Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1038
Views
0
Helpful
0
Comments

Cognitive Intelligence - List of Activities with Descriptions

psomol
Cisco Employee
Cisco Employee

on ‎05-31-2019 10:16 AM

List of Activity types that - when observed in telemetry - lead to creation of Incident in Cognitive Intelligence. 

 

Activities related to Confirmed Threat Categories (both on StealthWatch and ProxyLogs)

Note that each category covers up to dozens of different Confirmed Threat types

Activity Extended Description in Incident Detail Page Risks
Exfiltration Botnet infection with exfiltration capability and larger uploads observed Critical

Information stealer

 Botnet infection with exfiltration capability Critical, High, Mid, Low

Ransomware

 Infection with disk encrypting ransomware Critical, High, Mid

Banking trojan

 Botnet infection with exfiltration capability that targets banking credentials High

Click fraud

 Botnet infection with click fraud capability High, Mid

Trojan

 Malicious software executed by user High, Low

Exploit kit

 Execution of browser-based exploit kit High

Cryptocurrency miner

 Software that uses your computing resources to mine cryptocurrencies High, Low

Malware dropper

 Infection that can download additional malware such as droppers High, Mid, Low

Malware distribution

 Web site that distributes malware High, Low

Spam botnet

 Botnet infection that is capable of sending spam e-mail High

Ad injector

 Web browser plugin that injects advertisements to visited pages Mid, Low

PUA

 Potentially unwanted application Mid, Low

Malicious advertising

 Advertisements that contain malicious code or lead to malicious pages Low

Money scam

 Fraudulent web site tricking user into spending money Low

Scareware

 Fraudulent web site tricking user into installing fake antivirus or product updates Low

Anonymization software

 Free or paid software for enabling anonymous communication Low
Spam tracking Visit of tracking back-link from spam e-mail Low

 

Activities related to specific Confirmed Threats (both on StealthWatch and ProxyLogs)

Activity Extended Description in Incident Detail Page Confirmed Threat ID Risk
WannaCry ransomware Encrypting ransomware exploiting the ETERNALBLUE SMB vulnerability CWNC01 Critical

DNS changer

 Trojan capable of stealing user and system information CDCH01 High

InstallCapital malware installer

 Family of malicious malware that profits from spyware and adware distribution CADW26 High

Adups Android firmware

 Mobile firmware which transmits sensitive, personal information without disclosure or the user's consent CAEX01 Mid

Rig exploit kit malware delivery

 Web site distributing malware associated with Rig exploit kit CMCD06 Low

HotSpot Shield VPN

 Software for enabling anonymous communication CMPV01 Low

In-browser cryptocurrency miner

 Javascript scriptlets that use your computing resources to mine cryptocurrencies CCMM03 Low

ArcadeYum / GameVance

 Applications displaying malicious advertising that tricks user into installing other malware CAYM01 Mid

 

Activities related to StealthWatch-specific Detections (Unconfirmed)

Activity Extended Description in Incident Detail Page Risk

Unknown botnet

 Unknown communication to many external nodes, likely caused by botnet High

Unknown threat - C&C channel

 Unknown communication - likely command and control (C&C) channel High

SMB infecting malware

 Discovery of external SMB servers, e.g. as used by Wannacry malware High

Malware download

 File download with name and other characteristics typical for malware High

Disproportionately high DNS usage

 Likely caused by C&C search (DGA) or Exfiltration (DNS tunneling) Mid

Phishing

 HTTP request with characteristics typical of phishing Mid

Unknown threat - ICMP burst

 Surge of ICMP packets, sent to many external nodes Low

Torrent

 Distributed protocol used for file sharing Low

Vulnerability scanning tool

 Communication characteristic for vulnerability scanning tools such as Qualys or Nessus Low
TOR Free software for enabling anonymous communication Low

 

Activities related to ProxyLog-specific Detections (Unconfirmed)

Activity Extended Description in Incident Detail Page Risk

Cryptowall C&C

 Command and control scheme used by Cryptowall ransomware and other malware Critical

Remote Access Trojan

 Malicious software for remote control of a system Critical

Ramnit malware

 Ramnit malware with remote access capability High

Sality malware

 File infecting modular malware High

Miuref malware

 Modular malware with exfiltration capability High

Exploit kit

 Execution of browser-based exploit kit High

Unknown threat

 Unknown high severity malware identified by machine learning classifier High
Malware download Malicious file download High
Unknown threat Unknown high severity threat identified by machine learning classifier High

Brute-forcing botnet

 Botnet infection with observed brute-forcing of web password Mid
Unknown threat - generated domain name Random domains used by advertisements or malware C&C channel Mid
Unknown threat - data in URL Data encoded in URL used by advertisements or malware C&C channel Mid
Cryptocurrency miner Software that uses your computing resources to mine cryptocurrencies Mid
Click fraud Botnet infection with click fraud capability Mid
E-mail infection Malware infection through an e-mail Mid
Unknown threat - sinkholed domain Communication with domain sinkholed by Anubis Networks Mid
Unknown threat Unknown threat identified by machine learning classifier Mid
Unknown threat Hostnames flagged by sandbox Mid
Unknown threat - bad reputation Bad reputation hostnames and IP addresses Mid
Unknown encrypted threat Unknown malware using HTTPS identified by machine learning classifier Mid
Phishing HTTP request with characterictics typical for phishing Mid
Service login brute-forcing High number of consecutive login attempts to external or internal service Mid
Service data leak Data leak from external or internal service Mid
Adware Software displaying unwanted advertisements Low
Supercookie tracking Visit to sites known to collect supercookie/evercookie tracking data Low
Vulnerability scanning tool Communication characteristic of vulnerability-scanning tools such as Qualys or Nessus Low
Hola VPN Software for enabling anonymous communication Low
Ultrasurf Software for enabling anonymous communication Low
TOR Free software for enabling anonymous communication Low
Spam tracking Visit of tracking back-link from spam e-mail Low

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents