updated table

This commit is contained in:
Joey Caparas
2021-02-09 13:58:21 -08:00
parent d8a5f8ca90
commit 7658c1b294


@ -81,50 +81,24 @@ We've redefined the alert categories to align to the [enterprise attack tactics]
The table below lists the current categories and how they generally map to previous categories. The table below lists the current categories and how they generally map to previous categories.
| New category | Previous category | API category name | Detected threat activity or component | | New category | API category name | Detected threat activity or component |
|----------------------------|--------------------------------------------------------------------------------------------------|--------------------------|-------------------------------------------------------------------------------------------------------------------------------------| |----------------------|---------------------|-----------------------------------------------------------------------------------------------------------------------------------------|
| | | AccessGovernance | | | Collection | Collection | Locating and collecting data for exfiltration |
| Backdoor | None | | | | Command and control | CommandAndControl | Connecting to attacker-controlled network infrastructure to relay data or receive commands |
| Collection | None | Collection | Locating and collecting data for exfiltration | | Credential access | CredentialAccess | Obtaining valid credentials to extend control over devices and other resources in the network |
| Command and control | CommandAndControl | CommandAndControl | Connecting to attacker-controlled network infrastructure to relay data or receive commands | | Defense evasion | DefenseEvasion | Avoiding security controls by, for example, turning off security apps, deleting implants, and running rootkits |
| Credential access | CredentialTheft | CredentialAccess | Obtaining valid credentials to extend control over devices and other resources in the network | | Discovery | Discovery | Gathering information about important devices and resources, such as administrator computers, domain controllers, and file servers |
| Credential stealing | CredentialTheft | CredentialStealing | Obtaining valid credentials to extend control over devices and other resources in the network | | Execution | Execution | Launching attacker tools and malicious code, including RATs and backdoors |
| Credential theft | None | CredentialTheft | | | Exfiltration | Exfiltration | Extracting data from the network to an external, attacker-controlled location |
| | | DataGovernance | | | Exploit | Exploit | Exploit code and possible exploitation activity |
| | | DataLossPrevention | | | Initial access | InitialAccess | Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails |
| Defense evasion | None | DefenseEvasion | | | Lateral movement | LateralMovement | Moving between devices in the target network to reach critical resources or gain network persistence |
| Delivery | None | | | | Malware | Malware | Backdoors, trojans, and other types of malicious code |
| Discovery | Reconnaissance, WebFingerprinting | Discovery | Gathering information about important devices and resources, such as administrator computers, domain controllers, and file servers | | Persistence | Persistence | Creating autostart extensibility points (ASEPs) to remain active and survive system restarts |
| Document exploit | None | DocumentExploit | | | Privilege escalation | PrivilegeEscalation | Obtaining higher permission levels for code by running it in the context of a privileged process or account |
| Enterprise policy | None | EnterprisePolicy | | | Ransomware | Ransomware | Malware that encrypts files and extorts payment to restore access |
| Execution | Delivery, MalwareDownload | Execution | Launching attacker tools and malicious code, including RATs and backdoors | | Suspicious activity | SuspiciousActivity | Atypical activity that could be malware activity or part of an attack |
| Exfiltration | Exfiltration | Exfiltration | Extracting data from the network to an external, attacker-controlled location | | Unwanted software | UnwantedSoftware | Low-reputation apps and apps that impact productivity and the user experience; detected as potentially unwanted applications (PUAs) |
| Exploit | Exploit | Exploit | Exploit code and possible exploitation activity |
| General | None | General | |
| Impact | None | Impact | |
| Initial access | SocialEngineering, WebExploit, DocumentExploit | InitialAccess | Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails |
| Installation | None | Installation | |
| Lateral movement | LateralMovement, NetworkPropagation | LateralMovement | Moving between devices in the target network to reach critical resources or gain network persistence |
| | | MailFlow | |
| Malware | Malware, Backdoor, Trojan, TrojanDownloader, CredentialStealing, Weaponization, RemoteAccessTool | Malware | Backdoors, trojans, and other types of malicious code |
| Malware download | None | MalwareDownload | |
| Network propagation | None | NetworkPropagation | |
| Persistence | Installation, Persistence | Persistence | Creating autostart extensibility points (ASEPs) to remain active and survive system restarts |
| Privilege escalation | PrivilegeEscalation | PrivilegeEscalation | Obtaining higher permission levels for code by running it in the context of a privileged process or account |
| Ransomware | Ransomware | Ransomware | Malware that encrypts files and extorts payment to restore access |
| Reconnaissance | None | Reconnaissance | |
| Remote access tool | None | RemoteAccessTool | |
| Social engineering | None | SocialEngineering | |
| Suspicious activity | General, None, NotApplicable, EnterprisePolicy, SuspiciousNetworkTraffic | SuspiciousActivity | Atypical activity that could be malware activity or part of an attack |
| Suspicious network traffic | None | SuspiciousNetworkTraffic | |
| | | ThreatManagement | |
| Trojan | None | Trojan | |
| Trojan downloader | None | TrojanDownloader | |
| Unwanted software | UnwantedSoftware | UnwantedSoftware | Low-reputation apps and apps that impact productivity and the user experience; detected as potentially unwanted applications (PUAs) |
| Weaponization | None | Weaponization | |
| Web exploit | None | WebExploit | |
| Web fingerprinting | None | WebFingerprinting | |
### Status ### Status
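Review bot: the sentence introducing the table ("The table below lists the current categories and how they generally map to previous categories.") is left unchanged, but the new table drops the "Previous category" column, so the text now promises a mapping the table no longer shows; reword it to something like "The table below lists the current categories and the API category name for each." In the same hunk, the API category names that were listed without a description (AccessGovernance, DataGovernance, DataLossPrevention, MailFlow, ThreatManagement) and the legacy names mapped into the current set (CredentialTheft, CredentialStealing, General, NotApplicable, SuspiciousNetworkTraffic, Reconnaissance, WebFingerprinting, and the rest) are removed outright rather than marked deprecated; if the API can still return any of them on older alerts, anyone validating the category field against this page loses the documented value set, so either confirm those values are no longer emitted or keep a short list of deprecated API category names with the current category each maps to.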