EDR / Host Alerts Flashcards
EDR / Host Alerts (30 cards)
What does an alert for “Credential Dumping via LSASS Access” indicate?
Potential attempt to extract credentials from memory using tools like Mimikatz.
What does a “Suspicious PowerShell Activity” alert mean?
PowerShell is being used for potentially malicious scripting or execution.
What is indicated by “Parent Process Anomaly”?
A process spawned from an unexpected or uncommon parent (e.g., Word spawning PowerShell).
What does “Execution from Suspicious Directory” alert indicate?
A binary or script is running from locations like C:\Users\Public or Temp, often abused by attackers.
What does “Unsigned Binary Execution” typically imply?
An untrusted or possibly malicious executable is running without a digital signature.
What does an alert for “PSEXEC or Remote Admin Tool Detected” mean?
Lateral movement using remote execution tools; could be legitimate or malicious.
What does “Process Hollowing Detected” indicate?
A legitimate process is being used to hide malicious code – often used in malware.
What alert might indicate exploitation of a zero-day vulnerability?
Execution of a suspicious process following unexpected software crash or vulnerability trigger.
What does “Encoded Command in PowerShell” mean?
Obfuscated commands (e.g., base64) that may hide malicious behavior.
What does “Registry Modification for Persistence” alert indicate?
Potential attempt to establish persistence by modifying Run keys or other autorun locations.
What does “User Added to Local Administrators Group” alert mean?
Possible privilege escalation or lateral movement attempt.
What does “New Service Creation” on a host imply?
An attacker may be installing a backdoor or creating persistence.
What does “Scheduled Task Creation” indicate?
Potential attempt at persistence or automation of malicious behavior.
What does an alert for “Local Account Enumeration” mean?
The attacker may be performing reconnaissance on local users for privilege escalation.
What does “Token Impersonation or Theft” alert suggest?
An attacker may be using stolen tokens to impersonate a privileged user.
What does “Script Block Logging Alert” indicate in PowerShell?
A PowerShell script attempted to execute potentially harmful commands.
What does “Suspicious File Written to Startup Folder” mean?
Possible malware attempting persistence by executing on system boot.
What is indicated by “Macros Enabled in Office Document”?
User may have enabled macros in a phishing document, potentially leading to malware.
What does “Executable File Downloaded via Browser” alert mean?
A user or malware has downloaded a potentially dangerous executable.
What does “Scripting Engine Abuse (wscript/cscript)” suggest?
Possible use of Windows scripting engines for malware execution.
What does an “Unusual Outbound Connection to Rare IP” mean?
Potential command-and-control (C2) communication or data exfiltration.
What does “SMB or RDP from Unusual Host” alert suggest?
Lateral movement using network protocols from unexpected endpoints.
What does “Reverse Shell Behavior Detected” mean?
An attacker may have established a remote shell back to their infrastructure.
What does “Use of Living Off the Land Binary (LOLBin)” indicate?
An attacker is using built-in OS tools like mshta, certutil, or regsvr32 for evasion.
