actual file time to forge the actual creation, access, or modification time of abnormal files to evade detection. |
| Suspicious Process | Call of risk tools | The threat detection model detected a suspicious call of risk tools on your server. The risk tools can be used as proxies, tunnels, or scanning tools that are exploited by attackers to intrude into the server. |
| Suspicious Process | Reverse shell | The threat detection model detected that your server has run a reverse shell command. Attackers run reverse shell commands to establish a reverse network connection between your server and the server of attackers. Arbitrary commands can be run on your server based on the reverse network connection. For more information, see Detect reverse shells from multiple dimensions. |
| Suspicious Process | Connection to a malicious download source | The threat detection model detected that your server was attempting to connect to a malicious download source. A potential cause is that attackers have exploited weak passwords or command execution vulnerabilities to download malicious files from a remote server. |
| Suspicious Process | Access to sensitive files | The threat detection model automatically analyzed the historical behavior of a process on your server and detected that the process suspiciously read or modified important system files. |
| Suspicious Process | Suspicious command run by a process | The threat detection model automatically analyzed the historical behavior of a process on your server and detected that the process ran a suspicious command. A potential cause is that attackers have exploited the Remote Code Execution (RCE) vulnerability of the service to run the command. |
| Suspicious Process | Suspicious command run by a high-risk application | The threat detection model detected that a high-risk application on your server ran a suspicious command. A high-risk application can be a web service, database service, script, scheduled task, or self-starting item. These applications may have been compromised and used by attackers to run malicious commands. |
| Suspicious Process | Suspicious encoded command | The threat detection model detected that the command line data of a process on your server was highly suspicious. This may be related to trojans, viruses, or attackers. |
| Suspicious Process | Suspicious port listening | The threat detection model detected suspicious port listening on your server. After attackers intrude into a server, attackers use software, such as nc, for port listening. This way, attackers establish a hidden communication channel to steal information from the server. |
| Suspicious Process | Suspicious path | The threat detection model detected a suspicious file name extension on your server. The file is executable, and the format of the file does not match the format represented by the extension. A potential cause is that attackers have changed the file name extension of an executable file during the intrusion process to evade detection. |
| Suspicious Process | Execution of suspicious files | The threat detection model detected that a file on your server was written and executed in a suspicious manner. The file may be a malicious tool downloaded from external sources and executed by attackers. |
| Suspicious Process | Suspicious behavior | The threat detection model automatically analyzed the historical behavior of a process on your server and detected a suspicious command. |
| Suspicious Process | Potential data breach by using HTTP tunnels | The threat detection model detected that an HTTP channel was used to send command execution results on your server to an external server. A potential cause is that attackers have exploited RCE vulnerabilities to send the command execution results on the compromised server to the server that the attackers use. |
| Suspicious Process | Suspicious SSH tunneling | The threat detection model detected that your server was attempting to establish a suspicious SSH tunnel. |
| Suspicious Process | Suspicious webshell injection | The threat detection model detected that a suspicious process was attempting to inject a webshell file into your server. |
| Suspicious Process | Suspicious privilege escalation | The threat detection model detected that some processes on your server were exploiting system vulnerabilities and application vulnerabilities to obtain high system permissions. A potential cause is that attackers have implemented privilege escalation during the intrusion process. |
| Suspicious Process | Suspicious rootkit behavior | The threat detection model detected that a rootkit backdoor on your server was running suspicious commands. A potential cause is that attackers have inserted a rootkit backdoor and have sent malicious instructions to the backdoor to achieve remote control. |
| Suspicious Process | Suspicious call of database export tools | The threat detection model analyzed the historical behavior of a process on your server and detected suspicious calls of database export tools. A potential cause is that attackers have stolen data from your server after the server has been compromised. |
| Suspicious Process | Abnormal behavior sequence | The threat detection model detected the combination of multiple abnormal behavior sequences on your server. The combination is usually caused by the spreading of a family of worms. Your services may also have been infected by worms. |
| Suspicious Process | Suspicious command run by Apache CouchDB | The threat detection model detected that Apache CouchDB on your server ran a suspicious command. |
| Suspicious Process | Suspicious command run by FTP applications | The threat detection model detected that an FTP application on your server ran a suspicious command. A potential cause is that attackers have exploited the weak passwords in FTP applications and have used FTP to run batch files. |
| Suspicious Process | Suspicious command run by Java applications | The threat detection model detected that the Java process on your server performed high-risk operations, such as malicious program download and backdoor addition. A potential cause is that you have used vulnerable web frameworks or middleware. |
| Suspicious Process | Linux crontab file tampering | The threat detection model detected that a process on your server was attempting to modify files for scheduled tasks on a Linux server. A potential cause is that malicious programs or rootkit programs were attempting to write persistent backdoor code into your server. |
| Suspicious Process | Suspicious command run by scheduled tasks in Linux | The threat detection model detected that a scheduled task on your server ran a suspicious command. A potential cause is that attackers have written malicious commands in the scheduled tasks to maintain permissions after the server has been compromised. |
| Suspicious Process | Suspicious command sequence in Linux | The threat detection model detected that a process on your server ran a sequence of suspicious commands. These commands are similar to the sequence of commands that are usually run by attackers after a server has been compromised. We recommend that you check the parent process of the suspicious commands. The parent process may be a remote control trojan, vulnerable web service, or process into which malicious code is injected. |
| Suspicious Process | Execution of suspicious commands in Linux. | The threat detection model detected that the command line data of a process on your server was highly suspicious. This may be related to trojans, viruses, or attackers. |
| Suspicious Process | Suspicious file writing by using the MySQL EXPORT function | The threat detection model detected that the MySQL application on your server was attempting to write files to sensitive directories. A potential cause is that attackers have executed malicious SQL statements by cracking weak passwords or by using web applications. |
| Suspicious Process | Suspicious command run by MySQL | The threat detection model detected that the MySQL service on your server ran a suspicious command. Potential causes include weak passwords in the MySQL service and web services into which the SQL statements have been injected. |
| Suspicious Process | Suspicious command run by Oracle | The threat detection model detected that the Oracle database on your server ran a suspicious command. A potential cause is that attackers have run remote commands after the password of the Oracle database is leaked. |
| Suspicious Process | Suspicious UDF library file writing by using the Postgres EXPORT function | The threat detection model detected that the Postgres application on your server was attempting to write a suspicious .so file to a disk. A potential cause is that attackers have executed malicious SQL statements in the Postgres application after attackers have cracked the weak password of the Postgres application and have logged on to the Postgres application. Attackers may have used the .so file to obtain control permissions on your server. |
| Suspicious Process | Suspicious command run by PostgreSQL applications | The threat detection model detected that a PostgreSQL application on your server ran a suspicious command. Potential causes include weak passwords in PostgreSQL applications and web services into which malicious SQL statements have been injected. |
| Suspicious Process | Execution of suspicious commands by Python applications. | The threat detection model detected that a Python application on your server ran a suspicious command. A potential cause is that the Python-based web application on your server has RCE vulnerabilities and has been compromised. |
| Suspicious Process | Crontab file modified by Redis | The threat detection model detected that the Redis application on your server wrote a suspicious file to a disk. A potential cause is that attackers have used a blank password or have cracked the weak password of the Redis application to execute malicious SQL statements and obtain system permissions. |
| Suspicious Process | Suspicious command run by Tomcat | The threat detection model detected that the Tomcat container on your server ran a suspicious command. A potential cause is that attackers have exploited webshells or RCE vulnerabilities in the Java applications of Tomcat containers to run malicious commands. |
| Sensitive File Tampering | System file tampering | The threat detection model detected that a process on your server was attempting to modify or replace system files. A potential cause is that attackers were attempting to replace system files to evade detection and hide backdoors. We recommend that you check whether the system files for which the alerts are generated are actual system files. |
| Sensitive File Tampering | System file moving | The threat detection model detected that an upstream process was attempting to move system files on your server. A potential cause is that attackers have moved the system files that have been monitored by security software during the intrusion process to evade detection. |
| Sensitive File Tampering | Tampering of configuration files used to preload Linux shared library files | The threat detection model detected that the configuration files used to preload Linux shared library files were being tampered with. |
| Other | Abnormal disconnection of the Security Center agent | The threat detection model detected that the main process AliYunDun of the Security Center agent on your server exceptionally stopped and the agent was disconnected from Alibaba Cloud. The disconnection may be caused by network instability and last for a short period of time. Another potential cause is that the Security Center agent has been uninstalled from your server after the server has been compromised. In this case, you must log on to your server and check whether the Security Center agent is running. If the agent is not running, start the agent. |
| Webshell | Webshell file | The threat detection model detected a suspicious webshell file on your server. A webshell file may be a backdoor file that is inserted and used by attackers to maintain permissions after attackers intrude into a website. |
| Unusual Logon | Logon by using a malicious IP address | The threat detection model detected that a malicious IP address was used to log on to your server. The IP address was used to initiate attacks. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to your ECS instance. |
| Unusual Logon | FTP logon by using a malicious IP address | The threat detection model detected that a malicious IP address was used to log on to the FTP application on your server. The IP address was used to initiate attacks. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to the FTP application. |
| Unusual Logon | MySQL logon by using a malicious IP address | The threat detection model detected that a malicious IP address was used to log on to the MySQL application on your server. The IP address was used to initiate attacks. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to the MySQL application. |
| Unusual Logon | Server logon by using a backdoor account | The threat detection model detected that an attacker inserted a backdoor account into your server and logged on to your server by using the backdoor account. If you did not perform this operation, we recommend that you immediately delete the backdoor account. |
| Unusual Logon | Server logon by using an account with a weak password | The threat detection model detected that an account with a weak password was used to log on to your server. This logon may be performed by yourself or attackers. In most cases, attackers crack weak passwords to intrude into a server. We recommend that you immediately configure a strong password. |
| Unusual Logon | Suspicious external logon scanning | The threat detection model detected that your server frequently initiated brute-force attacks on protocols, such as SSH, RDP, and SMB. A potential cause is that your server has been attacked and has been used by attackers to attack other servers. |
| Unusual Logon | Logon from an unusual location | The threat detection model detected that your server was logged on from two locations that are far from each other within a short period of time. One of the locations is your usual logon location. The logons from different locations indicate that one of the logon requests is initiated from an unusual location rather than the usual location. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to the server. |
| Unusual Logon | Logon by using an unusual account | The threat detection model detected that you added an unusual account to the administrator group and the account was used to log on to your server. If you did not perform this operation, we recommend that you immediately delete the account. |
| Unusual Logon | ECS instance compromised due to brute-force attacks initiated by multiple invalid users | The threat detection model detected that multiple invalid users logged on to your server by using the same IP address. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to your ECS instance. |
| Unusual Logon | ECS instance compromised due to brute-force attacks on RDP | The threat detection model detected that your server was under brute-force attacks on RDP. Attackers cracked the RDP service password and logged on to the server after several times of attempts. |
| Unusual Logon | Suspicious command sequence executed after ECS logons over SSH | The threat detection model detected that some malicious commands ran on your server after an IP address was used to log on to the server. A potential cause is that the password used to log on to your server is weak or is leaked. |
| Unusual Logon | Logon to an ECS instance within an unusual time range | The time when the server is logged on is not within the logon time range that you specify. We recommend that you check whether the logon is valid. |
| Unusual Logon | Logon to an ECS instance by using an unusual account | The account that is used to log on to the server does not match the condition of a legitimate account. We recommend that you check whether the logon is valid. |
| Unusual Logon | Logon to an ECS instance by using an unusual IP address | The IP address that is used to log on to the server is not within the IP addresses that you specify. We recommend that you check whether the logon is valid. |
| Unusual Logon | Logon to an ECS instance from an unusual location | The location from which the server is logged on is not within the logon locations that you specify. We recommend that you check whether the logon is valid. |
| Unusual Network Connection | Port forwarding | The threat detection model detected that a process on your server was attempting to set up a tunnel for port forwarding. A potential cause is that attackers have used your compromised server to attack other servers that are deployed on the same internal network. |
| Unusual Network Connection | Access to a malicious domain name | The threat detection model analyzed DNS traffic and detected that your server resolved a high-risk domain name. The domain name may be a malicious domain name, such as a domain name of a remote control, domain name of a botnet organization, or mining pool address. In this case, attackers may have intruded into your server and exploited the server. |
| Unusual Network Connection | Suspicious outbound connection | The threat detection model detected that your server was attempting to access a website. The website may be related to a mining pool address, a C&C backdoor, and the domain name of a botnet organization. |
| Unusual Network Connection | Reverse shell connection by using Meterpreter | The threat detection model detected a suspicious process on your server. The process was attempting to establish a reverse shell connection for the server of the attacker to perform more operations on your server by using Meterpreter. For more information, see Detect reverse shells from multiple dimensions. |
| Unusual Network Connection | Communication with mining pools | The threat detection model detected that your server communicated with the IP addresses of mining pools. A potential cause is that your server has been intruded by an attacker and used for mining. |
| Unusual Network Connection | Internal network scan | The threat detection model detected that a process on your server initiated scans against the specified ports of multiple internal IP addresses in a short period of time. A potential cause is that attackers have attempted to launch lateral movement attacks after the server has been compromised. |
| Unusual Network Connection | Suspicious lateral movement attack on an internal network | The threat detection model detected an abnormal internal network connection on your server. A potential cause is that attackers have launched lateral movement attacks on an internal network after the server has been compromised. |
| Unusual Network Connection | Abnormal traffic | The threat detection model analyzed the traffic on your server and detected abnormal traffic. Abnormal traffic can be caused by exploits, malware communications, sensitive data breaches, and suspicious proxies and tunnels. We recommend that you handle the traffic based on the details of the alert. |
| Unusual Network Connection | Proactive connection to malicious download sources | The threat detection model detected that your server was attempting to connect to a malicious download source by using HTTP. A potential cause is that attackers have exploited weak passwords or command execution vulnerabilities to download malicious files from a remote server. |
| Unusual Network Connection | Suspicious command run by Redis | The threat detection model detected that the Redis service on your server executed malicious SQL statements after attackers connected to the Redis service. In this case, the attackers may have controlled your server. |
| Suspicious Account | System logon by using a suspicious account | The threat detection model detected that a user was attempting to log on to the system by using an unauthorized account, a system built-in account, or an attacker account. The logon may be performed by an attacker. |
Alerts for Windows servers
| Alert type | Alert name | Description |
|---|---|---|
| Persistence | Suspicious self-starting item | The threat detection model detected that some self-starting items on your server were suspicious. The items may have been added by malware or attackers to achieve persistence. |
| Persistence | Suspicious backdoor | The threat detection model detected a WMI or bitsadmin backdoor on your server. Such a backdoor may have been left by attackers to maintain system permissions after your server has been compromised. |
| Persistence | Abnormal code in memory | The threat detection model detected malicious instructions in the memory of a process on your server. The process may be malware that is left by attackers or a process into which malicious code is injected. |
| Persistence | Abnormal process | The threat detection model detected that abnormal processes exist in the running programs on your server. The processes may be malicious processes or processes that loaded malicious code. |
| Persistence | Abnormal registry configuration | The threat detection model detected a suspicious registry configuration on your server. In most cases, some key registry configurations may be modified by malware to achieve persistence or conduct sabotage behavior. |
| Persistence | Abnormal self-starting item | The threat detection model detected abnormal self-starting items on your server. The self-starting items may be added by attackers or malware to achieve persistence. |
| Persistence | Cobalt Strike RAT | The threat detection model detected malicious code of Cobalt Strike RAT in the memory of a process on your server. The process may be a malicious process or a process into which malicious code has been injected. |
| Malicious scripts | Execution of malicious script code | The threat detection model detected that malicious script code, such as Bash, PowerShell, and Python, was executed on your server. |
| Malicious scripts | Detection of a malicious script file | The threat detection model detected a malicious script file on your server. The file may be inserted by attackers who intruded into your server. We recommend that you perform the following operations: Check whether the file content is legitimate based on the tag of the malicious script. Then, handle the file. |
| Malicious Process | Malicious program | The threat detection model detected that a malicious program was running on your server. A malicious program is a program that has a variety of malicious behavior characteristics, or a third-party program that causes disruption or damage. |
| Malicious Process | Access to a malicious IP address | The threat detection model detected that a process on your server was attempting to connect to a malicious IP address. This IP address may be the IP address of a C&C server or the IP address of a mining pool that is exploited by attackers, which has high risks. The process may be a malicious file that is inserted by attackers. |
| Malicious Process | Infectious virus | The threat detection model detected that an infectious virus was running on your server. An infectious virus is a type of advanced malicious program. The virus itself writes malicious code into normal program files for execution. Therefore, a large number of normal programs are often infected and then detected as virus hosts. |
| Malicious Process | Attacker tool | The threat detection model detected attacker tools on your server. Attacker tools are the tools that are exploited by attackers to escalate privileges and steal sensitive data during the intrusion process, the programs that are used to uninstall security software, or the backdoor programs that are inserted in the system after the attackers intrude into your server. |
| Malicious Process | Backdoor program | The threat detection model detected that a backdoor program was running on your server. A backdoor program is a persistent program that is inserted in the system and exploited by attackers to continuously intrude into the server. |
| Malicious Process | Suspicious program | The threat detection model detected that a suspicious program was running on your server. In most cases, a suspicious program has the characteristics of malicious code or has the characteristics of a program that is highly suspicious and needs to be classified. You must determine suspicious programs based on the code or program details. |
| Malicious Process | Ransomware | The threat detection model detected that ransomware was running on your server. Ransomware is a malicious program that encrypts and locks all key data files on the server to gain ransom. |
| Malicious Process | Exploit | The threat detection model detected that an exploit was running on your server. An exploit takes advantage of known vulnerabilities in operating systems and applications to escalate privileges, implement escapes, and execute arbitrary code. |
| Malicious Process | Trojan | The threat detection model detected a trojan on your server. A trojan is a special program that is used to intrude into your server. After a trojan is inserted in the system in disguise, the trojan downloads and releases malicious programs. |
| Malicious Process | Worm | The threat detection model detected that a worm was running on your server. A worm is a type of program that replicates itself to spread from a compromised server to another server. A worm can exploit vulnerabilities and launch brute-force attacks. |
| Malicious Process | Mining program | The threat detection model detected that a mining program was running on your server. A mining program is a type of program that consumes the computing resources of the server and mines cryptocurrency. This type of program causes extremely high CPU utilization and brings malicious programs. |
| Malicious Process | Self-mutating trojan | The threat detection model detected that a self-mutating trojan was running on your server. A self-mutating trojan changes its file hash or replicates itself to a large number of paths and runs in the background. This way, it avoids being cleaned by the system. |
| Malicious Process | DDoS trojan | The threat detection model detected that a DDoS trojan was running on your server. A DDoS trojan is a malicious program that is used to receive instructions from a compromised server to launch DDoS attacks against a specific server. |
| Malicious Process | Hashdump running | The threat detection model detected that malware, such as Windows Credentials Editor (WCE) and minikazi, was running on your server. Such malware can steal the hash value of the system account, which causes password leaks. |
| Suspicious Process | Creation of suspicious scheduled tasks in Windows | The threat detection model detected that a suspicious scheduled task was created on your server. A potential cause is that malware or attackers have created the task to maintain permissions during the intrusion process. |
| Suspicious Process | Call of risk tools | The threat detection model detected a suspicious call of risk tools on your server. The risk tools can be used as proxies, tunnels, or scanning tools that are exploited by attackers to intrude into the server. |
| Suspicious Process | Suspicious process running by using WMIC | The threat detection model detected that your server was attempting to use WMIC to create and run programs. A potential cause is that attackers have created WMIC tasks to maintain system permissions after the server has been compromised. |
| Suspicious Process | Connection to a malicious download source | The threat detection model detected that your server was attempting to connect to a malicious download source. A potential cause is that attackers have exploited weak passwords or command execution vulnerabilities to download malicious files from a remote server. |
| Suspicious Process | Suspicious command run by a high-risk application | The threat detection model detected that a high-risk application on your server ran a suspicious command. A high-risk application can be a web service, database service, script, scheduled task, or self-starting item. These applications may have been compromised and used by attackers to run malicious commands. |
| Suspicious Process | Creation of suspicious files in high-risk applications | The threat detection model detected that sensitive services, such as web applications, created executable files or scripts on your server. A potential cause is that attackers have exploited vulnerabilities to implant viruses or trojans into your server. |
| Suspicious Process | Suspicious script operation | The threat detection model detected that some commands that are related to scripts running on your server are highly suspicious. The detected threat may be caused by malware or attackers. |
| Suspicious Process | Suspicious process path | The threat detection model detected that a process on your server was started from an unusual path in which normal software is not installed. The process may be a virus, a trojan, or a tool that is brought in when attackers intrude into your server. |
| Suspicious Process | Process with a suspicious file name | The threat detection model detected that the file of a process on your server had a suspicious file name extension or the file name imitated the name of the system file. The process may be a virus, a trojan, or a tool that is brought in when attackers intrude into your server. |
| Suspicious Process | Suspicious port listening | The threat detection model detected suspicious port listening on your server. After attackers intrude into a server, attackers use software, such as nc, for port listening. This way, attackers establish a hidden communication channel to steal information from the server. |
| Suspicious Process | Suspicious command | The threat detection model detected that the information collection command on your server was suspicious or the calls among running processes were suspicious. This may be related to trojans, viruses, or attackers. |
| Suspicious Process | Execution of suspicious files | The threat detection model detected that a file on your server was written and executed in a suspicious manner. The file may be a malicious tool downloaded from external sources and executed by attackers. |
| Suspicious Process | Suspicious modification to registry configurations | The threat detection model detected that a process was attempting to modify the registry configurations on your server. A potential cause is that attackers have written backdoor code into your server or have modified the sensitive configurations after attackers have obtained system permissions. |
| Suspicious Process | Suspicious command sequence | The threat detection model detected that a process on your server ran a sequence of suspicious commands. These commands are similar to the sequence of commands that are usually run by attackers after a server has been compromised. We recommend that you check the parent process of the suspicious commands. The parent process may be a remote control trojan, vulnerable web service, or process into which malicious code is injected. |
| Suspicious Process | ProcDump for data dumps | The threat detection model detected that the ProcDump process was saving sensitive data that is stored in the process memory to the disks on your server. This saving operation may cause sensitive data breaches. |
| Suspicious Process | Suspicious process startup by using BITSAdmin | The threat detection model detected that the BITSAdmin tool was being used to start a suspicious process on your server. A potential cause is that attackers have used the BITSAdmin tool to implant malicious programs into your server and run malicious commands. |
| Suspicious Process | Malicious code loading by using Windows system files | The threat detection model detected that a malicious command was running on your server. A potential cause is that attackers have used Windows system files to execute malicious code and evade the detection of security software. |
| Suspicious Process | Suspicious modification to self-starting items | The threat detection model detected that a process was attempting to modify a self-starting item on your server. The modification may be performed by attackers or trojans to maintain system permissions. |
| Suspicious Process | Modification to read-only and hidden attributes of files by using attrib.exe | The threat detection model detected that a process was attempting to use attrib.exe to modify the read-only and hidden attributes of the files on your server. |
| Suspicious Process | Self-starting item addition in the system registry | The threat detection model detected that a program was adding self-starting items to the registry on your server. The program may be malware, promotion software into which backdoors have been injected, or a persistent task that has been inserted by attackers after the server has been compromised. The program may also have been used by normal software to achieve self-starting. We recommend that you check whether the program is a trusted program. |
| Suspicious Process | Suspicious file download from a remote server to a disk by using FTP | The threat detection model detected that a process was attempting to download suspicious files from a remote server by using FTP on your server. |
| Suspicious Process | Suspicious file copy to a disk by using RDP | The threat detection model detected that an attacker was attempting to copy suspicious files to your server by using RDP. A potential cause is that attackers have stolen or cracked the RDP password that is used to log on to your server. |
| Suspicious Process | Abnormal deletion of system backup files | The threat detection model detected that a process was attempting to delete the system backup files from your server. A potential cause is that ransomware has deleted your system backup files to prevent file restoration and extort ransom. |
| Suspicious Process | Abnormal deletion of system logs | The threat detection model detected that a process was attempting to delete the system logs. A potential cause is that malware or attackers have deleted the system logs to evade detection. |
| Suspicious Process | Suspicious attacker tool | The threat detection model detected that some commands running on your server are very similar to the tools that are usually used by attackers. The commands may be run by attackers during the intrusion process. |
| Suspicious Process | Suspicious privilege escalation in Windows | The threat detection model detected that some commands that were running on your server were very suspicious. A potential cause is that attackers have exploited the Windows system vulnerabilities or application vulnerabilities to escalate privileges. |
| Suspicious Process | Abnormal registry operation | The threat detection model detected that some commands that were used to manage the Windows registry were highly suspicious. A potential cause is that malware or attackers have modified some registry configurations after the server has been compromised. |
| Suspicious Process | Suspicious call of database export tools | The threat detection model analyzed the historical behavior of a process on your server and detected suspicious calls of database export tools. A potential cause is that attackers have stolen data from your server after the server has been compromised. |
| Suspicious Process | Suspicious calls of system tools | The threat detection model detected that a process on your server was calling system tools in a suspicious manner. A potential cause is that trojans or attackers have called the tools to perform some malicious operations, such as malicious file download, malicious code execution, encryption, and decryption, to evade the detection of common security software. |
| Suspicious Process | Suspicious modification to system security configurations | The threat detection model detected that a process on your server was modifying the security configurations of the system. A potential cause is that malware or attackers have modified the configurations of the firewall and antivirus software to evade detection. |
| Suspicious Process | Execution of malicious commands | The threat detection model detected that the command line data of a process on your server was highly suspicious. This may be related to trojans, viruses, or attackers. |
| Suspicious Process | Malicious commands run by Cobalt Strike | The threat detection model detected that a Cobalt Strike agent was installed on your server and the Cobalt Strike agent was running malicious commands. |
| Suspicious Process | Suspicious command run by FTP applications | The threat detection model detected that an FTP application on your server ran a suspicious command. A potential cause is that attackers have exploited the weak passwords in FTP applications and have used FTP to run batch files. |
| Suspicious Process | Suspicious command run by Java applications | The threat detection model detected that the Java process on your server performed high-risk operations, such as malicious program download and backdoor addition. A potential cause is that you have used vulnerable web frameworks or middleware. |
| Suspicious Process | Suspicious process run by LSASS | The threat detection model detected that the lsass.exe process ran a suspicious command on your server. The lsass.exe process is a security authorization process in the Windows operating system. The process authenticates users and generates tokens. Multiple system vulnerabilities are exploited by attackers to initiate buffer overflow attacks against this process so that the attackers can obtain the complete control permissions of the target process. |
| Suspicious Process | Suspicious command run by MySQL | The threat detection model detected that the MySQL service on your server ran a suspicious command. Potential causes include weak passwords in the MySQL service and web services into which the SQL statements have been injected. |
| Suspicious Process | Suspicious command run by PostgreSQL applications | The threat detection model detected that a PostgreSQL application on your server ran a suspicious command. Potential causes include weak passwords in PostgreSQL applications and web services into which malicious SQL statements have been injected. |
| Suspicious Process | Execution of suspicious commands by Python applications. | The threat detection model detected that a Python application on your server ran a suspicious command. A potential cause is that the Python-based web application on your server has RCE vulnerabilities and has been compromised. |
| Suspicious Process | Suspicious command run by regsvr32 | The threat detection model detected that regsvr32.exe was running a suspicious command on your server. A potential cause is that attackers have injected malicious code into the Windows OCX files to evade detection and have used regsvr32.exe to execute the code in the memory of your server. |
| Suspicious Process | Suspicious command run by rundll32 | The threat detection model detected that rundll32.exe was running a suspicious command on your server. A potential cause is that attackers have injected malicious code into the Windows DLL files to evade detection and have used rundll32.exe to execute the code in the memory of your server. |
| Suspicious Process | Suspicious file writes to disks by SQL Server | The threat detection model detected that the SQL Server application on your server was attempting to write a suspicious file to a disk. A potential cause is that attackers have cracked the weak password of the Redis application to execute malicious SQL statements in the SQL Server application. |
| Suspicious Process | Suspicious command run by SQL Server applications | The threat detection model detected that the SQL Server application on your server ran a suspicious command. A potential cause is that attackers have cracked the weak password of the SQL Server application and have used the command execution component of the SQL Server application to run malicious commands. |
| Suspicious Process | Suspicious command run by Tomcat | The threat detection model detected that the Tomcat container on your server ran a suspicious command. A potential cause is that attackers have exploited webshells or RCE vulnerabilities in the Java applications of Tomcat containers to run malicious commands. |
| Suspicious Process | Modification to Windows Defender configurations | The threat detection model detected that your server was modifying the registry to disable some features of Windows Defender. The modification operation may have been performed by attackers who have attempted to evade detection and prevention after the server has been compromised. |
| Suspicious Process | Modification to Windows RDP configurations for port 3389 | The threat detection model detected that the RDP configurations of your server were being modified. A potential cause is that attackers have modified the RDP configurations to maintain permissions after the server has been compromised. |
| Suspicious Process | Creation of scheduled tasks in Windows | The threat detection model detected that suspicious scheduled tasks were being created on your server. A potential cause is that attackers have inserted backdoors in your server to maintain permissions after the server has been compromised. |
| Suspicious Process | Creation of suspicious service startup items in Windows | The threat detection model detected that an upstream process was attempting to create suspicious service startup items on your server. A potential cause is that attackers have inserted malicious programs in your server. If a malicious program is running, service startup items are created to maintain permissions. |
| Suspicious Process | Logon credential breaches in Windows | The threat detection model detected that some programs on your server modified the WDigest item in the registry. A potential cause is that attackers have changed the value of UseLogonCredential to allow logon credentials to be stored in plaintext. This way, attackers can steal the logon credentials from the memory of the server. |
| Suspicious Process | Execution of HTML scripts by using mshta on Windows | The threat detection model detected that a process on your server was attempting to call mshta to execute scripts embedded in HTML pages. This way, attackers can implant malicious programs into the server. |
| Suspicious Process | Suspicious port forwarding in Windows | The threat detection model detected that a command was running for port forwarding on an internal network. A potential cause is that attackers were launching lateral movement attacks on the internal network. |
| Suspicious Process | Modification of Windows Firewall configurations | The threat detection model detected that a process was attempting to modify the configurations of Windows Firewall. |
| Suspicious Process | Self-starting item addition in Windows | The threat detection model detected that abnormal self-starting items were added to your server. A potential cause is that attackers have added malicious programs to the start-up items to maintain permissions after the server has been compromised. |
| Suspicious Process | Abnormal operation on a Windows account | The threat detection model detected that the Windows account was used to perform operations on your server and the running command was suspicious. A potential cause is that malware or attackers have used the Windows account to perform operations on the server. |
| Other | Abnormal disconnection of the Security Center agent | The threat detection model detected that the main process AliYunDun of the Security Center agent on your server exceptionally stopped and the agent was disconnected from Alibaba Cloud. The disconnection may be caused by network instability and last for a short period of time. Another potential cause is that the Security Center agent has been uninstalled from your server after the server has been compromised. In this case, you must log on to your server and check whether the Security Center agent is running. If the agent is not running, start the agent. |
| Webshell | Webshell file | The threat detection model detected a suspicious webshell file on your server. A webshell file may be a backdoor file that is inserted and used by attackers to maintain permissions after attackers intrude into a website. |
| Unusual Logon | Logon by using a malicious IP address | The threat detection model detected that a malicious IP address was used to log on to your server. The IP address was used to initiate attacks. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to your ECS instance. |
| Unusual Logon | FTP logon by using a malicious IP address | The threat detection model detected that a malicious IP address was used to log on to the FTP application on your server. The IP address was used to initiate attacks. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to the FTP application. |
| Unusual Logon | MySQL logon by using a malicious IP address | The threat detection model detected that a malicious IP address was used to log on to the MySQL application on your server. The IP address was used to initiate attacks. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to the MySQL application. |
| Unusual Logon | SQL Server logon by using a malicious IP address | The threat detection model detected that a malicious IP address was used to log on to the SQL Server application on your server. The IP address was used to initiate attacks. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to the SQL Server application. |
| Unusual Logon | Server logon by using a backdoor account | The threat detection model detected that an attacker inserted a backdoor account into your server and logged on to your server by using the backdoor account. If you did not perform this operation, we recommend that you immediately delete the backdoor account. |
| Unusual Logon | Server logon by using an account with a weak password | The threat detection model detected that an account with a weak password was used to log on to your server. This logon may be performed by yourself or attackers. In most cases, attackers crack weak passwords to intrude into a server. We recommend that you immediately configure a strong password. |
| Unusual Logon | Suspicious external logon scanning | The threat detection model detected that your server frequently initiated brute-force attacks on protocols, such as SSH, RDP, and SMB. A potential cause is that your server has been attacked and has been used by attackers to attack other servers. |
| Unusual Logon | Logon from an unusual location | The threat detection model detected that your server was logged on from two locations that are far from each other within a short period of time. One of the locations is your usual logon location. The logons from different locations indicate that one of the logon requests is initiated from an unusual location rather than the usual location. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to the server. |
| Unusual Logon | Logon by using an unusual account | The threat detection model detected that you added an unusual account to the administrator group and the account was used to log on to your server. If you did not perform this operation, we recommend that you immediately delete the account. |
| Unusual Logon | ECS instance compromised due to brute-force attacks initiated by multiple invalid users | The threat detection model detected that multiple invalid users logged on to your server by using the same IP address. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to your ECS instance. |
| Unusual Logon | ECS instance compromised due to brute-force attacks on SSH | The threat detection model detected that your server was under brute-force attacks on SSH. Attackers cracked the SSH service password and logged on to the server after several times of attempts. |
| Unusual Logon | Suspicious command sequence executed after ECS logons over SSH | The threat detection model detected that some malicious commands ran on your server after an IP address was used to log on to the server. A potential cause is that the password used to log on to your server is weak or is leaked. |
| Unusual Logon | Logon to an ECS instance within an unusual time range | The time when the server is logged on is not within the logon time range that you specify. We recommend that you check whether the logon is valid. |
| Unusual Logon | Logon to an ECS instance by using an unusual account | The account that is used to log on to the server does not match the condition of a legitimate account. We recommend that you check whether the logon is valid. |
| Unusual Logon | Logon to an ECS instance by using an unusual IP address | The IP address that is used to log on to the server is not within the IP addresses that you specify. We recommend that you check whether the logon is valid. |
| Unusual Logon | Logon to an ECS instance from an unusual location | The location from which the server is logged on is not within the logon locations that you specify. We recommend that you check whether the logon is valid. |
| Unusual Network Connection | Port forwarding | The threat detection model detected that a process on your server was attempting to set up a tunnel for port forwarding. A potential cause is that attackers have used your compromised server to attack other servers that are deployed on the same internal network. |
| Unusual Network Connection | Access to a malicious domain name | The threat detection model analyzed DNS traffic and detected that your server resolved a high-risk domain name. The domain name may be a malicious domain name, such as a domain name of a remote control, domain name of a botnet organization, or mining pool address. In this case, attackers may have intruded into your server and exploited the server. |
| Unusual Network Connection | Reverse shell connection by using Meterpreter | The threat detection model detected a suspicious process on your server. The process was attempting to establish a reverse shell connection for the server of the attacker to perform more operations on your server by using Meterpreter. For more information, see Detect reverse shells from multiple dimensions. |
| Unusual Network Connection | Communication with mining pools | The threat detection model detected that your server communicated with the IP addresses of mining pools. A potential cause is that your server has been intruded by an attacker and used for mining. |
| Unusual Network Connection | Internal network scan | The threat detection model detected that a process on your server initiated scans against the specified ports of multiple internal IP addresses in a short period of time. A potential cause is that attackers have attempted to launch lateral movement attacks after the server has been compromised. |
| Unusual Network Connection | Suspicious sensitive port scanning | The threat detection model detected that a process on your server sent a large number of network requests to sensitive ports in a short period of time. The behavior may be port scanning behavior. |
| Unusual Network Connection | Abnormal traffic | The threat detection model analyzed the traffic on your server and detected abnormal traffic. Abnormal traffic can be caused by exploits, malware communications, sensitive data breaches, and suspicious proxies and tunnels. We recommend that you handle the traffic based on the details of the alert. |
| Unusual Network Connection | Proactive connection to malicious download sources | The threat detection model detected that your server was attempting to connect to a malicious download source by using HTTP. A potential cause is that attackers have exploited weak passwords or command execution vulnerabilities to download malicious files from a remote server. |
| Unusual Network Connection | Abnormal network connections in Windows | The threat detection model detected that the connection of a process on your server was unusual. This may be related to trojans, viruses, or attackers. |
| Suspicious Account | System logon by using a suspicious account | The threat detection model detected that a user was attempting to log on to the system by using an unauthorized account, a system built-in account, or an attacker account. The logon may be performed by an attacker. |
Alerts for containers
| Alert type | Alert name | Description |
|---|---|---|
| Malicious Process | Malicious program | The threat detection model detected that a malicious program was running on your server. A malicious program is a program that has a variety of malicious behavior characteristics, or a third-party program that causes disruption or damage. |
| Malicious Process | Access to a malicious IP address | The threat detection model detected that a process on your server was attempting to connect to a malicious IP address. This IP address may be the IP address of a C&C server or the IP address of a mining pool that is exploited by attackers, which has high risks. The process may be a malicious file that is inserted by attackers. |
| Malicious Process | Infectious virus | The threat detection model detected that an infectious virus was running on your server. An infectious virus is a type of advanced malicious program. The virus itself writes malicious code into normal program files for execution. Therefore, a large number of normal programs are often infected and then detected as virus hosts. |
| Malicious Process | Attacker tool | The threat detection model detected attacker tools on your server. Attacker tools are the tools that are exploited by attackers to escalate privileges and steal sensitive data during the intrusion process, the programs that are used to uninstall security software, or the backdoor programs that are inserted in the system after the attackers intrude into your server. |
| Malicious Process | Backdoor program | The threat detection model detected that a backdoor program was running on your server. A backdoor program is a persistent program that is inserted in the system and exploited by attackers to continuously intrude into the server. |
| Malicious Process | Suspicious program | The threat detection model detected that a suspicious program was running on your server. In most cases, a suspicious program has the characteristics of malicious code or has the characteristics of a program that is highly suspicious and needs to be classified. You must determine suspicious programs based on the code or program details. |
| Malicious Process | Ransomware | The threat detection model detected that ransomware was running on your server. Ransomware is a malicious program that encrypts and locks all key data files on the server to gain ransom. |
| Malicious Process | Trojan | The threat detection model detected a trojan on your server. A trojan is a special program that is used to intrude into your server. After a trojan is inserted in the system in disguise, the trojan downloads and releases malicious programs. |
| Malicious Process | Worm | The threat detection model detected that a worm was running on your server. A worm is a type of program that replicates itself to spread from a compromised server to another server. A worm can exploit vulnerabilities and launch brute-force attacks. |
| Malicious Process | Mining program | The threat detection model detected that a mining program was running on your server. A mining program is a type of program that consumes the computing resources of the server and mines cryptocurrency. This type of program causes extremely high CPU utilization and brings malicious programs. |
| Malicious Process | Self-mutating trojan | The threat detection model detected that a self-mutating trojan was running on your server. A self-mutating trojan changes its file hash or replicates itself to a large number of paths and runs in the background. This way, it avoids being cleaned by the system. |
| Malicious Process | DDoS trojan | The threat detection model detected that a DDoS trojan was running on your server. A DDoS trojan is a malicious program that is used to receive instructions from a compromised server to launch DDoS attacks against a specific server. |
| Suspicious Process | Tampering of file time | The threat detection model detected that a process on your server attempted to modify the file time. The process may be triggered by attackers who imitate the actual file time to forge the actual creation, access, or modification time of abnormal files to evade detection. |
| Suspicious Process | Remote API debugging in Docker that may pose security risks | The threat detection model detected that the Docker remote debugging interface was open to 0.0.0.0 on your server. The interface exposed on the Internet will be quickly intruded by worms. Make sure that the interface is exposed only on a trusted network. |
| Suspicious Process | Connection to a malicious download source | The threat detection model detected that your server was attempting to connect to a malicious download source. A potential cause is that attackers have exploited weak passwords or command execution vulnerabilities to download malicious files from a remote server. |
| Suspicious Process | Suspicious command run by a process | The threat detection model automatically analyzed the historical behavior of a process on your server and detected that the process ran a suspicious command. A potential cause is that attackers have exploited the Remote Code Execution (RCE) vulnerability of the service to run the command. |
| Suspicious Process | Suspicious encoded command | The threat detection model detected that the command line data of a process on your server was highly suspicious. This may be related to trojans, viruses, or attackers. |
| Suspicious Process | Suspicious starting of a privileged container. | The threat detection model detected that a suspicious privileged container was started on your server, which affected container security. If the container is compromised, containers and assets on the server will be affected. Make sure that the privileged container uses trusted image sources and the service that is running in the container is protected against intrusion. |
| Suspicious Process | Execution of suspicious files | The threat detection model detected that a file on your server was written and executed in a suspicious manner. The file may be a malicious tool downloaded from external sources and executed by attackers. |
| Suspicious Process | Suspicious behavior | The threat detection model automatically analyzed the historical behavior of a process on your server and detected a suspicious command. |
| Suspicious Process | Container network scanning behavior | The threat detection model detected that a container on your server was proactively performing a suspicious network scan. The scan may be performed by attackers to compromise your server and move from the compromised server to other servers. |
| Suspicious Process | High-risk container-related operation | The threat detection model detected that high-risk container-related operations were being performed on your server. The high-risk operations include container startup by using high-risk permissions and mapping of sensitive directories, files, and ports to containers. |
| Suspicious Process | Execution of suspicious commands inside a container | The threat detection model detected that suspicious commands were being executed inside your container, which indicates potential intrusion. |
| Suspicious Process | Collection of credentials inside containers | The threat detection model detected access to sensitive information and files within a container. The information and files include the configuration files of Docker/Swarm/Kubernetes, database connection configurations, logon credentials, AccessKey pairs, certificates, and private key files. We recommend that you check whether the container has been compromised and data has been leaked. |
| Suspicious Process | Privilege escalation in containers or container escapes | The threat detection model detected suspicious scripts or instructions that were used to escalate privileges or vulnerabilities in your containers. A potential cause is that your containers have been compromised. |
| Suspicious Process | Collection of container information | The threat detection model detected that suspicious commands were run inside the containers on your server. These commands are usually used by attackers to collect information inside a container after the container is compromised. If the operation is not a trusted operation, we recommend that you immediately reset the container. Trusted operations include the operations of security software and O&M operations of administrators. |
| Suspicious Process | Running of malicious container images | The threat detection model detected that a malicious container image was running on your server. This image may contain backdoors, mining programs, viruses, or known severe vulnerabilities. We recommend that you perform troubleshooting and use trusted image resources. |
| Suspicious Process | Abnormal operation on files of Docker | The threat detection model detected that the Docker process on your server was modifying the core service configurations or sensitive files of the system. A potential cause is that attackers have exploited the vulnerabilities in the Docker services to hijack some Docker services and have used the services to initiate container escape attacks, such as CVE-2019-5736 Docker runC and CVE-2019-14271 Docker CP. We recommend that you check whether the Docker container of the current version has such vulnerabilities. |
| Suspicious Process | Suspicious command run by FTP applications | The threat detection model detected that an FTP application on your server ran a suspicious command. A potential cause is that attackers have exploited the weak passwords in FTP applications and have used FTP to run batch files. |
| Suspicious Process | Suspicious command run by Java applications | The threat detection model detected that the Java process on your server performed high-risk operations, such as malicious program download and backdoor addition. A potential cause is that you have used vulnerable web frameworks or middleware. |
| Suspicious Process | Abnormal behavior of Kubernetes service accounts | The threat detection model detected an abnormal instruction inside your container. The instruction attempted to connect to the Kubernetes API server by using a Kubernetes service account. We recommend that you check whether the operation is a trusted operation. Trusted operations include the operations of security software and O&M operations of administrators. Make sure that the account is granted permissions based on the principle of least privilege. This avoids an attacker moving from a compromised container to other containers by using the Kubernetes API after the container is compromised. |
| Suspicious Process | Suspicious command sequence in Linux | The threat detection model detected that a process on your server ran a sequence of suspicious commands. These commands are similar to the sequence of commands that are usually run by attackers after a server has been compromised. We recommend that you check the parent process of the suspicious commands. The parent process may be a remote control trojan, vulnerable web service, or process into which malicious code is injected. |
| Suspicious Process | Execution of suspicious commands in Linux. | The threat detection model detected that the command line data of a process on your server was highly suspicious. This may be related to trojans, viruses, or attackers. |
| Suspicious Process | Suspicious command run by Oracle | The threat detection model detected that the Oracle database on your server ran a suspicious command. A potential cause is that attackers have run remote commands after the password of the Oracle database is leaked. |
| Suspicious Process | Suspicious command run by Tomcat | The threat detection model detected that the Tomcat container on your server ran a suspicious command. A potential cause is that attackers have exploited webshells or RCE vulnerabilities in the Java applications of Tomcat containers to run malicious commands. |
| K8s Abnormal Behavior | Startup of a pod based on a malicious image | The threat detection model detected that a pod that contained a malicious image was started in your Kubernetes cluster. We recommend that you check whether the image is from a trusted image source and the process inside the pod has malicious programs, such as backdoors and mining programs. |
| K8s Abnormal Behavior | Suspicious instruction run on a Kubernetes API server | The threat detection model detected that suspicious instructions were run on your Kubernetes API server. A potential cause is that attackers have obtained and used the credentials of your API server. We recommend that you check whether the server has been compromised. |
| K8s Abnormal Behavior | Abnormal access to Secrets in a Kubernetes cluster | The threat detection model detected that Secrets were being enumerated inside your Kubernetes cluster. A potential cause is that attackers were stealing sensitive information of the Secrets in the Kubernetes cluster after the cluster has been compromised. We recommend that you check whether the operation was performed by a trusted program or the administrator. |
| K8s Abnormal Behavior | Transfer of Kubernetes service accounts from one application to another | The threat detection model detected that one of your service accounts requested permissions outside of the historical baseline or failed authentication several times. A potential cause is that attackers have intruded into a pod and have used the credentials of the service account that was obtained from your server to attack an API server. We recommend that you immediately perform troubleshooting. |
| K8s Abnormal Behavior | Successful authentication of an anonymous user in Kubernetes API logs | The threat detection model analyzed your Kubernetes API logs and detected that an anonymous user logged on to your Kubernetes cluster. In most cases, anonymous users cannot be used for Kubernetes cluster O&M. If an anonymous user logs on to a cluster and the cluster is exposed to the Internet, the cluster is at high risk. We recommend that you check whether the operation is performed by a trusted administrator and immediately revoke the access permissions of the anonymous user. |
| K8s Abnormal Behavior | Mounting of sensitive node directories | The threat detection model detected that sensitive directories or files were mounted when your pod was starting. A potential cause is that attackers have mounted sensitive files to escape from the pod layer to the node layer to achieve persistence. We recommend that you check whether the operation is trusted. |
| Webshell | Webshell file | The threat detection model detected a suspicious webshell file on your server. A webshell file may be a backdoor file that is inserted and used by attackers to maintain permissions after attackers intrude into a website. |
| Unusual Network Connection | Suspicious outbound connection | The threat detection model detected that your server was attempting to access a website. The website may be related to a mining pool address, a C&C backdoor, and the domain name of a botnet organization. |
| Unusual Network Connection | Communication with mining pools | The threat detection model detected that your server communicated with the IP addresses of mining pools. A potential cause is that your server has been intruded by an attacker and used for mining. |
| Unusual Network Connection | Internal network scan | The threat detection model detected that a process on your server initiated scans against the specified ports of multiple internal IP addresses in a short period of time. A potential cause is that attackers have attempted to launch lateral movement attacks after the server has been compromised. |
| Unusual Network Connection | Suspicious command run by Redis | The threat detection model detected that the Redis service on your server executed malicious SQL statements after attackers connected to the Redis service. In this case, the attackers may have controlled your server. |
Alerts for the Alibaba Cloud platform
| Alert type | Alert name | Description |
|---|---|---|
| Cloud threat detection | Suspicious changing of user passwords | The threat detection model detected that your Alibaba Cloud account changed the password of a specific user by using APIs, which was not high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations. |
| Cloud threat detection | Suspicious enumeration of security group rules | The threat detection model detected that your Alibaba Cloud account enumerated the security group policies by using APIs, which was not high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations. |
| Cloud threat detection | Suspicious enumeration of users | The threat detection model detected that your Alibaba Cloud account enumerated all users by using APIs, which was not high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations. |
| Cloud threat detection | Suspicious enumeration of specific roles | The threat detection model detected that your Alibaba Cloud account enumerated specific roles by using APIs, which was not high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations. |
| Cloud threat detection | Suspicious deletion of security group rules | The threat detection model detected that your Alibaba Cloud account deleted security group rules by using APIs, which was not high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations. |
| Cloud threat detection | Suspicious modification to security group rules | The threat detection model detected that your Alibaba Cloud account modified security group rules by using APIs, which was not high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations. |
| Cloud threat detection | Suspicious behavior of changing an ECS password | The threat detection model detected that your Alibaba Cloud account changed the password that was used to log on to your ECS instance by using APIs, which was not high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations. |
| Cloud threat detection | Suspicious addition of security group rules | The threat detection model detected that your Alibaba Cloud account added security group rules by using APIs, which was not high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations. |
| Cloud threat detection | Suspicious addition of SSH keys to an ECS instance | The threat detection model detected that your Alibaba Cloud account added SSH keys by using APIs, which was not high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations. |
| Cloud threat detection | Abnormal commands of Cloud Assistant | The threat detection model detected that your Alibaba Cloud account ran malicious commands by using the Cloud Assistant API, which was not high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations. |
| Cloud threat detection | ActionTrail disabled | The threat detection model detected that your Alibaba Cloud account disabled ActionTrail by using APIs. A potential cause is that attackers have disabled ActionTrail to prevent the malicious behavior from being recorded. We recommend that you keep ActionTrail enabled in consideration of security. |
| Cloud threat detection | Log delivery from ActionTrail to OSS disabled | The threat detection model detected that your Alibaba Cloud account disabled ActionTrail by using APIs. A potential cause is that attackers have disabled ActionTrail to prevent the malicious behavior from being recorded. We recommend that you enable the feature of log delivery from ActionTrail to OSS in consideration of security. |
| Cloud threat detection | Log delivery from ActionTrail to Log Service disabled | The threat detection model detected that your Alibaba Cloud account disabled ActionTrail by using APIs. A potential cause is that attackers have disabled ActionTrail to prevent the malicious behavior from being recorded. We recommend that you enable the feature of log delivery from ActionTrail to Log Service in consideration of security. |
Alerts generated by analyzing traffic
| Alert type | Alert name | Description |
|---|---|---|
| Unusual Network Connection | Access to a malicious domain name | The threat detection model analyzed DNS traffic and detected that your server resolved a high-risk domain name. The domain name may be a malicious domain name, such as a domain name of a remote control, domain name of a botnet organization, or mining pool address. In this case, attackers may have intruded into your server and exploited the server. |
| Unusual Network Connection | Reverse shell connection by using Meterpreter | The threat detection model detected a suspicious process on your server. The process was attempting to establish a reverse shell connection for the server of the attacker to perform more operations on your server by using Meterpreter. |
| Unusual Network Connection | Communication with mining pools | The threat detection model detected that your server communicated with the IP addresses of mining pools. A potential cause is that your server has been intruded by an attacker and used for mining. |
| Unusual Network Connection | Abnormal traffic | The threat detection model analyzed the traffic on your server and detected abnormal traffic. Abnormal traffic can be caused by exploits, malware communications, sensitive data breaches, and suspicious proxies and tunnels. We recommend that you handle the traffic based on the details of the alert. |
| Unusual Network Connection | Proactive connection to malicious download sources | The threat detection model detected that your server was attempting to connect to a malicious download source by using HTTP. A potential cause is that attackers have exploited weak passwords or command execution vulnerabilities to download malicious files from a remote server. |
| Unusual Network Connection | Suspicious command run by Redis | The threat detection model detected that the Redis service on your server executed malicious SQL statements after attackers connected to the Redis service. In this case, the attackers may have controlled your server. |
| Web Application Threat Detection | SQL injection | The threat detection model analyzed HTTP traffic and detected that the Web service on your server was suspected of having SQL injection vulnerabilities and had been exploited by attackers. |
| Web Application Threat Detection | Successful exploitation of high-risk vulnerabilities | The threat detection model analyzed HTTP traffic and detected that your server had high-risk web vulnerabilities, which have been exploited by attackers. |
| Web Application Threat Detection | Sensitive file leaks | The threat detection model analyzed HTTP traffic and detected that sensitive files on your server were accessed by external IP addresses over HTTP. This may cause data breaches. |
| Web Application Threat Detection | Suspected attacks against web services | The threat detection model detected that the HTTP request logs generated on your server included command lines and the HTTP response logs included command outputs. A potential cause is that command execution vulnerabilities have been detected on your web services and have been exploited by attackers. |
| Malicious Network Activity | Access to a suspicious domain name | The threat detection model analyzed DNS traffic and detected that your server requested access to a high-risk domain name. In this case, your server may be exposed to intrusions or unauthorized access. Your server may also be infected by malware. |
Alerts generated by analyzing file content
| Alert type | Alert name | Description |
|---|---|---|
| Persistence | Suspicious scheduled task in Linux | The threat detection model detected a suspicious scheduled task on your server. The task may be persistent behavior that is left by attackers in your server. |
| Malicious scripts | Detection of a malicious script file | The threat detection model detected a malicious script file on your server. The file may be inserted by attackers who intruded into your server. We recommend that you perform the following operations: Check whether the file content is legitimate based on the tag of the malicious script. Then, handle the file. |
| Malicious Process | Tainted basic software | The threat detection model detected tainted basic software on your server. In most cases, tainted basic software is a system program into which malicious code is injected. Although the tainted basic software offers basic features, it covertly conducts malicious behavior. |
| Malicious Process | Malicious program | The threat detection model detected that a malicious program was running on your server. A malicious program is a program that has a variety of malicious behavior characteristics, or a third-party program that causes disruption or damage. |
| Malicious Process | Infectious virus | The threat detection model detected that an infectious virus was running on your server. An infectious virus is a type of advanced malicious program. The virus itself writes malicious code into normal program files for execution. Therefore, a large number of normal programs are often infected and then detected as virus hosts. |
| Malicious Process | Attacker tool | The threat detection model detected attacker tools on your server. Attacker tools are the tools that are exploited by attackers to escalate privileges and steal sensitive data during the intrusion process, the programs that are used to uninstall security software, or the backdoor programs that are inserted in the system after the attackers intrude into your server. |
| Malicious Process | Backdoor program | The threat detection model detected that a backdoor program was running on your server. A backdoor program is a persistent program that is inserted in the system and exploited by attackers to continuously intrude into the server. |
| Malicious Process | Suspicious program | The threat detection model detected that a suspicious program was running on your server. In most cases, a suspicious program has the characteristics of malicious code or has the characteristics of a program that is highly suspicious and needs to be classified. You must determine suspicious programs based on the code or program details. |
| Malicious Process | Ransomware | The threat detection model detected that ransomware was running on your server. Ransomware is a malicious program that encrypts and locks all key data files on the server to gain ransom. |
| Malicious Process | Trojan | The threat detection model detected a trojan on your server. A trojan is a special program that is used to intrude into your server. After a trojan is inserted in the system in disguise, the trojan downloads and releases malicious programs. |
| Malicious Process | Worm | The threat detection model detected that a worm was running on your server. A worm is a type of program that replicates itself to spread from a compromised server to another server. A worm can exploit vulnerabilities and launch brute-force attacks. |
| Malicious Process | Mining program | The threat detection model detected that a mining program was running on your server. A mining program is a type of program that consumes the computing resources of the server and mines cryptocurrency. This type of program causes extremely high CPU utilization and brings malicious programs. |
| Malicious Process | Self-mutating trojan | The threat detection model detected that a self-mutating trojan was running on your server. A self-mutating trojan changes its file hash or replicates itself to a large number of paths and runs in the background. This way, it avoids being cleaned by the system. |
| Malicious Process | DDoS trojan | The threat detection model detected that a DDoS trojan was running on your server. A DDoS trojan is a malicious program that is used to receive instructions from a compromised server to launch DDoS attacks against a specific server. |
| Malicious Process | Rootkit | The threat detection model detected a rootkit on your server. A rootkit is a malicious module that is inserted in the underlying system. A rootkit is used to hide the traces of itself or other malicious programs. |
| Webshell | Webshell file | The threat detection model detected a suspicious webshell file on your server. A webshell file may be a backdoor file that is inserted and used by attackers to maintain permissions after attackers intrude into a website. |
Alerts related to fileless malware
| Alert type | Alert name | Description |
|---|---|---|
| Persistence | Suspicious backdoor | The threat detection model detected a WMI or bitsadmin backdoor on your server. Such a backdoor may have been left by attackers to maintain system permissions after your server has been compromised. |
| Persistence | Abnormal code in memory | The threat detection model detected malicious instructions in the memory of a process on your server. The process may be malware that is left by attackers or a process into which malicious code is injected. |
| Persistence | Abnormal registry configuration | The threat detection model detected a suspicious registry configuration on your server. In most cases, some key registry configurations may be modified by malware to achieve persistence or conduct sabotage behavior. |
| Persistence | Cobalt Strike RAT | The threat detection model detected malicious code of Cobalt Strike RAT in the memory of a process on your server. The process may be a malicious process or a process into which malicious code has been injected. |
| Malicious scripts | Execution of malicious script code | The threat detection model detected that malicious script code, such as Bash, PowerShell, and Python, was executed on your server. |
| Suspicious Process | Suspicious command run by a process | The threat detection model automatically analyzed the historical behavior of a process on your server and detected that the process ran a suspicious command. A potential cause is that attackers have exploited the Remote Code Execution (RCE) vulnerability of the service to run the command. |
| Suspicious Process | Suspicious modification to registry configurations | The threat detection model detected that a process was attempting to modify the registry configurations on your server. A potential cause is that attackers have written backdoor code into your server or have modified the sensitive configurations after attackers have obtained system permissions. |
| Suspicious Process | Suspicious command run by Java applications | The threat detection model detected that the Java process on your server performed high-risk operations, such as malicious program download and backdoor addition. A potential cause is that you have used vulnerable web frameworks or middleware. |
| Suspicious Process | Suspicious command run by scheduled tasks in Linux | The threat detection model detected that a scheduled task on your server ran a suspicious command. A potential cause is that attackers have written malicious commands in the scheduled tasks to maintain permissions after the server has been compromised. |
| Suspicious Process | Execution of suspicious commands by Python applications. | The threat detection model detected that a Python application on your server ran a suspicious command. A potential cause is that the Python-based web application on your server has RCE vulnerabilities and has been compromised. |
| Suspicious Process | Suspicious command run by Tomcat | The threat detection model detected that the Tomcat container on your server ran a suspicious command. A potential cause is that attackers have exploited webshells or RCE vulnerabilities in the Java applications of Tomcat containers to run malicious commands. |