Security alerts - a reference guide

This article lists the security alerts you might see in Azure Security Center's Threat Protection module. The alerts shown in your environment depend on the resources and services you're protecting, as well as your customized configuration.

To learn how to respond to these alerts, see Manage and respond to security alerts in Azure Security Center.

Below the alert tables is a table describing the Azure Security Center kill chain that is used to categorize the intents of these alerts.

Alerts for Windows machines

Further details and notes

| Alert | Description | Intent | Severity |
|---|---|---|---|
| A logon from a malicious IP has been detected | A successful remote authentication for the account 'tristan.schleining' and process 'Advapi' occurred, however the logon IP address [IP address] has previously been reported as malicious or highly unusual. A successful attack has probably occurred. | - | High |
| A logon from a malicious IP has been detected. [seen multiple times] | A successful remote authentication for the account 'IUSR_10001' and process 'Advapi' occurred, however the logon IP address [IP address] has previously been reported as malicious or highly unusual. A successful attack has probably occurred. | - | High |
| Addition of Guest account to Local Administrators group | Analysis of host data has detected the addition of the built-in Guest account to the Local Administrators group on %{Compromised Host}, which is strongly associated with attacker activity. | - | Medium |
| An event log was cleared | Machine logs indicate a suspicious event log clearing operation by user '%{user name}' on machine '%{CompromisedEntity}'. The %{log channel} log was cleared. | - | Informational |
| Code injection discovered | Code injection is the insertion of executable modules into running processes or threads. This technique is used by malware to access data while hiding itself to avoid being found and removed. This alert indicates that an injected module is present in the crash dump. To differentiate between malicious and non-malicious injected modules, Security Center checks whether the injected module conforms to a profile of suspicious behavior. | - | Medium |
| Detected Petya ransomware indicators | Analysis of host data on %{Compromised Host} detected indicators associated with Petya ransomware. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for more information. Review the command line associated with this alert and escalate the alert to your security team. | - | High |
| Detected actions indicative of disabling and deleting IIS log files | Analysis of host data detected actions that show IIS log files being disabled and/or deleted. | - | Medium |
| Detected anomalous mix of upper and lower case characters in command-line | Analysis of host data on %{Compromised Host} detected a command line with an anomalous mix of upper and lower case characters. This kind of pattern, while possibly benign, is also typical of attackers trying to hide from case-sensitive or hash-based rule matching when performing administrative tasks on a compromised host. | - | Medium |
| Detected change to a registry key that can be abused to bypass UAC | Analysis of host data on %{Compromised Host} detected that a registry key that can be abused to bypass UAC (User Account Control) was changed. This kind of configuration, while possibly benign, is also typical of attacker activity when trying to move from unprivileged (standard user) to privileged (for example, administrator) access on a compromised host. | - | Medium |
| Detected decoding of an executable using built-in certutil.exe tool | Analysis of host data on %{Compromised Host} detected that certutil.exe, a built-in administrator utility, was being used to decode an executable instead of for its mainstream purpose of manipulating certificates and certificate data. Attackers are known to abuse the functionality of legitimate administrator tools to perform malicious actions, for example using a tool such as certutil.exe to decode a malicious executable that is then executed. | - | High |
| Detected enabling of the WDigest UseLogonCredential registry key | Analysis of host data detected a change in the registry key HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\ "UseLogonCredential". Specifically, this key has been updated to allow logon credentials to be stored in clear text in LSA memory. Once enabled, an attacker can dump clear text passwords from LSA memory with credential harvesting tools such as Mimikatz. | - | Medium |
| Detected encoded executable in command line data | Analysis of host data on %{Compromised Host} detected a base-64 encoded executable. This has previously been associated with attackers attempting to construct executables on the fly through a sequence of commands, and attempting to evade intrusion detection systems by ensuring that no individual command would trigger an alert. This could be legitimate activity, or an indication of a compromised host. | - | High |
| Detected obfuscated command line | Attackers use increasingly complex obfuscation techniques to evade detections that run against the underlying data. Analysis of host data on %{Compromised Host} detected suspicious indicators of obfuscation on the command line. | - | Informational |
| Detected possible execution of keygen executable | Analysis of host data on %{Compromised Host} detected execution of a process whose name is indicative of a keygen tool; such tools are typically used to defeat software licensing mechanisms, but their download is often bundled with other malicious software. Activity group GOLD has been known to make use of such keygens to covertly gain back door access to hosts that they compromise. | - | Medium |
| Detected possible execution of malware dropper | Analysis of host data on %{Compromised Host} detected a filename that has previously been associated with one of activity group GOLD's methods of installing malware on a victim host. | - | High |
| Detected possible local reconnaissance activity | Analysis of host data on %{Compromised Host} detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing reconnaissance activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession in the way that has occurred here is rare. | - | |
| Detected potentially suspicious use of Telegram tool | Analysis of host data shows installation of Telegram, a free cloud-based instant messaging service that exists for both mobile and desktop systems. Attackers are known to abuse this service to transfer malicious binaries to any other computer, phone, or tablet. | - | Medium |
| Detected suppression of legal notice displayed to users at logon | Analysis of host data on %{Compromised Host} detected changes to the registry key that controls whether a legal notice is displayed to users when they log on. Microsoft security analysis has determined that this is a common activity undertaken by attackers after having compromised a host. | - | Low |
| Detected suspicious combination of HTA and PowerShell | mshta.exe (Microsoft HTML Application Host), a signed Microsoft binary, is being used by attackers to launch malicious PowerShell commands. Attackers often resort to having an HTA file with inline VBScript. When a victim browses to the HTA file and chooses to run it, the PowerShell commands and scripts that it contains are executed. Analysis of host data on %{Compromised Host} detected mshta.exe launching PowerShell commands. | - | Medium |
| Detected suspicious commandline arguments | Analysis of host data on %{Compromised Host} detected suspicious command-line arguments that have been used in conjunction with a reverse shell used by activity group HYDROGEN. | - | High |
| Detected suspicious commandline used to start all executables in a directory | Analysis of host data has detected a suspicious process running on %{Compromised Host}. The command line indicates an attempt to start all executables (*.exe) that may reside in a directory. This could be an indication of a compromised host. | - | Medium |
| Detected suspicious credentials in commandline | Analysis of host data on %{Compromised Host} detected a suspicious password being used to execute a file by activity group BORON. This activity group has been known to use this password to execute Pirpi malware on a victim host. | - | High |
| Detected suspicious document credentials | Analysis of host data on %{Compromised Host} detected a suspicious, common precomputed password hash used by malware being used to execute a file. Activity group HYDROGEN has been known to use this password to execute malware on a victim host. | - | High |
| Detected suspicious execution of VBScript.Encode command | Analysis of host data on %{Compromised Host} detected the execution of the VBScript.Encode command. This encodes scripts into unreadable text, making it more difficult for users to examine the code. Microsoft threat research shows that attackers often use encoded VBScript files as part of their attack to evade detection systems. This could be legitimate activity, or an indication of a compromised host. | - | Medium |
| Detected suspicious execution via rundll32.exe | Analysis of host data on %{Compromised Host} detected rundll32.exe being used to execute a process with an uncommon name, consistent with the process naming scheme previously seen used by activity group GOLD when installing their first stage implant on a compromised host. | - | High |
| Detected suspicious file cleanup commands | Analysis of host data on %{Compromised Host} detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing post-compromise self-cleanup activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession, followed by a delete command, in the way that has occurred here is rare. | - | High |
| Detected suspicious file creation | Analysis of host data on %{Compromised Host} detected creation or execution of a process which has previously indicated post-compromise action taken on a victim host by activity group BARIUM. This activity group has been known to use this technique to download additional malware to a compromised host after an attachment in a phishing document has been opened. | - | High |
| Detected suspicious named pipe communications | Analysis of host data on %{Compromised Host} detected data being written to a local named pipe from a Windows console command. Named pipes are known to be a channel used by attackers to task and communicate with a malicious implant. This could be legitimate activity, or an indication of a compromised host. | - | High |
| Detected suspicious network activity | Analysis of network traffic from %{Compromised Host} detected suspicious network activity. Such traffic, while possibly benign, is typically used by an attacker to communicate with malicious servers for downloading of tools, command-and-control, and exfiltration of data. Typical related attacker activity includes copying remote administration tools to a compromised host and exfiltrating user data from it. | - | Low |
| Detected suspicious new firewall rule | Analysis of host data detected that a new firewall rule has been added via netsh.exe to allow traffic from an executable in a suspicious location. | - | Medium |
| Detected suspicious use of Cacls to lower the security state of the system | Attackers use myriad ways, such as brute force and spear phishing, to achieve initial compromise and get a foothold on the network. Once initial compromise is achieved, they often take steps to lower the security settings of a system. Cacls, short for change access control list, is a native Microsoft Windows command-line utility often used for modifying the security permissions on folders and files. Attackers frequently use this binary to lower the security settings of a system. This is done by giving Everyone full access to some of the system binaries such as ftp.exe, net.exe, and wscript.exe. Analysis of host data on %{Compromised Host} detected suspicious use of Cacls to lower the security of a system. | - | Medium |
| Detected suspicious use of FTP -s Switch | Analysis of process creation data from %{Compromised Host} detected the use of FTP's "-s:filename" switch. This switch is used to specify an FTP script file for the client to run. Malware or malicious processes are known to use this FTP switch (-s:filename) to point to a script file which is configured to connect to a remote FTP server and download additional malicious binaries. | - | Medium |
| Detected suspicious use of Pcalua.exe to launch executable code | Analysis of host data on %{Compromised Host} detected the use of pcalua.exe to launch executable code. Pcalua.exe is a component of the Microsoft Windows "Program Compatibility Assistant", which detects compatibility issues during the installation or execution of a program. Attackers are known to abuse the functionality of legitimate Windows system tools to perform malicious actions, for example using pcalua.exe with the -a switch to launch malicious executables either locally or from remote shares. | - | Medium |
| Detected the disabling of critical services | Analysis of host data on %{Compromised Host} detected execution of the "net.exe stop" command being used to stop critical services such as SharedAccess or Windows Security Center. The stopping of either of these services can be an indication of malicious behavior. | - | Medium |
| Digital currency mining related behavior detected | Analysis of host data on %{Compromised Host} detected the execution of a process or command normally associated with digital currency mining. | - | High |
| Dynamic PS script construction | Analysis of host data on %{Compromised Host} detected a PowerShell script being constructed dynamically. Attackers sometimes use this approach of progressively building up a script in order to evade IDS systems. This could be legitimate activity, or an indication that one of your machines has been compromised. | - | Medium |
| Executable found running from a suspicious location | Analysis of host data detected an executable file on %{Compromised Host} that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host. | - | High |
| Fileless attack technique detected | The memory of the process specified contains a fileless attack toolkit: [toolkit name]. Fileless attack toolkits typically don't have a presence on the file system, making detection by traditional antivirus software difficult. | DefenseEvasion / Execution | High |
| High risk software detected | Analysis of host data from %{Compromised Host} detected the usage of software that has been associated with the installation of malware in the past. A common technique utilized in the distribution of malicious software is to package it within otherwise benign tools such as the one seen in this alert. Upon using these tools, the malware can be silently installed in the background. | - | Medium |
| Local Administrators group members were enumerated | Machine logs indicate a successful enumeration on group %{Enumerated Group Domain Name}%{Enumerated Group Name}. Specifically, %{Enumerating User Domain Name}%{Enumerating User Name} remotely enumerated the members of the %{Enumerated Group Domain Name}%{Enumerated Group Name} group. This activity could either be legitimate activity, or an indication that a machine in your organization has been compromised and used to perform reconnaissance on %{vmname}. | - | Informational |
| Malicious SQL activity | Machine logs indicate that '%{process name}' was executed by account %{user name}. This activity is considered malicious. | - | High |
| Malicious firewall rule created by ZINC server implant [seen multiple times] | A firewall rule was created using techniques that match a known actor, ZINC. The rule was possibly used to open a port on %{Compromised Host} to allow for Command & Control communications. This behavior was seen [x] times today on the following machines: [Machine names] | - | High |
| Masquerading Windows Module Detected | Crash dump analysis detected the presence of a third-party module impersonating a Windows module within a crash dump from the process identified in this alert. This occurrence may indicate a system compromise. | - | Medium |
| Multiple Domain Accounts Queried | Analysis of host data has determined that an unusual number of distinct domain accounts are being queried within a short time period from %{Compromised Host}. This kind of activity could be legitimate, but can also be an indication of compromise. | - | Medium |
| Possible credential dumping detected [seen multiple times] | Analysis of host data has detected use of a native Windows tool (e.g. sqldumper.exe) in a way that allows credentials to be extracted from memory. Attackers often use these techniques to extract credentials that they then use for lateral movement and privilege escalation. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |
| Potential attempt to bypass AppLocker detected | Analysis of host data on %{Compromised Host} detected a potential attempt to bypass AppLocker restrictions. AppLocker can be configured to implement a policy that limits which executables are allowed to run on a Windows system. The command-line pattern identified in this alert has previously been associated with attacker attempts to circumvent AppLocker policy by using trusted executables (allowed by AppLocker policy) to execute untrusted code. This could be legitimate activity, or an indication of a compromised host. | - | High |
| PsExec execution detected | Analysis of host data indicates that the process %{Process Name} was executed by the PsExec utility. PsExec can be used for running processes remotely. This technique might be used for malicious purposes. | - | Informational |
| Ransomware indicators detected [seen multiple times] | Analysis of host data indicates suspicious activity traditionally associated with lock-screen and encryption ransomware. Lock-screen ransomware displays a full-screen message preventing interactive use of the host and access to its files. Encryption ransomware prevents access by encrypting data files. In both cases a ransom message is typically displayed, requesting payment in order to restore file access. This behavior was seen [x] times today on the following machines: [Machine names] | - | High |
| Ransomware indicators detected | Analysis of host data indicates suspicious activity traditionally associated with lock-screen and encryption ransomware. Lock-screen ransomware displays a full-screen message preventing interactive use of the host and access to its files. Encryption ransomware prevents access by encrypting data files. In both cases a ransom message is typically displayed, requesting payment in order to restore file access. | - | High |
| Rare SVCHOST service group executed | The system process SVCHOST was observed running a rare service group. Malware often uses SVCHOST to masquerade its malicious activity. | - | Informational |
| Shellcode discovered | Shellcode is the payload that is run after malware exploits a software vulnerability. This alert indicates that crash dump analysis has detected executable code that exhibits behavior commonly performed by malicious payloads. Although non-malicious software can also perform this behavior, it isn't typical of normal software development practices. | - | Medium |
| Sticky keys attack detected | Analysis of host data indicates that an attacker may be subverting an accessibility binary (for example sticky keys, on-screen keyboard, narrator) in order to provide backdoor access to the host %{Compromised Host}. | - | Medium |
| Successful brute force attack | Multiple failed authentication attempts originating from the same source were detected across multiple hosts in Azure subscriptions. This resembles a password spray attack, in which an attacker performs numerous authentication attempts spread across multiple hosts. Some of the authentication attempts successfully signed in to a host in this subscription. | - | High |
| Suspect integrity level indicative of RDP hijacking | Analysis of host data has detected tscon.exe running with SYSTEM privileges; this can be indicative of an attacker abusing this binary in order to switch context to any other logged-on user on this host. It is a known attacker technique to compromise additional user accounts and move laterally across a network. | - | Medium |
| Suspect service installation | Analysis of host data has detected the installation of tscon.exe as a service. This binary being started as a service potentially allows an attacker to trivially switch to any other logged-on user on this host by hijacking RDP connections; it is a known attacker technique to compromise additional user accounts and move laterally across a network. | - | Medium |
| Suspected Kerberos Golden Ticket attack parameters observed | Analysis of host data detected command-line parameters consistent with a Kerberos Golden Ticket attack. | - | Medium |
| Suspicious Account Creation Detected | Analysis of host data on %{Compromised Host} detected creation or use of a local account %{Suspicious account name}; this account name closely resembles a standard Windows account or group name '%{Similar To Account Name}'. This is potentially a rogue account created by an attacker, so named in order to avoid being noticed by a human administrator. | - | Medium |
| Suspicious Activity Detected | Analysis of host data has detected a sequence of one or more processes running on %{machine name} that have historically been associated with malicious activity. While individual commands may appear benign, the alert is scored based on an aggregation of these commands. This could either be legitimate activity, or an indication of a compromised host. | - | Medium |
| Suspicious PowerShell Activity Detected | Analysis of host data detected a PowerShell script running on %{Compromised Host} that has features in common with known suspicious scripts. This script could either be legitimate activity, or an indication of a compromised host. | - | High |
| Suspicious PowerShell cmdlets executed | Analysis of host data indicates execution of known malicious PowerShell PowerSploit cmdlets. | - | Medium |
| Suspicious SQL activity | Machine logs indicate that '%{process name}' was executed by account %{user name}. This activity is uncommon for this account. | - | Medium |
| Suspicious SVCHOST process executed | The system process SVCHOST was observed running in an abnormal context. Malware often uses SVCHOST to masquerade its malicious activity. | - | High |
| Suspicious Screensaver process executed | The process '%{process name}' was observed executing from an uncommon location. Files with the .scr extension are screen saver files and normally reside in, and execute from, the Windows system directory. | - | Medium |
| Suspicious Volume Shadow Copy Activity | Analysis of host data has detected a shadow copy deletion activity on the resource. Volume Shadow Copy (VSC) is an important artifact that stores data snapshots. Some malware, and specifically ransomware, targets VSC to sabotage backup strategies. | - | High |
| Suspicious WindowPosition registry value detected | Analysis of host data on %{Compromised Host} detected an attempted WindowPosition registry configuration change that could be indicative of hiding application windows in non-visible sections of the desktop. This could be legitimate activity, or an indication of a compromised machine: this type of activity has been previously associated with known adware (or unwanted software) such as Win32/OneSystemCare and Win32/SystemHealer and malware such as Win32/Creprote. When the WindowPosition value is set to 201329664 (Hex: 0x0c00 0c00, corresponding to X-axis=0c00 and Y-axis=0c00), this places the console app's window in a non-visible section of the user's screen, in an area that is hidden from view below the visible start menu/taskbar. Known suspect Hex values include, but are not limited to, c000c000. | - | Low |
| Suspicious authentication activity | Although none of them succeeded, some of the accounts used were recognized by the host. This resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host. This indicates that some of your host account names might exist in a well-known account name dictionary. | - | Medium |
| Suspicious code segment detected | Indicates that a code segment has been allocated by using non-standard methods, such as reflective injection and process hollowing. The alert provides additional characteristics of the code segment that have been processed to provide context for the capabilities and behaviors of the reported code segment. | - | Medium |
| Suspicious command execution | Machine logs indicate a suspicious command-line execution by user %{user name}. | - | |
| Suspicious double extension file executed | Analysis of host data indicates an execution of a process with a suspicious double extension. This extension may trick users into thinking files are safe to be opened and might indicate the presence of malware on the system. | - | High |
| Suspicious download using Certutil detected [seen multiple times] | Analysis of host data on %{Compromised Host} detected the use of certutil.exe, a built-in administrator utility, for the download of a binary instead of for its mainstream purpose of manipulating certificates and certificate data. Attackers are known to abuse the functionality of legitimate administrator tools to perform malicious actions, for example using certutil.exe to download and decode a malicious executable that is then executed. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |
检测到使用 Certutil 进行可疑下载Suspicious download using Certutil detected %{Compromised Host} 上的主机数据分析检测到内置的管理员实用工具 certutil.exe 并未用于与操作证书和证书数据相关的主流用途,而是被用于下载二进制文件。Analysis of host data on %{Compromised Host} detected the use of certutil.exe, a built-in administrator utility, for the download of a binary instead of its mainstream purpose that relates to manipulating certificates and certificate data. 我们知道,攻击者可以滥用合法的管理员工具的功能来执行恶意操作,例如,使用 certutil.exe 来下载和解码恶意的可执行文件,随后执行该文件。Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using certutil.exe to download and decode a malicious executable that will then be subsequently executed. - 中型Medium
执行了可疑进程 [多次出现]Suspicious process executed [seen multiple times] 计算机日志表明计算机上运行了可疑进程 '%{Suspicious Process}',该进程通常意味着攻击者尝试访问凭据。Machine logs indicate that the suspicious process: '%{Suspicious Process}' was running on the machine, often associated with attacker attempts to access credentials. 今天在下列计算机上出现了 [x] 次此行为:[计算机名称]This behavior was seen [x] times today on the following machines: [Machine names] - High
执行了可疑进程Suspicious process executed 计算机日志表明计算机上运行了可疑进程 '%{Suspicious Process}',该进程通常意味着攻击者尝试访问凭据。Machine logs indicate that the suspicious process: '%{Suspicious Process}' was running on the machine, often associated with attacker attempts to access credentials.' - High
检测到可疑的进程名称 [多次出现]Suspicious process name detected [seen multiple times] %{Compromised Host} 上的主机数据分析检测到名称可疑的进程,例如该名称对应于某个已知的攻击工具,或者从名称上看,它涉及想在众目睽睽下隐藏的攻击工具。Analysis of host data on %{Compromised Host} detected a process whose name is suspicious, for example corresponding to a known attacker tool or named in a way that is suggestive of attacker tools that try to hide in plain sight. 该进程可能是合法活动,也可能表示某个计算机已遭入侵。This process could be legitimate activity, or an indication that one of your machines has been compromised. 今天在下列计算机上出现了 [x] 次此行为:[计算机名称]This behavior was seen [x] times today on the following machines: [Machine names] - 中型Medium
检测到可疑的进程名称Suspicious process name detected %{Compromised Host} 上的主机数据分析检测到名称可疑的进程,例如该名称对应于某个已知的攻击工具,或者从名称上看,它涉及想在众目睽睽下隐藏的攻击工具。Analysis of host data on %{Compromised Host} detected a process whose name is suspicious, for example corresponding to a known attacker tool or named in a way that is suggestive of attacker tools that try to hide in plain sight. 该进程可能是合法活动,也可能表示某个计算机已遭入侵。This process could be legitimate activity, or an indication that one of your machines has been compromised. - 中型Medium
可疑的突发进程终止Suspicious process termination burst 主机数据分析指示 %{Machine Name} 中存在可疑的突发进程终止。Analysis of host data indicates a suspicious process termination burst in %{Machine Name}. 具体而言,就是在 %{Begin} 到 %{Ending} 之间有 %{NumberOfCommands} 个进程被终止。Specifically, %{NumberOfCommands} processes were killed between %{Begin} and %{Ending}. - Low
可疑系统文件执行活动Suspicious system file execution 主机数据分析检测到有人正在从异常位置运行 %{Compromised Host} 上的可执行文件。Analysis of host data detected an executable file on %{Compromised Host} that is running from an unusual location. 该可执行文件可能是合法的,也可能表示主机已遭入侵。This executable could either be legitimate activity, or an indication of a compromised host. - High
执行了可疑的系统进程Suspicious system process executed 检测到系统进程 %{process name} 在异常的上下文中运行。The system process %{process name} was observed running in an abnormal context. 恶意软件通常使用这个进程名称来掩饰恶意活动。Malware often use this process name to masquerade its malicious activity. - High
检测到名称可疑的进程Suspiciously named process detected %{Compromised Host} 上的主机数据分析检测到名称可疑的进程,该进程的名称非常类似于极常运行的进程 (%{Similar To Process Name}),但又与之不同。Analysis of host data on %{Compromised Host} detected a process whose name is very similar to but different from a very commonly run process (%{Similar To Process Name}). 尽管此进程可能是无害的,但是我们已知攻击者有时会将恶意工具命名为与合法进程相似的样子,从而隐藏于众目睽睽之下。While this process could be benign attackers are known to sometimes hide in plain sight by naming their malicious tools to resemble legitimate process names. - 中型Medium
检测到异常的进程执行活动Unusual process execution detected %{Compromised Host} 上的主机数据分析检测到 %{User Name} 存在异常的进程执行活动。Analysis of host data on %{Compromised Host} detected the execution of a process by %{User Name} that was unusual. %{User Name} 这样的帐户在操作上应该是受限的,此执行活动被判定为不符合限制,可能是可疑的。Accounts such as %{User Name} tend to perform a limited set of operations, this execution was determined to be out of character and may be suspicious. - High
检测到 VBScript HTTP 对象分配活动VBScript HTTP object allocation detected 检测到有人使用命令提示符创建 VBScript 文件。Creation of a VBScript file using Command Prompt has been detected. 以下脚本包含 HTTP 对象分配命令。The following script contains HTTP object allocation command. 此操作可能被用于下载恶意文件。This action can be used to download malicious files. - High
检测到 Windows 注册表持久性方法Windows registry persistence method detected 主机数据分析检测到攻击者尝试在 Windows 注册表中持久保留某个可执行文件。Analysis of host data has detected an attempt to persist an executable in the Windows registry. 恶意软件通常使用这种方法,因此在计算机启动后仍然存在。Malware often uses such a technique to survive a boot. - Low
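The "Suspicious WindowPosition registry value detected" row above explains how a console window's origin is packed into a single registry DWORD (201329664 = 0x0C000C00, X-axis 0x0C00 and Y-axis 0x0C00) and names c000c000 as another known suspect value. The Python below is an added example for triaging that alert, not Azure Security Center's own detection logic: it decodes the DWORD into its two coordinate words (low word X, high word Y, the layout the Windows console uses for this value), flags the two values the alert names, and additionally flags any position that lies beyond an assumed screen size. The screen size, the sample event records, the host names and the registry key paths are constructed for the example.

```python
from typing import Iterable, List, NamedTuple

# Values the alert description names as known suspect window positions:
# 201329664 == 0x0C000C00 (X=0x0C00, Y=0x0C00) and 0xC000C000.
KNOWN_SUSPECT_VALUES = {0x0C000C00, 0xC000C000}

# Assumed primary-display size used to decide whether a window is off-screen.
# This is an example assumption, not a value taken from the alert.
DEFAULT_SCREEN_WIDTH = 1920
DEFAULT_SCREEN_HEIGHT = 1080


class WindowPos(NamedTuple):
    x: int
    y: int


def decode_window_position(value: int) -> WindowPos:
    """Split the 32-bit WindowPosition DWORD into X (low word) and Y (high word).

    The console stores the window origin as one DWORD with the X axis in the
    low 16 bits and the Y axis in the high 16 bits, so 0x0C000C00 decodes to
    X=0x0C00 (3072), Y=0x0C00 (3072).
    """
    value &= 0xFFFFFFFF
    return WindowPos(x=value & 0xFFFF, y=(value >> 16) & 0xFFFF)


def is_suspicious_window_position(value: int,
                                  screen_w: int = DEFAULT_SCREEN_WIDTH,
                                  screen_h: int = DEFAULT_SCREEN_HEIGHT) -> bool:
    """True when the value is a known suspect position, or when it places the
    window entirely beyond the assumed screen where the user cannot see it."""
    if (value & 0xFFFFFFFF) in KNOWN_SUSPECT_VALUES:
        return True
    pos = decode_window_position(value)
    return pos.x >= screen_w or pos.y >= screen_h


def scan_registry_events(events: Iterable[dict]) -> List[dict]:
    """Filter registry-write records down to suspicious WindowPosition writes.

    Each record is a dict with 'host', 'key', 'value_name' and 'data' (the
    DWORD written). Records for other value names are ignored.
    """
    hits = []
    for event in events:
        if event["value_name"].lower() != "windowposition":
            continue
        if is_suspicious_window_position(event["data"]):
            pos = decode_window_position(event["data"])
            hits.append({
                "host": event["host"],
                "key": event["key"],
                "data_hex": f"0x{event['data'] & 0xFFFFFFFF:08X}",
                "x": pos.x,
                "y": pos.y,
            })
    return hits


# Constructed sample records standing in for registry-set events collected
# from endpoints (host names and key paths are made up for the example).
SAMPLE_EVENTS = [
    {"host": "ws01", "key": r"HKCU\Console",
     "value_name": "WindowPosition", "data": 0x00640064},   # X=100, Y=100: visible
    {"host": "ws02", "key": r"HKCU\Console\%SystemRoot%_system32_cmd.exe",
     "value_name": "WindowPosition", "data": 201329664},    # 0x0C000C00: named in the alert
    {"host": "ws03", "key": r"HKCU\Console",
     "value_name": "ScreenBufferSize", "data": 0x0BB80078},  # other value name: ignored
    {"host": "ws04", "key": r"HKCU\Console",
     "value_name": "WindowPosition", "data": 0xC000C000},    # second value named in the alert
    {"host": "ws05", "key": r"HKCU\Console",
     "value_name": "WindowPosition", "data": 0x00100800},    # X=2048, Y=16: off a 1920-wide screen
]


if __name__ == "__main__":
    for hit in scan_registry_events(SAMPLE_EVENTS):
        print(f"{hit['host']}: {hit['key']} WindowPosition={hit['data_hex']} "
              f"(X={hit['x']}, Y={hit['y']})")
```

The off-screen check is deliberately conservative: multi-monitor desktops legitimately place windows at coordinates larger than the primary display, so the screen size should come from the fleet's actual display inventory rather than the constant used here, and a hit is a triage lead to be read together with the process that wrote the value, not a verdict.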

Alerts for Linux machines

Further details and notes

| Alert | Description | Intent (Learn more) | Severity |
|---|---|---|---|
| A kernel module was loaded | A kernel module was loaded in the host %{compromised host} using the command %{Command used} by the user %{user}. | - | Low |
| A kernel module was removed | A kernel module was removed in the host %{compromised host} using the command %{Command used} by the user %{user}. | - | Medium |
| A new user was added to the sudoers group | Host data analysis detected that a user was added to the sudoers group, which enables its members to run commands with high privileges. | PrivilegeEscalation | Low |
| Access of htaccess file detected | Analysis of host data on %{Compromised Host} detected possible manipulation of an htaccess file. Htaccess is a powerful configuration file that allows you to make multiple changes to a web server running the Apache Web software, including basic redirect functionality or more advanced functions such as basic password protection. Attackers will often modify htaccess files on machines they have compromised to gain persistence. | - | Medium |
| An history file has been cleared | Analysis of host data indicates that the command history log file has been cleared. Attackers may do this to cover their traces. The operation was performed by user: '%{user name}'. | - | Medium |
| Attempt to stop apt-daily-upgrade.timer service detected [seen multiple times] | Analysis of host data on %{Compromised Host} detected an attempt to stop the apt-daily-upgrade.timer service. In some recent attacks, attackers have been observed stopping this service to download malicious files and grant execution privileges for their attack. This behavior was seen [x] times today on the following machines: [Machine names] | - | Low |
| Attempt to stop apt-daily-upgrade.timer service detected | Analysis of host data on %{Compromised Host} detected an attempt to stop the apt-daily-upgrade.timer service. In some recent attacks, attackers have been observed stopping this service to download malicious files and grant execution privileges for their attack. | - | Low |
| Behavior similar to Fairware ransomware detected [seen multiple times] | Analysis of host data on %{Compromised Host} detected the execution of rm -rf commands applied to suspicious locations. As rm -rf will recursively delete files, it is normally used on discrete folders. In this case, it is being used in a location that could remove a lot of data. Fairware ransomware is known to execute rm -rf commands in this folder. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |
| Behavior similar to Fairware ransomware detected | Analysis of host data on %{Compromised Host} detected the execution of rm -rf commands applied to suspicious locations. As rm -rf will recursively delete files, it is normally used on discrete folders. In this case, it is being used in a location that could remove a lot of data. Fairware ransomware is known to execute rm -rf commands in this folder. | - | Medium |
| Behavior similar to common Linux bots detected [seen multiple times] | Analysis of host data on %{Compromised Host} detected the execution of a process normally associated with common Linux botnets. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |
| Behavior similar to common Linux bots detected | Analysis of host data on %{Compromised Host} detected the execution of a process normally associated with common Linux botnets. | - | Medium |
| Behavior similar to ransomware detected [seen multiple times] | Analysis of host data on %{Compromised Host} detected the execution of files that resemble known ransomware, which can prevent users from accessing their system or personal files and demands ransom payment in order to regain access. This behavior was seen [x] times today on the following machines: [Machine names] | - | High |
| Container with a miner image detected | Machine logs indicate execution of a Docker container that runs an image associated with digital currency mining. This behavior can possibly indicate that your resources are being abused by an attacker. | - | High |
| Detected Persistence Attempt [seen multiple times] | Analysis of host data on %{Compromised Host} has detected installation of a startup script for single-user mode. It is extremely rare that any legitimate process has any requirement to execute in that mode, so this may indicate an attacker has added a malicious process to every run-level to guarantee persistence. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |
| Detected Persistence Attempt | Host data analysis has detected that a startup script for single-user mode has been installed. Because it's rare that any legitimate process would be required to run in that mode, this might indicate that an attacker has added a malicious process to every run-level to guarantee persistence. | Persistence | Medium |
| Detected anomalous mix of upper and lower case characters in command line | Analysis of host data on %{Compromised Host} detected a command line with an anomalous mix of upper and lower case characters. This kind of pattern, while possibly benign, is also typical of attackers trying to hide from case-sensitive or hash-based rule matching when performing administrative tasks on a compromised host. | - | Medium |
| Detected file download from a known malicious source [seen multiple times] | Analysis of host data has detected the download of a file from a known malware source on %{Compromised Host}. This behavior was seen over [x] times today on the following machines: [Machine names] | - | Medium |
| Detected file download from a known malicious source | Analysis of host data has detected the download of a file from a known malware source on %{Compromised Host}. | - | Medium |
| Detected suspicious file download [seen multiple times] | Analysis of host data has detected a suspicious download of a remote file on %{Compromised Host}. This behavior was seen 10 times today on the following machines: [Machine name] | - | Low |
| Detected suspicious file download | Analysis of host data has detected a suspicious download of a remote file on %{Compromised Host}. | - | Low |
| Detected suspicious network activity | Analysis of network traffic from %{Compromised Host} detected suspicious network activity. Such traffic, while possibly benign, is typically used by an attacker to communicate with malicious servers for downloading of tools, command-and-control and exfiltration of data. Typical related attacker activity includes copying remote administration tools to a compromised host and exfiltrating user data from it. | - | Low |
| Detected suspicious use of the nohup command [seen multiple times] | Analysis of host data has detected suspicious use of the nohup command on %{Compromised Host}. Attackers have been seen running the command nohup from a temporary directory to allow their executables to run in the background. It is not normal to see this command run on files located in a temporary directory. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |
| Detected suspicious use of the nohup command | Analysis of host data has detected suspicious use of the nohup command on %{Compromised Host}. Attackers have been seen running the command nohup from a temporary directory to allow their executables to run in the background. It is not normal to see this command run on files located in a temporary directory. | - | Medium |
| Detected suspicious use of the useradd command [seen multiple times] | Analysis of host data has detected suspicious use of the useradd command on %{Compromised Host}. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |
| Detected suspicious use of the useradd command | Analysis of host data has detected suspicious use of the useradd command on %{Compromised Host}. | - | Medium |
| Digital currency mining related behavior detected | Analysis of host data on %{Compromised Host} detected the execution of a process or command normally associated with digital currency mining. | - | High |
| Disabling of auditd logging [seen multiple times] | The Linux Audit system provides a way to track security-relevant information on the system. It records as much information about the events that are happening on your system as possible. Disabling auditd logging could hamper discovering violations of security policies used on the system. This behavior was seen [x] times today on the following machines: [Machine names] | - | Low |
| Executable found running from a suspicious location | Analysis of host data detected an executable file on %{Compromised Host} that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host. | - | High |
| Exploitation of Xorg vulnerability [seen multiple times] | Analysis of host data on %{Compromised Host} detected the use of Xorg with suspicious arguments. Attackers may use this technique in privilege escalation attempts. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |
| Exposed Docker daemon detected | Machine logs indicate that your Docker daemon (dockerd) exposes a TCP socket. By default, the Docker configuration does not use encryption or authentication when a TCP socket is enabled. This enables full access to the Docker daemon by anyone with access to the relevant port. | - | Medium |
| Failed SSH brute force attack | Failed brute force attacks were detected from the following attackers: %{Attackers}. Attackers were trying to access the host with the following user names: %{Accounts used on failed sign in to host attempts}. | - | Medium |
| Hidden file execution detected | Analysis of host data indicates that a hidden file was executed by %{user name}. This activity could either be legitimate activity, or an indication of a compromised host. | - | Informational |
| Local host reconnaissance detected [seen multiple times] | Analysis of host data on %{Compromised Host} detected the execution of a command normally associated with common Linux bot reconnaissance. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |
| Local host reconnaissance detected | Analysis of host data on %{Compromised Host} detected the execution of a command normally associated with common Linux bot reconnaissance. | - | Medium |
| Manipulation of host firewall detected [seen multiple times] | Analysis of host data on %{Compromised Host} detected possible manipulation of the on-host firewall. Attackers will often disable this to exfiltrate data. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |
| Manipulation of host firewall detected | Analysis of host data on %{Compromised Host} detected possible manipulation of the on-host firewall. Attackers will often disable this to exfiltrate data. | - | Medium |
| New SSH key added [seen multiple times] | A new SSH key was added to the authorized keys file. This behavior was seen [x] times today on the following machines: [Machine names] | - | Low |
| New SSH key added | A new SSH key was added to the authorized keys file. | - | Low |
| Possible Log Tampering Activity Detected [seen multiple times] | Analysis of host data on %{Compromised Host} detected possible removal of files that track user activity during the course of its operation. Attackers often try to evade detection and leave no trace of malicious activities by deleting such log files. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |
| Possible Log Tampering Activity Detected | Analysis of host data on %{Compromised Host} detected possible removal of files that track user activity during the course of its operation. Attackers often try to evade detection and leave no trace of malicious activities by deleting such log files. | - | Medium |
| Possible attack tool detected [seen multiple times] | Machine logs indicate that the suspicious process '%{Suspicious Process}' was running on %{Compromised Host}. This tool is often associated with malicious users attacking other machines in some way. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |
| Possible attack tool detected | Machine logs indicate that the suspicious process '%{Suspicious Process}' was running on %{Compromised Host}. This tool is often associated with malicious users attacking other machines in some way. | - | Medium |
| Possible backdoor detected [seen multiple times] | Analysis of host data has detected a suspicious file being downloaded then run on %{Compromised Host} in your subscription. This activity has previously been associated with installation of a backdoor. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |
| Possible credential access tool detected [seen multiple times] | Machine logs indicate that a possible known credential access tool was running on %{Compromised Host}, launched by process '%{Suspicious Process}'. This tool is often associated with attacker attempts to access credentials. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |
| Possible credential access tool detected | Machine logs indicate that a possible known credential access tool was running on %{Compromised Host}, launched by process '%{Suspicious Process}'. This tool is often associated with attacker attempts to access credentials. | - | Medium |
| Possible exploitation of Hadoop Yarn | Analysis of host data on %{Compromised Host} detected the possible exploitation of the Hadoop Yarn service. | - | Medium |
| Possible loss of data detected [seen multiple times] | Analysis of host data on %{Compromised Host} detected a possible data egress condition. Attackers will often egress data from machines they have compromised. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |
| Possible loss of data detected | Analysis of host data on %{Compromised Host} detected a possible data egress condition. Attackers will often egress data from machines they have compromised. | - | Medium |
| Possible malicious web shell detected [seen multiple times] | Analysis of host data on %{Compromised Host} detected a possible web shell. Attackers will often upload a web shell to a machine they have compromised to gain persistence or for further exploitation. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |
| Possible malicious web shell detected | Analysis of host data on %{Compromised Host} detected a possible web shell. Attackers will often upload a web shell to a machine they have compromised to gain persistence or for further exploitation. | - | Medium |
| Possible password change using crypt-method detected [seen multiple times] | Analysis of host data on %{Compromised Host} detected a password change using the crypt method. Attackers can make this change to continue access and gain persistence after compromise. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |
| Potential overriding of common files [seen multiple times] | Analysis of host data has detected common executables being overwritten on %{Compromised Host}. Attackers will overwrite common files as a way to obfuscate their actions or for persistence. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |
| Potential overriding of common files | Analysis of host data has detected common executables being overwritten on %{Compromised Host}. Attackers will overwrite common files as a way to obfuscate their actions or for persistence. | - | Medium |
| Potential port forwarding to external IP address [seen multiple times] | Analysis of host data on %{Compromised Host} detected the initiation of port forwarding to an external IP address. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |
| Potential port forwarding to external IP address | Host data analysis detected the initiation of port forwarding to an external IP address. | Exfiltration / CommandAndControl | Medium |
| Potential reverse shell detected [seen multiple times] | Analysis of host data on %{Compromised Host} detected a potential reverse shell. These are used to get a compromised machine to call back into a machine an attacker owns. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |
| Potential reverse shell detected | Analysis of host data on %{Compromised Host} detected a potential reverse shell. These are used to get a compromised machine to call back into a machine an attacker owns. | - | Medium |
| Privileged Container Detected | Machine logs indicate that a privileged Docker container is running. A privileged container has full access to the host's resources. If compromised, an attacker can use the privileged container to gain access to the host machine. | - | Low |
| Privileged command run in container | Machine logs indicate that a privileged command was run in a Docker container. A privileged command has extended privileges on the host machine. | - | Low |
| Process associated with digital currency mining detected [seen multiple times] | Analysis of host data on %{Compromised Host} detected the execution of a process normally associated with digital currency mining. This behavior was seen over 100 times today on the following machines: [Machine name] | - | Medium |
| Process associated with digital currency mining detected | Host data analysis detected the execution of a process that is normally associated with digital currency mining. | Exploitation / Execution | Medium |
| Process seen accessing the SSH authorized keys file in an unusual way | An SSH authorized keys file has been accessed in a method similar to known malware campaigns. This access can indicate that an attacker is attempting to gain persistent access to a machine. | - | |
| Python encoded downloader detected [seen multiple times] | Analysis of host data on %{Compromised Host} detected the execution of encoded Python that downloads and runs code from a remote location. This may be an indication of malicious activity. This behavior was seen [x] times today on the following machines: [Machine names] | - | Low |
| SSH server is running inside a container | Machine logs indicate that an SSH server is running inside a Docker container. While this behavior can be intentional, it frequently indicates that a container is misconfigured or breached. | - | Medium |
| Screenshot taken on host [seen multiple times] | Analysis of host data on %{Compromised Host} detected the use of a screen capture tool. Attackers may use these tools to access private data. This behavior was seen [x] times today on the following machines: [Machine names] | - | Low |
| Script extension mismatch detected [seen multiple times] | Analysis of host data on %{Compromised Host} detected a mismatch between the script interpreter and the extension of the script file provided as input. This has frequently been associated with attacker script executions. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |
| Script extension mismatch detected | Analysis of host data on %{Compromised Host} detected a mismatch between the script interpreter and the extension of the script file provided as input. This has frequently been associated with attacker script executions. | - | Medium |
| Shellcode detected [seen multiple times] | Analysis of host data on %{Compromised Host} detected shellcode being generated from the command line. This process could be legitimate activity, or an indication that one of your machines has been compromised. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |
成功的 SSH 暴力攻击Successful SSH brute force attack 主机数据分析检测到成功的暴力攻击。Analysis of host data has detected a successful brute force attack. 发现 IP %{Attacker source IP} 进行了多次登录尝试。The IP %{Attacker source IP} was seen making multiple login attempts. 该 IP 的攻击者以下列用户身份成功完成了登录:%{Accounts used to successfully sign in to host}。Successful logins were made from that IP with the following user(s): %{Accounts used to successfully sign in to host}. 这意味着主机可能会受到恶意执行组件的入侵和控制。This means that the host may be compromised and controlled by a malicious actor. - High
检测到可疑的帐户创建操作Suspicious Account Creation Detected %{Compromised Host} 上的主机数据分析检测到,有人创建或使用了本地帐户 %{Suspicious account name},此帐户名称与标准 Windows 帐户或组名“%{Similar To Account Name}”类似。Analysis of host data on %{Compromised Host} detected creation or use of a local account %{Suspicious account name} : this account name closely resembles a standard Windows account or group name '%{Similar To Account Name}'. 这可能是攻击者创建的恶意帐户,目的是不让人工管理员注意到。This is potentially a rogue account created by an attacker, so named in order to avoid being noticed by a human administrator. - 中型Medium
检测到可疑 PHP 执行活动Suspicious PHP execution detected 计算机日志指示有可疑 PHP 进程正在运行。Machine logs indicate a that a suspicious PHP process is running. 该操作包含尝试使用 PHP 进程从命令行运行 OS 命令或 PHP 代码。The action included an attempt to run OS commands or PHP code from the command line using the PHP process. 虽然这种行为是合法的,但在 Web 应用程序中,这种行为也会出现在恶意活动中,例如尝试利用 Web shell 感染网站。While this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells. - 中型Medium
检测到可疑的编译 [多次出现]Suspicious compilation detected [seen multiple times] %{Compromised Host} 的主机数据分析检测到可疑的编译。Analysis of host data on %{Compromised Host} detected suspicious compilation. 攻击者通常会在已入侵的计算机上编译利用漏洞的内容以提升特权。Attackers will often compile exploits on a machine they have compromised to escalate privileges. 今天在下列计算机上出现了 [x] 次此行为:[计算机名称]This behavior was seen [x] times today on the following machines: [Machine names] - 中型Medium
检测到可疑的编译Suspicious compilation detected %{Compromised Host} 的主机数据分析检测到可疑的编译。Analysis of host data on %{Compromised Host} detected suspicious compilation. 攻击者通常会在已入侵的计算机上编译利用漏洞的内容以提升特权。Attackers will often compile exploits on a machine they have compromised to escalate privileges. - 中型Medium
可疑文件时间戳修改操作Suspicious file timestamp modification 主机数据分析检测到可疑的时间戳修改操作。Host data analysis detected a suspicious timestamp modification. 攻击者经常将时间戳从现有的合法文件复制到新工具,以绕开对这些新丢弃的文件的检测。Attackers often copy timestamps from existing, legitimate files to new tools to avoid detection of these newly dropped files. 持久性/防御规避Persistence / DefenseEvasion Low
检测到可疑内核模块 [多次出现]Suspicious kernel module detected [seen multiple times] %{Compromised Host} 上的主机数据分析检测到有人将共享对象文件加载为内核模块。Analysis of host data on %{Compromised Host} detected a shared object file being loaded as a kernel module. 该活动可能是合法的,也可能表示某个计算机已遭入侵。This could be legitimate activity, or an indication that one of your machines has been compromised. 今天在下列计算机上出现了 [x] 次此行为:[计算机名称]This behavior was seen [x] times today on the following machines: [Machine names] - 中型Medium
可疑的密码访问 [多次出现]Suspicious password access [seen multiple times] 主机数据分析检测到 %{Compromised Host} 上存在对加密用户密码的可疑访问行为。Analysis of host data has detected suspicious access to encrypted user passwords on %{Compromised Host}. 今天在下列计算机上出现了 [x] 次此行为:[计算机名称]This behavior was seen [x] times today on the following machines: [Machine names] - 信息性Informational
可疑的密码访问Suspicious password access 主机数据分析检测到 %{Compromised Host} 上存在对加密用户密码的可疑访问行为。Analysis of host data has detected suspicious access to encrypted user passwords on %{Compromised Host}. - 信息性Informational
对 Kubernetes API 的可疑请求Suspicious request to Kubernetes API 计算机日志指示有人对 Kubernetes API 发出了可疑的请求。Machine logs indicate that a suspicious request was made to the Kubernetes API. 该请求是从 Kubernetes 节点发送的,可能来自节点中运行的某个容器。The request was sent from a Kubernetes node, possibly from one of the containers running in the node. 尽管此行为可能是故意的,但它可能指示节点运行的某个容器已遭入侵。Although this behavior can be intentional, it might indicate that the node is running a compromised container. - 中型Medium

Alerts for Azure App Service

Further details and notes

| Alert | Description | Intent (Learn more) | Severity |
|---|---|---|---|
| An attempt to run Linux commands on a Windows App Service | Analysis of App Service processes detected an attempt to run a Linux command on a Windows App Service. This action was run by the web application. This behavior is often seen during campaigns that exploit a vulnerability in a common web application. | - | Medium |
| An IP that connected to your Azure App Service FTP Interface was found in Threat Intelligence | App Service FTP log analysis detected a connection from a source address that was found in the threat intelligence feed. During this connection, a user accessed the pages listed. | - | Medium |
| Anomalous requests pattern detected | The Azure App Service activity log indicates anomalous HTTP activity to the App Service from %{Source IP}. This activity resembles a pattern of fuzzing / brute force activity. | - | |
| Attempt to run high privilege command detected | Analysis of App Service processes has detected an attempt to run a command that requires high privileges. The command ran in the web application context. While this behavior can be legitimate, in web applications this behavior might indicate malicious activities. | - | Medium |
| Connection to web page from anomalous IP address detected | The Azure App Service activity log indicates a connection to a sensitive web page from a source IP address (%{Source IP Address}) that has never connected to it before. This might indicate that someone is attempting a brute force attack against your web app administration pages. It might also be the result of a new IP address being used by a legitimate user. | - | |
| Phishing content hosted on Azure Webapps | A URL used for a phishing attack was found on the Azure App Services website. This URL was part of a phishing attack sent to O365 customers. The content typically lures visitors into entering their corporate credentials or financial information into a legitimate-looking website. | Collection | High |
| PHP file in upload folder | The Azure App Service activity log indicates access to a suspicious PHP page located in the upload folder. This type of folder does not usually contain PHP files. The existence of this type of file might indicate an exploitation taking advantage of arbitrary file upload vulnerabilities. | - | |
| Raw data download detected | Analysis of App Service processes detected an attempt to download code from raw-data websites such as Pastebin. This action was run by a PHP process. This behavior is associated with attempts to download web shells or other malicious components to the App Service. | - | Medium |
| Saving curl output to disk detected | Analysis of App Service processes detected the running of a curl command in which the output was saved to disk. While this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells. | - | Low |
| Spam folder referrer detected | The Azure App Service activity log indicates web activity that was identified as originating from a web site associated with SPAM activity. This could occur if your web site is compromised and used for spam activity. | - | |
| Suspicious access to possibly vulnerable web page detected | The App Service activity log indicates that a web page that seems to be sensitive was accessed. This suspicious activity originated from a source address whose access pattern resembles that of a web scanner. This kind of activity is often associated with an attempt by an attacker to scan your network to try to gain access to sensitive or vulnerable web pages. | - | Medium |
| Suspicious PHP execution detected | Machine logs indicate that a suspicious PHP process is running. The action included an attempt to run operating system commands or PHP code from the command line, by using the PHP process. While this behavior can be legitimate, in web applications this behavior might indicate malicious activities, such as attempts to infect websites with web shells. | Execution | Medium |
| Suspicious User Agent detected | The Azure App Service activity log indicates requests with a suspicious user agent. This behavior can indicate attempts to exploit a vulnerability in your App Service application. | - | |
| Suspicious WordPress theme invocation detected | The App Service activity log indicates a possible code injection activity on your App Service resource. This suspicious activity resembles activity that manipulates a WordPress theme to support server-side execution of code, followed by a direct web request to invoke the manipulated theme file. This type of activity can be part of an attack campaign over WordPress. | - | High |
| Vulnerability scanner detected (Joomla/WordPress/CMS) | The Azure App Service activity log indicates that a possible vulnerability scanner was used on your App Service resource. The suspicious activity detected resembles that of tools targeting Joomla applications, WordPress applications, or a content management system (CMS). | - | Medium |
| Web fingerprinting detected (NMAP / Blind Elephant) | The App Service activity log indicates possible web fingerprinting activity on your App Service resource. This suspicious activity is associated with a tool called Blind Elephant. The tool fingerprints web servers and tries to detect the installed applications and their versions. Attackers often use this tool for probing web applications to find vulnerabilities. | - | Medium |
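
Several of the App Service alerts above (anomalous request patterns, a connection to a sensitive page from a previously unseen address, a PHP file in an upload folder, a suspicious user agent) are judgements made over web access logs. The following Python script is an added example, not from this article and not Security Center's own detection logic: it parses a few constructed access-log lines in the common combined format and raises the corresponding alert names per source IP. The upload-folder prefixes, sensitive page paths, scanner User-Agent markers, the 404 threshold used to call a burst of requests fuzzing, and the baseline of known IPs are all assumptions chosen for the example.

```python
"""Access-log checks modelled on the App Service alerts above.
Example code, not part of Azure Security Center; all thresholds are assumptions."""
import re
from collections import Counter, defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referrer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumptions for the example (not values from the article):
UPLOAD_PREFIXES = ("/uploads/", "/upload/", "/wp-content/uploads/")   # folders that should hold no PHP
SENSITIVE_PAGES = ("/wp-admin/", "/wp-login.php", "/admin/")         # administration pages
SCANNER_UA_MARKERS = ("Nmap Scripting Engine", "BlindElephant")       # substrings of scanner user agents
FUZZING_404_THRESHOLD = 5                                             # 404s from one IP that look like fuzzing


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, known_ips=frozenset()):
    """Return {ip: sorted alert names}. known_ips is the baseline of addresses that
    have connected to the sensitive pages before (anything else is 'anomalous')."""
    alerts = defaultdict(set)
    not_found = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                       # skip malformed lines rather than fail the run
        ip, ua = rec["ip"], rec["ua"]
        path = rec["path"].split("?", 1)[0].lower()   # drop the query string before matching
        if rec["status"] == "404":
            not_found[ip] += 1
        if path.endswith(".php") and path.startswith(UPLOAD_PREFIXES):
            alerts[ip].add("PHP file in upload folder")
        if any(marker in ua for marker in SCANNER_UA_MARKERS):
            alerts[ip].add("Suspicious User Agent detected")
        if path.startswith(SENSITIVE_PAGES) and ip not in known_ips:
            alerts[ip].add("Connection to web page from anomalous IP address detected")
    for ip, n in not_found.items():
        if n >= FUZZING_404_THRESHOLD:
            alerts[ip].add("Anomalous requests pattern detected")
    return {ip: sorted(names) for ip, names in alerts.items()}


# Constructed sample log (documentation IP ranges, no real hosts).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/May/2020:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/May/2020:10:00:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/May/2020:10:01:00 +0000] "GET /uploads/image.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/May/2020:10:01:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"',
] + [
    f'192.0.2.44 - - [12/May/2020:10:02:{i:02d} +0000] "GET /{name} HTTP/1.1" 404 153 "-" '
    '"Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"'
    for i, name in enumerate(["phpmyadmin/", "backup.zip", ".env", "config.php", "admin/", "xmlrpc.php"])
]


def run_sample():
    # 198.51.100.7 is the only address previously seen on the admin pages (constructed baseline).
    return analyze(SAMPLE_LOG, known_ips={"198.51.100.7"})


if __name__ == "__main__":
    for ip, names in run_sample().items():
        print(ip, "->", "; ".join(names))
```

On the sample, the known administrator address raises nothing, the address that fetched a PHP file from the upload folder and then the login page raises two alerts, and the scanner address raises three (fuzzing, scanner user agent, and an unseen address on an admin page). In a real deployment the baseline of known IPs would come from historical logs rather than a literal set, and the 404 threshold would be tuned per site.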

Alerts for containers - Azure Kubernetes Service clusters

Further details and notes

| Alert | Description | Intent (Learn more) | Severity |
|---|---|---|---|
| Container with a sensitive volume mount detected | Kubernetes audit log analysis detected a new container with a sensitive volume mount. The volume that was detected is a hostPath type that mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount to gain access to the node. | PrivilegeEscalation | Medium |
| Digital currency mining container detected | Kubernetes audit log analysis detected a container that has an image associated with a digital currency mining tool. | Execution | High |
| Exposed Kubernetes dashboard detected | Kubernetes audit log analysis detected exposure of the Kubernetes Dashboard by a LoadBalancer service. Exposed dashboards allow unauthenticated access to the cluster management and pose a security threat. | Initial access | High |
| New container in the kube-system namespace detected | Kubernetes audit log analysis detected a new container in the kube-system namespace that isn't among the containers that normally run in this namespace. The kube-system namespace shouldn't contain user resources. Attackers can use this namespace to hide malicious components. | Persistence | Low |
| New high privileges role detected | Kubernetes audit log analysis detected a new role with high privileges. A binding to a role with high privileges gives the user/group elevated privileges in the cluster. Unnecessarily providing elevated privileges might result in privilege escalation issues in the cluster. | Persistence | Low |
| Privileged container detected | Kubernetes audit log analysis detected a new privileged container. A privileged container has access to the node's resources and breaks the isolation between containers. If compromised, an attacker can use the privileged container to gain access to the node. | PrivilegeEscalation | Low |
| Role binding to the cluster-admin role detected | Kubernetes audit log analysis detected a new binding to the cluster-admin role resulting in administrator privileges. Unnecessarily providing administrator privileges might result in privilege escalation issues in the cluster. | Persistence | Low |
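
The AKS alerts above are all derived from the Kubernetes audit log, whose events carry the verb, the acting user, an objectRef and the submitted requestObject. The Python script below is an added example, not from this article and not Security Center's own detection logic: it reads constructed audit events as JSON lines and raises four of the alert names above from what the created pod or binding contains (privileged container, sensitive hostPath mount, unexpected pod in kube-system, binding to cluster-admin). The list of sensitive host paths and the allowlist of pod-name prefixes expected in kube-system are assumptions for the example; a real baseline of kube-system workloads would come from the cluster's own history.

```python
"""Audit-log checks modelled on the AKS container alerts above.
Example code, not part of Azure Security Center; path list and allowlist are assumptions."""
import json

# Assumption: node paths whose hostPath mount we treat as sensitive (exact match or beneath).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/lib/kubelet", "/var/run/docker.sock")
# Assumption: pod-name prefixes that normally appear in kube-system on this cluster.
KNOWN_KUBE_SYSTEM_PREFIXES = ("coredns", "kube-proxy", "metrics-server")


def is_sensitive_path(path):
    """True if path equals a sensitive path or lies beneath one ("/" matches only itself)."""
    for p in SENSITIVE_HOST_PATHS:
        if path == p or (p != "/" and path.startswith(p + "/")):
            return True
    return False


def check_pod(event):
    """Alert names for a pod-creation audit event (objectRef.resource == "pods")."""
    findings = []
    obj_ref = event.get("objectRef", {})
    spec = event.get("requestObject", {}).get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    if any(c.get("securityContext", {}).get("privileged") is True for c in containers):
        findings.append("Privileged container detected")
    if any(is_sensitive_path(v.get("hostPath", {}).get("path", ""))
           for v in spec.get("volumes", []) if "hostPath" in v):
        findings.append("Container with a sensitive volume mount detected")
    if obj_ref.get("namespace") == "kube-system" and \
            not obj_ref.get("name", "").startswith(KNOWN_KUBE_SYSTEM_PREFIXES):
        findings.append("New container in the kube-system namespace detected")
    return findings


def check_binding(event):
    """Alert names for a RoleBinding / ClusterRoleBinding creation event."""
    ref = event.get("requestObject", {}).get("roleRef", {})
    if ref.get("kind") == "ClusterRole" and ref.get("name") == "cluster-admin":
        return ["Role binding to the cluster-admin role detected"]
    return []


def analyze(audit_lines):
    """Return {(username, object name): [alert names]} over JSON-lines audit events."""
    results = {}
    for line in audit_lines:
        ev = json.loads(line)
        if ev.get("verb") != "create":          # only object creation is of interest here
            continue
        resource = ev.get("objectRef", {}).get("resource")
        if resource == "pods":
            found = check_pod(ev)
        elif resource in ("rolebindings", "clusterrolebindings"):
            found = check_binding(ev)
        else:
            continue
        if found:
            key = (ev.get("user", {}).get("username", "?"), ev["objectRef"].get("name", "?"))
            results[key] = found
    return results


# Constructed audit events (trimmed to the fields the checks use).
SAMPLE_AUDIT = [
    json.dumps({"verb": "create", "user": {"username": "dev@example.com"},
                "objectRef": {"resource": "pods", "namespace": "default", "name": "debug-pod"},
                "requestObject": {"spec": {
                    "containers": [{"name": "shell", "image": "busybox",
                                    "securityContext": {"privileged": True}}],
                    "volumes": [{"name": "host", "hostPath": {"path": "/etc/kubernetes"}}]}}}),
    json.dumps({"verb": "create", "user": {"username": "system:serviceaccount:kube-system:daemon-set-controller"},
                "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "kube-proxy-abc12"},
                "requestObject": {"spec": {"containers": [{"name": "kube-proxy", "image": "kube-proxy"}]}}}),
    json.dumps({"verb": "create", "user": {"username": "dev@example.com"},
                "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "helper"},
                "requestObject": {"spec": {"containers": [{"name": "helper", "image": "alpine"}]}}}),
    json.dumps({"verb": "create", "user": {"username": "dev@example.com"},
                "objectRef": {"resource": "clusterrolebindings", "name": "give-me-admin"},
                "requestObject": {"roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                                              "kind": "ClusterRole", "name": "cluster-admin"},
                                  "subjects": [{"kind": "User", "name": "dev@example.com"}]}}),
    json.dumps({"verb": "get", "user": {"username": "dev@example.com"},
                "objectRef": {"resource": "pods", "namespace": "default", "name": "web"}}),
]


if __name__ == "__main__":
    for (user, name), names in analyze(SAMPLE_AUDIT).items():
        print(f"{user} created {name}: {'; '.join(names)}")
```

The kube-proxy pod created by the daemon-set controller is on the allowlist and raises nothing, while the developer's pod in kube-system, the privileged pod with a hostPath under /etc, and the cluster-admin binding each produce their alert. Matching only on the ClusterRole name is deliberate: a ClusterRoleBinding and a namespaced RoleBinding can both reference cluster-admin, and both grant more than the namespace usually needs.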

Alerts for containers - host level

Further details and notes

| Alert | Description | Intent (Learn more) | Severity |
|---|---|---|---|
| Privileged Container Detected | Machine logs indicate that a privileged Docker container is running. A privileged container has full access to the host's resources. If compromised, an attacker can use the privileged container to gain access to the host machine. | PrivilegeEscalation / Execution | Low |
| Privileged command run in container | Machine logs indicate that a privileged command was run in a Docker container. A privileged command has extended privileges on the host machine. | PrivilegeEscalation | Low |
| Exposed Docker daemon detected | Machine logs indicate that your Docker daemon (dockerd) exposes a TCP socket. By default, the Docker configuration doesn't use encryption or authentication when a TCP socket is enabled. Anyone with access to the relevant port can then get full access to the Docker daemon. | Exploitation / Execution | Medium |
| SSH server is running inside a container | Machine logs indicate that an SSH server is running inside a Docker container. While this behavior can be intentional, it frequently indicates that a container is misconfigured or breached. | Execution | Medium |
| Container with a miner image detected | Machine logs indicate execution of a Docker container running an image associated with digital currency mining. This behavior can possibly indicate that your resources are being abused. | Execution | High |
| Suspicious request to Kubernetes API | Machine logs indicate that a suspicious request was made to the Kubernetes API. The request was sent from a Kubernetes node, possibly from one of the containers running in the node. Although this behavior can be intentional, it might indicate that the node is running a compromised container. | Execution | Medium |
| Suspicious request to the Kubernetes Dashboard | Machine logs indicate that a suspicious request was made to the Kubernetes Dashboard. The request was sent from a Kubernetes node, possibly from one of the containers running in the node. Although this behavior can be intentional, it might indicate that the node is running a compromised container. | Lateral movement | Medium |

Alerts for SQL Database and SQL Data Warehouse

Further details and notes

| Alert | Description | Intent (Learn more) | Severity |
|---|---|---|---|
| A possible vulnerability to SQL Injection | An application has generated a faulty SQL statement in the database. This can indicate a possible vulnerability to SQL injection attacks. There are two possible reasons for a faulty statement. A defect in application code might have constructed the faulty SQL statement. Or, application code or stored procedures didn't sanitize user input when constructing the faulty SQL statement, which can be exploited for SQL injection. | - | Medium |
| Attempted logon by a potentially harmful application | A potentially harmful application has been used to access the database. In some cases, the alert detects penetration testing in action. In other cases, the alert detects an attack that uses common tools. | Probing | High |
| Logon by an unfamiliar principal | There has been a change in the access pattern to SQL Server. Someone has signed in to the server by using an unusual principal (user). In some cases, the alert detects a legitimate action (a new application or developer maintenance). In other cases, the alert detects a malicious action (a former employee or external attacker). | Exploitation | Medium |
| Logon from an unusual Azure Data Center | There has been a change in the access pattern to a SQL Server, where someone has signed in to the server from an unusual Azure Data Center. In some cases, the alert detects a legitimate action (a new application or Azure service). In other cases, the alert detects a malicious action (an attacker operating from a breached resource in Azure). | Probing | Low |
| Logon from an unusual location | There has been a change in the access pattern to SQL Server, where someone has signed in to the server from an unusual geographical location. In some cases, the alert detects a legitimate action (a new application or developer maintenance). In other cases, the alert detects a malicious action (a former employee or external attacker). | Exploitation | Medium |
| Potential SQL Brute Force attempt | An abnormally high number of failed sign-ins with different credentials has occurred. In some cases, the alert detects penetration testing in action. In other cases, the alert detects a brute force attack. | Probing | High |
| Potential SQL injection | An active exploit has occurred against an identified application vulnerable to SQL injection. This means an attacker is trying to inject malicious SQL statements by using the vulnerable application code or stored procedures. | - | High |
| Potentially Unsafe Action | A high-privileged SQL command that is commonly used in malicious sessions has been executed in a SQL Server. It is recommended that these commands be disabled by default. In some cases, the alert detects a legitimate action (an admin script running). In other cases, the alert detects a malicious action (an attacker using SQL trusts to breach the Windows layer). | Execution | High |
| Unusual export location | There has been a change in the export storage destination for a SQL import and export operation. In some cases, the alert detects a legitimate change (a new backup destination). In other cases, the alert detects a malicious action (an attacker easily exfiltrating data to a file). | Exfiltration | High |

Alerts for Azure Storage

Further details and notes

| Alert | Description | Intent (Learn more) | Severity |
|---|---|---|---|
| Access from a Tor exit node to a storage account | Indicates that this account has been accessed successfully from an IP address that is known as an active exit node of Tor (an anonymizing proxy). The severity of this alert considers the authentication type used (if any), and whether this is the first case of such access. Potential causes can be an attacker who has accessed your storage account by using Tor, or a legitimate user who has accessed your storage account by using Tor. | Probing / Exploitation | High |
| Access from an unusual location to a storage account | Indicates that there was a change in the access pattern to an Azure Storage account. Someone has accessed this account from an IP address considered unfamiliar when compared with recent activity. Either an attacker has gained access to the account, or a legitimate user has connected from a new or unusual geographic location. An example of the latter is remote maintenance from a new application or developer. | Exploitation | Low |
| Anonymous access to a storage account | Indicates that there's a change in the access pattern to a storage account. For instance, the account has been accessed anonymously (without any authentication), which is unexpected compared to the recent access pattern on this account. A potential cause is that an attacker has exploited public read access to a container that holds blob storage. | Exploitation | High |
| Potential malware uploaded to a storage account | Indicates that a blob containing potential malware has been uploaded to a storage account. This alert is based on hash reputation analysis leveraging Microsoft threat intelligence, which includes hashes for viruses, trojans, spyware and ransomware. Potential causes may include an intentional malware upload by an attacker, or an unintentional upload of a potentially malicious blob by a legitimate user. Learn more about Microsoft's threat intelligence capabilities here: https://go.microsoft.com/fwlink/?linkid=2128684 | LateralMovement | High |
| Unusual access inspection in a storage account | Indicates that the access permissions of a storage account have been inspected in an unusual way, compared to recent activity on this account. A potential cause is that an attacker has performed reconnaissance for a future attack. | Collection | Medium |
| Unusual amount of data extracted from a storage account | Indicates that an unusually large amount of data has been extracted compared to recent activity on this storage container. A potential cause is that an attacker has extracted a large amount of data from a container that holds blob storage. | Exfiltration | Medium |
| Unusual application accessed a storage account | Indicates that an unusual application has accessed this storage account. A potential cause is that an attacker has accessed your storage account by using a new application. | Exploitation | Medium |
| Unusual change of access permissions in a storage account | Indicates that the access permissions of this storage container have been changed in an unusual way. A potential cause is that an attacker has changed container permissions to weaken its security posture or to gain persistence. | Persistence | Medium |
| Unusual data exploration in a storage account | Indicates that blobs or containers in a storage account have been enumerated in an abnormal way, compared to recent activity on this account. A potential cause is that an attacker has performed reconnaissance for a future attack. | Collection | Medium |
| Unusual deletion in a storage account | Indicates that one or more unexpected delete operations have occurred in a storage account, compared to recent activity on this account. A potential cause is that an attacker has deleted data from your storage account. | Exfiltration | Medium |
| Unusual upload of .cspkg to a storage account | Indicates that an Azure Cloud Services package (.cspkg file) has been uploaded to a storage account in an unusual way, compared to recent activity on this account. A potential cause is that an attacker has been preparing to deploy malicious code from your storage account to an Azure cloud service. | LateralMovement / Execution | Medium |
| Unusual upload of .exe to a storage account | Indicates that an .exe file has been uploaded to a storage account in an unusual way, compared to recent activity on this account. A potential cause is that an attacker has uploaded a malicious executable file to your storage account, or that a legitimate user has uploaded an executable file. | LateralMovement / Execution | Medium |

Alerts for Azure Cosmos DB (Preview)

Further details and notes

| Alert | Description | Intent (Learn more) | Severity |
|---|---|---|---|
| Access from an unusual location to a Cosmos DB account | Indicates that there was a change in the access pattern to an Azure Cosmos DB account. Someone has accessed this account from an unfamiliar IP address, compared to recent activity. Either an attacker has accessed the account, or a legitimate user has accessed it from a new and unusual geographical location. An example of the latter is remote maintenance from a new application or developer. | Exploitation | Medium |
| Unusual amount of data extracted from a Cosmos DB account | Indicates that there was a change in the data extraction pattern from an Azure Cosmos DB account. Someone has extracted an unusual amount of data compared to recent activity. An attacker might have extracted a large amount of data from an Azure Cosmos DB database (for example, data exfiltration or leakage, or an unauthorized transfer of data). Or, a legitimate user or application might have extracted an unusual amount of data from a container (for example, for maintenance backup activity). | Exfiltration | Medium |

Alerts for Azure network layer

Further details and notes

| Alert | Description | Intent (Learn more) | Severity |
|---|---|---|---|
| Network communication with a malicious machine detected | Network traffic analysis indicates that your machine (IP %{Victim IP}) has communicated with what is possibly a Command and Control center. When the compromised resource is a load balancer or an application gateway, the suspected activity might indicate that one or more of the resources in the backend pool (of the load balancer or application gateway) has communicated with what is possibly a Command and Control center. | - | Medium |
| Possible compromised machine detected | Threat intelligence indicates that your machine (at IP %{Machine IP}) may have been compromised by malware of type Conficker. Conficker was a computer worm that targets the Microsoft Windows operating system and was first detected in November 2008. Conficker infected millions of computers, including government, business and home computers, in over 200 countries, making it the largest known computer worm infection since the 2003 Welchia worm. | - | Medium |
| Possible incoming %{Service Name} brute force attempts detected | Network traffic analysis detected incoming %{Service Name} communication to %{Victim IP}, associated with your resource %{Compromised Host}, from %{Attacker IP}. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows suspicious activity between %{Start Time} and %{End Time} on port %{Victim Port}. This activity is consistent with brute force attempts against %{Service Name} servers. | - | Medium |
| Possible incoming SQL brute force attempts detected | Network traffic analysis detected incoming SQL communication to %{Victim IP}, associated with your resource %{Compromised Host}, from %{Attacker IP}. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows suspicious activity between %{Start Time} and %{End Time} on port %{Port Number} (%{SQL Service Type}). This activity is consistent with brute force attempts against SQL servers. | - | Medium |
| Possible outgoing denial-of-service attack detected | Network traffic analysis detected anomalous outgoing activity originating from %{Compromised Host}, a resource in your deployment. This activity may indicate that your resource was compromised and is now engaged in denial-of-service attacks against external endpoints. When the compromised resource is a load balancer or an application gateway, the suspected activity might indicate that one or more of the resources in the backend pool (of the load balancer or application gateway) was compromised. Based on the volume of connections, we believe that the following IPs are possibly the targets of the DOS attack: %{Possible Victims}. Note that it is possible that the communication to some of these IPs is legitimate. | - | Medium |
| Possible outgoing port scanning activity detected | Network traffic analysis detected suspicious outgoing traffic from %{Compromised Host}. This traffic may be a result of port scanning activity. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic originated from one or more of the resources in the backend pool (of the load balancer or application gateway). If this behavior is intentional, please note that performing port scanning is against the Azure Terms of Service. If this behavior is unintentional, it may mean your resource has been compromised. | - | Medium |
| Suspicious incoming RDP network activity from multiple sources | Network traffic analysis detected anomalous incoming Remote Desktop Protocol (RDP) communication to %{Victim IP}, associated with your resource %{Compromised Host}, from multiple sources. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Attacking IPs} unique IPs connecting to your resource, which is considered abnormal for this environment. This activity may indicate an attempt to brute force your RDP endpoint from multiple hosts (botnet). | - | Medium |
| Suspicious incoming RDP network activity | Network traffic analysis detected anomalous incoming Remote Desktop Protocol (RDP) communication to %{Victim IP}, associated with your resource %{Compromised Host}, from %{Attacker IP}. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Connections} incoming connections to your resource, which is considered abnormal for this environment. This activity may indicate an attempt to brute force your RDP endpoint. | - | Medium |
| Suspicious incoming SSH network activity from multiple sources | Network traffic analysis detected anomalous incoming SSH communication to %{Victim IP}, associated with your resource %{Compromised Host}, from multiple sources. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Attacking IPs} unique IPs connecting to your resource, which is considered abnormal for this environment. This activity may indicate an attempt to brute force your SSH endpoint from multiple hosts (botnet). | - | Medium |
| Suspicious incoming SSH network activity | Network traffic analysis detected anomalous incoming SSH communication to %{Victim IP}, associated with your resource %{Compromised Host}, from %{Attacker IP}. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Connections} incoming connections to your resource, which is considered abnormal for this environment. This activity may indicate an attempt to brute force your SSH endpoint. | - | Medium |
| Suspicious outgoing %{Attacked Protocol} traffic detected | Network traffic analysis detected suspicious outgoing traffic from %{Compromised Host} to destination port %{Most Common Port}. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic originated from one or more of the resources in the backend pool (of the load balancer or application gateway). This behavior may indicate that your resource is taking part in %{Attacked Protocol} brute force attempts or port sweeping attacks. | - | Medium |
| Suspicious outgoing RDP network activity to multiple destinations | Network traffic analysis detected anomalous outgoing Remote Desktop Protocol (RDP) communication to multiple destinations originating from %{Compromised Host} (%{Attacker IP}), a resource in your deployment. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic originated from one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows your machine connecting to %{Number of Attacked IPs} unique IPs, which is considered abnormal for this environment. This activity may indicate that your resource was compromised and is now used to brute force external RDP endpoints. Note that this type of activity could possibly cause your IP to be flagged as malicious by external entities. | - | High |
| Suspicious outgoing RDP network activity | Network traffic analysis detected anomalous outgoing Remote Desktop Protocol (RDP) communication to %{Victim IP} originating from %{Compromised Host} (%{Attacker IP}), a resource in your deployment. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic originated from one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Connections} outgoing connections from your resource, which is considered abnormal for this environment. This activity may indicate that your machine was compromised and is now used to brute force external RDP endpoints. Note that this type of activity could possibly cause your IP to be flagged as malicious by external entities. | - | High |
| Suspicious outgoing SSH network activity to multiple destinations | Network traffic analysis detected anomalous outgoing SSH communication to multiple destinations originating from %{Compromised Host} (%{Attacker IP}), a resource in your deployment. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic originated from one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows your resource connecting to %{Number of Attacked IPs} unique IPs, which is considered abnormal for this environment. This activity may indicate that your resource was compromised and is now used to brute force external SSH endpoints. Note that this type of activity could possibly cause your IP to be flagged as malicious by external entities. | - | Medium |
| Suspicious outgoing SSH network activity | Network traffic analysis detected anomalous outgoing SSH communication to %{Victim IP} originating from %{Compromised Host} (%{Attacker IP}), a resource in your deployment. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic originated from one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows %{Number of Connections} outgoing connections from your resource, which is considered abnormal for this environment. This activity may indicate that your resource was compromised and is now used to brute force external SSH endpoints. Note that this type of activity could possibly cause your IP to be flagged as malicious by external entities. | - | Medium |
| Traffic detected from IP addresses recommended for blocking | Azure Security Center detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center's threat intelligence sources. | Probing | Low |
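As an added example (not code from this page or from Azure Security Center), the following Python sketches the kind of logic behind the "Suspicious incoming RDP network activity from multiple sources" alert above: it counts distinct source IPs reaching the RDP port per destination in a five-minute window and compares that count with a per-destination baseline built from earlier windows. The flow records, the baseline history, the window size, the mean-plus-three-standard-deviations rule and the floor of five sources are all constructed assumptions; Security Center's own model is not described on the page.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# Constructed sample data (not real traffic), one sampled flow per line:
# "timestamp,source_ip,destination_ip,destination_port".
SAMPLE_FLOWS = """\
2021-03-01T12:00:05Z,203.0.113.10,10.0.0.4,3389
2021-03-01T12:00:12Z,203.0.113.11,10.0.0.4,3389
2021-03-01T12:00:40Z,203.0.113.12,10.0.0.4,3389
2021-03-01T12:01:03Z,203.0.113.13,10.0.0.4,3389
2021-03-01T12:01:30Z,198.51.100.7,10.0.0.4,3389
2021-03-01T12:02:14Z,198.51.100.8,10.0.0.4,3389
2021-03-01T12:03:01Z,198.51.100.9,10.0.0.4,3389
2021-03-01T12:04:47Z,203.0.113.10,10.0.0.4,3389
2021-03-01T12:04:55Z,198.51.100.20,10.0.0.4,3389
2021-03-01T12:02:00Z,203.0.113.50,10.0.0.4,22
2021-03-01T12:03:00Z,203.0.113.51,10.0.0.4,22
2021-03-01T12:06:10Z,192.0.2.30,10.0.0.4,3389
2021-03-01T12:07:45Z,192.0.2.31,10.0.0.4,3389
2021-03-01T12:01:00Z,192.0.2.40,10.0.0.5,3389
"""

# Constructed baseline: distinct RDP sources seen per 5-minute window in
# earlier (assumed normal) windows, keyed by destination IP.
HISTORY: Dict[str, List[int]] = {
    "10.0.0.4": [2, 1, 3, 2, 2],
    "10.0.0.5": [1, 1, 2, 1, 1],
}


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the simplified CSV lines above; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split(",")
        flows.append(Flow(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                          src, dst, int(dport)))
    return flows


def window_start(ts: datetime, window: timedelta) -> datetime:
    """Align a timestamp to the start of its fixed-size window (UTC)."""
    secs = int(window.total_seconds())
    aligned = int(ts.timestamp()) // secs * secs
    return datetime.fromtimestamp(aligned, tz=timezone.utc)


def unique_sources(flows: List[Flow], dport: int,
                   window: timedelta) -> Dict[Tuple[str, datetime], Set[str]]:
    """Map (destination IP, window start) to the distinct source IPs
    that reached `dport` in that window; other ports are ignored."""
    buckets: Dict[Tuple[str, datetime], Set[str]] = defaultdict(set)
    for f in flows:
        if f.dport == dport:
            buckets[(f.dst, window_start(f.ts, window))].add(f.src)
    return buckets


def threshold(history: List[int], min_sources: int) -> float:
    """Per-destination limit: mean + 3 standard deviations of past
    per-window counts, never below `min_sources` (assumed rule)."""
    if len(history) < 2:
        return float(min_sources)
    return max(float(min_sources), mean(history) + 3 * pstdev(history))


def detect_multi_source_rdp(flows: List[Flow], history: Dict[str, List[int]],
                            dport: int = 3389,
                            window: timedelta = timedelta(minutes=5),
                            min_sources: int = 5) -> List[dict]:
    """Return one alert per (destination, window) whose distinct-source
    count exceeds that destination's baseline threshold."""
    alerts = []
    for (dst, start), srcs in sorted(unique_sources(flows, dport, window).items()):
        limit = threshold(history.get(dst, []), min_sources)
        if len(srcs) > limit:
            alerts.append({"dst": dst, "window_start": start.isoformat(),
                           "unique_sources": len(srcs),
                           "threshold": round(limit, 2)})
    return alerts


if __name__ == "__main__":
    for alert in detect_multi_source_rdp(parse_flows(SAMPLE_FLOWS), HISTORY):
        print(alert)
```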

Alerts for Azure Resource Manager (Preview)

Further details and notes

| Alert | Description | Intent (Learn more) | Severity |
|---|---|---|---|
| Activity from anonymous IP addresses | User activity from an IP address that has been identified as an anonymous proxy IP address has been detected. These proxies are used by people who want to hide their device's IP address, and can be used for malicious intent. This detection uses a machine learning algorithm that reduces false positives, such as mis-tagged IP addresses that are widely used by users in the organization. | - | Medium |
| Activity from infrequent country | Activity from a location that wasn't recently or ever visited by any user in the organization has occurred. This detection considers past activity locations to determine new and infrequent locations. The anomaly detection engine stores information about previous locations used by users in the organization. | - | Medium |
| Impossible travel activity | Two user activities (in a single or multiple sessions) have occurred, originating from geographically distant locations. This occurs within a time period shorter than the time it would have taken the user to travel from the first location to the second. This indicates that a different user is using the same credentials. This detection uses a machine learning algorithm that ignores obvious false positives contributing to the impossible travel conditions, such as VPNs and locations regularly used by other users in the organization. The detection has an initial learning period of seven days, during which it learns a new user's activity pattern. | - | Medium |
| PREVIEW - Azurite toolkit run detected | A known cloud-environment reconnaissance toolkit run has been detected in your environment. The tool Azurite can be used by an attacker (or penetration tester) to map your subscriptions' resources and identify insecure configurations. | - | High |
| PREVIEW - Suspicious management session using PowerShell detected | Subscription activity logs analysis has detected suspicious behavior. A principal that doesn't regularly use PowerShell to manage the subscription environment is now using PowerShell, and performing actions that can secure persistence for an attacker. | Persistence | Medium |
| PREVIEW - Suspicious management session using an inactive account detected | Subscription activity logs analysis has detected suspicious behavior. A principal not in use for a long period of time is now performing actions that can secure persistence for an attacker. | Persistence | Medium |
| PREVIEW - MicroBurst toolkit "Get-AzureDomainInfo" function run detected | A known cloud-environment reconnaissance toolkit run has been detected in your environment. The tool "MicroBurst" (see https://github.com/NetSPI/MicroBurst) can be used by an attacker (or penetration tester) to map your subscription(s) resources, identify insecure configurations, and leak confidential information. | - | High |
| PREVIEW - MicroBurst toolkit "Get-AzurePasswords" function run detected | A known cloud-environment reconnaissance toolkit run has been detected in your environment. The tool "MicroBurst" (see https://github.com/NetSPI/MicroBurst) can be used by an attacker (or penetration tester) to map your subscription(s) resources, identify insecure configurations, and leak confidential information. | - | High |
| PREVIEW - Suspicious management session using Azure portal detected | Analysis of your subscription activity logs has detected suspicious behavior. A principal that doesn't regularly use the Azure portal (Ibiza) to manage the subscription environment (it hasn't used the Azure portal to manage for the last 45 days, or a subscription that it is actively managing) is now using the Azure portal and performing actions that can secure persistence for an attacker. | - | Medium |
| Use of advanced Azure persistence techniques | Subscription activity logs analysis has detected suspicious behavior. Customized roles have been assigned to legitimate identity entities. This can allow the attacker to gain persistence in an Azure customer environment. | - | |

Alerts for Azure Key Vault (Preview)

Further details and notes

| Alert | Description | Intent (Learn more) | Severity |
|---|---|---|---|
| Access from a TOR exit node to a Key Vault | The Key Vault has been accessed by someone using the TOR IP anonymization system to hide their location. Malicious actors often try to hide their location when attempting to gain unauthorized access to internet-connected resources. | - | Medium |
| High volume of operations in a Key Vault | A larger volume of Key Vault operations has been performed compared with historical data. Key Vault activity is typically the same over time. This may be a legitimate change in activity. Alternatively, your infrastructure might be compromised and further investigations are necessary. | - | Medium |
| Suspicious policy change and secret query in a Key Vault | A Key Vault policy change has been made and then operations to list and/or get secrets occurred. In addition, this operation pattern isn't normally performed by the user on this vault. This is highly indicative that the Key Vault is compromised and the secrets within have been stolen by a malicious actor. | - | Medium |
| Suspicious secret listing and query in a Key Vault | A Secret List operation was followed by many Secret Get operations. Also, this operation pattern isn't normally performed by the user on this vault. This indicates that someone could be dumping the secrets stored in the Key Vault for potentially malicious purposes. | - | Medium |
| Unusual application accessed a Key Vault | The Key Vault has been accessed by an application that doesn't normally access it. This may be a legitimate access attempt (for example, following an infrastructure or code update). This is also a possible indication that your infrastructure is compromised and a malicious actor is trying to access your Key Vault. | - | Medium |
| Unusual operation pattern in a Key Vault | An unusual set of Key Vault operations has been performed compared with historical data. Key Vault activity is typically the same over time. This may be a legitimate change in activity. Alternatively, your infrastructure might be compromised and further investigations are necessary. | - | Medium |
| Unusual user accessed a Key Vault | The Key Vault has been accessed by a user that doesn't normally access it. This may be a legitimate access attempt (for example, a new user needing access has joined the organization). This is also a possible indication that your infrastructure is compromised and a malicious actor is trying to access your Key Vault. | - | Medium |
| Unusual user-application pair accessed a Key Vault | The Key Vault has been accessed by a user-application pairing that doesn't normally access it. This may be a legitimate access attempt (for example, following an infrastructure or code update). This is also a possible indication that your infrastructure is compromised and a malicious actor is trying to access your Key Vault. | - | Medium |
| User accessed high volume of Key Vaults | The number of vaults that a user or application accesses has changed compared with historical data. Key Vault activity is typically the same over time. This may be a legitimate change in activity. Alternatively, your infrastructure might be compromised and further investigations are necessary. | - | Medium |

Intentions

Understanding the intention of an attack can help you investigate and report the event more easily. Azure Security Center alerts include the 'intent' field to help with these efforts.

The series of steps that describe the progression of a cyberattack from reconnaissance to data exfiltration is often referred to as a "kill chain".

Security Center's supported kill chain intents are based on the MITRE ATT&CK™ framework and are described in the table below.

| Intent | Description |
|---|---|
| PreAttack | PreAttack could be either an attempt to access a certain resource regardless of a malicious intent, or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt, originating from outside the network, to scan the target system and identify an entry point. Further details on the PreAttack stage can be read on MITRE's page. |
| InitialAccess | InitialAccess is the stage where an attacker manages to get a foothold on the attacked resource. This stage is relevant for compute hosts and resources such as user accounts, certificates, etc. Threat actors will often be able to control the resource after this stage. |
| Persistence | Persistence is any access, action, or configuration change to a system that gives a threat actor a persistent presence on that system. Threat actors will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or provide an alternate backdoor for them to regain access. |
| PrivilegeEscalation | Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective may also be considered an escalation of privilege. |
| DefenseEvasion | Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as (or variations of) techniques in other categories that have the added benefit of subverting a particular defense or mitigation. |
| CredentialAccess | Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. With sufficient access within a network, an adversary can create accounts for later use within the environment. |
| Discovery | Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase. |
| LateralMovement | Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool. An adversary can use lateral movement for many purposes, including remote execution of tools, pivoting to additional systems, access to specific information or files, access to additional credentials, or to cause an effect. |
| Execution | The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network. |
| Collection | Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate. |
| Exfiltration | Exfiltration refers to techniques and attributes that result in or aid the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate. |
| CommandAndControl | The command and control tactic represents how adversaries communicate with systems under their control within a target network. |
| Impact | Impact events primarily try to directly reduce the availability or integrity of a system, service, or network, including manipulation of data to impact a business or operational process. This would often refer to techniques such as ransomware, defacement, data manipulation, and others. |

Next steps

To learn more about alerts, see the following: